auth_log: dont log partial successes as failures

By design, 'partial' logins are successful logins, so initially with authenticated set to 1, for which another authentication is required. As a result, authenticated is always reset to 0 when partial is set to 1. However, even if authenticated is 0, those are not failed login attempts, similarly to attempts with authctxt->postponed set to 1.
2020-05-24 09:15:06 +02:00 · 2020-05-24 09:15:06 +02:00 · 7cd7f302d3
parent e760691918
commit 7cd7f302d3
1 changed files with 16 additions and 13 deletions
--- a/auth.c
+++ b/auth.c
@ -352,23 +352,26 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
 	free(extra);
-#ifdef CUSTOM_FAILED_LOGIN
+#if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
-	if (authenticated == 0 && !authctxt->postponed &&
+	if (authenticated == 0 && !(authctxt->postponed || partial)) {
-	    (strcmp(method, "password") == 0 ||
+		/* Log failed login attempt */
-	    strncmp(method, "keyboard-interactive", 20) == 0 ||
+# ifdef CUSTOM_FAILED_LOGIN
-	    strcmp(method, "challenge-response") == 0))
+		if (strcmp(method, "password") == 0 ||
-		record_failed_login(ssh, authctxt->user,
+		    strncmp(method, "keyboard-interactive", 20) == 0 ||
-		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
+		    strcmp(method, "challenge-response") == 0)
-# ifdef WITH_AIXAUTHENTICATE
+			record_failed_login(ssh, authctxt->user,
 			    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
 # endif
 # ifdef SSH_AUDIT_EVENTS
 		audit_event(ssh, audit_classify_auth(method));
 # endif
 	}
 #endif
 #if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
 	if (authenticated)
 		sys_auth_record_login(authctxt->user,
 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
 		    loginmsg);
 # endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
 		audit_event(ssh, audit_classify_auth(method));
 #endif
 }