1 files changed, 71 insertions, 2 deletions
diff --git a/monitor.c b/monitor.c
index b7463400e..301e150b3 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.62 2005/01/30 11:18:08 dtucker Exp $");
 #include <openssl/dh.h>
@@ -143,6 +143,11 @@ int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
 #endif
+#ifdef SSH_AUDIT_EVENTS
+int mm_answer_audit_event(int, Buffer *);
+int mm_answer_audit_command(int, Buffer *);
+#endif
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;   /* used for ssh1 rsa auth */
@@ -186,6 +191,9 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+#endif
 #ifdef BSD_AUTH
    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
@@ -211,6 +219,10 @@ struct mon_table mon_dispatch_postauth20[] = {
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
    {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
    {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
+#endif
    {0, 0, NULL}
 };
@@ -239,6 +251,9 @@ struct mon_table mon_dispatch_proto15[] = {
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+#endif
    {0, 0, NULL}
 };
@@ -246,6 +261,10 @@ struct mon_table mon_dispatch_postauth15[] = {
    {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
    {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
    {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
+#endif
    {0, 0, NULL}
 };
@@ -609,6 +628,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        if (options.use_pam)
                monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
 #endif
+#ifdef SSH_AUDIT_EVENTS
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
+#endif
        return (0);
 }
@@ -810,6 +832,9 @@ mm_answer_pam_account(int sock, Buffer *m)
        ret = do_pam_account();
        buffer_put_int(m, ret);
+        buffer_append(&loginmsg, "\0", 1);
+        buffer_put_cstring(m, buffer_ptr(&loginmsg));
+        buffer_clear(&loginmsg);
        mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
@@ -1297,7 +1322,7 @@ mm_answer_sesskey(int sock, Buffer *m)
        int rsafail;
        /* Turn off permissions */
-        monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0);
        if ((p = BN_new()) == NULL)
                fatal("%s: BN_new", __func__);
@@ -1488,6 +1513,50 @@ mm_answer_term(int sock, Buffer *req)
        exit(res);
 }
+#ifdef SSH_AUDIT_EVENTS
+/* Report that an audit event occurred */
+int
+mm_answer_audit_event(int socket, Buffer *m)
+{
+        ssh_audit_event_t event;
+        debug3("%s entering", __func__);
+        event = buffer_get_int(m);
+        buffer_free(m);
+        switch(event) {
+        case SSH_AUTH_FAIL_PUBKEY:
+        case SSH_AUTH_FAIL_HOSTBASED:
+        case SSH_AUTH_FAIL_GSSAPI:
+        case SSH_LOGIN_EXCEED_MAXTRIES:
+        case SSH_LOGIN_ROOT_DENIED:
+        case SSH_CONNECTION_CLOSE:
+        case SSH_INVALID_USER:
+                audit_event(event);
+                break;
+        default:
+                fatal("Audit event type %d not permitted", event);
+        }
+        return (0);
+}
+int
+mm_answer_audit_command(int socket, Buffer *m)
+{
+        u_int len;
+        char *cmd;
+        debug3("%s entering", __func__);
+        cmd = buffer_get_string(m, &len);
+        /* sanity check command, if so how? */
+        audit_run_command(cmd);
+        xfree(cmd);
+        buffer_free(m);
+        return (0);
+}
+#endif /* SSH_AUDIT_EVENTS */
 void
 monitor_apply_keystate(struct monitor *pmonitor)
 {

diff --git a/monitor.c b/monitor.c index b7463400e..301e150b3 100644 --- a/monitor.c +++ b/monitor.c
@@ -25,7 +25,7 @@
25	*/	25	*/
26		26
27	#include "includes.h"	27	#include "includes.h"
28	RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");	28	RCSID("$OpenBSD: monitor.c,v 1.62 2005/01/30 11:18:08 dtucker Exp $");
29		29
30	#include <openssl/dh.h>	30	#include <openssl/dh.h>
31		31
@@ -143,6 +143,11 @@ int mm_answer_gss_userok(int, Buffer *);
143	int mm_answer_gss_checkmic(int, Buffer *);	143	int mm_answer_gss_checkmic(int, Buffer *);
144	#endif	144	#endif
145		145
		146	#ifdef SSH_AUDIT_EVENTS
		147	int mm_answer_audit_event(int, Buffer *);
		148	int mm_answer_audit_command(int, Buffer *);
		149	#endif
		150
146	static Authctxt *authctxt;	151	static Authctxt *authctxt;
147	static BIGNUM ssh1_challenge = NULL; / used for ssh1 rsa auth */	152	static BIGNUM ssh1_challenge = NULL; / used for ssh1 rsa auth */
148		153
@@ -186,6 +191,9 @@ struct mon_table mon_dispatch_proto20[] = {
186	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	191	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
187	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},	192	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
188	#endif	193	#endif
		194	#ifdef SSH_AUDIT_EVENTS
		195	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		196	#endif
189	#ifdef BSD_AUTH	197	#ifdef BSD_AUTH
190	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},	198	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
191	{MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},	199	{MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
@@ -211,6 +219,10 @@ struct mon_table mon_dispatch_postauth20[] = {
211	{MONITOR_REQ_PTY, 0, mm_answer_pty},	219	{MONITOR_REQ_PTY, 0, mm_answer_pty},
212	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},	220	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
213	{MONITOR_REQ_TERM, 0, mm_answer_term},	221	{MONITOR_REQ_TERM, 0, mm_answer_term},
		222	#ifdef SSH_AUDIT_EVENTS
		223	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		224	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
		225	#endif
214	{0, 0, NULL}	226	{0, 0, NULL}
215	};	227	};
216		228
@@ -239,6 +251,9 @@ struct mon_table mon_dispatch_proto15[] = {
239	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	251	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
240	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},	252	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
241	#endif	253	#endif
		254	#ifdef SSH_AUDIT_EVENTS
		255	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		256	#endif
242	{0, 0, NULL}	257	{0, 0, NULL}
243	};	258	};
244		259
@@ -246,6 +261,10 @@ struct mon_table mon_dispatch_postauth15[] = {
246	{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},	261	{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
247	{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},	262	{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
248	{MONITOR_REQ_TERM, 0, mm_answer_term},	263	{MONITOR_REQ_TERM, 0, mm_answer_term},
		264	#ifdef SSH_AUDIT_EVENTS
		265	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		266	{MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
		267	#endif
249	{0, 0, NULL}	268	{0, 0, NULL}
250	};	269	};
251		270
@@ -609,6 +628,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
609	if (options.use_pam)	628	if (options.use_pam)
610	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);	629	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
611	#endif	630	#endif
		631	#ifdef SSH_AUDIT_EVENTS
		632	monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
		633	#endif
612		634
613	return (0);	635	return (0);
614	}	636	}
@@ -810,6 +832,9 @@ mm_answer_pam_account(int sock, Buffer *m)
810	ret = do_pam_account();	832	ret = do_pam_account();
811		833
812	buffer_put_int(m, ret);	834	buffer_put_int(m, ret);
		835	buffer_append(&loginmsg, "\0", 1);
		836	buffer_put_cstring(m, buffer_ptr(&loginmsg));
		837	buffer_clear(&loginmsg);
813		838
814	mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);	839	mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
815		840
@@ -1297,7 +1322,7 @@ mm_answer_sesskey(int sock, Buffer *m)
1297	int rsafail;	1322	int rsafail;
1298		1323
1299	/* Turn off permissions */	1324	/* Turn off permissions */
1300	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);	1325	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0);
1301		1326
1302	if ((p = BN_new()) == NULL)	1327	if ((p = BN_new()) == NULL)
1303	fatal("%s: BN_new", __func__);	1328	fatal("%s: BN_new", __func__);
@@ -1488,6 +1513,50 @@ mm_answer_term(int sock, Buffer *req)
1488	exit(res);	1513	exit(res);
1489	}	1514	}
1490		1515
		1516	#ifdef SSH_AUDIT_EVENTS
		1517	/* Report that an audit event occurred */
		1518	int
		1519	mm_answer_audit_event(int socket, Buffer *m)
		1520	{
		1521	ssh_audit_event_t event;
		1522
		1523	debug3("%s entering", __func__);
		1524
		1525	event = buffer_get_int(m);
		1526	buffer_free(m);
		1527	switch(event) {
		1528	case SSH_AUTH_FAIL_PUBKEY:
		1529	case SSH_AUTH_FAIL_HOSTBASED:
		1530	case SSH_AUTH_FAIL_GSSAPI:
		1531	case SSH_LOGIN_EXCEED_MAXTRIES:
		1532	case SSH_LOGIN_ROOT_DENIED:
		1533	case SSH_CONNECTION_CLOSE:
		1534	case SSH_INVALID_USER:
		1535	audit_event(event);
		1536	break;
		1537	default:
		1538	fatal("Audit event type %d not permitted", event);
		1539	}
		1540
		1541	return (0);
		1542	}
		1543
		1544	int
		1545	mm_answer_audit_command(int socket, Buffer *m)
		1546	{
		1547	u_int len;
		1548	char *cmd;
		1549
		1550	debug3("%s entering", __func__);
		1551	cmd = buffer_get_string(m, &len);
		1552	/* sanity check command, if so how? */
		1553	audit_run_command(cmd);
		1554	xfree(cmd);
		1555	buffer_free(m);
		1556	return (0);
		1557	}
		1558	#endif /* SSH_AUDIT_EVENTS */
		1559
1491	void	1560	void
1492	monitor_apply_keystate(struct monitor *pmonitor)	1561	monitor_apply_keystate(struct monitor *pmonitor)
1493	{	1562	{