authorMarkus Friedl <markus@cvs.openbsd.org>2000-05-05 18:50:58 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2000-05-05 18:50:58 +0000
commitba08124ef132a43146f229ee67092b9efd4706de (patch)
tree066847d1e9e8c8cbc0734e0af0a9781795f5941e /usr.bin/ssh/auth2.c
parent058227a10b81e3f708f8e0014b94b06564eb72ed (diff)
log failure before sending the reply
Diffstat (limited to 'usr.bin/ssh/auth2.c')
-rw-r--r--usr.bin/ssh/auth2.c46
1 files changed, 29 insertions, 17 deletions
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 41c924d8f9b..452885e6514 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -27,7 +27,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.5 2000/05/01 23:13:39 djm Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.6 2000/05/05 18:50:57 markus Exp $");
#include <openssl/dsa.h>
#include <openssl/rsa.h>
@@ -183,9 +183,29 @@ input_userauth_request(int type, int plen)
get_canonical_hostname());
}
- /* XXX todo: check if multiple auth methods are needed */
+ /* Raise logging level */
+ if (authenticated == 1 ||
+ attempt == AUTH_FAIL_LOG ||
+ strcmp(method, "password") == 0)
+ authlog = log;
+
+ /* Log before sending the reply */
if (authenticated == 1) {
authmsg = "Accepted";
+ } else if (authenticated == 0) {
+ authmsg = "Failed";
+ } else {
+ authmsg = "Postponed";
+ }
+ authlog("%s %s for %.200s from %.200s port %d ssh2",
+ authmsg,
+ method,
+ pw && pw->pw_uid == 0 ? "ROOT" : user,
+ get_remote_ipaddr(),
+ get_remote_port());
+
+ /* XXX todo: check if multiple auth methods are needed */
+ if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
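Review bot: The relocated `authlog` call prints `method` with an unbounded `%s`, while `user` and the remote address are capped with `%.200s`. The assignment of `method` is outside this hunk, but if it is read from the client's request it should be bounded like the other fields, e.g. `authlog("%s %.100s for %.200s from %.200s port %d ssh2",`. Because this line is now the audit record written before any reply goes out, a short comment such as `/* method and user are client-supplied; keep them length-limited in the log */` would help later readers. The body of input_userauth_request starts and ends outside the hunk.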
@@ -194,27 +214,12 @@ input_userauth_request(int type, int plen)
/* now we can break out */
userauth_success = 1;
} else if (authenticated == 0) {
- authmsg = "Failed";
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring("publickey,password"); /* XXX dynamic */
packet_put_char(0); /* XXX partial success, unused */
packet_send();
packet_write_wait();
- } else {
- authmsg = "Postponed";
}
- /* Raise logging level */
- if (authenticated == 1||
- attempt == AUTH_FAIL_LOG ||
- strcmp(method, "password") == 0)
- authlog = log;
-
- authlog("%s %s for %.200s from %.200s port %d ssh2",
- authmsg,
- method,
- pw && pw->pw_uid == 0 ? "ROOT" : user,
- get_remote_ipaddr(),
- get_remote_port());
xfree(service);
xfree(user);
@@ -293,6 +298,13 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
debug("test key...");
/* test whether pkalg/pkblob are acceptable */
/* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+ * to login: if you happen to have a valid pubkey this
+ * message is sent. the message is NEVER sent at all
+ * if a user is not allowed to login. is this an
+ * issue? -markus
+ */
if (user_dsa_key_allowed(pw, key)) {
packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen);
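Review bot: The new XXX comment asks whether the differing reply is an issue but leaves the behaviour unchanged. As the comment itself describes, `SSH2_MSG_USERAUTH_PK_OK` is sent only when `user_dsa_key_allowed(pw, key)` succeeds, so the reply discloses account and key validity to an unauthenticated peer. I would word the comment as a decision to be made rather than a question, e.g. `/* XXX PK_OK discloses that this key is authorized for this account; decide whether to answer key queries uniformly */`. It is also worth confirming that these key-query requests reach the auth log at a level operators actually see, which depends on the `authlog` logic in input_userauth_request and cannot be checked from this hunk. The body of ssh2_auth_pubkey continues outside the hunk.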