upstream commit

refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
author: djm@openbsd.org <djm@openbsd.org> 2017-06-24 06:34:38 +0000
committer: Damien Miller <djm@mindrot.org> 2017-06-24 16:56:11 +1000
commit: 8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch)
tree: 51ab66a6011af6459e0d4ca15a4b4b78368607a1 /auth.c
parent: e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff)
1 files changed, 44 insertions, 18 deletions
diff --git a/auth.c b/auth.c
index fd8211505..96116ecfe 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.121 2017/05/30 08:52:19 markus Exp $ */
+/* $OpenBSD: auth.c,v 1.122 2017/06/24 06:34:38 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -267,21 +267,41 @@ allowed_user(struct passwd * pw)
        return 1;
 }
-void
+/*
-auth_info(Authctxt *authctxt, const char *fmt, ...)
+ * Formats any key left in authctxt->auth_method_key for inclusion in
+ * auth_log()'s message. Also includes authxtct->auth_method_info if present.
+ */
+static char *
+format_method_key(Authctxt *authctxt)
 {
-        va_list ap;
+        const struct sshkey *key = authctxt->auth_method_key;
-        int i;
+        const char *methinfo = authctxt->auth_method_info;
+        char *fp, *ret = NULL;
-        free(authctxt->info);
-        authctxt->info = NULL;
-        va_start(ap, fmt);
+        if (key == NULL)
-        i = vasprintf(&authctxt->info, fmt, ap);
+                return NULL;
-        va_end(ap);
-        if (i < 0 || authctxt->info == NULL)
+        if (key_is_cert(key)) {
-                fatal("vasprintf failed");
+                fp = sshkey_fingerprint(key->cert->signature_key,
+                    options.fingerprint_hash, SSH_FP_DEFAULT);
+                xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s",
+                    sshkey_type(key), key->cert->key_id,
+                    (unsigned long long)key->cert->serial,
+                    sshkey_type(key->cert->signature_key),
+                    fp == NULL ? "(null)" : fp,
+                    methinfo == NULL ? "" : ", ",
+                    methinfo == NULL ? "" : methinfo);
+                free(fp);
+        } else {
+                fp = sshkey_fingerprint(key, options.fingerprint_hash,
+                    SSH_FP_DEFAULT);
+                xasprintf(&ret, "%s %s%s%s", sshkey_type(key),
+                    fp == NULL ? "(null)" : fp,
+                    methinfo == NULL ? "" : ", ",
+                    methinfo == NULL ? "" : methinfo);
+                free(fp);
+        }
+        return ret;
 }
 void
@@ -290,7 +310,8 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 {
        struct ssh *ssh = active_state; /* XXX */
        void (*authlog) (const char *fmt,...) = verbose;
-        char *authmsg;
+        const char *authmsg;
+        char *extra = NULL;
        if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
                return;
@@ -309,6 +330,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
        else
                authmsg = authenticated ? "Accepted" : "Failed";
+        if ((extra = format_method_key(authctxt)) == NULL) {
+                if (authctxt->auth_method_info != NULL)
+                        extra = xstrdup(authctxt->auth_method_info);
+        }
        authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
            authmsg,
            method,
@@ -317,10 +343,10 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
            authctxt->user,
            ssh_remote_ipaddr(ssh),
            ssh_remote_port(ssh),
-            authctxt->info != NULL ? ": " : "",
+            extra != NULL ? ": " : "",
-            authctxt->info != NULL ? authctxt->info : "");
+            extra != NULL ? extra : "");
-        free(authctxt->info);
-        authctxt->info = NULL;
+        free(extra);
 #ifdef CUSTOM_FAILED_LOGIN
        if (authenticated == 0 && !authctxt->postponed &&
author	djm@openbsd.org <djm@openbsd.org>	2017-06-24 06:34:38 +0000
committer	Damien Miller <djm@mindrot.org>	2017-06-24 16:56:11 +1000
commit	8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch)
tree	51ab66a6011af6459e0d4ca15a4b4b78368607a1 /auth.c
parent	e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff)

diff --git a/auth.c b/auth.c index fd8211505..96116ecfe 100644 --- a/auth.c +++ b/auth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth.c,v 1.121 2017/05/30 08:52:19 markus Exp $ */	1	/* $OpenBSD: auth.c,v 1.122 2017/06/24 06:34:38 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -267,21 +267,41 @@ allowed_user(struct passwd * pw)
267	return 1;	267	return 1;
268	}	268	}
269		269
270	void	270	/*
271	auth_info(Authctxt authctxt, const char fmt, ...)	271	* Formats any key left in authctxt->auth_method_key for inclusion in
		272	* auth_log()'s message. Also includes authxtct->auth_method_info if present.
		273	*/
		274	static char *
		275	format_method_key(Authctxt *authctxt)
272	{	276	{
273	va_list ap;	277	const struct sshkey *key = authctxt->auth_method_key;
274	int i;	278	const char *methinfo = authctxt->auth_method_info;
275		279	char fp, ret = NULL;
276	free(authctxt->info);
277	authctxt->info = NULL;
278		280
279	va_start(ap, fmt);	281	if (key == NULL)
280	i = vasprintf(&authctxt->info, fmt, ap);	282	return NULL;
281	va_end(ap);
282		283
283	if (i < 0 \|\| authctxt->info == NULL)	284	if (key_is_cert(key)) {
284	fatal("vasprintf failed");	285	fp = sshkey_fingerprint(key->cert->signature_key,
		286	options.fingerprint_hash, SSH_FP_DEFAULT);
		287	xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s",
		288	sshkey_type(key), key->cert->key_id,
		289	(unsigned long long)key->cert->serial,
		290	sshkey_type(key->cert->signature_key),
		291	fp == NULL ? "(null)" : fp,
		292	methinfo == NULL ? "" : ", ",
		293	methinfo == NULL ? "" : methinfo);
		294	free(fp);
		295	} else {
		296	fp = sshkey_fingerprint(key, options.fingerprint_hash,
		297	SSH_FP_DEFAULT);
		298	xasprintf(&ret, "%s %s%s%s", sshkey_type(key),
		299	fp == NULL ? "(null)" : fp,
		300	methinfo == NULL ? "" : ", ",
		301	methinfo == NULL ? "" : methinfo);
		302	free(fp);
		303	}
		304	return ret;
285	}	305	}
286		306
287	void	307	void
@@ -290,7 +310,8 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
290	{	310	{
291	struct ssh ssh = active_state; / XXX */	311	struct ssh ssh = active_state; / XXX */
292	void (authlog) (const char fmt,...) = verbose;	312	void (authlog) (const char fmt,...) = verbose;
293	char *authmsg;	313	const char *authmsg;
		314	char *extra = NULL;
294		315
295	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)	316	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
296	return;	317	return;
@@ -309,6 +330,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
309	else	330	else
310	authmsg = authenticated ? "Accepted" : "Failed";	331	authmsg = authenticated ? "Accepted" : "Failed";
311		332
		333	if ((extra = format_method_key(authctxt)) == NULL) {
		334	if (authctxt->auth_method_info != NULL)
		335	extra = xstrdup(authctxt->auth_method_info);
		336	}
		337
312	authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",	338	authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
313	authmsg,	339	authmsg,
314	method,	340	method,
@@ -317,10 +343,10 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
317	authctxt->user,	343	authctxt->user,
318	ssh_remote_ipaddr(ssh),	344	ssh_remote_ipaddr(ssh),
319	ssh_remote_port(ssh),	345	ssh_remote_port(ssh),
320	authctxt->info != NULL ? ": " : "",	346	extra != NULL ? ": " : "",
321	authctxt->info != NULL ? authctxt->info : "");	347	extra != NULL ? extra : "");
322	free(authctxt->info);	348
323	authctxt->info = NULL;	349	free(extra);
324		350
325	#ifdef CUSTOM_FAILED_LOGIN	351	#ifdef CUSTOM_FAILED_LOGIN
326	if (authenticated == 0 && !authctxt->postponed &&	352	if (authenticated == 0 && !authctxt->postponed &&