diff options
-rw-r--r-- | usr.bin/ssh/auth2.c | 46 |
1 files changed, 29 insertions, 17 deletions
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c index 41c924d8f9b..452885e6514 100644 --- a/usr.bin/ssh/auth2.c +++ b/usr.bin/ssh/auth2.c @@ -27,7 +27,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.5 2000/05/01 23:13:39 djm Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.6 2000/05/05 18:50:57 markus Exp $"); #include <openssl/dsa.h> #include <openssl/rsa.h> @@ -183,9 +183,29 @@ input_userauth_request(int type, int plen) get_canonical_hostname()); } - /* XXX todo: check if multiple auth methods are needed */ + /* Raise logging level */ + if (authenticated == 1 || + attempt == AUTH_FAIL_LOG || + strcmp(method, "password") == 0) + authlog = log; + + /* Log before sending the reply */ if (authenticated == 1) { authmsg = "Accepted"; + } else if (authenticated == 0) { + authmsg = "Failed"; + } else { + authmsg = "Postponed"; + } + authlog("%s %s for %.200s from %.200s port %d ssh2", + authmsg, + method, + pw && pw->pw_uid == 0 ? "ROOT" : user, + get_remote_ipaddr(), + get_remote_port()); + + /* XXX todo: check if multiple auth methods are needed */ + if (authenticated == 1) { /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); packet_start(SSH2_MSG_USERAUTH_SUCCESS); @@ -194,27 +214,12 @@ input_userauth_request(int type, int plen) /* now we can break out */ userauth_success = 1; } else if (authenticated == 0) { - authmsg = "Failed"; packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring("publickey,password"); /* XXX dynamic */ packet_put_char(0); /* XXX partial success, unused */ packet_send(); packet_write_wait(); - } else { - authmsg = "Postponed"; } - /* Raise logging level */ - if (authenticated == 1|| - attempt == AUTH_FAIL_LOG || - strcmp(method, "password") == 0) - authlog = log; - - authlog("%s %s for %.200s from %.200s port %d ssh2", - authmsg, - method, - pw && pw->pw_uid == 0 ? "ROOT" : user, - get_remote_ipaddr(), - get_remote_port()); xfree(service); xfree(user); @@ -293,6 +298,13 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen) debug("test key..."); /* test whether pkalg/pkblob are acceptable */ /* XXX fake reply and always send PK_OK ? */ + /* + * XXX this allows testing whether a user is allowed + * to login: if you happen to have a valid pubkey this + * message is sent. the message is NEVER sent at all + * if a user is not allowed to login. is this an + * issue? -markus + */ if (user_dsa_key_allowed(pw, key)) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); |