author | Vincent Brillault <vincent.brillault@cern.ch> | 2020-05-24 09:15:06 +0200 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2021-06-04 16:25:32 +1000 |
commit | 7cd7f302d3a072748299f362f9e241d81fcecd26 (patch) | |
tree | 2b72b8be872e2092df3b317af02aca5c42ae5555 /auth.c | |
parent | e7606919180661edc7f698e6a1b4ef2cfb363ebf (diff) | |
download | openssh-git-7cd7f302d3a072748299f362f9e241d81fcecd26.tar.gz |
auth_log: dont log partial successes as failures
By design, 'partial' logins are successful logins, so initially with
authenticated set to 1, for which another authentication is required. As
a result, authenticated is always reset to 0 when partial is set to 1.
However, even if authenticated is 0, those are not failed login
attempts, similarly to attempts with authctxt->postponed set to 1.
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 29 |
1 files changed, 16 insertions, 13 deletions
@@ -352,23 +352,26 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
 free(extra);
-#ifdef CUSTOM_FAILED_LOGIN
- if (authenticated == 0 && !authctxt->postponed &&
- (strcmp(method, "password") == 0 ||
- strncmp(method, "keyboard-interactive", 20) == 0 ||
- strcmp(method, "challenge-response") == 0))
- record_failed_login(ssh, authctxt->user,
- auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
-# ifdef WITH_AIXAUTHENTICATE
+#if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
+ if (authenticated == 0 && !(authctxt->postponed || partial)) {
+ /* Log failed login attempt */
+# ifdef CUSTOM_FAILED_LOGIN
+ if (strcmp(method, "password") == 0 ||
+ strncmp(method, "keyboard-interactive", 20) == 0 ||
+ strcmp(method, "challenge-response") == 0)
+ record_failed_login(ssh, authctxt->user,
+ auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
+# endif
+# ifdef SSH_AUDIT_EVENTS
+ audit_event(ssh, audit_classify_auth(method));
+# endif
+ }
+#endif
+#if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
 if (authenticated) sys_auth_record_login(authctxt->user, auth_get_canonical_hostname(ssh, options.use_dns), "ssh", loginmsg);
-# endif
-#endif
-#ifdef SSH_AUDIT_EVENTS
- if (authenticated == 0 && !authctxt->postponed)
- audit_event(ssh, audit_classify_auth(method));
 #endif
 }
|
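Review bot: The new guard `if (authenticated == 0 && !(authctxt->postponed || partial))` suppresses both `record_failed_login()` and `audit_event()` on the strength of a caller-supplied flag, but the comment `/* Log failed login attempt */` does not say why `partial` is excluded or what callers must guarantee. I would replace it with something like `/* Failed attempt only: postponed and partial (a method succeeded, more are required) are not failures */`, and document on `auth_log()` that `partial` may be set only after a method has actually been accepted. With `SSH_AUDIT_EVENTS` defined, a partial success now produces no audit event from this function at all. If no other path reports it (not visible in this hunk), the audit backend cannot see that a first factor was accepted, which is useful when investigating a compromised credential. It is worth confirming, or emitting a distinct event for it. The body of `auth_log()` starts outside the hunk, so the log call that precedes `free(extra)` is not covered here.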