- djm@cvs.openbsd.org 2012/12/02 20:34:10

     [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
     [monitor.c monitor.h]
     Fixes logging of partial authentication when privsep is enabled
     Previously, we recorded "Failed xxx" since we reset authenticated before
     calling auth_log() in auth2.c. This adds an explcit "Partial" state.

     Add a "submethod" to auth_log() to report which submethod is used
     for keyboard-interactive.

     Fix multiple authentication when one of the methods is
     keyboard-interactive.

     ok markus@

1 files changed, 20 insertions, 17 deletions

diff --git a/auth2.c b/auth2.c
index 8114ec863..e367a1045 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -286,7 +286,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                 debug2("input_userauth_request: try method %s", method);
                 authenticated = m->userauth(authctxt);
         }
-        userauth_finish(authctxt, authenticated, method);
+        userauth_finish(authctxt, authenticated, method, NULL);
 
         xfree(service);
         xfree(user);
@@ -294,7 +294,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 }
 
 void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+    const char *submethod)
 {
         char *methods;
         int partial = 0;
@@ -302,6 +303,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
         if (!authctxt->valid && authenticated)
                 fatal("INTERNAL ERROR: authenticated invalid user %s",
                     authctxt->user);
+        if (authenticated && authctxt->postponed)
+                fatal("INTERNAL ERROR: authenticated and postponed");
 
         /* Special handling for root */
         if (authenticated && authctxt->pw->pw_uid == 0 &&
@@ -312,6 +315,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #endif
         }
 
+        if (authenticated && options.num_auth_methods != 0) {
+                if (!auth2_update_methods_lists(authctxt, method)) {
+                        authenticated = 0;
+                        partial = 1;
+                }
+        }
+
+        /* Log before sending the reply */
+        auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
+
+        if (authctxt->postponed)
+                return;
+
 #ifdef USE_PAM
         if (options.use_pam && authenticated) {
                 if (!PRIVSEP(do_pam_account())) {
@@ -330,23 +346,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef _UNICOS
         if (authenticated && cray_access_denied(authctxt->user)) {
                 authenticated = 0;
-                fatal("Access denied for user %s.",authctxt->user);
+                fatal("Access denied for user %s.", authctxt->user);
         }
 #endif /* _UNICOS */
 
-        /* Log before sending the reply */
-        auth_log(authctxt, authenticated, method, " ssh2");
-
-        if (authctxt->postponed)
-                return;
-
-        if (authenticated && options.num_auth_methods != 0) {
-                if (!auth2_update_methods_lists(authctxt, method)) {
-                        authenticated = 0;
-                        partial = 1;
-                }
-        }
-
         if (authenticated == 1) {
                 /* turn off userauth */
                 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);