Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c18
1 files changed, 14 insertions, 4 deletions
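--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.76 2006/03/25 13:17:02 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.77 2006/03/30 11:40:21 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -179,6 +179,7 @@ struct mon_table {
 #define MON_ISAUTH 0x0004 /* Required for Authentication */
 #define MON_AUTHDECIDE 0x0008 /* Decides Authentication */
 #define MON_ONCE 0x0010 /* Disable after calling */
+#define MON_ALOG 0x0020 /* Log auth attempt without authenticating */
 
 #define MON_AUTH (MON_ISAUTH|MON_AUTHDECIDE)
 
@@ -239,8 +240,8 @@ struct mon_table mon_dispatch_proto15[] = {
  {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
  {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
  {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
- {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
- {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
+ {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
+ {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
  {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
  {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef BSD_AUTH
@@ -334,6 +335,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
  /* The first few requests do not require asynchronous access */
  while (!authenticated) {
+ auth_method = "unknown";
  authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
  if (authenticated) {
  if (!(ent->flags & MON_AUTHDECIDE))
@@ -356,7 +358,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
  }
 
- if (ent->flags & MON_AUTHDECIDE) {
+ if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
  auth_log(authctxt, authenticated, auth_method,
  compat20 ? " ssh2" : "");
  if (!authenticated)
@@ -366,6 +368,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
  if (!authctxt->valid)
  fatal("%s: authenticated invalid user", __func__);
+ if (strcmp(auth_method, "unknown") == 0)
+ fatal("%s: authentication method name unknown", __func__);
 
  debug("%s: %s has been authenticated by privileged process",
  __func__, authctxt->user);
@@ -992,17 +996,20 @@ mm_answer_keyallowed(int sock, Buffer *m)
  case MM_USERKEY:
  allowed = options.pubkey_authentication &&
  user_key_allowed(authctxt->pw, key);
+ auth_method = "publickey";
  break;
  case MM_HOSTKEY:
  allowed = options.hostbased_authentication &&
  hostbased_key_allowed(authctxt->pw,
  cuser, chost, key);
+ auth_method = "hostbased";
  break;
  case MM_RSAHOSTKEY:
  key->type = KEY_RSA1; /* XXX */
  allowed = options.rhosts_rsa_authentication &&
  auth_rhosts_rsa_key_allowed(authctxt->pw,
  cuser, chost, key);
+ auth_method = "rsa";
  break;
  default:
  fatal("%s: unknown key type %d", __func__, type);
@@ -1023,6 +1030,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
  hostbased_cuser = cuser;
  hostbased_chost = chost;
  } else {
+ /* Log failed attempt */
+ auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
  xfree(blob);
  xfree(cuser);
  xfree(chost);
@@ -1390,6 +1399,7 @@ mm_answer_rsa_keyallowed(int sock, Buffer *m)
 
  debug3("%s entering", __func__);
 
+ auth_method = "rsa";
  if (options.rsa_authentication && authctxt->valid) {
  if ((client_n = BN_new()) == NULL)
  fatal("%s: BN_new", __func__);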
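Review bot: A disallowed key on the protocol-1 dispatch path looks like it is logged twice: the mon_dispatch_proto15 entry for MONITOR_REQ_KEYALLOWED now carries MON_ALOG (new line 244), so monitor_child_preauth calls auth_log for that request (new line 361), while the new else-branch in mm_answer_keyallowed (new line 1034) also calls `auth_log(authctxt, 0, auth_method, ...)` for the same failed MM_RSAHOSTKEY attempt. Unless the handler's return path or monitor_read, both outside these hunks, suppresses one of the calls, each failed rsa attempt over protocol 1 produces two "Failed" log lines, which inflates anything that counts failures from the auth log; dropping MON_ALOG from the proto15 MONITOR_REQ_KEYALLOWED entry, or logging in the handler only for tables without MON_ALOG, would avoid that, and the duplication should be confirmed against the proto20 table, which is not in the diff. The per-iteration reset at new line 338 is what makes the new fatal() at lines 371-372 a fail-closed check, and it deserves a comment such as `/* every MON_AUTHDECIDE handler must set auth_method; the check after the loop aborts otherwise */`. monitor_child_preauth, mm_answer_keyallowed and mm_answer_rsa_keyallowed all begin and end outside the hunks.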