diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 81 |
1 files changed, 66 insertions, 15 deletions
| @@ -23,7 +23,7 @@ | |||
| 23 | */ | 23 | */ |
| 24 | 24 | ||
| 25 | #include "includes.h" | 25 | #include "includes.h" |
| 26 | RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $"); | 26 | RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $"); |
| 27 | 27 | ||
| 28 | #ifdef HAVE_LOGIN_H | 28 | #ifdef HAVE_LOGIN_H |
| 29 | #include <login.h> | 29 | #include <login.h> |
| @@ -50,6 +50,8 @@ RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $"); | |||
| 50 | #include "misc.h" | 50 | #include "misc.h" |
| 51 | #include "bufaux.h" | 51 | #include "bufaux.h" |
| 52 | #include "packet.h" | 52 | #include "packet.h" |
| 53 | #include "loginrec.h" | ||
| 54 | #include "monitor_wrap.h" | ||
| 53 | 55 | ||
| 54 | /* import */ | 56 | /* import */ |
| 55 | extern ServerOptions options; | 57 | extern ServerOptions options; |
| @@ -153,8 +155,9 @@ allowed_user(struct passwd * pw) | |||
| 153 | for (i = 0; i < options.num_deny_users; i++) | 155 | for (i = 0; i < options.num_deny_users; i++) |
| 154 | if (match_user(pw->pw_name, hostname, ipaddr, | 156 | if (match_user(pw->pw_name, hostname, ipaddr, |
| 155 | options.deny_users[i])) { | 157 | options.deny_users[i])) { |
| 156 | logit("User %.100s not allowed because listed in DenyUsers", | 158 | logit("User %.100s from %.100s not allowed " |
| 157 | pw->pw_name); | 159 | "because listed in DenyUsers", |
| 160 | pw->pw_name, hostname); | ||
| 158 | return 0; | 161 | return 0; |
| 159 | } | 162 | } |
| 160 | } | 163 | } |
| @@ -166,16 +169,16 @@ allowed_user(struct passwd * pw) | |||
| 166 | break; | 169 | break; |
| 167 | /* i < options.num_allow_users iff we break for loop */ | 170 | /* i < options.num_allow_users iff we break for loop */ |
| 168 | if (i >= options.num_allow_users) { | 171 | if (i >= options.num_allow_users) { |
| 169 | logit("User %.100s not allowed because not listed in AllowUsers", | 172 | logit("User %.100s from %.100s not allowed because " |
| 170 | pw->pw_name); | 173 | "not listed in AllowUsers", pw->pw_name, hostname); |
| 171 | return 0; | 174 | return 0; |
| 172 | } | 175 | } |
| 173 | } | 176 | } |
| 174 | if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { | 177 | if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { |
| 175 | /* Get the user's group access list (primary and supplementary) */ | 178 | /* Get the user's group access list (primary and supplementary) */ |
| 176 | if (ga_init(pw->pw_name, pw->pw_gid) == 0) { | 179 | if (ga_init(pw->pw_name, pw->pw_gid) == 0) { |
| 177 | logit("User %.100s not allowed because not in any group", | 180 | logit("User %.100s from %.100s not allowed because " |
| 178 | pw->pw_name); | 181 | "not in any group", pw->pw_name, hostname); |
| 179 | return 0; | 182 | return 0; |
| 180 | } | 183 | } |
| 181 | 184 | ||
| @@ -184,8 +187,9 @@ allowed_user(struct passwd * pw) | |||
| 184 | if (ga_match(options.deny_groups, | 187 | if (ga_match(options.deny_groups, |
| 185 | options.num_deny_groups)) { | 188 | options.num_deny_groups)) { |
| 186 | ga_free(); | 189 | ga_free(); |
| 187 | logit("User %.100s not allowed because a group is listed in DenyGroups", | 190 | logit("User %.100s from %.100s not allowed " |
| 188 | pw->pw_name); | 191 | "because a group is listed in DenyGroups", |
| 192 | pw->pw_name, hostname); | ||
| 189 | return 0; | 193 | return 0; |
| 190 | } | 194 | } |
| 191 | /* | 195 | /* |
| @@ -196,15 +200,16 @@ allowed_user(struct passwd * pw) | |||
| 196 | if (!ga_match(options.allow_groups, | 200 | if (!ga_match(options.allow_groups, |
| 197 | options.num_allow_groups)) { | 201 | options.num_allow_groups)) { |
| 198 | ga_free(); | 202 | ga_free(); |
| 199 | logit("User %.100s not allowed because none of user's groups are listed in AllowGroups", | 203 | logit("User %.100s from %.100s not allowed " |
| 200 | pw->pw_name); | 204 | "because none of user's groups are listed " |
| 205 | "in AllowGroups", pw->pw_name, hostname); | ||
| 201 | return 0; | 206 | return 0; |
| 202 | } | 207 | } |
| 203 | ga_free(); | 208 | ga_free(); |
| 204 | } | 209 | } |
| 205 | 210 | ||
| 206 | #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER | 211 | #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER |
| 207 | if (!sys_auth_allowed_user(pw)) | 212 | if (!sys_auth_allowed_user(pw, &loginmsg)) |
| 208 | return 0; | 213 | return 0; |
| 209 | #endif | 214 | #endif |
| 210 | 215 | ||
| @@ -240,8 +245,50 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | |||
| 240 | info); | 245 | info); |
| 241 | 246 | ||
| 242 | #ifdef CUSTOM_FAILED_LOGIN | 247 | #ifdef CUSTOM_FAILED_LOGIN |
| 243 | if (authenticated == 0 && strcmp(method, "password") == 0) | 248 | if (authenticated == 0 && !authctxt->postponed && |
| 244 | record_failed_login(authctxt->user, "ssh"); | 249 | (strcmp(method, "password") == 0 || |
| 250 | strncmp(method, "keyboard-interactive", 20) == 0 || | ||
| 251 | strcmp(method, "challenge-response") == 0)) | ||
| 252 | record_failed_login(authctxt->user, | ||
| 253 | get_canonical_hostname(options.use_dns), "ssh"); | ||
| 254 | #endif | ||
| 255 | #ifdef SSH_AUDIT_EVENTS | ||
| 256 | if (authenticated == 0 && !authctxt->postponed) { | ||
| 257 | ssh_audit_event_t event; | ||
| 258 | |||
| 259 | debug3("audit failed auth attempt, method %s euid %d", | ||
| 260 | method, (int)geteuid()); | ||
| 261 | /* | ||
| 262 | * Because the auth loop is used in both monitor and slave, | ||
| 263 | * we must be careful to send each event only once and with | ||
| 264 | * enough privs to write the event. | ||
| 265 | */ | ||
| 266 | event = audit_classify_auth(method); | ||
| 267 | switch(event) { | ||
| 268 | case SSH_AUTH_FAIL_NONE: | ||
| 269 | case SSH_AUTH_FAIL_PASSWD: | ||
| 270 | case SSH_AUTH_FAIL_KBDINT: | ||
| 271 | if (geteuid() == 0) | ||
| 272 | audit_event(event); | ||
| 273 | break; | ||
| 274 | case SSH_AUTH_FAIL_PUBKEY: | ||
| 275 | case SSH_AUTH_FAIL_HOSTBASED: | ||
| 276 | case SSH_AUTH_FAIL_GSSAPI: | ||
| 277 | /* | ||
| 278 | * This is required to handle the case where privsep | ||
| 279 | * is enabled but it's root logging in, since | ||
| 280 | * use_privsep won't be cleared until after a | ||
| 281 | * successful login. | ||
| 282 | */ | ||
| 283 | if (geteuid() == 0) | ||
| 284 | audit_event(event); | ||
| 285 | else | ||
| 286 | PRIVSEP(audit_event(event)); | ||
| 287 | break; | ||
| 288 | default: | ||
| 289 | error("unknown authentication audit event %d", event); | ||
| 290 | } | ||
| 291 | } | ||
| 245 | #endif | 292 | #endif |
| 246 | } | 293 | } |
| 247 | 294 | ||
| @@ -465,8 +512,12 @@ getpwnamallow(const char *user) | |||
| 465 | logit("Invalid user %.100s from %.100s", | 512 | logit("Invalid user %.100s from %.100s", |
| 466 | user, get_remote_ipaddr()); | 513 | user, get_remote_ipaddr()); |
| 467 | #ifdef CUSTOM_FAILED_LOGIN | 514 | #ifdef CUSTOM_FAILED_LOGIN |
| 468 | record_failed_login(user, "ssh"); | 515 | record_failed_login(user, |
| 516 | get_canonical_hostname(options.use_dns), "ssh"); | ||
| 469 | #endif | 517 | #endif |
| 518 | #ifdef SSH_AUDIT_EVENTS | ||
| 519 | audit_event(SSH_INVALID_USER); | ||
| 520 | #endif /* SSH_AUDIT_EVENTS */ | ||
| 470 | return (NULL); | 521 | return (NULL); |
| 471 | } | 522 | } |
| 472 | if (!allowed_user(pw)) | 523 | if (!allowed_user(pw)) |