From 269a1ea1c80a855d1eb74fccba6dd5c75947c5d2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 3 Feb 2005 00:20:53 +1100 Subject: - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125: (first stage) Add audit instrumentation to sshd, currently disabled by default. with suggestions from and djm@ --- monitor_wrap.h | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'monitor_wrap.h') diff --git a/monitor_wrap.h b/monitor_wrap.h index e5cf5718c..7ed241aa8 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -74,6 +74,12 @@ int mm_sshpam_respond(void *, u_int, char **); void mm_sshpam_free_ctx(void *); #endif +#ifdef AUDIT_EVENTS +#include "audit.h" +void mm_audit_event(ssh_audit_event_t); +void mm_audit_run_command(const char *); +#endif + struct Session; void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); -- cgit v1.2.3 From 2e0cf0dca20e56eb5d95a80ba0004769c5bc4ba7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 8 Feb 2005 21:52:47 +1100 Subject: - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit defines and enums with SSH_ to prevent namespace collisions on some platforms (eg AIX). --- ChangeLog | 6 +++++- audit.c | 56 ++++++++++++++++++++++++++++---------------------------- audit.h | 30 +++++++++++++++--------------- auth.c | 20 ++++++++++---------- auth1.c | 8 ++++---- auth2.c | 12 ++++++------ loginrec.c | 4 ++-- monitor.c | 30 +++++++++++++++--------------- monitor_wrap.c | 4 ++-- monitor_wrap.h | 2 +- session.c | 6 +++--- sshd.c | 10 +++++----- 12 files changed, 96 insertions(+), 92 deletions(-) (limited to 'monitor_wrap.h') diff --git a/ChangeLog b/ChangeLog index 89424da03..60e5374ee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ regress tests so newer versions of GNU head(1) behave themselves. Patch by djm, so ok me. - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings. + - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c + monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit + defines and enums with SSH_ to prevent namespace collisions on some + platforms (eg AIX). 20050204 - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too. @@ -2082,4 +2086,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3638 2005/02/08 10:06:55 dtucker Exp $ +$Id: ChangeLog,v 1.3639 2005/02/08 10:52:47 dtucker Exp $ diff --git a/audit.c b/audit.c index 13852a05e..18fc41047 100644 --- a/audit.c +++ b/audit.c @@ -1,4 +1,4 @@ -/* $Id: audit.c,v 1.1 2005/02/02 13:37:14 dtucker Exp $ */ +/* $Id: audit.c,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -26,7 +26,7 @@ #include "includes.h" -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS #include "audit.h" #include "log.h" @@ -44,22 +44,22 @@ ssh_audit_event_t audit_classify_auth(const char *method) { if (strcmp(method, "none") == 0) - return AUTH_FAIL_NONE; + return SSH_AUTH_FAIL_NONE; else if (strcmp(method, "password") == 0) - return AUTH_FAIL_PASSWD; + return SSH_AUTH_FAIL_PASSWD; else if (strcmp(method, "publickey") == 0 || strcmp(method, "rsa") == 0) - return AUTH_FAIL_PUBKEY; + return SSH_AUTH_FAIL_PUBKEY; else if (strncmp(method, "keyboard-interactive", 20) == 0 || strcmp(method, "challenge-response") == 0) - return AUTH_FAIL_KBDINT; + return SSH_AUTH_FAIL_KBDINT; else if (strcmp(method, "hostbased") == 0 || strcmp(method, "rhosts-rsa") == 0) - return AUTH_FAIL_HOSTBASED; + return SSH_AUTH_FAIL_HOSTBASED; else if (strcmp(method, "gssapi-with-mic") == 0) - return AUTH_FAIL_GSSAPI; + return SSH_AUTH_FAIL_GSSAPI; else - return AUDIT_UNKNOWN; + return SSH_AUDIT_UNKNOWN; } /* helper to return supplied username */ @@ -84,32 +84,32 @@ audit_event_lookup(ssh_audit_event_t ev) ssh_audit_event_t event; const char *name; } event_lookup[] = { - {LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, - {LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, - {AUTH_SUCCESS, "AUTH_SUCCESS"}, - {AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, - {AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, - {AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, - {AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, - {AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, - {AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, - {INVALID_USER, "INVALID_USER"}, - {NOLOGIN, "NOLOGIN"}, - {CONNECTION_CLOSE, "CONNECTION_CLOSE"}, - {CONNECTION_ABANDON, "CONNECTION_ABANDON"}, - {AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} + {SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, + {SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, + {SSH_AUTH_SUCCESS, "AUTH_SUCCESS"}, + {SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, + {SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, + {SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, + {SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, + {SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, + {SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, + {SSH_INVALID_USER, "INVALID_USER"}, + {SSH_NOLOGIN, "NOLOGIN"}, + {SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"}, + {SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"}, + {SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} }; - for (i = 0; event_lookup[i].event != AUDIT_UNKNOWN; i++) + for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++) if (event_lookup[i].event == ev) break; return(event_lookup[i].name); } -# ifndef CUSTOM_AUDIT_EVENTS +# ifndef CUSTOM_SSH_AUDIT_EVENTS /* * Null implementations of audit functions. - * These get used if AUDIT_EVENTS is defined but no audit module is enabled. + * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled. */ /* @@ -177,5 +177,5 @@ audit_run_command(const char *command) debug("audit run command euid %d user %s command '%.200s'", geteuid(), audit_username(), command); } -# endif /* !defined CUSTOM_AUDIT_EVENTS */ -#endif /* AUDIT_EVENTS */ +# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */ diff --git a/audit.h b/audit.h index 2c1437391..78e58966f 100644 --- a/audit.h +++ b/audit.h @@ -1,4 +1,4 @@ -/* $Id: audit.h,v 1.1 2005/02/02 13:37:14 dtucker Exp $ */ +/* $Id: audit.h,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -29,20 +29,20 @@ #ifndef _SSH_AUDIT_H # define _SSH_AUDIT_H enum ssh_audit_event_type { - LOGIN_EXCEED_MAXTRIES, - LOGIN_ROOT_DENIED, - AUTH_SUCCESS, - AUTH_FAIL_NONE, - AUTH_FAIL_PASSWD, - AUTH_FAIL_KBDINT, /* keyboard-interactive or challenge-response */ - AUTH_FAIL_PUBKEY, /* ssh2 pubkey or ssh1 rsa */ - AUTH_FAIL_HOSTBASED, /* ssh2 hostbased or ssh1 rhostsrsa */ - AUTH_FAIL_GSSAPI, - INVALID_USER, - NOLOGIN, /* denied by /etc/nologin, not implemented */ - CONNECTION_CLOSE, /* closed after attempting auth or session */ - CONNECTION_ABANDON, /* closed without completing auth */ - AUDIT_UNKNOWN + SSH_LOGIN_EXCEED_MAXTRIES, + SSH_LOGIN_ROOT_DENIED, + SSH_AUTH_SUCCESS, + SSH_AUTH_FAIL_NONE, + SSH_AUTH_FAIL_PASSWD, + SSH_AUTH_FAIL_KBDINT, /* keyboard-interactive or challenge-response */ + SSH_AUTH_FAIL_PUBKEY, /* ssh2 pubkey or ssh1 rsa */ + SSH_AUTH_FAIL_HOSTBASED, /* ssh2 hostbased or ssh1 rhostsrsa */ + SSH_AUTH_FAIL_GSSAPI, + SSH_INVALID_USER, + SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */ + SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */ + SSH_CONNECTION_ABANDON, /* closed without completing auth */ + SSH_AUDIT_UNKNOWN }; typedef enum ssh_audit_event_type ssh_audit_event_t; diff --git a/auth.c b/auth.c index 4b62ad8f7..e6dcab209 100644 --- a/auth.c +++ b/auth.c @@ -252,7 +252,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) record_failed_login(authctxt->user, get_canonical_hostname(options.use_dns), "ssh"); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) { ssh_audit_event_t event; @@ -265,15 +265,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) */ event = audit_classify_auth(method); switch(event) { - case AUTH_FAIL_NONE: - case AUTH_FAIL_PASSWD: - case AUTH_FAIL_KBDINT: + case SSH_AUTH_FAIL_NONE: + case SSH_AUTH_FAIL_PASSWD: + case SSH_AUTH_FAIL_KBDINT: if (geteuid() == 0) audit_event(event); break; - case AUTH_FAIL_PUBKEY: - case AUTH_FAIL_HOSTBASED: - case AUTH_FAIL_GSSAPI: + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: /* * This is required to handle the case where privsep * is enabled but it's root logging in, since @@ -515,9 +515,9 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif -#ifdef AUDIT_EVENTS - audit_event(INVALID_USER); -#endif /* AUDIT_EVENTS */ +#ifdef SSH_AUDIT_EVENTS + audit_event(SSH_INVALID_USER); +#endif /* SSH_AUDIT_EVENTS */ return (NULL); } if (!allowed_user(pw)) diff --git a/auth1.c b/auth1.c index aeb5d8cb9..d08928455 100644 --- a/auth1.c +++ b/auth1.c @@ -249,8 +249,8 @@ do_authloop(Authctxt *authctxt) if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) { authenticated = 0; -# ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_ROOT_DENIED)); +# ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); # endif } #endif @@ -288,8 +288,8 @@ do_authloop(Authctxt *authctxt) return; if (authctxt->failures++ > options.max_authtries) { -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } diff --git a/auth2.c b/auth2.c index 2727e0ff5..2265d311e 100644 --- a/auth2.c +++ b/auth2.c @@ -167,8 +167,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (options.use_pam) PRIVSEP(start_pam(authctxt)); #endif -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(INVALID_USER)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_INVALID_USER)); #endif } setproctitle("%s%s", authctxt->valid ? user : "unknown", @@ -219,8 +219,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) { authenticated = 0; -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_ROOT_DENIED)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); #endif } @@ -263,8 +263,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authctxt->success = 1; } else { if (authctxt->failures++ > options.max_authtries) { -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } diff --git a/loginrec.c b/loginrec.c index 0fa9bdea7..c033582ad 100644 --- a/loginrec.c +++ b/loginrec.c @@ -164,7 +164,7 @@ # include #endif -RCSID("$Id: loginrec.c,v 1.64 2005/02/02 13:20:53 dtucker Exp $"); +RCSID("$Id: loginrec.c,v 1.65 2005/02/08 10:52:48 dtucker Exp $"); /** ** prototypes for helper functions in this file @@ -444,7 +444,7 @@ login_write(struct logininfo *li) !sys_auth_record_login(li->username,li->hostname,li->line)) logit("Writing login record failed for %s", li->username); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS if (li->type == LTYPE_LOGIN) audit_session_open(li->line); else if (li->type == LTYPE_LOGOUT) diff --git a/monitor.c b/monitor.c index 04534d759..d6df656b0 100644 --- a/monitor.c +++ b/monitor.c @@ -143,7 +143,7 @@ int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_command(int, Buffer *); #endif @@ -191,7 +191,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, #endif #ifdef BSD_AUTH @@ -219,7 +219,7 @@ struct mon_table mon_dispatch_postauth20[] = { {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, #endif @@ -251,7 +251,7 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event}, #endif {0, 0, NULL} @@ -261,7 +261,7 @@ struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, #endif @@ -628,7 +628,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) if (options.use_pam) monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1); #endif @@ -1513,7 +1513,7 @@ mm_answer_term(int sock, Buffer *req) exit(res); } -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS /* Report that an audit event occurred */ int mm_answer_audit_event(int socket, Buffer *m) @@ -1525,13 +1525,13 @@ mm_answer_audit_event(int socket, Buffer *m) event = buffer_get_int(m); buffer_free(m); switch(event) { - case AUTH_FAIL_PUBKEY: - case AUTH_FAIL_HOSTBASED: - case AUTH_FAIL_GSSAPI: - case LOGIN_EXCEED_MAXTRIES: - case LOGIN_ROOT_DENIED: - case CONNECTION_CLOSE: - case INVALID_USER: + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: + case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_ROOT_DENIED: + case SSH_CONNECTION_CLOSE: + case SSH_INVALID_USER: audit_event(event); break; default: @@ -1555,7 +1555,7 @@ mm_answer_audit_command(int socket, Buffer *m) buffer_free(m); return (0); } -#endif /* AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */ void monitor_apply_keystate(struct monitor *pmonitor) diff --git a/monitor_wrap.c b/monitor_wrap.c index 983b24072..e1b6512b4 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1103,7 +1103,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS void mm_audit_event(ssh_audit_event_t event) { @@ -1131,7 +1131,7 @@ mm_audit_run_command(const char *command) mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); buffer_free(&m); } -#endif /* AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */ #ifdef GSSAPI OM_uint32 diff --git a/monitor_wrap.h b/monitor_wrap.h index 7ed241aa8..310b42513 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -74,7 +74,7 @@ int mm_sshpam_respond(void *, u_int, char **); void mm_sshpam_free_ctx(void *); #endif -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS #include "audit.h" void mm_audit_event(ssh_audit_event_t); void mm_audit_run_command(const char *); diff --git a/session.c b/session.c index b645144c5..a50bfcff7 100644 --- a/session.c +++ b/session.c @@ -665,7 +665,7 @@ do_exec(Session *s, const char *command) debug("Forced command '%.900s'", command); } -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); else if (s->ttyfd == -1) { @@ -2333,8 +2333,8 @@ do_cleanup(Authctxt *authctxt) } #endif -#ifdef AUDIT_EVENTS - PRIVSEP(audit_event(CONNECTION_CLOSE)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_CONNECTION_CLOSE)); #endif /* remove agent socket */ diff --git a/sshd.c b/sshd.c index e61870ea5..6b379521b 100644 --- a/sshd.c +++ b/sshd.c @@ -1628,7 +1628,7 @@ main(int ac, char **av) remote_port = get_remote_port(); remote_ip = get_remote_ipaddr(); -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); #endif #ifdef LIBWRAP @@ -1700,8 +1700,8 @@ main(int ac, char **av) } authenticated: -#ifdef AUDIT_EVENTS - audit_event(AUTH_SUCCESS); +#ifdef SSH_AUDIT_EVENTS + audit_event(SSH_AUTH_SUCCESS); #endif /* @@ -2017,10 +2017,10 @@ cleanup_exit(int i) { if (the_authctxt) do_cleanup(the_authctxt); -#ifdef AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS /* done after do_cleanup so it can cancel the PAM auth 'thread' */ if (!use_privsep || mm_is_monitor()) - audit_event(CONNECTION_ABANDON); + audit_event(SSH_CONNECTION_ABANDON); #endif _exit(i); } -- cgit v1.2.3