summaryrefslogtreecommitdiff
path: root/auth.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2005-05-25 11:01:01 +0000
committerColin Watson <cjwatson@debian.org>2005-05-25 11:01:01 +0000
commite88de75a1a236779a10e8ccbcc51d25308be8840 (patch)
tree7495477a2a7d0cac17a9fcded020b6ea816182ef /auth.c
parent30a0f9443782cd9d7308acd09430bf586186aa55 (diff)
parent5d05471f6657646d1d6500c7c43134462c407ee6 (diff)
Merge 4.0p1 to the trunk.
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c81
1 files changed, 66 insertions, 15 deletions
diff --git a/auth.c b/auth.c
index 0956b0b19..256807683 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $"); 26RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $");
27 27
28#ifdef HAVE_LOGIN_H 28#ifdef HAVE_LOGIN_H
29#include <login.h> 29#include <login.h>
@@ -50,6 +50,8 @@ RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
50#include "misc.h" 50#include "misc.h"
51#include "bufaux.h" 51#include "bufaux.h"
52#include "packet.h" 52#include "packet.h"
53#include "loginrec.h"
54#include "monitor_wrap.h"
53 55
54/* import */ 56/* import */
55extern ServerOptions options; 57extern ServerOptions options;
@@ -153,8 +155,9 @@ allowed_user(struct passwd * pw)
153 for (i = 0; i < options.num_deny_users; i++) 155 for (i = 0; i < options.num_deny_users; i++)
154 if (match_user(pw->pw_name, hostname, ipaddr, 156 if (match_user(pw->pw_name, hostname, ipaddr,
155 options.deny_users[i])) { 157 options.deny_users[i])) {
156 logit("User %.100s not allowed because listed in DenyUsers", 158 logit("User %.100s from %.100s not allowed "
157 pw->pw_name); 159 "because listed in DenyUsers",
160 pw->pw_name, hostname);
158 return 0; 161 return 0;
159 } 162 }
160 } 163 }
@@ -166,16 +169,16 @@ allowed_user(struct passwd * pw)
166 break; 169 break;
167 /* i < options.num_allow_users iff we break for loop */ 170 /* i < options.num_allow_users iff we break for loop */
168 if (i >= options.num_allow_users) { 171 if (i >= options.num_allow_users) {
169 logit("User %.100s not allowed because not listed in AllowUsers", 172 logit("User %.100s from %.100s not allowed because "
170 pw->pw_name); 173 "not listed in AllowUsers", pw->pw_name, hostname);
171 return 0; 174 return 0;
172 } 175 }
173 } 176 }
174 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { 177 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
175 /* Get the user's group access list (primary and supplementary) */ 178 /* Get the user's group access list (primary and supplementary) */
176 if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 179 if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
177 logit("User %.100s not allowed because not in any group", 180 logit("User %.100s from %.100s not allowed because "
178 pw->pw_name); 181 "not in any group", pw->pw_name, hostname);
179 return 0; 182 return 0;
180 } 183 }
181 184
@@ -184,8 +187,9 @@ allowed_user(struct passwd * pw)
184 if (ga_match(options.deny_groups, 187 if (ga_match(options.deny_groups,
185 options.num_deny_groups)) { 188 options.num_deny_groups)) {
186 ga_free(); 189 ga_free();
187 logit("User %.100s not allowed because a group is listed in DenyGroups", 190 logit("User %.100s from %.100s not allowed "
188 pw->pw_name); 191 "because a group is listed in DenyGroups",
192 pw->pw_name, hostname);
189 return 0; 193 return 0;
190 } 194 }
191 /* 195 /*
@@ -196,15 +200,16 @@ allowed_user(struct passwd * pw)
196 if (!ga_match(options.allow_groups, 200 if (!ga_match(options.allow_groups,
197 options.num_allow_groups)) { 201 options.num_allow_groups)) {
198 ga_free(); 202 ga_free();
199 logit("User %.100s not allowed because none of user's groups are listed in AllowGroups", 203 logit("User %.100s from %.100s not allowed "
200 pw->pw_name); 204 "because none of user's groups are listed "
205 "in AllowGroups", pw->pw_name, hostname);
201 return 0; 206 return 0;
202 } 207 }
203 ga_free(); 208 ga_free();
204 } 209 }
205 210
206#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER 211#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
207 if (!sys_auth_allowed_user(pw)) 212 if (!sys_auth_allowed_user(pw, &loginmsg))
208 return 0; 213 return 0;
209#endif 214#endif
210 215
@@ -240,8 +245,50 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
240 info); 245 info);
241 246
242#ifdef CUSTOM_FAILED_LOGIN 247#ifdef CUSTOM_FAILED_LOGIN
243 if (authenticated == 0 && strcmp(method, "password") == 0) 248 if (authenticated == 0 && !authctxt->postponed &&
244 record_failed_login(authctxt->user, "ssh"); 249 (strcmp(method, "password") == 0 ||
250 strncmp(method, "keyboard-interactive", 20) == 0 ||
251 strcmp(method, "challenge-response") == 0))
252 record_failed_login(authctxt->user,
253 get_canonical_hostname(options.use_dns), "ssh");
254#endif
255#ifdef SSH_AUDIT_EVENTS
256 if (authenticated == 0 && !authctxt->postponed) {
257 ssh_audit_event_t event;
258
259 debug3("audit failed auth attempt, method %s euid %d",
260 method, (int)geteuid());
261 /*
262 * Because the auth loop is used in both monitor and slave,
263 * we must be careful to send each event only once and with
264 * enough privs to write the event.
265 */
266 event = audit_classify_auth(method);
267 switch(event) {
268 case SSH_AUTH_FAIL_NONE:
269 case SSH_AUTH_FAIL_PASSWD:
270 case SSH_AUTH_FAIL_KBDINT:
271 if (geteuid() == 0)
272 audit_event(event);
273 break;
274 case SSH_AUTH_FAIL_PUBKEY:
275 case SSH_AUTH_FAIL_HOSTBASED:
276 case SSH_AUTH_FAIL_GSSAPI:
277 /*
278 * This is required to handle the case where privsep
279 * is enabled but it's root logging in, since
280 * use_privsep won't be cleared until after a
281 * successful login.
282 */
283 if (geteuid() == 0)
284 audit_event(event);
285 else
286 PRIVSEP(audit_event(event));
287 break;
288 default:
289 error("unknown authentication audit event %d", event);
290 }
291 }
245#endif 292#endif
246} 293}
247 294
@@ -465,8 +512,12 @@ getpwnamallow(const char *user)
465 logit("Invalid user %.100s from %.100s", 512 logit("Invalid user %.100s from %.100s",
466 user, get_remote_ipaddr()); 513 user, get_remote_ipaddr());
467#ifdef CUSTOM_FAILED_LOGIN 514#ifdef CUSTOM_FAILED_LOGIN
468 record_failed_login(user, "ssh"); 515 record_failed_login(user,
516 get_canonical_hostname(options.use_dns), "ssh");
469#endif 517#endif
518#ifdef SSH_AUDIT_EVENTS
519 audit_event(SSH_INVALID_USER);
520#endif /* SSH_AUDIT_EVENTS */
470 return (NULL); 521 return (NULL);
471 } 522 }
472 if (!allowed_user(pw)) 523 if (!allowed_user(pw))