upstream commit

use ssh_packet_set_log_preamble() to include connection
username in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113

Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
This commit is contained in:
djm@openbsd.org 2017-02-03 23:05:57 +00:00 committed by Damien Miller
parent 07edd7e953
commit f1a193464a
2 changed files with 15 additions and 4 deletions

12
auth2.c

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.136 2016/05/02 08:49:03 djm Exp $ */ /* $OpenBSD: auth2.c,v 1.137 2017/02/03 23:05:57 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -212,6 +212,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
static int static int
input_userauth_request(int type, u_int32_t seq, void *ctxt) input_userauth_request(int type, u_int32_t seq, void *ctxt)
{ {
struct ssh *ssh = active_state; /* XXX */
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
char *user, *service, *method, *style = NULL; char *user, *service, *method, *style = NULL;
@ -235,9 +236,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
authctxt->user = xstrdup(user); authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) { if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1; authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user); debug2("%s: setting up authctxt for %s",
__func__, user);
} else { } else {
logit("input_userauth_request: invalid user %s", user); /* Invalid user, fake password information */
authctxt->pw = fakepw(); authctxt->pw = fakepw();
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER)); PRIVSEP(audit_event(SSH_INVALID_USER));
@ -247,6 +249,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
if (options.use_pam) if (options.use_pam)
PRIVSEP(start_pam(authctxt)); PRIVSEP(start_pam(authctxt));
#endif #endif
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating " : "invalid ", user);
setproctitle("%s%s", authctxt->valid ? user : "unknown", setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : ""); use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service); authctxt->service = xstrdup(service);
@ -292,6 +296,7 @@ void
userauth_finish(Authctxt *authctxt, int authenticated, const char *method, userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
const char *submethod) const char *submethod)
{ {
struct ssh *ssh = active_state; /* XXX */
char *methods; char *methods;
int partial = 0; int partial = 0;
@ -353,6 +358,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
packet_write_wait(); packet_write_wait();
/* now we can break out */ /* now we can break out */
authctxt->success = 1; authctxt->success = 1;
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
} else { } else {
/* Allow initial try of "none" auth without failure penalty */ /* Allow initial try of "none" auth without failure penalty */
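Review bot: In input_userauth_request the new `ssh_packet_set_log_preamble(ssh, "%suser %s", ...)` call sits after the `#ifdef` PAM block, so any log line produced by `PRIVSEP(start_pam(authctxt))` or the audit call in the invalid-user branch is emitted before the preamble carries the username, whereas the removed `logit("input_userauth_request: invalid user %s", user)` recorded it immediately. Whether those calls log is not visible here; if they do, moving the preamble call up to directly after the `if/else` that sets `authctxt->valid`, ahead of `if (options.use_pam)`, keeps the username on every line for that connection. `user` is client-supplied and is now repeated in every later log line; it is passed as a `%s` argument rather than as the format, which is correct, but it is worth confirming that the logger's non-printable escaping is applied to the stored preamble as well, so a username with control characters cannot forge log lines. input_userauth_request continues outside the hunk.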


@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.166 2016/09/28 16:33:06 djm Exp $ */ /* $OpenBSD: monitor.c,v 1.167 2017/02/03 23:05:57 djm Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -283,6 +283,7 @@ monitor_permit_authentications(int permit)
void void
monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
{ {
struct ssh *ssh = active_state; /* XXX */
struct mon_table *ent; struct mon_table *ent;
int authenticated = 0, partial = 0; int authenticated = 0, partial = 0;
@ -356,6 +357,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
debug("%s: %s has been authenticated by privileged process", debug("%s: %s has been authenticated by privileged process",
__func__, authctxt->user); __func__, authctxt->user);
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
mm_get_keystate(pmonitor); mm_get_keystate(pmonitor);
@ -695,6 +697,7 @@ mm_answer_sign(int sock, Buffer *m)
int int
mm_answer_pwnamallow(int sock, Buffer *m) mm_answer_pwnamallow(int sock, Buffer *m)
{ {
struct ssh *ssh = active_state; /* XXX */
char *username; char *username;
struct passwd *pwent; struct passwd *pwent;
int allowed = 0; int allowed = 0;
@ -739,6 +742,8 @@ mm_answer_pwnamallow(int sock, Buffer *m)
buffer_put_cstring(m, pwent->pw_shell); buffer_put_cstring(m, pwent->pw_shell);
out: out:
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
buffer_put_string(m, &options, sizeof(options)); buffer_put_string(m, &options, sizeof(options));
#define M_CP_STROPT(x) do { \ #define M_CP_STROPT(x) do { \
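Review bot: The preamble arguments in mm_answer_pwnamallow's `out:` path are missing the space after "authenticating": with the `"%suser %s"` format the valid case renders as `authenticatinguser foo`, while the `"invalid "` branch on the same line and the matching call in auth2.c both carry the trailing space. Change the line to `authctxt->valid ? "authenticating " : "invalid ", authctxt->user);`. Because this is the privileged monitor's preamble, the typo would appear in every subsequent monitor-side log line for an authenticating user. mm_answer_pwnamallow begins in the previous hunk and continues past the end of this one.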