Commit f14b2aa6 authored by Darren Tucker's avatar Darren Tucker

- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor

   and slave, we can remove the special-case handling in the audit hook in
   auth_log.
parent f58b29d5
20050517
20060521
- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
and slave, we can remove the special-case handling in the audit hook in
auth_log.
20060517
- (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
pointer leak. From kjhall at us.ibm.com, found by coverity.
20050515
20060515
- (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
_res, prevents problems on some platforms that have _res as a global but
don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
......@@ -12,7 +17,7 @@
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails. ok djm@
20050506
20060506
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/04/25 08:02:27
[authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
......@@ -4625,4 +4630,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.4329 2006/05/17 12:24:56 dtucker Exp $
$Id: ChangeLog,v 1.4330 2006/05/21 08:26:40 dtucker Exp $
......@@ -271,42 +271,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
get_canonical_hostname(options.use_dns), "ssh");
#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed) {
ssh_audit_event_t event;
debug3("audit failed auth attempt, method %s euid %d",
method, (int)geteuid());
/*
* Because the auth loop is used in both monitor and slave,
* we must be careful to send each event only once and with
* enough privs to write the event.
*/
event = audit_classify_auth(method);
switch(event) {
case SSH_AUTH_FAIL_NONE:
case SSH_AUTH_FAIL_PASSWD:
case SSH_AUTH_FAIL_KBDINT:
if (geteuid() == 0)
audit_event(event);
break;
case SSH_AUTH_FAIL_PUBKEY:
case SSH_AUTH_FAIL_HOSTBASED:
case SSH_AUTH_FAIL_GSSAPI:
/*
* This is required to handle the case where privsep
* is enabled but it's root logging in, since
* use_privsep won't be cleared until after a
* successful login.
*/
if (geteuid() == 0)
audit_event(event);
else
PRIVSEP(audit_event(event));
break;
default:
error("unknown authentication audit event %d", event);
}
}
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
#endif
}
......
......@@ -909,6 +909,7 @@ mm_answer_pam_query(int sock, Buffer *m)
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
auth_method = "keyboard-interactive/pam";
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0);
}
......@@ -951,6 +952,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
(sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive/pam";
return (sshpam_authok == sshpam_ctxt);
}
#endif
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment