3 files changed, 13 insertions, 40 deletions
diff --git a/ChangeLog b/ChangeLog
index 8dc22c86b..767208bf3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,13 @@
-20050517
+20060521
+ - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
+   and slave, we can remove the special-case handling in the audit hook in
+   auth_log.
+20060517
 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
   pointer leak.  From kjhall at us.ibm.com, found by coverity.
-20050515
+20060515
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
   _res, prevents problems on some platforms that have _res as a global but
   don't have getrrsetbyname(), eg IRIX 5.3.  Found and tested by
@@ -12,7 +17,7 @@
 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
   do not allow kbdint again after the PAM account check fails.  ok djm@
-20050506
+20060506
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
     [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
@@ -4625,4 +4630,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4329 2006/05/17 12:24:56 dtucker Exp $
+$Id: ChangeLog,v 1.4330 2006/05/21 08:26:40 dtucker Exp $
diff --git a/auth.c b/auth.c
index e43c81658..ffa94e886 100644
--- a/auth.c
+++ b/auth.c
@@ -271,42 +271,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
                    get_canonical_hostname(options.use_dns), "ssh");
 #endif
 #ifdef SSH_AUDIT_EVENTS
-        if (authenticated == 0 && !authctxt->postponed) {
+        if (authenticated == 0 && !authctxt->postponed)
-                ssh_audit_event_t event;
+                audit_event(audit_classify_auth(method));
-                debug3("audit failed auth attempt, method %s euid %d",
-                    method, (int)geteuid());
-                /*
-                 * Because the auth loop is used in both monitor and slave,
-                 * we must be careful to send each event only once and with
-                 * enough privs to write the event.
-                 */
-                event = audit_classify_auth(method);
-                switch(event) {
-                case SSH_AUTH_FAIL_NONE:
-                case SSH_AUTH_FAIL_PASSWD:
-                case SSH_AUTH_FAIL_KBDINT:
-                        if (geteuid() == 0)
-                                audit_event(event);
-                        break;
-                case SSH_AUTH_FAIL_PUBKEY:
-                case SSH_AUTH_FAIL_HOSTBASED:
-                case SSH_AUTH_FAIL_GSSAPI:
-                        /*
-                         * This is required to handle the case where privsep
-                         * is enabled but it's root logging in, since
-                         * use_privsep won't be cleared until after a
-                         * successful login.
-                         */
-                        if (geteuid() == 0)
-                                audit_event(event);
-                        else
-                                PRIVSEP(audit_event(event));
-                        break;
-                default:
-                        error("unknown authentication audit event %d", event);
-                }
-        }
 #endif
 }
diff --git a/monitor.c b/monitor.c
index 4b8287d85..08919ddfc 100644
--- a/monitor.c
+++ b/monitor.c
@@ -909,6 +909,7 @@ mm_answer_pam_query(int sock, Buffer *m)
                xfree(prompts);
        if (echo_on != NULL)
                xfree(echo_on);
+        auth_method = "keyboard-interactive/pam";
        mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
        return (0);
 }
@@ -951,6 +952,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
        (sshpam_device.free_ctx)(sshpam_ctxt);
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+        auth_method = "keyboard-interactive/pam";
        return (sshpam_authok == sshpam_ctxt);
 }
 #endif