summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2000-05-05 18:50:58 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2000-05-05 18:50:58 +0000
commitba08124ef132a43146f229ee67092b9efd4706de (patch)
tree066847d1e9e8c8cbc0734e0af0a9781795f5941e
parent058227a10b81e3f708f8e0014b94b06564eb72ed (diff)
log failure before sending the reply
-rw-r--r--usr.bin/ssh/auth2.c46
1 files changed, 29 insertions, 17 deletions
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 41c924d8f9b..452885e6514 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -27,7 +27,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.5 2000/05/01 23:13:39 djm Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.6 2000/05/05 18:50:57 markus Exp $");
#include <openssl/dsa.h>
#include <openssl/rsa.h>
@@ -183,9 +183,29 @@ input_userauth_request(int type, int plen)
get_canonical_hostname());
}
- /* XXX todo: check if multiple auth methods are needed */
+ /* Raise logging level */
+ if (authenticated == 1 ||
+ attempt == AUTH_FAIL_LOG ||
+ strcmp(method, "password") == 0)
+ authlog = log;
+
+ /* Log before sending the reply */
if (authenticated == 1) {
authmsg = "Accepted";
+ } else if (authenticated == 0) {
+ authmsg = "Failed";
+ } else {
+ authmsg = "Postponed";
+ }
+ authlog("%s %s for %.200s from %.200s port %d ssh2",
+ authmsg,
+ method,
+ pw && pw->pw_uid == 0 ? "ROOT" : user,
+ get_remote_ipaddr(),
+ get_remote_port());
+
+ /* XXX todo: check if multiple auth methods are needed */
+ if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
@@ -194,27 +214,12 @@ input_userauth_request(int type, int plen)
/* now we can break out */
userauth_success = 1;
} else if (authenticated == 0) {
- authmsg = "Failed";
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring("publickey,password"); /* XXX dynamic */
packet_put_char(0); /* XXX partial success, unused */
packet_send();
packet_write_wait();
- } else {
- authmsg = "Postponed";
}
- /* Raise logging level */
- if (authenticated == 1||
- attempt == AUTH_FAIL_LOG ||
- strcmp(method, "password") == 0)
- authlog = log;
-
- authlog("%s %s for %.200s from %.200s port %d ssh2",
- authmsg,
- method,
- pw && pw->pw_uid == 0 ? "ROOT" : user,
- get_remote_ipaddr(),
- get_remote_port());
xfree(service);
xfree(user);
@@ -293,6 +298,13 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
debug("test key...");
/* test whether pkalg/pkblob are acceptable */
/* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+ * to login: if you happen to have a valid pubkey this
+ * message is sent. the message is NEVER sent at all
+ * if a user is not allowed to login. is this an
+ * issue? -markus
+ */
if (user_dsa_key_allowed(pw, key)) {
packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen);