diff options
Diffstat (limited to 'auth2.c')
| -rw-r--r-- | auth2.c | 31 |
1 files changed, 27 insertions, 4 deletions
| @@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); | |||
| 35 | #include "dispatch.h" | 35 | #include "dispatch.h" |
| 36 | #include "pathnames.h" | 36 | #include "pathnames.h" |
| 37 | #include "monitor_wrap.h" | 37 | #include "monitor_wrap.h" |
| 38 | #include "buffer.h" | ||
| 38 | 39 | ||
| 39 | #ifdef GSSAPI | 40 | #ifdef GSSAPI |
| 40 | #include "ssh-gss.h" | 41 | #include "ssh-gss.h" |
| @@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); | |||
| 44 | extern ServerOptions options; | 45 | extern ServerOptions options; |
| 45 | extern u_char *session_id2; | 46 | extern u_char *session_id2; |
| 46 | extern u_int session_id2_len; | 47 | extern u_int session_id2_len; |
| 48 | extern Buffer loginmsg; | ||
| 47 | 49 | ||
| 48 | /* methods */ | 50 | /* methods */ |
| 49 | 51 | ||
| @@ -165,6 +167,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 165 | if (options.use_pam) | 167 | if (options.use_pam) |
| 166 | PRIVSEP(start_pam(authctxt)); | 168 | PRIVSEP(start_pam(authctxt)); |
| 167 | #endif | 169 | #endif |
| 170 | #ifdef SSH_AUDIT_EVENTS | ||
| 171 | PRIVSEP(audit_event(SSH_INVALID_USER)); | ||
| 172 | #endif | ||
| 168 | } | 173 | } |
| 169 | setproctitle("%s%s", authctxt->valid ? user : "unknown", | 174 | setproctitle("%s%s", authctxt->valid ? user : "unknown", |
| 170 | use_privsep ? " [net]" : ""); | 175 | use_privsep ? " [net]" : ""); |
| @@ -212,12 +217,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
| 212 | 217 | ||
| 213 | /* Special handling for root */ | 218 | /* Special handling for root */ |
| 214 | if (authenticated && authctxt->pw->pw_uid == 0 && | 219 | if (authenticated && authctxt->pw->pw_uid == 0 && |
| 215 | !auth_root_allowed(method)) | 220 | !auth_root_allowed(method)) { |
| 216 | authenticated = 0; | 221 | authenticated = 0; |
| 222 | #ifdef SSH_AUDIT_EVENTS | ||
| 223 | PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); | ||
| 224 | #endif | ||
| 225 | } | ||
| 217 | 226 | ||
| 218 | #ifdef USE_PAM | 227 | #ifdef USE_PAM |
| 219 | if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) | 228 | if (options.use_pam && authenticated) { |
| 220 | authenticated = 0; | 229 | if (!PRIVSEP(do_pam_account())) { |
| 230 | /* if PAM returned a message, send it to the user */ | ||
| 231 | if (buffer_len(&loginmsg) > 0) { | ||
| 232 | buffer_append(&loginmsg, "\0", 1); | ||
| 233 | userauth_send_banner(buffer_ptr(&loginmsg)); | ||
| 234 | packet_write_wait(); | ||
| 235 | } | ||
| 236 | fatal("Access denied for user %s by PAM account " | ||
| 237 | "configuration", authctxt->user); | ||
| 238 | } | ||
| 239 | } | ||
| 221 | #endif | 240 | #endif |
| 222 | 241 | ||
| 223 | #ifdef _UNICOS | 242 | #ifdef _UNICOS |
| @@ -243,8 +262,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
| 243 | /* now we can break out */ | 262 | /* now we can break out */ |
| 244 | authctxt->success = 1; | 263 | authctxt->success = 1; |
| 245 | } else { | 264 | } else { |
| 246 | if (authctxt->failures++ > options.max_authtries) | 265 | if (authctxt->failures++ > options.max_authtries) { |
| 266 | #ifdef SSH_AUDIT_EVENTS | ||
| 267 | PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); | ||
| 268 | #endif | ||
| 247 | packet_disconnect(AUTH_FAIL_MSG, authctxt->user); | 269 | packet_disconnect(AUTH_FAIL_MSG, authctxt->user); |
| 270 | } | ||
| 248 | methods = authmethods_get(); | 271 | methods = authmethods_get(); |
| 249 | packet_start(SSH2_MSG_USERAUTH_FAILURE); | 272 | packet_start(SSH2_MSG_USERAUTH_FAILURE); |
| 250 | packet_put_cstring(methods); | 273 | packet_put_cstring(methods); |