authordjm@openbsd.org <djm@openbsd.org>2017-06-24 06:34:38 +0000
committerDamien Miller <djm@mindrot.org>2017-06-24 16:56:11 +1000
commit8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch)
tree51ab66a6011af6459e0d4ca15a4b4b78368607a1 /monitor.c
parente2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff)
upstream commit
refactor authentication logging; optionally record successful auth methods and public credentials used in a file accessible to user sessions. feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c41
1 files changed, 23 insertions, 18 deletions
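diff --git a/monitor.c b/monitor.c
index 8897f6a82..8a7897bde 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.171 2017/05/31 10:04:29 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.172 2017/06/24 06:34:38 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -308,6 +308,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 		partial = 0;
 		auth_method = "unknown";
 		auth_submethod = NULL;
+		auth2_authctxt_reset_info(authctxt);
+
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 
 		/* Special handling for multiple required authentications */
@@ -347,6 +349,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 			    auth_method, auth_submethod);
 			if (!partial && !authenticated)
 				authctxt->failures++;
+			if (authenticated || partial) {
+				auth2_update_session_info(authctxt,
+				    auth_method, auth_submethod);
+			}
 		}
 	}
 
@@ -1147,12 +1153,11 @@ mm_answer_keyallowed(int sock, Buffer *m)
 	switch (type) {
 	case MM_USERKEY:
 		allowed = options.pubkey_authentication &&
-		    !auth2_userkey_already_used(authctxt, key) &&
+		    !auth2_key_already_used(authctxt, key) &&
 		    match_pattern_list(sshkey_ssh_name(key),
 		    options.pubkey_key_types, 0) == 1 &&
 		    user_key_allowed(authctxt->pw, key,
 		    pubkey_auth_attempt);
-		pubkey_auth_info(authctxt, key, NULL);
 		auth_method = "publickey";
 		if (options.pubkey_authentication &&
 		    (!pubkey_auth_attempt || allowed != 1))
@@ -1160,11 +1165,12 @@ mm_answer_keyallowed(int sock, Buffer *m)
 			break;
 	case MM_HOSTKEY:
 		allowed = options.hostbased_authentication &&
+		    !auth2_key_already_used(authctxt, key) &&
 		    match_pattern_list(sshkey_ssh_name(key),
 		    options.hostbased_key_types, 0) == 1 &&
 		    hostbased_key_allowed(authctxt->pw,
 		    cuser, chost, key);
-		pubkey_auth_info(authctxt, key,
+		auth2_record_info(authctxt,
 		    "client user \"%.100s\", client host \"%.100s\"",
 		    cuser, chost);
 		auth_method = "hostbased";
@@ -1175,11 +1181,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
 	}
 	}
 
-	debug3("%s: key %p is %s",
-	    __func__, key, allowed ? "allowed" : "not allowed");
+	debug3("%s: key is %s", __func__, allowed ? "allowed" : "not allowed");
 
-	if (key != NULL)
-		key_free(key);
+	auth2_record_key(authctxt, 0, key);
+	sshkey_free(key);
 
 	/* clear temporarily storage (used by verify) */
 	monitor_reset_key_state();
@@ -1353,10 +1358,12 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 	switch (key_blobtype) {
 	case MM_USERKEY:
 		valid_data = monitor_valid_userblob(data, datalen);
+		auth_method = "publickey";
 		break;
 	case MM_HOSTKEY:
 		valid_data = monitor_valid_hostbasedblob(data, datalen,
 		    hostbased_cuser, hostbased_chost);
+		auth_method = "hostbased";
 		break;
 	default:
 		valid_data = 0;
@@ -1367,23 +1374,17 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 
 	ret = sshkey_verify(key, signature, signaturelen, data, datalen,
 	    active_state->compat);
-	debug3("%s: key %p signature %s",
-	    __func__, key, (ret == 0) ? "verified" : "unverified");
-
-	/* If auth was successful then record key to ensure it isn't reused */
-	if (ret == 0 && key_blobtype == MM_USERKEY)
-		auth2_record_userkey(authctxt, key);
-	else
-		sshkey_free(key);
+	debug3("%s: %s %p signature %s", __func__, auth_method, key,
+	    (ret == 0) ? "verified" : "unverified");
+	auth2_record_key(authctxt, ret == 0, key);
 
 	free(blob);
 	free(signature);
 	free(data);
 
-	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
-
 	monitor_reset_key_state();
 
+	sshkey_free(key);
 	sshbuf_reset(m);
 
 	/* encode ret != 0 as positive integer, since we're sending u32 */
@@ -1799,6 +1800,7 @@ int
 mm_answer_gss_userok(int sock, Buffer *m)
 {
 	int authenticated;
+	const char *displayname;
 
 	if (!options.gss_authentication)
 		fatal("%s: GSSAPI authentication not enabled", __func__);
@@ -1813,6 +1815,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
 
 	auth_method = "gssapi-with-mic";
 
+	if ((displayname = ssh_gssapi_displayname()) != NULL)
+		auth2_record_info(authctxt, "%s", displayname);
+
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }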
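Review bot: In the mm_answer_keyallowed hunk at new line 1186, `auth2_record_key(authctxt, 0, key)` is now called unconditionally, whereas the removed code guarded `key_free(key)` with `if (key != NULL)` — that guard existed because the key parsed from the child's blob can be NULL, and this function's beginning (where that parse happens) is outside the hunk. Unless auth2_record_key tolerates a NULL key (its body is in another file and not shown here), the monitor should keep the guard: `if (key != NULL) auth2_record_key(authctxt, 0, key);`, since a malformed blob is input arriving from the less-privileged child. The same hunk and the mm_answer_keyverify hunk at new lines 1379 and 1387 also change the ownership contract: the key is now recorded and then freed by the caller, so auth2_record_key must copy it rather than retain the pointer; a one-line comment such as `/* auth2_record_key() takes a copy; the monitor keeps ownership of key */` above the call in each function would make that contract visible to the next maintainer.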