upstream: log certificate fingerprint in authentication

success/failure message (previously we logged only key ID and CA key
fingerprint).

ok markus@

OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
djm@openbsd.org 2018-09-12 01:19:12 +00:00 committed by Damien Miller
parent de37ca9094
commit 50e2687ee0

22
auth.c

@ -1,4 +1,4 @@
/* $OpenBSD: auth.c,v 1.132 2018/07/11 08:19:35 martijn Exp $ */ /* $OpenBSD: auth.c,v 1.133 2018/09/12 01:19:12 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -275,22 +275,26 @@ format_method_key(Authctxt *authctxt)
{ {
const struct sshkey *key = authctxt->auth_method_key; const struct sshkey *key = authctxt->auth_method_key;
const char *methinfo = authctxt->auth_method_info; const char *methinfo = authctxt->auth_method_info;
char *fp, *ret = NULL; char *fp, *cafp, *ret = NULL;
if (key == NULL) if (key == NULL)
return NULL; return NULL;
if (sshkey_is_cert(key)) { if (sshkey_is_cert(key)) {
fp = sshkey_fingerprint(key->cert->signature_key, fp = sshkey_fingerprint(key,
options.fingerprint_hash, SSH_FP_DEFAULT); options.fingerprint_hash, SSH_FP_DEFAULT);
xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s", cafp = sshkey_fingerprint(key->cert->signature_key,
sshkey_type(key), key->cert->key_id, options.fingerprint_hash, SSH_FP_DEFAULT);
xasprintf(&ret, "%s %s ID %s (serial %llu) CA %s %s%s%s",
sshkey_type(key), fp == NULL ? "(null)" : fp,
key->cert->key_id,
(unsigned long long)key->cert->serial, (unsigned long long)key->cert->serial,
sshkey_type(key->cert->signature_key), sshkey_type(key->cert->signature_key),
fp == NULL ? "(null)" : fp, cafp == NULL ? "(null)" : cafp,
methinfo == NULL ? "" : ", ", methinfo == NULL ? "" : ", ",
methinfo == NULL ? "" : methinfo); methinfo == NULL ? "" : methinfo);
free(fp); free(fp);
free(cafp);
} else { } else {
fp = sshkey_fingerprint(key, options.fingerprint_hash, fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT); SSH_FP_DEFAULT);
@ -308,7 +312,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
const char *method, const char *submethod) const char *method, const char *submethod)
{ {
struct ssh *ssh = active_state; /* XXX */ struct ssh *ssh = active_state; /* XXX */
void (*authlog) (const char *fmt,...) = verbose; int level = SYSLOG_LEVEL_VERBOSE;
const char *authmsg; const char *authmsg;
char *extra = NULL; char *extra = NULL;
@ -320,7 +324,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
!authctxt->valid || !authctxt->valid ||
authctxt->failures >= options.max_authtries / 2 || authctxt->failures >= options.max_authtries / 2 ||
strcmp(method, "password") == 0) strcmp(method, "password") == 0)
authlog = logit; level = SYSLOG_LEVEL_INFO;
if (authctxt->postponed) if (authctxt->postponed)
authmsg = "Postponed"; authmsg = "Postponed";
@ -334,7 +338,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
extra = xstrdup(authctxt->auth_method_info); extra = xstrdup(authctxt->auth_method_info);
} }
authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s", do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
authmsg, authmsg,
method, method,
submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,