mirror of git://anongit.mindrot.org/openssh.git
- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
and slave, we can remove the special-case handling in the audit hook in auth_log.
This commit is contained in:
parent
f58b29d515
commit
f14b2aa672
13
ChangeLog
13
ChangeLog
|
@ -1,8 +1,13 @@
|
|||
20050517
|
||||
20060521
|
||||
- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
|
||||
and slave, we can remove the special-case handling in the audit hook in
|
||||
auth_log.
|
||||
|
||||
20060517
|
||||
- (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
|
||||
pointer leak. From kjhall at us.ibm.com, found by coverity.
|
||||
|
||||
20050515
|
||||
20060515
|
||||
- (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
|
||||
_res, prevents problems on some platforms that have _res as a global but
|
||||
don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
|
||||
|
@ -12,7 +17,7 @@
|
|||
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
|
||||
do not allow kbdint again after the PAM account check fails. ok djm@
|
||||
|
||||
20050506
|
||||
20060506
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- dtucker@cvs.openbsd.org 2006/04/25 08:02:27
|
||||
[authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
|
||||
|
@ -4625,4 +4630,4 @@
|
|||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.4329 2006/05/17 12:24:56 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.4330 2006/05/21 08:26:40 dtucker Exp $
|
||||
|
|
38
auth.c
38
auth.c
|
@ -271,42 +271,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
|||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed) {
|
||||
ssh_audit_event_t event;
|
||||
|
||||
debug3("audit failed auth attempt, method %s euid %d",
|
||||
method, (int)geteuid());
|
||||
/*
|
||||
* Because the auth loop is used in both monitor and slave,
|
||||
* we must be careful to send each event only once and with
|
||||
* enough privs to write the event.
|
||||
*/
|
||||
event = audit_classify_auth(method);
|
||||
switch(event) {
|
||||
case SSH_AUTH_FAIL_NONE:
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
if (geteuid() == 0)
|
||||
audit_event(event);
|
||||
break;
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
case SSH_AUTH_FAIL_HOSTBASED:
|
||||
case SSH_AUTH_FAIL_GSSAPI:
|
||||
/*
|
||||
* This is required to handle the case where privsep
|
||||
* is enabled but it's root logging in, since
|
||||
* use_privsep won't be cleared until after a
|
||||
* successful login.
|
||||
*/
|
||||
if (geteuid() == 0)
|
||||
audit_event(event);
|
||||
else
|
||||
PRIVSEP(audit_event(event));
|
||||
break;
|
||||
default:
|
||||
error("unknown authentication audit event %d", event);
|
||||
}
|
||||
}
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
|
@ -909,6 +909,7 @@ mm_answer_pam_query(int sock, Buffer *m)
|
|||
xfree(prompts);
|
||||
if (echo_on != NULL)
|
||||
xfree(echo_on);
|
||||
auth_method = "keyboard-interactive/pam";
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
|
||||
return (0);
|
||||
}
|
||||
|
@ -951,6 +952,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
|
|||
(sshpam_device.free_ctx)(sshpam_ctxt);
|
||||
buffer_clear(m);
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
|
||||
auth_method = "keyboard-interactive/pam";
|
||||
return (sshpam_authok == sshpam_ctxt);
|
||||
}
|
||||
#endif
|
||||
|
|
Loading…
Reference in New Issue