diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-06-24 06:34:38 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-06-24 16:56:11 +1000 |
| commit | 8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch) | |
| tree | 51ab66a6011af6459e0d4ca15a4b4b78368607a1 /auth.h | |
| parent | e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff) | |
upstream commit
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'auth.h')
| -rw-r--r-- | auth.h | 48 |
1 files changed, 33 insertions, 15 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.h,v 1.91 2017/05/30 14:29:59 markus Exp $ */ | 1 | /* $OpenBSD: auth.h,v 1.92 2017/06/24 06:34:38 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| @@ -44,6 +44,7 @@ | |||
| 44 | 44 | ||
| 45 | struct ssh; | 45 | struct ssh; |
| 46 | struct sshkey; | 46 | struct sshkey; |
| 47 | struct sshbuf; | ||
| 47 | 48 | ||
| 48 | typedef struct Authctxt Authctxt; | 49 | typedef struct Authctxt Authctxt; |
| 49 | typedef struct Authmethod Authmethod; | 50 | typedef struct Authmethod Authmethod; |
| @@ -62,13 +63,17 @@ struct Authctxt { | |||
| 62 | char *service; | 63 | char *service; |
| 63 | struct passwd *pw; /* set if 'valid' */ | 64 | struct passwd *pw; /* set if 'valid' */ |
| 64 | char *style; | 65 | char *style; |
| 66 | |||
| 67 | /* Method lists for multiple authentication */ | ||
| 68 | char **auth_methods; /* modified from server config */ | ||
| 69 | u_int num_auth_methods; | ||
| 70 | |||
| 71 | /* Authentication method-specific data */ | ||
| 72 | void *methoddata; | ||
| 65 | void *kbdintctxt; | 73 | void *kbdintctxt; |
| 66 | char *info; /* Extra info for next auth_log */ | ||
| 67 | #ifdef BSD_AUTH | 74 | #ifdef BSD_AUTH |
| 68 | auth_session_t *as; | 75 | auth_session_t *as; |
| 69 | #endif | 76 | #endif |
| 70 | char **auth_methods; /* modified from server config */ | ||
| 71 | u_int num_auth_methods; | ||
| 72 | #ifdef KRB5 | 77 | #ifdef KRB5 |
| 73 | krb5_context krb5_ctx; | 78 | krb5_context krb5_ctx; |
| 74 | krb5_ccache krb5_fwd_ccache; | 79 | krb5_ccache krb5_fwd_ccache; |
| @@ -76,12 +81,20 @@ struct Authctxt { | |||
| 76 | char *krb5_ticket_file; | 81 | char *krb5_ticket_file; |
| 77 | char *krb5_ccname; | 82 | char *krb5_ccname; |
| 78 | #endif | 83 | #endif |
| 79 | Buffer *loginmsg; | 84 | struct sshbuf *loginmsg; |
| 80 | void *methoddata; | 85 | |
| 86 | /* Authentication keys already used; these will be refused henceforth */ | ||
| 87 | struct sshkey **prev_keys; | ||
| 88 | u_int nprev_keys; | ||
| 81 | 89 | ||
| 82 | struct sshkey **prev_userkeys; | 90 | /* Last used key and ancilliary information from active auth method */ |
| 83 | u_int nprev_userkeys; | 91 | struct sshkey *auth_method_key; |
| 92 | char *auth_method_info; | ||
| 93 | |||
| 94 | /* Information exposed to session */ | ||
| 95 | struct sshbuf *session_info; /* Auth info for environment */ | ||
| 84 | }; | 96 | }; |
| 97 | |||
| 85 | /* | 98 | /* |
| 86 | * Every authentication method has to handle authentication requests for | 99 | * Every authentication method has to handle authentication requests for |
| 87 | * non-existing users, or for users that are not allowed to login. In this | 100 | * non-existing users, or for users that are not allowed to login. In this |
| @@ -120,10 +133,18 @@ int auth_password(Authctxt *, const char *); | |||
| 120 | int hostbased_key_allowed(struct passwd *, const char *, char *, | 133 | int hostbased_key_allowed(struct passwd *, const char *, char *, |
| 121 | struct sshkey *); | 134 | struct sshkey *); |
| 122 | int user_key_allowed(struct passwd *, struct sshkey *, int); | 135 | int user_key_allowed(struct passwd *, struct sshkey *, int); |
| 123 | void pubkey_auth_info(Authctxt *, const struct sshkey *, const char *, ...) | 136 | int auth2_key_already_used(Authctxt *, const struct sshkey *); |
| 124 | __attribute__((__format__ (printf, 3, 4))); | 137 | |
| 125 | void auth2_record_userkey(Authctxt *, struct sshkey *); | 138 | /* |
| 126 | int auth2_userkey_already_used(Authctxt *, struct sshkey *); | 139 | * Handling auth method-specific information for logging and prevention |
| 140 | * of key reuse during multiple authentication. | ||
| 141 | */ | ||
| 142 | void auth2_authctxt_reset_info(Authctxt *); | ||
| 143 | void auth2_record_key(Authctxt *, int, const struct sshkey *); | ||
| 144 | void auth2_record_info(Authctxt *authctxt, const char *, ...) | ||
| 145 | __attribute__((__format__ (printf, 2, 3))) | ||
| 146 | __attribute__((__nonnull__ (2))); | ||
| 147 | void auth2_update_session_info(Authctxt *, const char *, const char *); | ||
| 127 | 148 | ||
| 128 | struct stat; | 149 | struct stat; |
| 129 | int auth_secure_path(const char *, struct stat *, const char *, uid_t, | 150 | int auth_secure_path(const char *, struct stat *, const char *, uid_t, |
| @@ -150,9 +171,6 @@ void disable_forwarding(void); | |||
| 150 | 171 | ||
| 151 | void do_authentication2(Authctxt *); | 172 | void do_authentication2(Authctxt *); |
| 152 | 173 | ||
| 153 | void auth_info(Authctxt *authctxt, const char *, ...) | ||
| 154 | __attribute__((__format__ (printf, 2, 3))) | ||
| 155 | __attribute__((__nonnull__ (2))); | ||
| 156 | void auth_log(Authctxt *, int, int, const char *, const char *); | 174 | void auth_log(Authctxt *, int, int, const char *, const char *); |
| 157 | void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn)); | 175 | void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn)); |
| 158 | void userauth_finish(struct ssh *, int, const char *, const char *); | 176 | void userauth_finish(struct ssh *, int, const char *, const char *); |