Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 22 |
1 files changed, 13 insertions, 9 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.145 2015/02/20 22:17:21 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.150 2015/06/22 23:42:16 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -432,7 +432,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
432 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 432 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
433 | auth_log(authctxt, authenticated, partial, | 433 | auth_log(authctxt, authenticated, partial, |
434 | auth_method, auth_submethod); | 434 | auth_method, auth_submethod); |
435 | if (!authenticated) | 435 | if (!partial && !authenticated) |
436 | authctxt->failures++; | 436 | authctxt->failures++; |
437 | } | 437 | } |
438 | } | 438 | } |
@@ -1244,7 +1244,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1244 | Key *key; | 1244 | Key *key; |
1245 | char *cuser, *chost; | 1245 | char *cuser, *chost; |
1246 | u_char *blob; | 1246 | u_char *blob; |
1247 | u_int bloblen; | 1247 | u_int bloblen, pubkey_auth_attempt; |
1248 | enum mm_keytype type = 0; | 1248 | enum mm_keytype type = 0; |
1249 | int allowed = 0; | 1249 | int allowed = 0; |
1250 | 1250 | ||
@@ -1254,6 +1254,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1254 | cuser = buffer_get_string(m, NULL); | 1254 | cuser = buffer_get_string(m, NULL); |
1255 | chost = buffer_get_string(m, NULL); | 1255 | chost = buffer_get_string(m, NULL); |
1256 | blob = buffer_get_string(m, &bloblen); | 1256 | blob = buffer_get_string(m, &bloblen); |
1257 | pubkey_auth_attempt = buffer_get_int(m); | ||
1257 | 1258 | ||
1258 | key = key_from_blob(blob, bloblen); | 1259 | key = key_from_blob(blob, bloblen); |
1259 | 1260 | ||
@@ -1274,19 +1275,19 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1274 | allowed = options.pubkey_authentication && | 1275 | allowed = options.pubkey_authentication && |
1275 | !auth2_userkey_already_used(authctxt, key) && | 1276 | !auth2_userkey_already_used(authctxt, key) && |
1276 | match_pattern_list(sshkey_ssh_name(key), | 1277 | match_pattern_list(sshkey_ssh_name(key), |
1277 | options.pubkey_key_types, | 1278 | options.pubkey_key_types, 0) == 1 && |
1278 | strlen(options.pubkey_key_types), 0) == 1 && | 1279 | user_key_allowed(authctxt->pw, key, |
1279 | user_key_allowed(authctxt->pw, key); | 1280 | pubkey_auth_attempt); |
1280 | pubkey_auth_info(authctxt, key, NULL); | 1281 | pubkey_auth_info(authctxt, key, NULL); |
1281 | auth_method = "publickey"; | 1282 | auth_method = "publickey"; |
1282 | if (options.pubkey_authentication && allowed != 1) | 1283 | if (options.pubkey_authentication && |
1284 | (!pubkey_auth_attempt || allowed != 1)) | ||
1283 | auth_clear_options(); | 1285 | auth_clear_options(); |
1284 | break; | 1286 | break; |
1285 | case MM_HOSTKEY: | 1287 | case MM_HOSTKEY: |
1286 | allowed = options.hostbased_authentication && | 1288 | allowed = options.hostbased_authentication && |
1287 | match_pattern_list(sshkey_ssh_name(key), | 1289 | match_pattern_list(sshkey_ssh_name(key), |
1288 | options.hostbased_key_types, | 1290 | options.hostbased_key_types, 0) == 1 && |
1289 | strlen(options.hostbased_key_types), 0) == 1 && | ||
1290 | hostbased_key_allowed(authctxt->pw, | 1291 | hostbased_key_allowed(authctxt->pw, |
1291 | cuser, chost, key); | 1292 | cuser, chost, key); |
1292 | pubkey_auth_info(authctxt, key, | 1293 | pubkey_auth_info(authctxt, key, |
@@ -1533,6 +1534,9 @@ mm_record_login(Session *s, struct passwd *pw) | |||
1533 | socklen_t fromlen; | 1534 | socklen_t fromlen; |
1534 | struct sockaddr_storage from; | 1535 | struct sockaddr_storage from; |
1535 | 1536 | ||
1537 | if (options.use_login) | ||
1538 | return; | ||
1539 | |||
1536 | /* | 1540 | /* |
1537 | * Get IP address of client. If the connection is not a socket, let | 1541 | * Get IP address of client. If the connection is not a socket, let |
1538 | * the address be 0.0.0.0. | 1542 | * the address be 0.0.0.0. |
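Review bot: In mm_answer_keyallowed, `pubkey_auth_attempt` is read straight from the message sent by the unprivileged child (`pubkey_auth_attempt = buffer_get_int(m);`) and then steers both the third argument of `user_key_allowed()` and whether `auth_clear_options()` runs, yet nothing at the read records what the monitor may assume about it. Because the monitor's job is to distrust that child, I would add a comment at the read such as `/* from the unprivileged child, so untrusted: nonzero marks a real authentication attempt */` (the meaning is inferred from the name and from the `!pubkey_auth_attempt || allowed != 1` test), and confirm that `user_key_allowed()`, which is not shown here, reaches the same allow/deny decision for either value, since `allowed` is still computed when the flag is 0. The read also sits ahead of the per-type cases (`case MM_HOSTKEY:` is visible further down), so host-based requests must carry the extra int too; the sending side is outside this diff, which is limited to monitor.c, and should be checked to match. The function starts and ends outside the visible hunks.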