author | djm@openbsd.org <djm@openbsd.org> | 2017-06-24 06:34:38 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2017-06-24 16:56:11 +1000 |
commit | 8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch) | |
tree | 51ab66a6011af6459e0d4ca15a4b4b78368607a1 /session.c | |
parent | e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff) |
upstream commit
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 54 |
1 files changed, 53 insertions, 1 deletions
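--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.289 2017/06/24 05:24:11 djm Exp $ */
+/* $OpenBSD: session.c,v 1.290 2017/06/24 06:34:38 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -94,6 +94,7 @@
 #include "kex.h"
 #include "monitor_wrap.h"
 #include "sftp.h"
+#include "atomicio.h"
 
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
@@ -160,6 +161,9 @@ login_cap_t *lc;
 static int is_child = 0;
 static int in_chroot = 0;
 
+/* File containing userauth info, if ExposeAuthInfo set */
+static char *auth_info_file = NULL;
+
 /* Name and directory of socket for authentication agent forwarding. */
 static char *auth_sock_name = NULL;
 static char *auth_sock_dir = NULL;
@@ -249,6 +253,40 @@ display_loginmsg(void)
 }
 }
 
+static void
+prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
+{
+int fd = -1, success = 0;
+
+if (!options.expose_userauth_info || info == NULL)
+return;
+
+temporarily_use_uid(pw);
+auth_info_file = xstrdup("/tmp/sshauth.XXXXXXXXXXXXXXX");
+if ((fd = mkstemp(auth_info_file)) == -1) {
+error("%s: mkstemp: %s", __func__, strerror(errno));
+goto out;
+}
+if (atomicio(vwrite, fd, sshbuf_mutable_ptr(info),
+sshbuf_len(info)) != sshbuf_len(info)) {
+error("%s: write: %s", __func__, strerror(errno));
+goto out;
+}
+if (close(fd) != 0) {
+error("%s: close: %s", __func__, strerror(errno));
+goto out;
+}
+success = 1;
+out:
+if (!success) {
+if (fd != -1)
+close(fd);
+free(auth_info_file);
+auth_info_file = NULL;
+}
+restore_uid();
+}
+
 void
 do_authenticated(Authctxt *authctxt)
 {
@@ -264,7 +302,10 @@ do_authenticated(Authctxt *authctxt)
 
 auth_debug_send();
 
+prepare_auth_info_file(authctxt->pw, authctxt->session_info);
+
 do_authenticated2(authctxt);
+
 do_cleanup(authctxt);
 }
 
@@ -1077,6 +1118,8 @@ do_setup_env(Session *s, const char *shell)
 free(laddr);
 child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
 
+if (auth_info_file != NULL)
+child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file);
 if (s->ttyfd != -1)
 child_set_env(&env, &envsize, "SSH_TTY", s->tty);
 if (s->term)
@@ -2549,6 +2592,15 @@ do_cleanup(Authctxt *authctxt)
 /* remove agent socket */
 auth_sock_cleanup_proc(authctxt->pw);
 
+/* remove userauth info */
+if (auth_info_file != NULL) {
+temporarily_use_uid(authctxt->pw);
+unlink(auth_info_file);
+restore_uid();
+free(auth_info_file);
+auth_info_file = NULL;
+}
+
 /*
 * Cleanup ptys/utmp only if privsep is disabled,
 * or if running in monitor.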
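Review bot: The failure path of prepare_auth_info_file leaves a partially written credentials file behind: once mkstemp has created the file, a failed write or close jumps to `out:`, which closes the descriptor and frees the name but never unlinks the file, and because `auth_info_file` is reset to NULL the removal in do_cleanup (keyed on `auth_info_file != NULL`) will not catch it either. In the close-failure branch fd is also left untouched, so `close(fd)` runs a second time at `out:`; on Linux and the BSDs the descriptor is already released by then, so that is at best EBADF and at worst closes a descriptor that has since been reused. I would record whether the file was created, unlink it on any failure after that point, and set fd to -1 as soon as close() has been attempted, as sketched below. The function is entirely within the hunk.
```c
	int fd = -1, success = 0, created = 0;
	/* … unchanged: ExposeAuthInfo check, temporarily_use_uid, xstrdup … */
	if ((fd = mkstemp(auth_info_file)) == -1) {
		error("%s: mkstemp: %s", __func__, strerror(errno));
		goto out;
	}
	created = 1;
	/* … unchanged: atomicio write … */
	if (close(fd) != 0) {
		fd = -1;	/* descriptor is released even when close() fails */
		error("%s: close: %s", __func__, strerror(errno));
		goto out;
	}
	fd = -1;
	success = 1;
 out:
	if (!success) {
		if (fd != -1)
			close(fd);
		if (created)
			unlink(auth_info_file);	/* never leave a partial auth-info file on disk */
		free(auth_info_file);
		auth_info_file = NULL;
	}
	restore_uid();
```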