-rw-r--r-- | ChangeLog | 14 | ||||
-rw-r--r-- | auth.c | 12 | ||||
-rw-r--r-- | auth.h | 10 | ||||
-rw-r--r-- | auth1.c | 8 | ||||
-rw-r--r-- | auth2-chall.c | 12 | ||||
-rw-r--r-- | auth2-gss.c | 8 | ||||
-rw-r--r-- | auth2-jpake.c | 4 | ||||
-rw-r--r-- | auth2.c | 37 | ||||
-rw-r--r-- | monitor.c | 25 | ||||
-rw-r--r-- | monitor.h | 80 |
10 files changed, 123 insertions, 87 deletions
@@ -29,6 +29,20 @@ | |||
29 | - djm@cvs.openbsd.org 2012/11/14 02:32:15 | 29 | - djm@cvs.openbsd.org 2012/11/14 02:32:15 |
30 | [ssh-keygen.c] | 30 | [ssh-keygen.c] |
31 | allow the full range of unsigned serial numbers; 'fine' deraadt@ | 31 | allow the full range of unsigned serial numbers; 'fine' deraadt@ |
32 | - djm@cvs.openbsd.org 2012/12/02 20:34:10 | ||
33 | [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] | ||
34 | [monitor.c monitor.h] | ||
35 | Fixes logging of partial authentication when privsep is enabled | ||
36 | Previously, we recorded "Failed xxx" since we reset authenticated before | ||
37 | calling auth_log() in auth2.c. This adds an explcit "Partial" state. | ||
38 | |||
39 | Add a "submethod" to auth_log() to report which submethod is used | ||
40 | for keyboard-interactive. | ||
41 | |||
42 | Fix multiple authentication when one of the methods is | ||
43 | keyboard-interactive. | ||
44 | |||
45 | ok markus@ | ||
32 | 46 | ||
33 | 20121107 | 47 | 20121107 |
34 | - (djm) OpenBSD CVS Sync | 48 | - (djm) OpenBSD CVS Sync |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.97 2012/10/30 21:29:54 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.98 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw) | |||
251 | } | 251 | } |
252 | 252 | ||
253 | void | 253 | void |
254 | auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | 254 | auth_log(Authctxt *authctxt, int authenticated, int partial, |
255 | const char *method, const char *submethod, const char *info) | ||
255 | { | 256 | { |
256 | void (*authlog) (const char *fmt,...) = verbose; | 257 | void (*authlog) (const char *fmt,...) = verbose; |
257 | char *authmsg; | 258 | char *authmsg; |
@@ -268,12 +269,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | |||
268 | 269 | ||
269 | if (authctxt->postponed) | 270 | if (authctxt->postponed) |
270 | authmsg = "Postponed"; | 271 | authmsg = "Postponed"; |
272 | else if (partial) | ||
273 | authmsg = "Partial"; | ||
271 | else | 274 | else |
272 | authmsg = authenticated ? "Accepted" : "Failed"; | 275 | authmsg = authenticated ? "Accepted" : "Failed"; |
273 | 276 | ||
274 | authlog("%s %s for %s%.100s from %.200s port %d%s", | 277 | authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", |
275 | authmsg, | 278 | authmsg, |
276 | method, | 279 | method, |
280 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, | ||
277 | authctxt->valid ? "" : "invalid user ", | 281 | authctxt->valid ? "" : "invalid user ", |
278 | authctxt->user, | 282 | authctxt->user, |
279 | get_remote_ipaddr(), | 283 | get_remote_ipaddr(), |
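Review bot: The new `partial` and `submethod` parameters of auth_log() carry no contract comment, and the body has a precedence rule that is easy to misread: `postponed` is tested first, then `partial`, and only then does `authenticated` decide between "Accepted" and "Failed", so a caller passing `authenticated = 1, partial = 1` would be logged as "Partial". The visible callers in auth2.c and monitor.c clear `authenticated` whenever they set `partial`, so nothing relies on that today, but a comment above the definition in the previous hunk would keep it that way: `/* partial: a required method succeeded but more are needed; logged as "Partial" regardless of authenticated. submethod: optional (NULL) qualifier, logged as method/submethod. */`. The remaining format arguments and the rest of auth_log's body continue outside the hunk.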
@@ -303,7 +307,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | |||
303 | * Check whether root logins are disallowed. | 307 | * Check whether root logins are disallowed. |
304 | */ | 308 | */ |
305 | int | 309 | int |
306 | auth_root_allowed(char *method) | 310 | auth_root_allowed(const char *method) |
307 | { | 311 | { |
308 | switch (options.permit_root_login) { | 312 | switch (options.permit_root_login) { |
309 | case PERMIT_YES: | 313 | case PERMIT_YES: |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.h,v 1.71 2012/11/04 11:09:15 djm Exp $ */ | 1 | /* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -148,10 +148,12 @@ void disable_forwarding(void); | |||
148 | void do_authentication(Authctxt *); | 148 | void do_authentication(Authctxt *); |
149 | void do_authentication2(Authctxt *); | 149 | void do_authentication2(Authctxt *); |
150 | 150 | ||
151 | void auth_log(Authctxt *, int, char *, char *); | 151 | void auth_log(Authctxt *, int, int, const char *, const char *, |
152 | void userauth_finish(Authctxt *, int, char *); | 152 | const char *); |
153 | void userauth_finish(Authctxt *, int, const char *, const char *); | ||
154 | int auth_root_allowed(const char *); | ||
155 | |||
153 | void userauth_send_banner(const char *); | 156 | void userauth_send_banner(const char *); |
154 | int auth_root_allowed(char *); | ||
155 | 157 | ||
156 | char *auth2_read_banner(void); | 158 | char *auth2_read_banner(void); |
157 | int auth2_methods_valid(const char *, int); | 159 | int auth2_methods_valid(const char *, int); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth1.c,v 1.76 2012/11/04 11:09:15 djm Exp $ */ | 1 | /* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -253,7 +253,8 @@ do_authloop(Authctxt *authctxt) | |||
253 | if (options.use_pam && (PRIVSEP(do_pam_account()))) | 253 | if (options.use_pam && (PRIVSEP(do_pam_account()))) |
254 | #endif | 254 | #endif |
255 | { | 255 | { |
256 | auth_log(authctxt, 1, "without authentication", ""); | 256 | auth_log(authctxt, 1, 0, "without authentication", |
257 | NULL, ""); | ||
257 | return; | 258 | return; |
258 | } | 259 | } |
259 | } | 260 | } |
@@ -352,7 +353,8 @@ do_authloop(Authctxt *authctxt) | |||
352 | 353 | ||
353 | skip: | 354 | skip: |
354 | /* Log before sending the reply */ | 355 | /* Log before sending the reply */ |
355 | auth_log(authctxt, authenticated, get_authname(type), info); | 356 | auth_log(authctxt, authenticated, 0, get_authname(type), |
357 | NULL, info); | ||
356 | 358 | ||
357 | if (client_user != NULL) { | 359 | if (client_user != NULL) { |
358 | xfree(client_user); | 360 | xfree(client_user); |
diff --git a/auth2-chall.c b/auth2-chall.c index e6dbffe22..8fdb33498 100644 --- a/auth2-chall.c +++ b/auth2-chall.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */ | 1 | /* $OpenBSD: auth2-chall.c,v 1.35 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2001 Per Allansson. All rights reserved. | 4 | * Copyright (c) 2001 Per Allansson. All rights reserved. |
@@ -283,7 +283,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
283 | KbdintAuthctxt *kbdintctxt; | 283 | KbdintAuthctxt *kbdintctxt; |
284 | int authenticated = 0, res; | 284 | int authenticated = 0, res; |
285 | u_int i, nresp; | 285 | u_int i, nresp; |
286 | char **response = NULL, *method; | 286 | char *devicename = NULL, **response = NULL; |
287 | 287 | ||
288 | if (authctxt == NULL) | 288 | if (authctxt == NULL) |
289 | fatal("input_userauth_info_response: no authctxt"); | 289 | fatal("input_userauth_info_response: no authctxt"); |
@@ -329,9 +329,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
329 | /* Failure! */ | 329 | /* Failure! */ |
330 | break; | 330 | break; |
331 | } | 331 | } |
332 | 332 | devicename = kbdintctxt->device->name; | |
333 | xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name); | ||
334 | |||
335 | if (!authctxt->postponed) { | 333 | if (!authctxt->postponed) { |
336 | if (authenticated) { | 334 | if (authenticated) { |
337 | auth2_challenge_stop(authctxt); | 335 | auth2_challenge_stop(authctxt); |
@@ -341,8 +339,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
341 | auth2_challenge_start(authctxt); | 339 | auth2_challenge_start(authctxt); |
342 | } | 340 | } |
343 | } | 341 | } |
344 | userauth_finish(authctxt, authenticated, method); | 342 | userauth_finish(authctxt, authenticated, "keyboard-interactive", |
345 | xfree(method); | 343 | devicename); |
346 | } | 344 | } |
347 | 345 | ||
348 | void | 346 | void |
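Review bot: `devicename` is copied out of `kbdintctxt->device->name` in the previous hunk and then passed to userauth_finish() after auth2_challenge_stop() has run in the authenticated branch, so the pointer must outlive the kbdint context; that holds if `device->name` points into the static device table rather than into storage owned by the context, which cannot be confirmed from these hunks. Since the old xasprintf()/xfree() pair that used to own the string is gone, a one-line comment at the assignment would record the assumption: `/* read before auth2_challenge_stop() may release kbdintctxt; must not point into the ctxt */`. The start of input_userauth_info_response() is outside the hunk.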
diff --git a/auth2-gss.c b/auth2-gss.c index 0d59b2177..93d576bfb 100644 --- a/auth2-gss.c +++ b/auth2-gss.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ | 1 | /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) | |||
163 | } | 163 | } |
164 | authctxt->postponed = 0; | 164 | authctxt->postponed = 0; |
165 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 165 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
166 | userauth_finish(authctxt, 0, "gssapi-with-mic"); | 166 | userauth_finish(authctxt, 0, "gssapi-with-mic", NULL); |
167 | } else { | 167 | } else { |
168 | if (send_tok.length != 0) { | 168 | if (send_tok.length != 0) { |
169 | packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); | 169 | packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); |
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | |||
251 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); | 251 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
252 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); | 252 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); |
253 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | 253 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
254 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 254 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
255 | } | 255 | } |
256 | 256 | ||
257 | static void | 257 | static void |
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | |||
291 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); | 291 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
292 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); | 292 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); |
293 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | 293 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
294 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 294 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
295 | } | 295 | } |
296 | 296 | ||
297 | Authmethod method_gssapi = { | 297 | Authmethod method_gssapi = { |
diff --git a/auth2-jpake.c b/auth2-jpake.c index a460e8216..ed0eba47b 100644 --- a/auth2-jpake.c +++ b/auth2-jpake.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */ | 1 | /* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 3 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
4 | * | 4 | * |
@@ -556,7 +556,7 @@ input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt) | |||
556 | authctxt->postponed = 0; | 556 | authctxt->postponed = 0; |
557 | jpake_free(authctxt->jpake_ctx); | 557 | jpake_free(authctxt->jpake_ctx); |
558 | authctxt->jpake_ctx = NULL; | 558 | authctxt->jpake_ctx = NULL; |
559 | userauth_finish(authctxt, authenticated, method_jpake.name); | 559 | userauth_finish(authctxt, authenticated, method_jpake.name, NULL); |
560 | } | 560 | } |
561 | 561 | ||
562 | #endif /* JPAKE */ | 562 | #endif /* JPAKE */ |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */ | 1 | /* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -286,7 +286,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
286 | debug2("input_userauth_request: try method %s", method); | 286 | debug2("input_userauth_request: try method %s", method); |
287 | authenticated = m->userauth(authctxt); | 287 | authenticated = m->userauth(authctxt); |
288 | } | 288 | } |
289 | userauth_finish(authctxt, authenticated, method); | 289 | userauth_finish(authctxt, authenticated, method, NULL); |
290 | 290 | ||
291 | xfree(service); | 291 | xfree(service); |
292 | xfree(user); | 292 | xfree(user); |
@@ -294,7 +294,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
294 | } | 294 | } |
295 | 295 | ||
296 | void | 296 | void |
297 | userauth_finish(Authctxt *authctxt, int authenticated, char *method) | 297 | userauth_finish(Authctxt *authctxt, int authenticated, const char *method, |
298 | const char *submethod) | ||
298 | { | 299 | { |
299 | char *methods; | 300 | char *methods; |
300 | int partial = 0; | 301 | int partial = 0; |
@@ -302,6 +303,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
302 | if (!authctxt->valid && authenticated) | 303 | if (!authctxt->valid && authenticated) |
303 | fatal("INTERNAL ERROR: authenticated invalid user %s", | 304 | fatal("INTERNAL ERROR: authenticated invalid user %s", |
304 | authctxt->user); | 305 | authctxt->user); |
306 | if (authenticated && authctxt->postponed) | ||
307 | fatal("INTERNAL ERROR: authenticated and postponed"); | ||
305 | 308 | ||
306 | /* Special handling for root */ | 309 | /* Special handling for root */ |
307 | if (authenticated && authctxt->pw->pw_uid == 0 && | 310 | if (authenticated && authctxt->pw->pw_uid == 0 && |
@@ -312,6 +315,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
312 | #endif | 315 | #endif |
313 | } | 316 | } |
314 | 317 | ||
318 | if (authenticated && options.num_auth_methods != 0) { | ||
319 | if (!auth2_update_methods_lists(authctxt, method)) { | ||
320 | authenticated = 0; | ||
321 | partial = 1; | ||
322 | } | ||
323 | } | ||
324 | |||
325 | /* Log before sending the reply */ | ||
326 | auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); | ||
327 | |||
328 | if (authctxt->postponed) | ||
329 | return; | ||
330 | |||
315 | #ifdef USE_PAM | 331 | #ifdef USE_PAM |
316 | if (options.use_pam && authenticated) { | 332 | if (options.use_pam && authenticated) { |
317 | if (!PRIVSEP(do_pam_account())) { | 333 | if (!PRIVSEP(do_pam_account())) { |
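Review bot: Moving the auth_log() call ahead of the `USE_PAM` account check (and the `_UNICOS` check in the next hunk) changes what an "Accepted" line means in the non-privsep path: it is now emitted before `do_pam_account()` runs, so a user who authenticates but is then denied by PAM account configuration will have an "Accepted" entry followed by whatever the failure branch does, whose body is outside this hunk. This appears to match the monitor's behaviour in monitor.c, which logs immediately after the auth decision, but anyone correlating sshd logs should know that "Accepted" no longer implies the session was granted. A comment at the new call site would make this explicit: `/* Logged before the PAM account and platform access checks below; an "Accepted" line can still be followed by a denial. */`. The removed copy of the methods-list update in the following hunk did run after the postponed check, whereas the new one runs before it; the `authenticated && postponed` fatal added earlier in this commit is what makes that reordering safe, and that dependency deserves a mention in the same comment.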
@@ -330,23 +346,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
330 | #ifdef _UNICOS | 346 | #ifdef _UNICOS |
331 | if (authenticated && cray_access_denied(authctxt->user)) { | 347 | if (authenticated && cray_access_denied(authctxt->user)) { |
332 | authenticated = 0; | 348 | authenticated = 0; |
333 | fatal("Access denied for user %s.",authctxt->user); | 349 | fatal("Access denied for user %s.", authctxt->user); |
334 | } | 350 | } |
335 | #endif /* _UNICOS */ | 351 | #endif /* _UNICOS */ |
336 | 352 | ||
337 | /* Log before sending the reply */ | ||
338 | auth_log(authctxt, authenticated, method, " ssh2"); | ||
339 | |||
340 | if (authctxt->postponed) | ||
341 | return; | ||
342 | |||
343 | if (authenticated && options.num_auth_methods != 0) { | ||
344 | if (!auth2_update_methods_lists(authctxt, method)) { | ||
345 | authenticated = 0; | ||
346 | partial = 1; | ||
347 | } | ||
348 | } | ||
349 | |||
350 | if (authenticated == 1) { | 353 | if (authenticated == 1) { |
351 | /* turn off userauth */ | 354 | /* turn off userauth */ |
352 | dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); | 355 | dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.118 2012/11/04 11:09:15 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.119 2012/12/02 20:34:10 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY; | |||
199 | static char *hostbased_cuser = NULL; | 199 | static char *hostbased_cuser = NULL; |
200 | static char *hostbased_chost = NULL; | 200 | static char *hostbased_chost = NULL; |
201 | static char *auth_method = "unknown"; | 201 | static char *auth_method = "unknown"; |
202 | static char *auth_submethod = NULL; | ||
202 | static u_int session_id2_len = 0; | 203 | static u_int session_id2_len = 0; |
203 | static u_char *session_id2 = NULL; | 204 | static u_char *session_id2 = NULL; |
204 | static pid_t monitor_child_pid; | 205 | static pid_t monitor_child_pid; |
@@ -352,7 +353,7 @@ void | |||
352 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 353 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
353 | { | 354 | { |
354 | struct mon_table *ent; | 355 | struct mon_table *ent; |
355 | int authenticated = 0; | 356 | int authenticated = 0, partial = 0; |
356 | 357 | ||
357 | debug3("preauth child monitor started"); | 358 | debug3("preauth child monitor started"); |
358 | 359 | ||
@@ -379,7 +380,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
379 | 380 | ||
380 | /* The first few requests do not require asynchronous access */ | 381 | /* The first few requests do not require asynchronous access */ |
381 | while (!authenticated) { | 382 | while (!authenticated) { |
383 | partial = 0; | ||
382 | auth_method = "unknown"; | 384 | auth_method = "unknown"; |
385 | auth_submethod = NULL; | ||
383 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 386 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); |
384 | 387 | ||
385 | /* Special handling for multiple required authentications */ | 388 | /* Special handling for multiple required authentications */ |
@@ -393,6 +396,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
393 | debug3("%s: method %s: partial", __func__, | 396 | debug3("%s: method %s: partial", __func__, |
394 | auth_method); | 397 | auth_method); |
395 | authenticated = 0; | 398 | authenticated = 0; |
399 | partial = 1; | ||
396 | } | 400 | } |
397 | } | 401 | } |
398 | 402 | ||
@@ -417,7 +421,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
417 | #endif | 421 | #endif |
418 | } | 422 | } |
419 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 423 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
420 | auth_log(authctxt, authenticated, auth_method, | 424 | auth_log(authctxt, authenticated, partial, |
425 | auth_method, auth_submethod, | ||
421 | compat20 ? " ssh2" : ""); | 426 | compat20 ? " ssh2" : ""); |
422 | if (!authenticated) | 427 | if (!authenticated) |
423 | authctxt->failures++; | 428 | authctxt->failures++; |
@@ -943,7 +948,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) | |||
943 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); | 948 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); |
944 | 949 | ||
945 | if (compat20) | 950 | if (compat20) |
946 | auth_method = "keyboard-interactive"; | 951 | auth_method = "keyboard-interactive"; /* XXX auth_submethod */ |
947 | else | 952 | else |
948 | auth_method = "bsdauth"; | 953 | auth_method = "bsdauth"; |
949 | 954 | ||
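Review bot: The `/* XXX auth_submethod */` marker leaves `auth_submethod` NULL for bsdauth under privsep, so the monitor logs "keyboard-interactive" while the unprivileged-path userauth_finish() in auth2-chall.c passes the device name as submethod and would log "keyboard-interactive/<device>"; the same event is therefore recorded differently depending on whether privsep is enabled, which complicates log matching. If the bsdauth device's name is the string used in the non-compat20 branch, the fix is one line in the compat20 branch: `auth_submethod = "bsdauth";`. The PAM answer functions in the later hunks already set `auth_submethod = "pam"` consistently, so this is the only remaining keyboard-interactive path without a submethod. The rest of mm_answer_bsdauthrespond() lies outside the hunk.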
@@ -1084,7 +1089,8 @@ mm_answer_pam_query(int sock, Buffer *m) | |||
1084 | xfree(prompts); | 1089 | xfree(prompts); |
1085 | if (echo_on != NULL) | 1090 | if (echo_on != NULL) |
1086 | xfree(echo_on); | 1091 | xfree(echo_on); |
1087 | auth_method = "keyboard-interactive/pam"; | 1092 | auth_method = "keyboard-interactive"; |
1093 | auth_submethod = "pam"; | ||
1088 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); | 1094 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); |
1089 | return (0); | 1095 | return (0); |
1090 | } | 1096 | } |
@@ -1113,7 +1119,8 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
1113 | buffer_clear(m); | 1119 | buffer_clear(m); |
1114 | buffer_put_int(m, ret); | 1120 | buffer_put_int(m, ret); |
1115 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); | 1121 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); |
1116 | auth_method = "keyboard-interactive/pam"; | 1122 | auth_method = "keyboard-interactive"; |
1123 | auth_submethod = "pam"; | ||
1117 | if (ret == 0) | 1124 | if (ret == 0) |
1118 | sshpam_authok = sshpam_ctxt; | 1125 | sshpam_authok = sshpam_ctxt; |
1119 | return (0); | 1126 | return (0); |
@@ -1127,7 +1134,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) | |||
1127 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1134 | (sshpam_device.free_ctx)(sshpam_ctxt); |
1128 | buffer_clear(m); | 1135 | buffer_clear(m); |
1129 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1136 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
1130 | auth_method = "keyboard-interactive/pam"; | 1137 | auth_method = "keyboard-interactive"; |
1138 | auth_submethod = "pam"; | ||
1131 | return (sshpam_authok == sshpam_ctxt); | 1139 | return (sshpam_authok == sshpam_ctxt); |
1132 | } | 1140 | } |
1133 | #endif | 1141 | #endif |
@@ -1201,7 +1209,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1201 | hostbased_chost = chost; | 1209 | hostbased_chost = chost; |
1202 | } else { | 1210 | } else { |
1203 | /* Log failed attempt */ | 1211 | /* Log failed attempt */ |
1204 | auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); | 1212 | auth_log(authctxt, 0, 0, auth_method, NULL, |
1213 | compat20 ? " ssh2" : ""); | ||
1205 | xfree(blob); | 1214 | xfree(blob); |
1206 | xfree(cuser); | 1215 | xfree(cuser); |
1207 | xfree(chost); | 1216 | xfree(chost); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.h,v 1.16 2011/06/17 21:44:31 djm Exp $ */ | 1 | /* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
@@ -28,44 +28,48 @@ | |||
28 | #ifndef _MONITOR_H_ | 28 | #ifndef _MONITOR_H_ |
29 | #define _MONITOR_H_ | 29 | #define _MONITOR_H_ |
30 | 30 | ||
31 | /* Please keep *_REQ_* values on even numbers and *_ANS_* on odd numbers */ | ||
31 | enum monitor_reqtype { | 32 | enum monitor_reqtype { |
32 | MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, | 33 | MONITOR_REQ_MODULI = 0, MONITOR_ANS_MODULI = 1, |
33 | MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, | 34 | MONITOR_REQ_FREE = 2, |
34 | MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, | 35 | MONITOR_REQ_AUTHSERV = 4, |
35 | MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, | 36 | MONITOR_REQ_SIGN = 6, MONITOR_ANS_SIGN = 7, |
36 | MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, | 37 | MONITOR_REQ_PWNAM = 8, MONITOR_ANS_PWNAM = 9, |
37 | MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, | 38 | MONITOR_REQ_AUTH2_READ_BANNER = 10, MONITOR_ANS_AUTH2_READ_BANNER = 11, |
38 | MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, | 39 | MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13, |
39 | MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, | 40 | MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15, |
40 | MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, | 41 | MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17, |
41 | MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, | 42 | MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19, |
42 | MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, | 43 | MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21, |
43 | MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, | 44 | MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23, |
44 | MONITOR_REQ_KEYEXPORT, | 45 | MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25, |
45 | MONITOR_REQ_PTY, MONITOR_ANS_PTY, | 46 | MONITOR_REQ_KEYEXPORT = 26, |
46 | MONITOR_REQ_PTYCLEANUP, | 47 | MONITOR_REQ_PTY = 28, MONITOR_ANS_PTY = 29, |
47 | MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY, | 48 | MONITOR_REQ_PTYCLEANUP = 30, |
48 | MONITOR_REQ_SESSID, | 49 | MONITOR_REQ_SESSKEY = 32, MONITOR_ANS_SESSKEY = 33, |
49 | MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, | 50 | MONITOR_REQ_SESSID = 34, |
50 | MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, | 51 | MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37, |
51 | MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, | 52 | MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39, |
52 | MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP, | 53 | MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41, |
53 | MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, | 54 | MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43, |
54 | MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, | 55 | MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45, |
55 | MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, | 56 | MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47, |
56 | MONITOR_REQ_PAM_START, | 57 | MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, |
57 | MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, | 58 | MONITOR_REQ_TERM = 50, |
58 | MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, | 59 | MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53, |
59 | MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, | 60 | MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55, |
60 | MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, | 61 | MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57, |
61 | MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, | 62 | MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, |
62 | MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, | 63 | MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61, |
63 | MONITOR_REQ_TERM, | 64 | |
64 | MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, | 65 | MONITOR_REQ_PAM_START = 100, |
65 | MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, | 66 | MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, |
66 | MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, | 67 | MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, |
67 | MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, | 68 | MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, |
68 | MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM, | 69 | MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, |
70 | MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, | ||
71 | MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, | ||
72 | |||
69 | }; | 73 | }; |
70 | 74 | ||
71 | struct mm_master; | 75 | struct mm_master; |
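Review bot: `MONITOR_REQ_AUDIT_COMMAND = 113` contradicts the comment added at the top of the enum, which asks for `*_REQ_*` values on even numbers and `*_ANS_*` on odd numbers; every other entry in the renumbered block follows the rule. Either renumber it, `MONITOR_REQ_AUDIT_COMMAND = 114,`, or extend the comment to record the exception so the next person adding a request type does not copy it. Now that the values are explicit, a duplicate or misplaced number is no longer caught by the enumerator sequence, and since monitor.c dispatches on these values any collision would silently route a request to the wrong handler; the dispatch tables themselves are outside this diff, so whether they use only the symbolic names cannot be confirmed here.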