authorDamien Miller <djm@cvs.openbsd.org>2017-06-24 06:34:39 +0000
committerDamien Miller <djm@cvs.openbsd.org>2017-06-24 06:34:39 +0000
commit088cbd83831e88dbcf96ee9f711b7913792b095d (patch)
tree4618d4e69f58daa028a3327dbc8ca1390837cf19 /usr.bin/ssh/session.c
parent8dd4c06c2ed3fa9130d2fa5549be60acaf4b2cec (diff)
refactor authentication logging
Optionally record the successful auth methods and the public credentials used, in a file accessible to user sessions. feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/session.c')
-rw-r--r--usr.bin/ssh/session.c54
1 files changed, 53 insertions, 1 deletions
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 32046efdb6a..2f4ca7a37e0 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.289 2017/06/24 05:24:11 djm Exp $ */
+/* $OpenBSD: session.c,v 1.290 2017/06/24 06:34:38 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -85,6 +85,7 @@
#endif
#include "monitor_wrap.h"
#include "sftp.h"
+#include "atomicio.h"
#ifdef KRB5
#include <kafs.h>
@@ -142,6 +143,9 @@ login_cap_t *lc;
static int is_child = 0;
static int in_chroot = 0;
+/* File containing userauth info, if ExposeAuthInfo set */
+static char *auth_info_file = NULL;
+
/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
static char *auth_sock_dir = NULL;
@@ -231,6 +235,40 @@ display_loginmsg(void)
}
}
+static void
+prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
+{
+ int fd = -1, success = 0;
+
+ if (!options.expose_userauth_info || info == NULL)
+ return;
+
+ temporarily_use_uid(pw);
+ auth_info_file = xstrdup("/tmp/sshauth.XXXXXXXXXXXXXXX");
+ if ((fd = mkstemp(auth_info_file)) == -1) {
+ error("%s: mkstemp: %s", __func__, strerror(errno));
+ goto out;
+ }
+ if (atomicio(vwrite, fd, sshbuf_mutable_ptr(info),
+ sshbuf_len(info)) != sshbuf_len(info)) {
+ error("%s: write: %s", __func__, strerror(errno));
+ goto out;
+ }
+ if (close(fd) != 0) {
+ error("%s: close: %s", __func__, strerror(errno));
+ goto out;
+ }
+ success = 1;
+ out:
+ if (!success) {
+ if (fd != -1)
+ close(fd);
+ free(auth_info_file);
+ auth_info_file = NULL;
+ }
+ restore_uid();
+}
+
void
do_authenticated(Authctxt *authctxt)
{
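Review bot: On the failure path under the `out:` label in prepare_auth_info_file() the file that mkstemp() already created is closed and `auth_info_file` is freed, but it is never unlinked, so a write or close error leaves a partially written auth-info file behind in /tmp that do_cleanup() can no longer find because the pointer has been set to NULL. Since that file carries the user's authentication details, remove it in the same block while the uid is still the user's: `if (fd != -1) { close(fd); unlink(auth_info_file); }`. The close() failure branch also reaches this block and passes fd to close() a second time; a descriptor whose close() failed should not be closed again, so that branch could set `fd = -1` before its `goto out`.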
@@ -246,7 +284,10 @@ do_authenticated(Authctxt *authctxt)
auth_debug_send();
+ prepare_auth_info_file(authctxt->pw, authctxt->session_info);
+
do_authenticated2(authctxt);
+
do_cleanup(authctxt);
}
@@ -845,6 +886,8 @@ do_setup_env(Session *s, const char *shell)
free(laddr);
child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
+ if (auth_info_file != NULL)
+ child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file);
if (s->ttyfd != -1)
child_set_env(&env, &envsize, "SSH_TTY", s->tty);
if (s->term)
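Review bot: The new `SSH_USER_AUTH` export in do_setup_env() has no comment explaining where the path comes from or how long it is valid, unlike the neighbouring variables whose meaning is self-evident. A one-line comment above the `if (auth_info_file != NULL)` check would help the next maintainer, e.g. `/* ExposeAuthInfo: file written by prepare_auth_info_file(), unlinked in do_cleanup() */`. do_setup_env() begins and ends outside this hunk.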
@@ -2147,6 +2190,15 @@ do_cleanup(Authctxt *authctxt)
/* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw);
+ /* remove userauth info */
+ if (auth_info_file != NULL) {
+ temporarily_use_uid(authctxt->pw);
+ unlink(auth_info_file);
+ restore_uid();
+ free(auth_info_file);
+ auth_info_file = NULL;
+ }
+
/*
* Cleanup ptys/utmp only if privsep is disabled,
* or if running in monitor.