author | Damien Miller <djm@cvs.openbsd.org> | 2012-12-02 20:34:11 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2012-12-02 20:34:11 +0000 |
commit | 0eed917c5b4dc3c4c3e1f9e5a7bf5a722d71ab56 (patch) | |
tree | 7e35123a6d78e02c04cd0e09c17a726aca97b958 /usr.bin/ssh/auth2.c | |
parent | e5abe9c12536dd70c239fc106dc89d43e3b89c45 (diff) |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.
Fix multiple authentication when one of the methods is
keyboard-interactive.
ok markus@
Diffstat (limited to 'usr.bin/ssh/auth2.c')
-rw-r--r-- | usr.bin/ssh/auth2.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index a1359b74dca..8b157b4bed9 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -266,7 +266,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 debug2("input_userauth_request: try method %s", method);
 authenticated = m->userauth(authctxt);
 }
- userauth_finish(authctxt, authenticated, method);
+ userauth_finish(authctxt, authenticated, method, NULL);
 xfree(service);
 xfree(user);
@@ -274,7 +274,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 }
 void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+ const char *submethod)
 {
 char *methods;
 int partial = 0;
@@ -282,18 +283,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 if (!authctxt->valid && authenticated)
 fatal("INTERNAL ERROR: authenticated invalid user %s",
 authctxt->user);
+ if (authenticated && authctxt->postponed)
+ fatal("INTERNAL ERROR: authenticated and postponed");
 /* Special handling for root */
 if (authenticated && authctxt->pw->pw_uid == 0 &&
 !auth_root_allowed(method))
 authenticated = 0;
- /* Log before sending the reply */
- auth_log(authctxt, authenticated, method, " ssh2");
-
- if (authctxt->postponed)
- return;
-
 if (authenticated && options.num_auth_methods != 0) {
 if (!auth2_update_methods_lists(authctxt, method)) {
 authenticated = 0;
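Review bot: The new `submethod` parameter of `userauth_finish()` has no stated contract. The call site updated in the previous hunk passes `NULL`, so it is evidently optional, while `method` is handed on to `auth_root_allowed()` and `auth2_update_methods_lists()` and presumably must never be NULL. A one-line comment above the definition would record this for the other callers, e.g. `/* submethod may be NULL; method names the attempted method and must not be NULL */`. The function body continues beyond this hunk.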
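Review bot: The added `authenticated && authctxt->postponed` guard carries an invariant that the code never states. It runs before the root check and the methods-list update, both of which can clear `authenticated`, so it tests the method's raw result; that appears to be what makes it safe to move the `postponed` return below `auth2_update_methods_lists()` in the next hunk. A comment such as `/* a method must never report success while its exchange is still postponed */` would make that dependency visible to whoever next reorders this function. Unlike the `fatal()` just above it, the new message names neither user nor method; `fatal("INTERNAL ERROR: authenticated and postponed (method %s)", method);` would make the abort traceable in the logs. The function starts and ends outside this hunk.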
@@ -301,6 +298,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 }
 }
+ /* Log before sending the reply */
+ auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
+
+ if (authctxt->postponed)
+ return;
+
 if (authenticated == 1) {
 /* turn off userauth */
 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); |
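Review bot: The carried-over comment `/* Log before sending the reply */` no longer explains why the `auth_log()` call sits here. It now follows the methods-list update, presumably so that `partial` reflects the final outcome when the record is written; the assignment to `partial` falls between hunks and is not visible. Suggest `/* Log after the methods-list update so a partial success is recorded as such, and before any reply is sent */`. Separately, the guards earlier in the function test `authenticated` for truth while the success branch here tests `authenticated == 1`, and `auth_log()` receives the same int; it is worth confirming that no method returns a nonzero value other than 1, since such a value would pass the guards but skip this branch. The function continues past the end of the hunk.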