diff options
| author | Damien Miller <djm@mindrot.org> | 2012-12-03 09:53:20 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-12-03 09:53:20 +1100 |
| commit | 15b05cfa17592da7470d7bd4b2de063188697471 (patch) | |
| tree | 50686085795dc25237f6aabe4c2a5963f38a6e06 /monitor.c | |
| parent | aa5b3f831417bac9538d2b6f21d55fef278e8926 (diff) | |
- djm@cvs.openbsd.org 2012/12/02 20:34:10
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
[monitor.c monitor.h]
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.
Fix multiple authentication when one of the methods is
keyboard-interactive.
ok markus@
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 25 |
1 files changed, 17 insertions, 8 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.118 2012/11/04 11:09:15 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.119 2012/12/02 20:34:10 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY; | |||
| 199 | static char *hostbased_cuser = NULL; | 199 | static char *hostbased_cuser = NULL; |
| 200 | static char *hostbased_chost = NULL; | 200 | static char *hostbased_chost = NULL; |
| 201 | static char *auth_method = "unknown"; | 201 | static char *auth_method = "unknown"; |
| 202 | static char *auth_submethod = NULL; | ||
| 202 | static u_int session_id2_len = 0; | 203 | static u_int session_id2_len = 0; |
| 203 | static u_char *session_id2 = NULL; | 204 | static u_char *session_id2 = NULL; |
| 204 | static pid_t monitor_child_pid; | 205 | static pid_t monitor_child_pid; |
| @@ -352,7 +353,7 @@ void | |||
| 352 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 353 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
| 353 | { | 354 | { |
| 354 | struct mon_table *ent; | 355 | struct mon_table *ent; |
| 355 | int authenticated = 0; | 356 | int authenticated = 0, partial = 0; |
| 356 | 357 | ||
| 357 | debug3("preauth child monitor started"); | 358 | debug3("preauth child monitor started"); |
| 358 | 359 | ||
| @@ -379,7 +380,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 379 | 380 | ||
| 380 | /* The first few requests do not require asynchronous access */ | 381 | /* The first few requests do not require asynchronous access */ |
| 381 | while (!authenticated) { | 382 | while (!authenticated) { |
| 383 | partial = 0; | ||
| 382 | auth_method = "unknown"; | 384 | auth_method = "unknown"; |
| 385 | auth_submethod = NULL; | ||
| 383 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 386 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); |
| 384 | 387 | ||
| 385 | /* Special handling for multiple required authentications */ | 388 | /* Special handling for multiple required authentications */ |
| @@ -393,6 +396,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 393 | debug3("%s: method %s: partial", __func__, | 396 | debug3("%s: method %s: partial", __func__, |
| 394 | auth_method); | 397 | auth_method); |
| 395 | authenticated = 0; | 398 | authenticated = 0; |
| 399 | partial = 1; | ||
| 396 | } | 400 | } |
| 397 | } | 401 | } |
| 398 | 402 | ||
| @@ -417,7 +421,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 417 | #endif | 421 | #endif |
| 418 | } | 422 | } |
| 419 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 423 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
| 420 | auth_log(authctxt, authenticated, auth_method, | 424 | auth_log(authctxt, authenticated, partial, |
| 425 | auth_method, auth_submethod, | ||
| 421 | compat20 ? " ssh2" : ""); | 426 | compat20 ? " ssh2" : ""); |
| 422 | if (!authenticated) | 427 | if (!authenticated) |
| 423 | authctxt->failures++; | 428 | authctxt->failures++; |
| @@ -943,7 +948,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) | |||
| 943 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); | 948 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); |
| 944 | 949 | ||
| 945 | if (compat20) | 950 | if (compat20) |
| 946 | auth_method = "keyboard-interactive"; | 951 | auth_method = "keyboard-interactive"; /* XXX auth_submethod */ |
| 947 | else | 952 | else |
| 948 | auth_method = "bsdauth"; | 953 | auth_method = "bsdauth"; |
| 949 | 954 | ||
| @@ -1084,7 +1089,8 @@ mm_answer_pam_query(int sock, Buffer *m) | |||
| 1084 | xfree(prompts); | 1089 | xfree(prompts); |
| 1085 | if (echo_on != NULL) | 1090 | if (echo_on != NULL) |
| 1086 | xfree(echo_on); | 1091 | xfree(echo_on); |
| 1087 | auth_method = "keyboard-interactive/pam"; | 1092 | auth_method = "keyboard-interactive"; |
| 1093 | auth_submethod = "pam"; | ||
| 1088 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); | 1094 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); |
| 1089 | return (0); | 1095 | return (0); |
| 1090 | } | 1096 | } |
| @@ -1113,7 +1119,8 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
| 1113 | buffer_clear(m); | 1119 | buffer_clear(m); |
| 1114 | buffer_put_int(m, ret); | 1120 | buffer_put_int(m, ret); |
| 1115 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); | 1121 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); |
| 1116 | auth_method = "keyboard-interactive/pam"; | 1122 | auth_method = "keyboard-interactive"; |
| 1123 | auth_submethod = "pam"; | ||
| 1117 | if (ret == 0) | 1124 | if (ret == 0) |
| 1118 | sshpam_authok = sshpam_ctxt; | 1125 | sshpam_authok = sshpam_ctxt; |
| 1119 | return (0); | 1126 | return (0); |
| @@ -1127,7 +1134,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) | |||
| 1127 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1134 | (sshpam_device.free_ctx)(sshpam_ctxt); |
| 1128 | buffer_clear(m); | 1135 | buffer_clear(m); |
| 1129 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1136 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
| 1130 | auth_method = "keyboard-interactive/pam"; | 1137 | auth_method = "keyboard-interactive"; |
| 1138 | auth_submethod = "pam"; | ||
| 1131 | return (sshpam_authok == sshpam_ctxt); | 1139 | return (sshpam_authok == sshpam_ctxt); |
| 1132 | } | 1140 | } |
| 1133 | #endif | 1141 | #endif |
| @@ -1201,7 +1209,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1201 | hostbased_chost = chost; | 1209 | hostbased_chost = chost; |
| 1202 | } else { | 1210 | } else { |
| 1203 | /* Log failed attempt */ | 1211 | /* Log failed attempt */ |
| 1204 | auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); | 1212 | auth_log(authctxt, 0, 0, auth_method, NULL, |
| 1213 | compat20 ? " ssh2" : ""); | ||
| 1205 | xfree(blob); | 1214 | xfree(blob); |
| 1206 | xfree(cuser); | 1215 | xfree(cuser); |
| 1207 | xfree(chost); | 1216 | xfree(chost); |