Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 18 |
1 files changed, 14 insertions, 4 deletions
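--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.76 2006/03/25 13:17:02 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.77 2006/03/30 11:40:21 dtucker Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -179,6 +179,7 @@ struct mon_table {
 #define MON_ISAUTH 0x0004 /* Required for Authentication */
 #define MON_AUTHDECIDE 0x0008 /* Decides Authentication */
 #define MON_ONCE 0x0010 /* Disable after calling */
+#define MON_ALOG 0x0020 /* Log auth attempt without authenticating */
 
 #define MON_AUTH (MON_ISAUTH|MON_AUTHDECIDE)
 
@@ -239,8 +240,8 @@ struct mon_table mon_dispatch_proto15[] = {
 {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
 {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-{MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
-{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
+{MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
+{MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
 {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
 {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef BSD_AUTH
@@ -334,6 +335,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
 /* The first few requests do not require asynchronous access */
 while (!authenticated) {
+auth_method = "unknown";
 authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
 if (authenticated) {
 if (!(ent->flags & MON_AUTHDECIDE))
@@ -356,7 +358,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
 }
 
-if (ent->flags & MON_AUTHDECIDE) {
+if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 auth_log(authctxt, authenticated, auth_method,
 compat20 ? " ssh2" : "");
 if (!authenticated)
@@ -366,6 +368,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
 if (!authctxt->valid)
 fatal("%s: authenticated invalid user", __func__);
+if (strcmp(auth_method, "unknown") == 0)
+fatal("%s: authentication method name unknown", __func__);
 
 debug("%s: %s has been authenticated by privileged process",
 __func__, authctxt->user);
@@ -992,17 +996,20 @@ mm_answer_keyallowed(int sock, Buffer *m)
 case MM_USERKEY:
 allowed = options.pubkey_authentication &&
 user_key_allowed(authctxt->pw, key);
+auth_method = "publickey";
 break;
 case MM_HOSTKEY:
 allowed = options.hostbased_authentication &&
 hostbased_key_allowed(authctxt->pw,
 cuser, chost, key);
+auth_method = "hostbased";
 break;
 case MM_RSAHOSTKEY:
 key->type = KEY_RSA1; /* XXX */
 allowed = options.rhosts_rsa_authentication &&
 auth_rhosts_rsa_key_allowed(authctxt->pw,
 cuser, chost, key);
+auth_method = "rsa";
 break;
 default:
 fatal("%s: unknown key type %d", __func__, type);
@@ -1023,6 +1030,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 hostbased_cuser = cuser;
 hostbased_chost = chost;
 } else {
+/* Log failed attempt */
+auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
 xfree(blob);
 xfree(cuser);
 xfree(chost);
@@ -1390,6 +1399,7 @@ mm_answer_rsa_keyallowed(int sock, Buffer *m)
 
 debug3("%s entering", __func__);
 
+auth_method = "rsa";
 if (options.rsa_authentication && authctxt->valid) {
 if ((client_n = BN_new()) == NULL)
 fatal("%s: BN_new", __func__);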
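Review bot: A disallowed key in the proto15 table now looks like it is logged on two paths: the new else branch in mm_answer_keyallowed calls auth_log() itself (the `/* Log failed attempt */` lines), and monitor_child_preauth also calls auth_log() for any dispatch entry carrying MON_ALOG, which mon_dispatch_proto15 now sets on both MONITOR_REQ_KEYALLOWED and MONITOR_REQ_RSAKEYALLOWED. If the handler returns 0 after its own auth_log() call, the same failure is reported twice, and the attempt-failure accounting that follows the `if (!authenticated)` line would then be the only single-counted record; if it also returns 0 when the key is allowed but not yet proven by a signature or challenge, the MON_ALOG branch would emit a "Failed" line for an offer that has not actually failed — the handler's return path is outside these hunks, so this is inferred rather than observed. Whatever the intended split, it is worth stating at the in-handler call so the two logging sites do not drift apart, e.g. `/* Log failed attempt here; entries flagged MON_ALOG are additionally logged by monitor_child_preauth */`. Both monitor_child_preauth and mm_answer_keyallowed start and end outside the hunks shown.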