From 7cd7f302d3a072748299f362f9e241d81fcecd26 Mon Sep 17 00:00:00 2001
From: Vincent Brillault
Date: Sun, 24 May 2020 09:15:06 +0200
Subject: [PATCH] auth_log: dont log partial successes as failures
By design, 'partial' logins are successful logins, so initially with authenticated set to 1, for which another authentication is required. As a result, authenticated is always reset to 0 when partial is set to 1. However, even if authenticated is 0, those are not failed login attempts, similarly to attempts with authctxt->postponed set to 1.
---
 auth.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/auth.c b/auth.c
index b560eed14..929f59a9d 100644
--- a/auth.c
+++ b/auth.c
@@ -352,23 +352,26 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
 	free(extra);
-#ifdef CUSTOM_FAILED_LOGIN
-	if (authenticated == 0 && !authctxt->postponed &&
-	    (strcmp(method, "password") == 0 ||
-	    strncmp(method, "keyboard-interactive", 20) == 0 ||
-	    strcmp(method, "challenge-response") == 0))
-		record_failed_login(ssh, authctxt->user,
-		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
-# ifdef WITH_AIXAUTHENTICATE
+#if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
+	if (authenticated == 0 && !(authctxt->postponed || partial)) {
+		/* Log failed login attempt */
+# ifdef CUSTOM_FAILED_LOGIN
+		if (strcmp(method, "password") == 0 ||
+		    strncmp(method, "keyboard-interactive", 20) == 0 ||
+		    strcmp(method, "challenge-response") == 0)
+			record_failed_login(ssh, authctxt->user,
+			    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
+# endif
+# ifdef SSH_AUDIT_EVENTS
+		audit_event(ssh, audit_classify_auth(method));
+# endif
+	}
+#endif
+#if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
 	if (authenticated)
 		sys_auth_record_login(authctxt->user,
 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh", loginmsg);
-# endif
-#endif
-#ifdef SSH_AUDIT_EVENTS
-	if (authenticated == 0 && !authctxt->postponed)
-		audit_event(ssh, audit_classify_auth(method));
 #endif
 }
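Review bot: The new comment `/* Log failed login attempt */` does not record why `partial` is excluded from the condition on the line above it, which is the whole reason for the change and is otherwise only stated in the commit message; a reader of auth.c alone will see `authenticated == 0` and a skipped failure record and may treat it as a bug. I would replace it with `/* Only real failures: a partial success arrives with authenticated == 0 because a further method is still required, and a postponed attempt has not been decided yet. */`. A second point worth confirming, since this hunk shows no success-side audit call: with partial attempts now excluded from `audit_event(ssh, audit_classify_auth(method))`, a partial success emits no audit event from auth_log at all, so unless the success path elsewhere in the file audits partial results, the audit trail loses visibility of the first factor of a multi-method login. The condition is compiled under either CUSTOM_FAILED_LOGIN or SSH_AUDIT_EVENTS, so the same comment covers both consumers.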