tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-31 01:35:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2013/05/19 02:42:42

Browse Source 
[auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
     Standardise logging of supplemental information during userauth. Keys
     and ruser is now logged in the auth success/failure message alongside
     the local username, remote host/port and protocol in use. Certificates
     contents and CA are logged too.
     Pushing all logging onto a single line simplifies log analysis as it is
     no longer necessary to relate information scattered across multiple log
     entries. "I like it" markus@
This commit is contained in:
Darren Tucker 2013-06-02 07:41:51 +10:00
parent 74836ae0fa
commit 0acca3797d
9 changed files with 76 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -26,6 +26,15 @@
[auth2-pubkey.c] [auth2-pubkey.c]
fix failure to recognise cert-authority keys if a key of a different type fix failure to recognise cert-authority keys if a key of a different type
appeared in authorized_keys before it; ok markus@ appeared in authorized_keys before it; ok markus@
- djm@cvs.openbsd.org 2013/05/19 02:42:42
[auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@
20130529 20130529
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null

16
auth-rsa.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-rsa.c,v 1.82 2013/05/17 00:13:13 djm Exp $ */ /* $OpenBSD: auth-rsa.c,v 1.83 2013/05/19 02:42:42 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -164,7 +164,7 @@ static int
rsa_key_allowed_in_file(struct passwd *pw, char *file, rsa_key_allowed_in_file(struct passwd *pw, char *file,
const BIGNUM *client_n, Key **rkey) const BIGNUM *client_n, Key **rkey)
{ {
char line[SSH_MAX_PUBKEY_BYTES]; char *fp, line[SSH_MAX_PUBKEY_BYTES];
int allowed = 0; int allowed = 0;
u_int bits; u_int bits;
FILE *f; FILE *f;
@ -232,6 +232,11 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
"actual %d vs. announced %d.", "actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits); file, linenum, BN_num_bits(key->rsa->n), bits);
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(key), fp);
free(fp);
/* Never accept a revoked key */ /* Never accept a revoked key */
if (auth_key_is_revoked(key)) if (auth_key_is_revoked(key))
break; break;
@ -298,7 +303,6 @@ int
auth_rsa(Authctxt *authctxt, BIGNUM *client_n) auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
{ {
Key *key; Key *key;
char *fp;
struct passwd *pw = authctxt->pw; struct passwd *pw = authctxt->pw;
/* no user given */ /* no user given */
@ -328,11 +332,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
* options; this will be reset if the options cause the * options; this will be reset if the options cause the
* authentication to be rejected. * authentication to be rejected.
*/ */
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); pubkey_auth_info(authctxt, key);
verbose("Found matching %s key: %s",
key_type(key), fp);
free(fp);
key_free(key);
packet_send_debug("RSA authentication accepted."); packet_send_debug("RSA authentication accepted.");
return (1); return (1);

30
auth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.c,v 1.102 2013/05/17 00:13:13 djm Exp $ */ /* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -72,6 +72,7 @@
#include "authfile.h" #include "authfile.h"
#include "monitor_wrap.h" #include "monitor_wrap.h"
#include "krl.h" #include "krl.h"
#include "compat.h"
/* import */ /* import */
extern ServerOptions options; extern ServerOptions options;
@ -251,9 +252,26 @@ allowed_user(struct passwd * pw)
return 1; return 1;
} }
void
auth_info(Authctxt *authctxt, const char *fmt, ...)
{
va_list ap;
int i;
free(authctxt->info);
authctxt->info = NULL;
va_start(ap, fmt);
i = vasprintf(&authctxt->info, fmt, ap);
va_end(ap);
if (i < 0 || authctxt->info == NULL)
fatal("vasprintf failed");
}
void void
auth_log(Authctxt *authctxt, int authenticated, int partial, auth_log(Authctxt *authctxt, int authenticated, int partial,
const char *method, const char *submethod, const char *info) const char *method, const char *submethod)
{ {
void (*authlog) (const char *fmt,...) = verbose; void (*authlog) (const char *fmt,...) = verbose;
char *authmsg; char *authmsg;
@ -275,7 +293,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
else else
authmsg = authenticated ? "Accepted" : "Failed"; authmsg = authenticated ? "Accepted" : "Failed";
authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
authmsg, authmsg,
method, method,
submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
@ -283,7 +301,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
authctxt->user, authctxt->user,
get_remote_ipaddr(), get_remote_ipaddr(),
get_remote_port(), get_remote_port(),
info); compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
free(authctxt->info);
authctxt->info = NULL;
#ifdef CUSTOM_FAILED_LOGIN #ifdef CUSTOM_FAILED_LOGIN
if (authenticated == 0 && !authctxt->postponed && if (authenticated == 0 && !authctxt->postponed &&

10
auth.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.73 2013/03/07 19:27:25 markus Exp $ */ /* $OpenBSD: auth.h,v 1.74 2013/05/19 02:42:42 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -60,6 +60,7 @@ struct Authctxt {
struct passwd *pw; /* set if 'valid' */ struct passwd *pw; /* set if 'valid' */
char *style; char *style;
void *kbdintctxt; void *kbdintctxt;
char *info; /* Extra info for next auth_log */
void *jpake_ctx; void *jpake_ctx;
#ifdef BSD_AUTH #ifdef BSD_AUTH
auth_session_t *as; auth_session_t *as;
@ -121,6 +122,7 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *); int user_key_allowed(struct passwd *, Key *);
void pubkey_auth_info(Authctxt *, const Key *);
struct stat; struct stat;
int auth_secure_path(const char *, struct stat *, const char *, uid_t, int auth_secure_path(const char *, struct stat *, const char *, uid_t,
@ -148,8 +150,10 @@ void disable_forwarding(void);
void do_authentication(Authctxt *); void do_authentication(Authctxt *);
void do_authentication2(Authctxt *); void do_authentication2(Authctxt *);
void auth_log(Authctxt *, int, int, const char *, const char *, void auth_info(Authctxt *authctxt, const char *, ...)
const char *); __attribute__((__format__ (printf, 2, 3)))
__attribute__((__nonnull__ (2)));
void auth_log(Authctxt *, int, int, const char *, const char *);
void userauth_finish(Authctxt *, int, const char *, const char *); void userauth_finish(Authctxt *, int, const char *, const char *);
int auth_root_allowed(const char *); int auth_root_allowed(const char *);

35
auth1.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth1.c,v 1.78 2013/05/17 00:13:13 djm Exp $ */ /* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -45,11 +45,11 @@
extern ServerOptions options; extern ServerOptions options;
extern Buffer loginmsg; extern Buffer loginmsg;
static int auth1_process_password(Authctxt *, char *, size_t); static int auth1_process_password(Authctxt *);
static int auth1_process_rsa(Authctxt *, char *, size_t); static int auth1_process_rsa(Authctxt *);
static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t); static int auth1_process_rhosts_rsa(Authctxt *);
static int auth1_process_tis_challenge(Authctxt *, char *, size_t); static int auth1_process_tis_challenge(Authctxt *);
static int auth1_process_tis_response(Authctxt *, char *, size_t); static int auth1_process_tis_response(Authctxt *);
static char *client_user = NULL; /* Used to fill in remote user for PAM */ static char *client_user = NULL; /* Used to fill in remote user for PAM */
@ -57,7 +57,7 @@ struct AuthMethod1 {
int type; int type;
char *name; char *name;
int *enabled; int *enabled;
int (*method)(Authctxt *, char *, size_t); + int (*method)(Authctxt *);
}; };
const struct AuthMethod1 auth1_methods[] = { const struct AuthMethod1 auth1_methods[] = {
@ -112,7 +112,7 @@ get_authname(int type)
/*ARGSUSED*/ /*ARGSUSED*/
static int static int
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) auth1_process_password(Authctxt *authctxt)
{ {
int authenticated = 0; int authenticated = 0;
char *password; char *password;
@ -137,7 +137,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
/*ARGSUSED*/ /*ARGSUSED*/
static int static int
auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) auth1_process_rsa(Authctxt *authctxt)
{ {
int authenticated = 0; int authenticated = 0;
BIGNUM *n; BIGNUM *n;
@ -155,7 +155,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
/*ARGSUSED*/ /*ARGSUSED*/
static int static int
auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) auth1_process_rhosts_rsa(Authctxt *authctxt)
{ {
int keybits, authenticated = 0; int keybits, authenticated = 0;
u_int bits; u_int bits;
@ -187,14 +187,14 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
client_host_key); client_host_key);
key_free(client_host_key); key_free(client_host_key);
snprintf(info, infolen, " ruser %.100s", client_user); auth_info(authctxt, "ruser %.100s", client_user);
return (authenticated); return (authenticated);
} }
/*ARGSUSED*/ /*ARGSUSED*/
static int static int
auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) auth1_process_tis_challenge(Authctxt *authctxt)
{ {
char *challenge; char *challenge;
@ -213,7 +213,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
/*ARGSUSED*/ /*ARGSUSED*/
static int static int
auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) auth1_process_tis_response(Authctxt *authctxt)
{ {
int authenticated = 0; int authenticated = 0;
char *response; char *response;
@ -236,7 +236,6 @@ static void
do_authloop(Authctxt *authctxt) do_authloop(Authctxt *authctxt)
{ {
int authenticated = 0; int authenticated = 0;
char info[1024];
int prev = 0, type = 0; int prev = 0, type = 0;
const struct AuthMethod1 *meth; const struct AuthMethod1 *meth;
@ -254,7 +253,7 @@ do_authloop(Authctxt *authctxt)
#endif #endif
{ {
auth_log(authctxt, 1, 0, "without authentication", auth_log(authctxt, 1, 0, "without authentication",
NULL, ""); NULL);
return; return;
} }
} }
@ -268,7 +267,6 @@ do_authloop(Authctxt *authctxt)
/* default to fail */ /* default to fail */
authenticated = 0; authenticated = 0;
info[0] = '\0';
/* Get a packet from the client. */ /* Get a packet from the client. */
prev = type; prev = type;
@ -298,7 +296,7 @@ do_authloop(Authctxt *authctxt)
goto skip; goto skip;
} }
authenticated = meth->method(authctxt, info, sizeof(info)); authenticated = meth->method(authctxt);
if (authenticated == -1) if (authenticated == -1)
continue; /* "postponed" */ continue; /* "postponed" */
@ -353,8 +351,7 @@ do_authloop(Authctxt *authctxt)
skip: skip:
/* Log before sending the reply */ /* Log before sending the reply */
auth_log(authctxt, authenticated, 0, get_authname(type), auth_log(authctxt, authenticated, 0, get_authname(type), NULL);
NULL, info);
free(client_user); free(client_user);
client_user = NULL; client_user = NULL;

4
auth2.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.128 2013/05/17 00:13:13 djm Exp $ */ /* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -326,7 +326,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
} }
/* Log before sending the reply */ /* Log before sending the reply */
auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); auth_log(authctxt, authenticated, partial, method, submethod);
if (authctxt->postponed) if (authctxt->postponed)
return; return;

4
key.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.c,v 1.103 2013/05/17 00:13:13 djm Exp $ */ /* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */
/* /*
* read_bignum(): * read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -569,7 +569,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
} }
char * char *
key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
{ {
char *retval = NULL; char *retval = NULL;
u_char *dgst_raw; u_char *dgst_raw;

4
key.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.h,v 1.36 2013/04/19 01:06:50 djm Exp $ */ /* $OpenBSD: key.h,v 1.37 2013/05/19 02:42:42 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -95,7 +95,7 @@ void key_free(Key *);
Key *key_demote(const Key *); Key *key_demote(const Key *);
int key_equal_public(const Key *, const Key *); int key_equal_public(const Key *, const Key *);
int key_equal(const Key *, const Key *); int key_equal(const Key *, const Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep); char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
const char *key_type(const Key *); const char *key_type(const Key *);
const char *key_cert_type(const Key *); const char *key_cert_type(const Key *);

9
monitor.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.124 2013/05/17 00:13:13 djm Exp $ */ /* $OpenBSD: monitor.c,v 1.125 2013/05/19 02:42:42 djm Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -422,8 +422,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
} }
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
auth_log(authctxt, authenticated, partial, auth_log(authctxt, authenticated, partial,
auth_method, auth_submethod, auth_method, auth_submethod);
compat20 ? " ssh2" : "");
if (!authenticated) if (!authenticated)
authctxt->failures++; authctxt->failures++;
} }
@ -1168,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
case MM_USERKEY: case MM_USERKEY:
allowed = options.pubkey_authentication && allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key); user_key_allowed(authctxt->pw, key);
pubkey_auth_info(authctxt, key);
auth_method = "publickey"; auth_method = "publickey";
if (options.pubkey_authentication && allowed != 1) if (options.pubkey_authentication && allowed != 1)
auth_clear_options(); auth_clear_options();
@ -1207,8 +1207,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
hostbased_chost = chost; hostbased_chost = chost;
} else { } else {
/* Log failed attempt */ /* Log failed attempt */
auth_log(authctxt, 0, 0, auth_method, NULL, auth_log(authctxt, 0, 0, auth_method, NULL);
compat20 ? " ssh2" : "");
free(blob); free(blob);
free(cuser); free(cuser);
free(chost); free(chost);