1 files changed, 42 insertions, 0 deletions
diff --git a/auth.c b/auth.c
index b6c00c12b..bbf3a54a4 100644
--- a/auth.c
+++ b/auth.c
@@ -51,6 +51,7 @@ RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $");
 #include "bufaux.h"
 #include "packet.h"
 #include "loginrec.h"
+#include "monitor_wrap.h"
 /* import */
 extern ServerOptions options;
@@ -251,6 +252,44 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
                record_failed_login(authctxt->user,
                    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef AUDIT_EVENTS
+        if (authenticated == 0 && !authctxt->postponed) {
+                ssh_audit_event_t event;
+                debug3("audit failed auth attempt, method %s euid %d",
+                    method, (int)geteuid());
+                /*
+                 * Because the auth loop is used in both monitor and slave,
+                 * we must be careful to send each event only once and with
+                 * enough privs to write the event.
+                 */
+                event = audit_classify_auth(method);
+                switch(event) {
+                case AUTH_FAIL_NONE:
+                case AUTH_FAIL_PASSWD:
+                case AUTH_FAIL_KBDINT:
+                        if (geteuid() == 0)
+                                audit_event(event);
+                        break;
+                case AUTH_FAIL_PUBKEY:
+                case AUTH_FAIL_HOSTBASED:
+                case AUTH_FAIL_GSSAPI:
+                        /*
+                         * This is required to handle the case where privsep
+                         * is enabled but it's root logging in, since
+                         * use_privsep won't be cleared until after a
+                         * successful login.
+                         */
+                        if (geteuid() == 0)
+                                audit_event(event);
+                        else
+                                PRIVSEP(audit_event(event));
+                        break;
+                default:
+                        error("unknown authentication audit event %d", event);
+                }
+        }
+#endif
 }
 /*
@@ -476,6 +515,9 @@ getpwnamallow(const char *user)
                record_failed_login(user,
                    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef AUDIT_EVENTS
+                audit_event(INVALID_USER);
+#endif /* AUDIT_EVENTS */
                return (NULL);
        }
        if (!allowed_user(pw))

diff --git a/auth.c b/auth.c index b6c00c12b..bbf3a54a4 100644 --- a/auth.c +++ b/auth.c
@@ -51,6 +51,7 @@ RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $");
51	#include "bufaux.h"	51	#include "bufaux.h"
52	#include "packet.h"	52	#include "packet.h"
53	#include "loginrec.h"	53	#include "loginrec.h"
		54	#include "monitor_wrap.h"
54		55
55	/* import */	56	/* import */
56	extern ServerOptions options;	57	extern ServerOptions options;
@@ -251,6 +252,44 @@ auth_log(Authctxt authctxt, int authenticated, char method, char *info)
251	record_failed_login(authctxt->user,	252	record_failed_login(authctxt->user,
252	get_canonical_hostname(options.use_dns), "ssh");	253	get_canonical_hostname(options.use_dns), "ssh");
253	#endif	254	#endif
		255	#ifdef AUDIT_EVENTS
		256	if (authenticated == 0 && !authctxt->postponed) {
		257	ssh_audit_event_t event;
		258
		259	debug3("audit failed auth attempt, method %s euid %d",
		260	method, (int)geteuid());
		261	/*
		262	* Because the auth loop is used in both monitor and slave,
		263	* we must be careful to send each event only once and with
		264	* enough privs to write the event.
		265	*/
		266	event = audit_classify_auth(method);
		267	switch(event) {
		268	case AUTH_FAIL_NONE:
		269	case AUTH_FAIL_PASSWD:
		270	case AUTH_FAIL_KBDINT:
		271	if (geteuid() == 0)
		272	audit_event(event);
		273	break;
		274	case AUTH_FAIL_PUBKEY:
		275	case AUTH_FAIL_HOSTBASED:
		276	case AUTH_FAIL_GSSAPI:
		277	/*
		278	* This is required to handle the case where privsep
		279	* is enabled but it's root logging in, since
		280	* use_privsep won't be cleared until after a
		281	* successful login.
		282	*/
		283	if (geteuid() == 0)
		284	audit_event(event);
		285	else
		286	PRIVSEP(audit_event(event));
		287	break;
		288	default:
		289	error("unknown authentication audit event %d", event);
		290	}
		291	}
		292	#endif
254	}	293	}
255		294
256	/*	295	/*
@@ -476,6 +515,9 @@ getpwnamallow(const char *user)
476	record_failed_login(user,	515	record_failed_login(user,
477	get_canonical_hostname(options.use_dns), "ssh");	516	get_canonical_hostname(options.use_dns), "ssh");
478	#endif	517	#endif
		518	#ifdef AUDIT_EVENTS
		519	audit_event(INVALID_USER);
		520	#endif /* AUDIT_EVENTS */
479	return (NULL);	521	return (NULL);
480	}	522	}
481	if (!allowed_user(pw))	523	if (!allowed_user(pw))