- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor

and slave, we can remove the special-case handling in the audit hook in
   auth_log.

ChangeLog

@@ -1,8 +1,13 @@
-20050517
+20060521
+ - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
+   and slave, we can remove the special-case handling in the audit hook in
+   auth_log.
+
+20060517
  - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
    pointer leak.  From kjhall at us.ibm.com, found by coverity.
 
-20050515
+20060515
  - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
    _res, prevents problems on some platforms that have _res as a global but
    don't have getrrsetbyname(), eg IRIX 5.3.  Found and tested by
@@ -12,7 +17,7 @@
  - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
    do not allow kbdint again after the PAM account check fails.  ok djm@
 
-20050506
+20060506
  - (dtucker) OpenBSD CVS Sync
    - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
      [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
@@ -4625,4 +4630,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4329 2006/05/17 12:24:56 dtucker Exp $
+$Id: ChangeLog,v 1.4330 2006/05/21 08:26:40 dtucker Exp $

auth.c

@@ -271,42 +271,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
 #ifdef SSH_AUDIT_EVENTS
-	if (authenticated == 0 && !authctxt->postponed) {
+	if (authenticated == 0 && !authctxt->postponed)
-		ssh_audit_event_t event;
+		audit_event(audit_classify_auth(method));
-
-		debug3("audit failed auth attempt, method %s euid %d",
-		    method, (int)geteuid());
-		/*
-		 * Because the auth loop is used in both monitor and slave,
-		 * we must be careful to send each event only once and with
-		 * enough privs to write the event.
-		 */
-		event = audit_classify_auth(method);
-		switch(event) {
-		case SSH_AUTH_FAIL_NONE:
-		case SSH_AUTH_FAIL_PASSWD:
-		case SSH_AUTH_FAIL_KBDINT:
-			if (geteuid() == 0)
-				audit_event(event);
-			break;
-		case SSH_AUTH_FAIL_PUBKEY:
-		case SSH_AUTH_FAIL_HOSTBASED:
-		case SSH_AUTH_FAIL_GSSAPI:
-			/*
-			 * This is required to handle the case where privsep
-			 * is enabled but it's root logging in, since
-			 * use_privsep won't be cleared until after a
-			 * successful login.
-			 */
-			if (geteuid() == 0)
-				audit_event(event);
-			else
-				PRIVSEP(audit_event(event));
-			break;
-		default:
-			error("unknown authentication audit event %d", event);
-		}
-	}
 #endif
 }
 

monitor.c

@@ -909,6 +909,7 @@ mm_answer_pam_query(int sock, Buffer *m)
 		xfree(prompts);
 	if (echo_on != NULL)
 		xfree(echo_on);
+	auth_method = "keyboard-interactive/pam";
 	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 	return (0);
 }
@@ -951,6 +952,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
 	(sshpam_device.free_ctx)(sshpam_ctxt);
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+	auth_method = "keyboard-interactive/pam";
 	return (sshpam_authok == sshpam_ctxt);
 }
 #endif