From f14b2aa6725f93dce537a0d693d3562c53a85b19 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 21 May 2006 18:26:40 +1000 Subject: - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor and slave, we can remove the special-case handling in the audit hook in auth_log. --- ChangeLog | 13 +++++++++---- auth.c | 38 ++------------------------------------ monitor.c | 2 ++ 3 files changed, 13 insertions(+), 40 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8dc22c86b..767208bf3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,8 +1,13 @@ -20050517 +20060521 + - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor + and slave, we can remove the special-case handling in the audit hook in + auth_log. + +20060517 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file pointer leak. From kjhall at us.ibm.com, found by coverity. -20050515 +20060515 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of _res, prevents problems on some platforms that have _res as a global but don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by @@ -12,7 +17,7 @@ - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and do not allow kbdint again after the PAM account check fails. ok djm@ -20050506 +20060506 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2006/04/25 08:02:27 [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c] @@ -4625,4 +4630,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4329 2006/05/17 12:24:56 dtucker Exp $ +$Id: ChangeLog,v 1.4330 2006/05/21 08:26:40 dtucker Exp $ diff --git a/auth.c b/auth.c index e43c81658..ffa94e886 100644 --- a/auth.c +++ b/auth.c @@ -271,42 +271,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) get_canonical_hostname(options.use_dns), "ssh"); #endif #ifdef SSH_AUDIT_EVENTS - if (authenticated == 0 && !authctxt->postponed) { - ssh_audit_event_t event; - - debug3("audit failed auth attempt, method %s euid %d", - method, (int)geteuid()); - /* - * Because the auth loop is used in both monitor and slave, - * we must be careful to send each event only once and with - * enough privs to write the event. - */ - event = audit_classify_auth(method); - switch(event) { - case SSH_AUTH_FAIL_NONE: - case SSH_AUTH_FAIL_PASSWD: - case SSH_AUTH_FAIL_KBDINT: - if (geteuid() == 0) - audit_event(event); - break; - case SSH_AUTH_FAIL_PUBKEY: - case SSH_AUTH_FAIL_HOSTBASED: - case SSH_AUTH_FAIL_GSSAPI: - /* - * This is required to handle the case where privsep - * is enabled but it's root logging in, since - * use_privsep won't be cleared until after a - * successful login. - */ - if (geteuid() == 0) - audit_event(event); - else - PRIVSEP(audit_event(event)); - break; - default: - error("unknown authentication audit event %d", event); - } - } + if (authenticated == 0 && !authctxt->postponed) + audit_event(audit_classify_auth(method)); #endif } diff --git a/monitor.c b/monitor.c index 4b8287d85..08919ddfc 100644 --- a/monitor.c +++ b/monitor.c @@ -909,6 +909,7 @@ mm_answer_pam_query(int sock, Buffer *m) xfree(prompts); if (echo_on != NULL) xfree(echo_on); + auth_method = "keyboard-interactive/pam"; mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); return (0); } @@ -951,6 +952,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) (sshpam_device.free_ctx)(sshpam_ctxt); buffer_clear(m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + auth_method = "keyboard-interactive/pam"; return (sshpam_authok == sshpam_ctxt); } #endif -- cgit v1.2.3