author | djm@openbsd.org <djm@openbsd.org> | 2017-06-24 06:34:38 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2017-06-24 16:56:11 +1000 |
commit | 8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch) | |
tree | 51ab66a6011af6459e0d4ca15a4b4b78368607a1 /monitor.c | |
parent | e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff) |
upstream commit
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 41 |
1 files changed, 23 insertions, 18 deletions
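--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.171 2017/05/31 10:04:29 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.172 2017/06/24 06:34:38 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -308,6 +308,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 		partial = 0;
 		auth_method = "unknown";
 		auth_submethod = NULL;
+		auth2_authctxt_reset_info(authctxt);
+
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 
 		/* Special handling for multiple required authentications */
@@ -347,6 +349,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 			    auth_method, auth_submethod);
 			if (!partial && !authenticated)
 				authctxt->failures++;
+			if (authenticated || partial) {
+				auth2_update_session_info(authctxt,
+				    auth_method, auth_submethod);
+			}
 		}
 	}
 
@@ -1147,12 +1153,11 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		switch (type) {
 		case MM_USERKEY:
 			allowed = options.pubkey_authentication &&
-			    !auth2_userkey_already_used(authctxt, key) &&
+			    !auth2_key_already_used(authctxt, key) &&
 			    match_pattern_list(sshkey_ssh_name(key),
 			    options.pubkey_key_types, 0) == 1 &&
 			    user_key_allowed(authctxt->pw, key,
 			    pubkey_auth_attempt);
-			pubkey_auth_info(authctxt, key, NULL);
 			auth_method = "publickey";
 			if (options.pubkey_authentication &&
 			    (!pubkey_auth_attempt || allowed != 1))
@@ -1160,11 +1165,12 @@ mm_answer_keyallowed(int sock, Buffer *m)
 			break;
 		case MM_HOSTKEY:
 			allowed = options.hostbased_authentication &&
+			    !auth2_key_already_used(authctxt, key) &&
 			    match_pattern_list(sshkey_ssh_name(key),
 			    options.hostbased_key_types, 0) == 1 &&
 			    hostbased_key_allowed(authctxt->pw,
 			    cuser, chost, key);
-			pubkey_auth_info(authctxt, key,
+			auth2_record_info(authctxt,
 			    "client user \"%.100s\", client host \"%.100s\"",
 			    cuser, chost);
 			auth_method = "hostbased";
@@ -1175,11 +1181,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		}
 	}
 
-	debug3("%s: key %p is %s",
-	    __func__, key, allowed ? "allowed" : "not allowed");
+	debug3("%s: key is %s", __func__, allowed ? "allowed" : "not allowed");
 
-	if (key != NULL)
-		key_free(key);
+	auth2_record_key(authctxt, 0, key);
+	sshkey_free(key);
 
 	/* clear temporarily storage (used by verify) */
 	monitor_reset_key_state();
@@ -1353,10 +1358,12 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 	switch (key_blobtype) {
 	case MM_USERKEY:
 		valid_data = monitor_valid_userblob(data, datalen);
+		auth_method = "publickey";
 		break;
 	case MM_HOSTKEY:
 		valid_data = monitor_valid_hostbasedblob(data, datalen,
 		    hostbased_cuser, hostbased_chost);
+		auth_method = "hostbased";
 		break;
 	default:
 		valid_data = 0;
@@ -1367,23 +1374,17 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 
 	ret = sshkey_verify(key, signature, signaturelen, data, datalen,
 	    active_state->compat);
-	debug3("%s: key %p signature %s",
-	    __func__, key, (ret == 0) ? "verified" : "unverified");
-
-	/* If auth was successful then record key to ensure it isn't reused */
-	if (ret == 0 && key_blobtype == MM_USERKEY)
-		auth2_record_userkey(authctxt, key);
-	else
-		sshkey_free(key);
+	debug3("%s: %s %p signature %s", __func__, auth_method, key,
+	    (ret == 0) ? "verified" : "unverified");
+	auth2_record_key(authctxt, ret == 0, key);
 
 	free(blob);
 	free(signature);
 	free(data);
 
-	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
-
 	monitor_reset_key_state();
 
+	sshkey_free(key);
 	sshbuf_reset(m);
 
 	/* encode ret != 0 as positive integer, since we're sending u32 */
@@ -1799,6 +1800,7 @@ int
 mm_answer_gss_userok(int sock, Buffer *m)
 {
 	int authenticated;
+	const char *displayname;
 
 	if (!options.gss_authentication)
 		fatal("%s: GSSAPI authentication not enabled", __func__);
@@ -1813,6 +1815,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
 
 	auth_method = "gssapi-with-mic";
 
+	if ((displayname = ssh_gssapi_displayname()) != NULL)
+		auth2_record_info(authctxt, "%s", displayname);
+
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }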
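Review bot: `auth2_record_key(authctxt, 0, key);` at new line 1186 of mm_answer_keyallowed is reached unconditionally, yet the `if (key != NULL)` guard this hunk removes from in front of the free shows that `key` can be NULL at that point (the parse that sets it is outside the hunk); unless auth2_record_key tolerates a NULL key, an unparseable key blob from the unprivileged child would crash the privileged monitor, so guard the call: `if (key != NULL) auth2_record_key(authctxt, 0, key);`. The unconditional `sshkey_free(key)` that follows, and the one at new line 1387 in mm_answer_keyverify, replace code that freed the key only when it was not recorded, so both are sound only if auth2_record_key stores its own copy rather than the pointer it is given; that contract is not visible in this file. A one-line comment at the first call, e.g. `/* auth2_record_key() must keep its own copy: key is freed below */`, would pin the assumption the two frees depend on. Both mm_answer_keyallowed and mm_answer_keyverify start and end outside their hunks.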