From 77fc29eeb382974ae063227c249ee3b98646e38a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 11 Sep 2004 23:07:03 +1000 Subject: - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] Bug #892: Send messages from failing PAM account modules to the client via SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ --- monitor.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'monitor.c') diff --git a/monitor.c b/monitor.c index b7463400e..00d4a785f 100644 --- a/monitor.c +++ b/monitor.c @@ -810,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *m) ret = do_pam_account(); buffer_put_int(m, ret); + buffer_append(&loginmsg, "\0", 1); + buffer_put_cstring(m, buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); -- cgit v1.2.3 From 269a1ea1c80a855d1eb74fccba6dd5c75947c5d2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 3 Feb 2005 00:20:53 +1100 Subject: - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125: (first stage) Add audit instrumentation to sshd, currently disabled by default. with suggestions from and djm@ --- ChangeLog | 6 +++++- Makefile.in | 4 ++-- auth.c | 42 +++++++++++++++++++++++++++++++++++++ auth.h | 1 + auth1.c | 12 +++++++++-- auth2.c | 15 ++++++++++++-- loginrec.c | 9 +++++++- monitor.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ monitor.h | 1 + monitor_wrap.c | 30 +++++++++++++++++++++++++++ monitor_wrap.h | 6 ++++++ session.c | 16 +++++++++++++++ sshd.c | 12 +++++++++++ 13 files changed, 211 insertions(+), 8 deletions(-) (limited to 'monitor.c') diff --git a/ChangeLog b/ChangeLog index 07ae663d7..e2dc30e5a 100644 --- a/ChangeLog +++ b/ChangeLog 
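Review bot: In mm_answer_pam_account the added lines depend on the appended NUL to make `buffer_ptr(&loginmsg)` usable as a C string, and nothing says so; a comment such as `/* NUL-terminate so loginmsg can be sent as a cstring; text comes from PAM modules */` would help. Because `buffer_put_cstring` stops at the first NUL, any message text after an embedded NUL is dropped before `buffer_clear` discards the buffer. The text originates in PAM account modules and, per the commit message, ends up in a banner shown to the client, so the code that displays it (outside this hunk) should treat it as untrusted text that may contain control characters. The function body starts and ends outside the hunk.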
@@ -14,6 +14,10 @@ attempts (currently only for password, kbdint and C/R, only on Linux and HP-UX), based on code from login.c from util-linux. With ashok_kovai at hotmail.com, ok djm@ + - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c + monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125: + (first stage) Add audit instrumentation to sshd, currently disabled by + default. with suggestions from and djm@ 20050201 - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some @@ -2068,4 +2072,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3632 2005/02/02 12:30:24 dtucker Exp $ +$Id: ChangeLog,v 1.3633 2005/02/02 13:20:53 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index 8a1c9f7c0..c6cfef11a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.267 2005/01/18 01:05:18 dtucker Exp $ +# $Id: Makefile.in,v 1.268 2005/02/02 13:20:53 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 diff --git a/auth.c b/auth.c index b6c00c12b..bbf3a54a4 100644 --- a/auth.c +++ b/auth.c 
@@ -51,6 +51,7 @@ RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $"); #include "bufaux.h" #include "packet.h" #include "loginrec.h" +#include "monitor_wrap.h" /* import */ extern ServerOptions options; @@ -251,6 +252,44 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) record_failed_login(authctxt->user, get_canonical_hostname(options.use_dns), "ssh"); #endif +#ifdef AUDIT_EVENTS + if (authenticated == 0 && !authctxt->postponed) { + ssh_audit_event_t event; + + debug3("audit failed auth attempt, method %s euid %d", + method, (int)geteuid()); + /* + * Because the auth loop is used in both monitor and slave, + * we must be careful to send each event only once and with + * enough privs to write the event. + */ + event = audit_classify_auth(method); + switch(event) { + case AUTH_FAIL_NONE: + case AUTH_FAIL_PASSWD: + case AUTH_FAIL_KBDINT: + if (geteuid() == 0) + audit_event(event); + break; + case AUTH_FAIL_PUBKEY: + case AUTH_FAIL_HOSTBASED: + case AUTH_FAIL_GSSAPI: + /* + * This is required to handle the case where privsep + * is enabled but it's root logging in, since + * use_privsep won't be cleared until after a + * successful login. + */ + if (geteuid() == 0) + audit_event(event); + else + PRIVSEP(audit_event(event)); + break; + default: + error("unknown authentication audit event %d", event); + } + } +#endif } /* @@ -476,6 +515,9 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif +#ifdef AUDIT_EVENTS + audit_event(INVALID_USER); +#endif /* AUDIT_EVENTS */ return (NULL); } if (!allowed_user(pw)) diff --git a/auth.h b/auth.h index 6c0089dc7..8d1f93403 100644 --- a/auth.h +++ b/auth.h @@ -130,6 +130,7 @@ int auth_shadow_pwexpired(Authctxt *); #endif #include "auth-pam.h" +#include "audit.h" void remove_kbdint_device(const char *); void disable_forwarding(void); diff --git a/auth1.c b/auth1.c index 2a9d18b9a..aeb5d8cb9 100644 --- a/auth1.c +++ b/auth1.c 
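Review bot: In the auth_log hunk, the first case group (`AUTH_FAIL_NONE`, `AUTH_FAIL_PASSWD`, `AUTH_FAIL_KBDINT`) drops the event without any trace when `geteuid() != 0`, and the `default:` arm only calls `error()`, so a failed attempt whose method does not classify produces no audit record. If the drop is intentional because the privileged process reports these methods itself, say so next to the check, e.g. `/* unprivileged side: the monitor records this event */`; the existing comments explain the once-only rule and the second group only. For the default arm, consider still recording the failure when `geteuid() == 0`, e.g. `audit_event(event);` after the `error()` call, so every failed attempt leaves a record. auth_log's body starts outside the hunk.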
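Review bot: The `audit_event(INVALID_USER)` added to getpwnamallow may record the same failed lookup twice, because the auth2.c hunk in input_userauth_request later in this commit adds `PRIVSEP(audit_event(INVALID_USER))` on what appears to be the path taken when that lookup fails. Whether both run for one request depends on code outside the hunks and needs confirming; if they do, keep one call site and note the choice, e.g. `/* INVALID_USER is audited in getpwnamallow() */`. Duplicate invalid-user records skew any per-source failure counting done on the audit trail. The call here is also made directly, without the euid check or PRIVSEP wrapper used in auth_log, so it relies on getpwnamallow running with enough privilege to write the event.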
@@ -247,8 +247,12 @@ do_authloop(Authctxt *authctxt) #else /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && - !auth_root_allowed(get_authname(type))) + !auth_root_allowed(get_authname(type))) { authenticated = 0; +# ifdef AUDIT_EVENTS + PRIVSEP(audit_event(LOGIN_ROOT_DENIED)); +# endif + } #endif #ifdef USE_PAM @@ -283,8 +287,12 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > options.max_authtries) + if (authctxt->failures++ > options.max_authtries) { +#ifdef AUDIT_EVENTS + PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES)); +#endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } packet_start(SSH_SMSG_FAILURE); packet_send(); diff --git a/auth2.c b/auth2.c index 60e261f7f..2727e0ff5 100644 --- a/auth2.c +++ b/auth2.c @@ -166,6 +166,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) #ifdef USE_PAM if (options.use_pam) PRIVSEP(start_pam(authctxt)); +#endif +#ifdef AUDIT_EVENTS + PRIVSEP(audit_event(INVALID_USER)); #endif } setproctitle("%s%s", authctxt->valid ? user : "unknown", @@ -214,8 +217,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && - !auth_root_allowed(method)) + !auth_root_allowed(method)) { authenticated = 0; +#ifdef AUDIT_EVENTS + PRIVSEP(audit_event(LOGIN_ROOT_DENIED)); +#endif + } #ifdef USE_PAM if (options.use_pam && authenticated) { @@ -255,8 +262,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > options.max_authtries) + if (authctxt->failures++ > options.max_authtries) { +#ifdef AUDIT_EVENTS + PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES)); +#endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); 
diff --git a/loginrec.c b/loginrec.c index e77318ba3..0fa9bdea7 100644 --- a/loginrec.c +++ b/loginrec.c @@ -154,6 +154,7 @@ #include "atomicio.h" #include "packet.h" #include "canohost.h" +#include "auth.h" #ifdef HAVE_UTIL_H # include @@ -163,7 +164,7 @@ # include #endif -RCSID("$Id: loginrec.c,v 1.63 2005/02/02 12:30:25 dtucker Exp $"); +RCSID("$Id: loginrec.c,v 1.64 2005/02/02 13:20:53 dtucker Exp $"); /** ** prototypes for helper functions in this file @@ -442,6 +443,12 @@ login_write(struct logininfo *li) if (li->type == LTYPE_LOGIN && !sys_auth_record_login(li->username,li->hostname,li->line)) logit("Writing login record failed for %s", li->username); +#endif +#ifdef AUDIT_EVENTS + if (li->type == LTYPE_LOGIN) + audit_session_open(li->line); + else if (li->type == LTYPE_LOGOUT) + audit_session_close(li->line); #endif return (0); } diff --git a/monitor.c b/monitor.c index 00d4a785f..ce7784aa1 100644 --- a/monitor.c +++ b/monitor.c @@ -143,6 +143,11 @@ int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); #endif +#ifdef AUDIT_EVENTS +int mm_answer_audit_event(int, Buffer *); +int mm_answer_audit_command(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -186,6 +191,9 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif +#ifdef AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, +#endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond}, 
@@ -211,6 +219,10 @@ struct mon_table mon_dispatch_postauth20[] = { {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, +#endif {0, 0, NULL} }; @@ -238,6 +250,9 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, +#endif +#ifdef AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, #endif {0, 0, NULL} }; @@ -246,6 +261,10 @@ struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, +#endif {0, 0, NULL} }; @@ -609,6 +628,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) if (options.use_pam) monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); #endif +#ifdef AUDIT_EVENTS + monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1); +#endif return (0); } 
@@ -1491,6 +1513,49 @@ mm_answer_term(int sock, Buffer *req) exit(res); } +#ifdef AUDIT_EVENTS +/* Report that an audit event occurred */ +int +mm_answer_audit_event(int socket, Buffer *m) +{ + ssh_audit_event_t event; + + debug3("%s entering", __func__); + + event = buffer_get_int(m); + buffer_free(m); + switch(event) { + case AUTH_FAIL_PUBKEY: + case AUTH_FAIL_HOSTBASED: + case AUTH_FAIL_GSSAPI: + case LOGIN_EXCEED_MAXTRIES: + case LOGIN_ROOT_DENIED: + case CONNECTION_CLOSE: + audit_event(event); + break; + default: + fatal("Audit event type %d not permitted", event); + } + + return (0); +} + +int +mm_answer_audit_command(int socket, Buffer *m) +{ + u_int len; + char *cmd; + + debug3("%s entering", __func__); + cmd = buffer_get_string(m, &len); + /* sanity check command, if so how? */ + audit_run_command(cmd); + xfree(cmd); + buffer_free(m); + return (0); +} +#endif /* AUDIT_EVENTS */ + void monitor_apply_keystate(struct monitor *pmonitor) { diff --git a/monitor.h b/monitor.h index 621a4ad18..13ce3e1ca 100644 --- a/monitor.h +++ b/monitor.h @@ -59,6 +59,7 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, + MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, MONITOR_REQ_TERM }; diff --git a/monitor_wrap.c b/monitor_wrap.c index 23857639b..983b24072 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c 
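Review bot: mm_answer_audit_command hands a string received from the unprivileged child straight to `audit_run_command()` in the monitor, and the `/* sanity check command, if so how? */` placeholder leaves `len` unused. At minimum bound the length before use, e.g. `if (len > AUDIT_CMD_MAX) fatal("%s: command too long", __func__);` (`AUDIT_CMD_MAX` is a placeholder name, not an existing constant), and document that audit back ends must treat `cmd` as untrusted text that can contain newlines or control characters. In the dispatch-table hunks of this commit the request is `MON_PERMIT` without `MON_ONCE` in mon_dispatch_postauth20, so the number of such records per session is not limited either. Separately, both new handlers name their first parameter `socket`, which shadows socket(2); the other handlers visible on this page use `sock`.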
@@ -1103,6 +1103,36 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } +#ifdef AUDIT_EVENTS +void +mm_audit_event(ssh_audit_event_t event) +{ + Buffer m; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_int(&m, event); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m); + buffer_free(&m); +} + +void +mm_audit_run_command(const char *command) +{ + Buffer m; + + debug3("%s entering command %s", __func__, command); + + buffer_init(&m); + buffer_put_cstring(&m, command); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); + buffer_free(&m); +} +#endif /* AUDIT_EVENTS */ + #ifdef GSSAPI OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) diff --git a/monitor_wrap.h b/monitor_wrap.h index e5cf5718c..7ed241aa8 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -74,6 +74,12 @@ int mm_sshpam_respond(void *, u_int, char **); void mm_sshpam_free_ctx(void *); #endif +#ifdef AUDIT_EVENTS +#include "audit.h" +void mm_audit_event(ssh_audit_event_t); +void mm_audit_run_command(const char *); +#endif + struct Session; void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); diff --git a/session.c b/session.c index 4d7ac9de7..b645144c5 100644 --- a/session.c +++ b/session.c @@ -665,6 +665,18 @@ do_exec(Session *s, const char *command) debug("Forced command '%.900s'", command); } +#ifdef AUDIT_EVENTS + if (command != NULL) + PRIVSEP(audit_run_command(command)); + else if (s->ttyfd == -1) { + char *shell = s->pw->pw_shell; + + if (shell[0] == '\0') /* empty shell means /bin/sh */ + shell =_PATH_BSHELL; + PRIVSEP(audit_run_command(shell)); + } +#endif + #ifdef GSSAPI if (options.gss_authentication) { temporarily_use_uid(s->pw); @@ -2321,6 +2333,10 @@ do_cleanup(Authctxt *authctxt) } #endif +#ifdef AUDIT_EVENTS + PRIVSEP(audit_event(CONNECTION_CLOSE)); +#endif + /* remove agent socket */ auth_sock_cleanup_proc(authctxt->pw); 
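Review bot: In mm_audit_run_command, `debug3("%s entering command %s", __func__, command);` writes the whole command line to the debug log with no length cap, unlike the `'%.900s'` used in the do_exec context of this commit. Command lines can carry credentials or tokens as arguments, so cap it the same way, e.g. `debug3("%s entering command %.200s", __func__, command);`. Both new wrappers send the request and free the buffer without reading a reply, so the caller cannot tell whether the monitor recorded the event; a one-line comment stating that this is deliberate would help.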
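Review bot: In the do_exec hunk nothing is passed to `audit_run_command` when `command == NULL` and `s->ttyfd != -1`, and the reason is not stated. If the interactive case is meant to be covered by the session-open record added in loginrec.c, say so, e.g. `/* shell on a tty is recorded by audit_session_open() */`, so a later reader does not take it for a gap in the audit trail. The assignment `shell =_PATH_BSHELL;` is also missing a space after `=`. do_exec's body starts and ends outside the hunk.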
diff --git a/sshd.c b/sshd.c index 23d6962c0..e61870ea5 100644 --- a/sshd.c +++ b/sshd.c @@ -1628,6 +1628,9 @@ main(int ac, char **av) remote_port = get_remote_port(); remote_ip = get_remote_ipaddr(); +#ifdef AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); +#endif #ifdef LIBWRAP /* Check whether logins are denied from this host. */ if (packet_connection_is_on_socket()) { @@ -1697,6 +1700,10 @@ main(int ac, char **av) } authenticated: +#ifdef AUDIT_EVENTS + audit_event(AUTH_SUCCESS); +#endif + /* * In privilege separation, we fork another child and prepare * file descriptor passing. @@ -2010,5 +2017,10 @@ cleanup_exit(int i) { if (the_authctxt) do_cleanup(the_authctxt); +#ifdef AUDIT_EVENTS + /* done after do_cleanup so it can cancel the PAM auth 'thread' */ + if (!use_privsep || mm_is_monitor()) + audit_event(CONNECTION_ABANDON); +#endif _exit(i); } -- cgit v1.2.3 From 598ba7b5e20e8b4cb023069ad86a97b4032aa3da Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 4 Feb 2005 15:05:08 +1100 Subject: - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too. --- ChangeLog | 5 ++++- monitor.c | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'monitor.c') diff --git a/ChangeLog b/ChangeLog index 448f3d1c3..c8f65b46b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20050204 + - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too. + 20050202 - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@ @@ -2072,4 +2075,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3634 2005/02/03 04:07:37 dtucker Exp $ +$Id: ChangeLog,v 1.3635 2005/02/04 04:05:08 dtucker Exp $ diff --git a/monitor.c b/monitor.c index ce7784aa1..04534d759 100644 --- a/monitor.c +++ b/monitor.c 
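Review bot: In cleanup_exit, `audit_event(CONNECTION_ABANDON)` is guarded only by `!use_privsep || mm_is_monitor()`, so from the visible lines it fires on every exit through this function, not only for connections that never authenticated. audit.h in this series describes the event as closed without completing auth, so audit consumers may see abandon records for sessions that did log in. Consider adding the authentication state held in `the_authctxt` to the condition, or, if the broader meaning is intended, state it in the comment, e.g. `/* emitted on every cleanup_exit, including after a completed login */`. Whether do_cleanup or an earlier return already filters this is outside the hunk.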
@@ -1531,6 +1531,7 @@ mm_answer_audit_event(int socket, Buffer *m) case LOGIN_EXCEED_MAXTRIES: case LOGIN_ROOT_DENIED: case CONNECTION_CLOSE: + case INVALID_USER: audit_event(event); break; default: -- cgit v1.2.3 From 2e0cf0dca20e56eb5d95a80ba0004769c5bc4ba7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 8 Feb 2005 21:52:47 +1100 Subject: - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit defines and enums with SSH_ to prevent namespace collisions on some platforms (eg AIX). --- ChangeLog | 6 +++++- audit.c | 56 ++++++++++++++++++++++++++++---------------------------- audit.h | 30 +++++++++++++++--------------- auth.c | 20 ++++++++++---------- auth1.c | 8 ++++---- auth2.c | 12 ++++++------ loginrec.c | 4 ++-- monitor.c | 30 +++++++++++++++--------------- monitor_wrap.c | 4 ++-- monitor_wrap.h | 2 +- session.c | 6 +++--- sshd.c | 10 +++++----- 12 files changed, 96 insertions(+), 92 deletions(-) (limited to 'monitor.c') diff --git a/ChangeLog b/ChangeLog index 89424da03..60e5374ee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ regress tests so newer versions of GNU head(1) behave themselves. Patch by djm, so ok me. - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings. + - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c + monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit + defines and enums with SSH_ to prevent namespace collisions on some + platforms (eg AIX). 20050204 - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too. @@ -2082,4 +2086,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3638 2005/02/08 10:06:55 dtucker Exp $ +$Id: ChangeLog,v 1.3639 2005/02/08 10:52:47 dtucker Exp $ diff --git a/audit.c b/audit.c index 13852a05e..18fc41047 100644 --- a/audit.c 
+++ b/audit.c @@ -1,4 +1,4 @@ -/* $Id: audit.c,v 1.1 2005/02/02 13:37:14 dtucker Exp $ */ +/* $Id: audit.c,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -26,7 +26,7 @@ #include "includes.h" -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS #include "audit.h" #include "log.h" @@ -44,22 +44,22 @@ ssh_audit_event_t audit_classify_auth(const char *method) { if (strcmp(method, "none") == 0) - return AUTH_FAIL_NONE; + return SSH_AUTH_FAIL_NONE; else if (strcmp(method, "password") == 0) - return AUTH_FAIL_PASSWD; + return SSH_AUTH_FAIL_PASSWD; else if (strcmp(method, "publickey") == 0 || strcmp(method, "rsa") == 0) - return AUTH_FAIL_PUBKEY; + return SSH_AUTH_FAIL_PUBKEY; else if (strncmp(method, "keyboard-interactive", 20) == 0 || strcmp(method, "challenge-response") == 0) - return AUTH_FAIL_KBDINT; + return SSH_AUTH_FAIL_KBDINT; else if (strcmp(method, "hostbased") == 0 || strcmp(method, "rhosts-rsa") == 0) - return AUTH_FAIL_HOSTBASED; + return SSH_AUTH_FAIL_HOSTBASED; else if (strcmp(method, "gssapi-with-mic") == 0) - return AUTH_FAIL_GSSAPI; + return SSH_AUTH_FAIL_GSSAPI; else - return AUDIT_UNKNOWN; + return SSH_AUDIT_UNKNOWN; } /* helper to return supplied username */ 
@@ -84,32 +84,32 @@ audit_event_lookup(ssh_audit_event_t ev) ssh_audit_event_t event; const char *name; } event_lookup[] = { - {LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, - {LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, - {AUTH_SUCCESS, "AUTH_SUCCESS"}, - {AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, - {AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, - {AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, - {AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, - {AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, - {AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, - {INVALID_USER, "INVALID_USER"}, - {NOLOGIN, "NOLOGIN"}, - {CONNECTION_CLOSE, "CONNECTION_CLOSE"}, - {CONNECTION_ABANDON, "CONNECTION_ABANDON"}, - {AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} + {SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, + {SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, + {SSH_AUTH_SUCCESS, "AUTH_SUCCESS"}, + {SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, + {SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, + {SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, + {SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, + {SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, + {SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, + {SSH_INVALID_USER, "INVALID_USER"}, + {SSH_NOLOGIN, "NOLOGIN"}, + {SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"}, + {SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"}, + {SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} }; - for (i = 0; event_lookup[i].event != AUDIT_UNKNOWN; i++) + for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++) if (event_lookup[i].event == ev) break; return(event_lookup[i].name); } -# ifndef CUSTOM_AUDIT_EVENTS +# ifndef CUSTOM_SSH_AUDIT_EVENTS /* * Null implementations of audit functions. - * These get used if AUDIT_EVENTS is defined but no audit module is enabled. + * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled. */ /* 
@@ -177,5 +177,5 @@ audit_run_command(const char *command) debug("audit run command euid %d user %s command '%.200s'", geteuid(), audit_username(), command); } -# endif /* !defined CUSTOM_AUDIT_EVENTS */ -#endif /* AUDIT_EVENTS */ +# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */ diff --git a/audit.h b/audit.h index 2c1437391..78e58966f 100644 --- a/audit.h +++ b/audit.h @@ -1,4 +1,4 @@ -/* $Id: audit.h,v 1.1 2005/02/02 13:37:14 dtucker Exp $ */ +/* $Id: audit.h,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -29,20 +29,20 @@ #ifndef _SSH_AUDIT_H # define _SSH_AUDIT_H enum ssh_audit_event_type { - LOGIN_EXCEED_MAXTRIES, - LOGIN_ROOT_DENIED, - AUTH_SUCCESS, - AUTH_FAIL_NONE, - AUTH_FAIL_PASSWD, - AUTH_FAIL_KBDINT, /* keyboard-interactive or challenge-response */ - AUTH_FAIL_PUBKEY, /* ssh2 pubkey or ssh1 rsa */ - AUTH_FAIL_HOSTBASED, /* ssh2 hostbased or ssh1 rhostsrsa */ - AUTH_FAIL_GSSAPI, - INVALID_USER, - NOLOGIN, /* denied by /etc/nologin, not implemented */ - CONNECTION_CLOSE, /* closed after attempting auth or session */ - CONNECTION_ABANDON, /* closed without completing auth */ - AUDIT_UNKNOWN + SSH_LOGIN_EXCEED_MAXTRIES, + SSH_LOGIN_ROOT_DENIED, + SSH_AUTH_SUCCESS, + SSH_AUTH_FAIL_NONE, + SSH_AUTH_FAIL_PASSWD, + SSH_AUTH_FAIL_KBDINT, /* keyboard-interactive or challenge-response */ + SSH_AUTH_FAIL_PUBKEY, /* ssh2 pubkey or ssh1 rsa */ + SSH_AUTH_FAIL_HOSTBASED, /* ssh2 hostbased or ssh1 rhostsrsa */ + SSH_AUTH_FAIL_GSSAPI, + SSH_INVALID_USER, + SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */ + SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */ + SSH_CONNECTION_ABANDON, /* closed without completing auth */ + SSH_AUDIT_UNKNOWN }; typedef enum ssh_audit_event_type ssh_audit_event_t; diff --git a/auth.c b/auth.c index 4b62ad8f7..e6dcab209 100644 --- a/auth.c +++ b/auth.c 
@@ -252,7 +252,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) record_failed_login(authctxt->user, get_canonical_hostname(options.use_dns), "ssh"); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) { ssh_audit_event_t event; @@ -265,15 +265,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) */ event = audit_classify_auth(method); switch(event) { - case AUTH_FAIL_NONE: - case AUTH_FAIL_PASSWD: - case AUTH_FAIL_KBDINT: + case SSH_AUTH_FAIL_NONE: + case SSH_AUTH_FAIL_PASSWD: + case SSH_AUTH_FAIL_KBDINT: if (geteuid() == 0) audit_event(event); break; - case AUTH_FAIL_PUBKEY: - case AUTH_FAIL_HOSTBASED: - case AUTH_FAIL_GSSAPI: + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: /* * This is required to handle the case where privsep * is enabled but it's root logging in, since @@ -515,9 +515,9 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif -#ifdef AUDIT_EVENTS - audit_event(INVALID_USER); -#endif /* AUDIT_EVENTS */ +#ifdef SSH_AUDIT_EVENTS + audit_event(SSH_INVALID_USER); +#endif /* SSH_AUDIT_EVENTS */ return (NULL); } if (!allowed_user(pw)) diff --git a/auth1.c b/auth1.c index aeb5d8cb9..d08928455 100644 --- a/auth1.c +++ b/auth1.c @@ -249,8 +249,8 @@ do_authloop(Authctxt *authctxt) if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) { authenticated = 0; -# ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_ROOT_DENIED)); +# ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); # endif } #endif @@ -288,8 +288,8 @@ do_authloop(Authctxt *authctxt) return; if (authctxt->failures++ > options.max_authtries) { -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } 
diff --git a/auth2.c b/auth2.c index 2727e0ff5..2265d311e 100644 --- a/auth2.c +++ b/auth2.c @@ -167,8 +167,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (options.use_pam) PRIVSEP(start_pam(authctxt)); #endif -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(INVALID_USER)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_INVALID_USER)); #endif } setproctitle("%s%s", authctxt->valid ? user : "unknown", @@ -219,8 +219,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) { authenticated = 0; -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_ROOT_DENIED)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); #endif } @@ -263,8 +263,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authctxt->success = 1; } else { if (authctxt->failures++ > options.max_authtries) { -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } diff --git a/loginrec.c b/loginrec.c index 0fa9bdea7..c033582ad 100644 --- a/loginrec.c +++ b/loginrec.c @@ -164,7 +164,7 @@ # include #endif -RCSID("$Id: loginrec.c,v 1.64 2005/02/02 13:20:53 dtucker Exp $"); +RCSID("$Id: loginrec.c,v 1.65 2005/02/08 10:52:48 dtucker Exp $"); /** ** prototypes for helper functions in this file @@ -444,7 +444,7 @@ login_write(struct logininfo *li) !sys_auth_record_login(li->username,li->hostname,li->line)) logit("Writing login record failed for %s", li->username); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS if (li->type == LTYPE_LOGIN) audit_session_open(li->line); else if (li->type == LTYPE_LOGOUT) diff --git a/monitor.c b/monitor.c index 04534d759..d6df656b0 100644 --- a/monitor.c +++ b/monitor.c 
@@ -143,7 +143,7 @@ int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_command(int, Buffer *); #endif @@ -191,7 +191,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, #endif #ifdef BSD_AUTH @@ -219,7 +219,7 @@ struct mon_table mon_dispatch_postauth20[] = { {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, #endif @@ -251,7 +251,7 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, #endif {0, 0, NULL} @@ -261,7 +261,7 @@ struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, #endif @@ -628,7 +628,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) if (options.use_pam) monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1); #endif 
@@ -1513,7 +1513,7 @@ mm_answer_term(int sock, Buffer *req) exit(res); } -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS /* Report that an audit event occurred */ int mm_answer_audit_event(int socket, Buffer *m) @@ -1525,13 +1525,13 @@ mm_answer_audit_event(int socket, Buffer *m) event = buffer_get_int(m); buffer_free(m); switch(event) { - case AUTH_FAIL_PUBKEY: - case AUTH_FAIL_HOSTBASED: - case AUTH_FAIL_GSSAPI: - case LOGIN_EXCEED_MAXTRIES: - case LOGIN_ROOT_DENIED: - case CONNECTION_CLOSE: - case INVALID_USER: + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: + case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_ROOT_DENIED: + case SSH_CONNECTION_CLOSE: + case SSH_INVALID_USER: audit_event(event); break; default: @@ -1555,7 +1555,7 @@ mm_answer_audit_command(int socket, Buffer *m) buffer_free(m); return (0); } -#endif /* AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */ void monitor_apply_keystate(struct monitor *pmonitor) diff --git a/monitor_wrap.c b/monitor_wrap.c index 983b24072..e1b6512b4 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1103,7 +1103,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS void mm_audit_event(ssh_audit_event_t event) { @@ -1131,7 +1131,7 @@ mm_audit_run_command(const char *command) mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); buffer_free(&m); } -#endif /* AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */ #ifdef GSSAPI OM_uint32 diff --git a/monitor_wrap.h b/monitor_wrap.h index 7ed241aa8..310b42513 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -74,7 +74,7 @@ int mm_sshpam_respond(void *, u_int, char **); void mm_sshpam_free_ctx(void *); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS #include "audit.h" void mm_audit_event(ssh_audit_event_t); void mm_audit_run_command(const char *); diff --git a/session.c b/session.c index b645144c5..a50bfcff7 100644 --- a/session.c 
+++ b/session.c @@ -665,7 +665,7 @@ do_exec(Session *s, const char *command) debug("Forced command '%.900s'", command); } -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); else if (s->ttyfd == -1) { @@ -2333,8 +2333,8 @@ do_cleanup(Authctxt *authctxt) } #endif -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(CONNECTION_CLOSE)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_CONNECTION_CLOSE)); #endif /* remove agent socket */ diff --git a/sshd.c b/sshd.c index e61870ea5..6b379521b 100644 --- a/sshd.c +++ b/sshd.c @@ -1628,7 +1628,7 @@ main(int ac, char **av) remote_port = get_remote_port(); remote_ip = get_remote_ipaddr(); -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); #endif #ifdef LIBWRAP @@ -1700,8 +1700,8 @@ main(int ac, char **av) } authenticated: -#ifdef AUDIT_EVENTS - audit_event(AUTH_SUCCESS); +#ifdef SSH_AUDIT_EVENTS + audit_event(SSH_AUTH_SUCCESS); #endif /* @@ -2017,10 +2017,10 @@ cleanup_exit(int i) { if (the_authctxt) do_cleanup(the_authctxt); -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS /* done after do_cleanup so it can cancel the PAM auth 'thread' */ if (!use_privsep || mm_is_monitor()) - audit_event(CONNECTION_ABANDON); + audit_event(SSH_CONNECTION_ABANDON); #endif _exit(i); } -- cgit v1.2.3 From 5b53026f719bc0b2fc13a58ea0b6a0385e373bec Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 9 Feb 2005 09:52:17 +1100 Subject: - dtucker@cvs.openbsd.org 2005/01/30 11:18:08 [monitor.c] Make code match intent; ok djm@ --- ChangeLog | 5 ++++- monitor.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'monitor.c') diff --git a/ChangeLog b/ChangeLog index bc54485a0..9a7351396 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -12,6 +12,9 @@ [ssh_config.5] wording; ok markus@ + - dtucker@cvs.openbsd.org 2005/01/30 11:18:08 + [monitor.c] + Make code match intent; ok djm@ 20050208 - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the @@ -2101,4 +2104,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3642 2005/02/08 22:51:08 dtucker Exp $ +$Id: ChangeLog,v 1.3643 2005/02/08 22:52:17 dtucker Exp $ diff --git a/monitor.c b/monitor.c index d6df656b0..a94e2cd28 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.62 2005/01/30 11:18:08 dtucker Exp $"); #include @@ -1322,7 +1322,7 @@ mm_answer_sesskey(int sock, Buffer *m) int rsafail; /* Turn off permissions */ - monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0); if ((p = BN_new()) == NULL) fatal("%s: BN_new", __func__); -- cgit v1.2.3 From 3745e2bb6261b9ee9408b103b2c003f5320ceff2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 6 Mar 2005 22:31:35 +1100 Subject: - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor when attempting to audit disconnect events. Reported by Phil Dibowitz. --- ChangeLog | 6 +++++- monitor.c | 8 ++++---- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'monitor.c') diff --git a/ChangeLog b/ChangeLog index 941843a73..bf2ca3620 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20050306 + - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor + when attempting to audit disconnect events. Reported by Phil Dibowitz. + 20050305 - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch from vinschen at redhat.com 
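Review bot: The comment `/* Turn off permissions */` above the corrected `monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0)` call in mm_answer_sesskey does not say which request is being disabled or why. Because the last argument is a bare 0/1, a reader cannot check the code against the intent without that. I would spell it out, e.g. `/* Disable MONITOR_REQ_SESSKEY: the unprivileged child must not be able to request another session key */`; the rationale is my reading of the intent and should be confirmed against the dispatch table. The function body continues past the end of this hunk, so the rest of mm_answer_sesskey was not reviewed.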
@@ -2277,4 +2281,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3691 2005/03/05 00:22:50 djm Exp $ +$Id: ChangeLog,v 1.3692 2005/03/06 11:31:35 dtucker Exp $ diff --git a/monitor.c b/monitor.c index a94e2cd28..301e150b3 100644 --- a/monitor.c +++ b/monitor.c @@ -192,7 +192,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif #ifdef SSH_AUDIT_EVENTS - {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, @@ -252,7 +252,7 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif #ifdef SSH_AUDIT_EVENTS - {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, #endif {0, 0, NULL} }; @@ -263,7 +263,7 @@ struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_TERM, 0, mm_answer_term}, #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, - {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, + {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command}, #endif {0, 0, NULL} }; @@ -629,7 +629,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); #endif #ifdef SSH_AUDIT_EVENTS - monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1); #endif return (0); -- cgit v1.2.3
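Review bot: With `MON_PERMIT` now set statically on `MONITOR_REQ_AUDIT_EVENT` in `mon_dispatch_proto20` (and in `mon_dispatch_proto15` in the next hunk), the flags suggest the pre-authentication child may send this request from the start, and, with no `MON_ONCE`, repeatedly. That leaves the event-code switch in `mm_answer_audit_event` as the only check on what that child can put into the audit trail before a user has been looked up, and the table entries do not say so. I would add a comment on both entries, e.g. `/* permitted pre-auth: mm_answer_audit_event() must reject unexpected event codes */`. Both tables start and end outside their hunks, so the other entries were not reviewed.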
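Review bot: `MONITOR_REQ_AUDIT_COMMAND` in `mon_dispatch_postauth15` loses `MON_PERMIT` in the third monitor.c hunk, and the only visible place that enables it again is the new `monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1)` in `mm_answer_pwnamallow` (last hunk), which handles a pre-authentication request. If `mon_dispatch` still points at a pre-auth table at that moment, the call would change nothing and the post-auth request would stay unpermitted; the two pre-auth tables shown above have no AUDIT_COMMAND entry under this `#ifdef`. The code that installs the post-auth table is outside these hunks, so this needs confirming. If it holds, either keep `MON_PERMIT|MON_ONCE` on the table entry or issue the permit where the post-auth table is selected. The hunk also touches only the protocol 1 post-auth table; whether the protocol 2 post-auth table has a matching entry is not visible here.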