Don't skip audit before exitting cleanup_exit

This fixes an issue where the SSH_CONNECTION_ABANDON event is not audited because cleanup_exit overrides the regular _exit too soon and as a result, failed auth attempts are not logged correctly. The problem was introduced in 81c1099d22 where the code from upstream was merged before the audit_event call when it should have been merged right before the _exit call in order to honor the comment that just mentions an override of the exit value.
2025-02-17 22:36:53 +00:00 · 2024-08-23 12:21:06 +02:00 · 2024-08-23 12:21:06 +02:00 · 05f2b141cf
commit 05f2b141cf
parent 16eaf9d401
1 changed files with 3 additions and 3 deletions
--- a/sshd-session.c
+++ b/sshd-session.c
@ -1502,13 +1502,13 @@ cleanup_exit(int i)
 			}
 		}
 	}
-	/* Override default fatal exit value when auth was attempted */
-	if (i == 255 && auth_attempted)
-		_exit(EXIT_AUTH_ATTEMPTED);
 #ifdef SSH_AUDIT_EVENTS
 	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
 	if (the_active_state != NULL && mm_is_monitor())
 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
+	/* Override default fatal exit value when auth was attempted */
+	if (i == 255 && auth_attempted)
+		_exit(EXIT_AUTH_ATTEMPTED);
 	_exit(i);
 }