summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog13
-rw-r--r--auth.c38
-rw-r--r--monitor.c2
3 files changed, 13 insertions, 40 deletions
diff --git a/ChangeLog b/ChangeLog
index 8dc22c86b..767208bf3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,13 @@
120050517 120060521
2 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
3 and slave, we can remove the special-case handling in the audit hook in
4 auth_log.
5
620060517
2 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file 7 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
3 pointer leak. From kjhall at us.ibm.com, found by coverity. 8 pointer leak. From kjhall at us.ibm.com, found by coverity.
4 9
520050515 1020060515
6 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of 11 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
7 _res, prevents problems on some platforms that have _res as a global but 12 _res, prevents problems on some platforms that have _res as a global but
8 don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by 13 don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
@@ -12,7 +17,7 @@
12 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and 17 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
13 do not allow kbdint again after the PAM account check fails. ok djm@ 18 do not allow kbdint again after the PAM account check fails. ok djm@
14 19
1520050506 2020060506
16 - (dtucker) OpenBSD CVS Sync 21 - (dtucker) OpenBSD CVS Sync
17 - dtucker@cvs.openbsd.org 2006/04/25 08:02:27 22 - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
18 [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c] 23 [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
@@ -4625,4 +4630,4 @@
4625 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 4630 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
4626 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 4631 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4627 4632
4628$Id: ChangeLog,v 1.4329 2006/05/17 12:24:56 dtucker Exp $ 4633$Id: ChangeLog,v 1.4330 2006/05/21 08:26:40 dtucker Exp $
diff --git a/auth.c b/auth.c
index e43c81658..ffa94e886 100644
--- a/auth.c
+++ b/auth.c
@@ -271,42 +271,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
271 get_canonical_hostname(options.use_dns), "ssh"); 271 get_canonical_hostname(options.use_dns), "ssh");
272#endif 272#endif
273#ifdef SSH_AUDIT_EVENTS 273#ifdef SSH_AUDIT_EVENTS
274 if (authenticated == 0 && !authctxt->postponed) { 274 if (authenticated == 0 && !authctxt->postponed)
275 ssh_audit_event_t event; 275 audit_event(audit_classify_auth(method));
276
277 debug3("audit failed auth attempt, method %s euid %d",
278 method, (int)geteuid());
279 /*
280 * Because the auth loop is used in both monitor and slave,
281 * we must be careful to send each event only once and with
282 * enough privs to write the event.
283 */
284 event = audit_classify_auth(method);
285 switch(event) {
286 case SSH_AUTH_FAIL_NONE:
287 case SSH_AUTH_FAIL_PASSWD:
288 case SSH_AUTH_FAIL_KBDINT:
289 if (geteuid() == 0)
290 audit_event(event);
291 break;
292 case SSH_AUTH_FAIL_PUBKEY:
293 case SSH_AUTH_FAIL_HOSTBASED:
294 case SSH_AUTH_FAIL_GSSAPI:
295 /*
296 * This is required to handle the case where privsep
297 * is enabled but it's root logging in, since
298 * use_privsep won't be cleared until after a
299 * successful login.
300 */
301 if (geteuid() == 0)
302 audit_event(event);
303 else
304 PRIVSEP(audit_event(event));
305 break;
306 default:
307 error("unknown authentication audit event %d", event);
308 }
309 }
310#endif 276#endif
311} 277}
312 278
diff --git a/monitor.c b/monitor.c
index 4b8287d85..08919ddfc 100644
--- a/monitor.c
+++ b/monitor.c
@@ -909,6 +909,7 @@ mm_answer_pam_query(int sock, Buffer *m)
909 xfree(prompts); 909 xfree(prompts);
910 if (echo_on != NULL) 910 if (echo_on != NULL)
911 xfree(echo_on); 911 xfree(echo_on);
912 auth_method = "keyboard-interactive/pam";
912 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); 913 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
913 return (0); 914 return (0);
914} 915}
@@ -951,6 +952,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
951 (sshpam_device.free_ctx)(sshpam_ctxt); 952 (sshpam_device.free_ctx)(sshpam_ctxt);
952 buffer_clear(m); 953 buffer_clear(m);
953 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); 954 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
955 auth_method = "keyboard-interactive/pam";
954 return (sshpam_authok == sshpam_ctxt); 956 return (sshpam_authok == sshpam_ctxt);
955} 957}
956#endif 958#endif