author | djm@openbsd.org <djm@openbsd.org> | 2017-06-24 06:34:38 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-06-24 16:56:11 +1000 |
commit | 8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch) | |
tree | 51ab66a6011af6459e0d4ca15a4b4b78368607a1 /auth.c | |
parent | e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff) | |
download | openssh-git-8f574959272ac7fe9239c4f5d10fd913f8920ab0.tar.gz |
upstream commit
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 62 |
1 files changed, 44 insertions, 18 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.121 2017/05/30 08:52:19 markus Exp $ */
+/* $OpenBSD: auth.c,v 1.122 2017/06/24 06:34:38 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -267,21 +267,41 @@ allowed_user(struct passwd * pw)
 return 1;
 }
 
-void
-auth_info(Authctxt *authctxt, const char *fmt, ...)
+/*
+ * Formats any key left in authctxt->auth_method_key for inclusion in
+ * auth_log()'s message. Also includes authxtct->auth_method_info if present.
+ */
+static char *
+format_method_key(Authctxt *authctxt)
 {
- va_list ap;
- int i;
-
- free(authctxt->info);
- authctxt->info = NULL;
+ const struct sshkey *key = authctxt->auth_method_key;
+ const char *methinfo = authctxt->auth_method_info;
+ char *fp, *ret = NULL;
 
- va_start(ap, fmt);
- i = vasprintf(&authctxt->info, fmt, ap);
- va_end(ap);
+ if (key == NULL)
+ return NULL;
 
- if (i < 0 || authctxt->info == NULL)
- fatal("vasprintf failed");
+ if (key_is_cert(key)) {
+ fp = sshkey_fingerprint(key->cert->signature_key,
+ options.fingerprint_hash, SSH_FP_DEFAULT);
+ xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s",
+ sshkey_type(key), key->cert->key_id,
+ (unsigned long long)key->cert->serial,
+ sshkey_type(key->cert->signature_key),
+ fp == NULL ? "(null)" : fp,
+ methinfo == NULL ? "" : ", ",
+ methinfo == NULL ? "" : methinfo);
+ free(fp);
+ } else {
+ fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ SSH_FP_DEFAULT);
+ xasprintf(&ret, "%s %s%s%s", sshkey_type(key),
+ fp == NULL ? "(null)" : fp,
+ methinfo == NULL ? "" : ", ",
+ methinfo == NULL ? "" : methinfo);
+ free(fp);
+ }
+ return ret;
 }
 
 void
@@ -290,7 +310,8 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 {
 struct ssh *ssh = active_state; /* XXX */
 void (*authlog) (const char *fmt,...) = verbose;
- char *authmsg;
+ const char *authmsg;
+ char *extra = NULL;
 
 if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
 return;
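Review bot: In format_method_key()'s certificate branch, `key->cert->key_id` and `methinfo` are formatted with unbounded `%s`, while the authlog() call that consumes the result (next hunk) bounds `user` and the remote address with `%.100s`/`%.200s`; the key ID is taken from the certificate that was presented for authentication rather than from local configuration, so `"%s ID %.100s (serial %llu) CA %s %s%s%s"` would keep the log line bounded the same way (control characters are presumably escaped by the logging sink, but that does not cap the length). The comment above the function misspells its context as `authxtct->auth_method_info`; it should read `authctxt->auth_method_info`. The same body mixes the legacy `key_is_cert()` with the `sshkey_*` calls on the surrounding lines; `sshkey_is_cert(key)` is the matching API.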
@@ -309,6 +330,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 else
 authmsg = authenticated ? "Accepted" : "Failed";
 
+ if ((extra = format_method_key(authctxt)) == NULL) {
+ if (authctxt->auth_method_info != NULL)
+ extra = xstrdup(authctxt->auth_method_info);
+ }
+
 authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
 authmsg,
 method,
@@ -317,10 +343,10 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 authctxt->user,
 ssh_remote_ipaddr(ssh),
 ssh_remote_port(ssh),
- authctxt->info != NULL ? ": " : "",
- authctxt->info != NULL ? authctxt->info : "");
- free(authctxt->info);
- authctxt->info = NULL;
+ extra != NULL ? ": " : "",
+ extra != NULL ? extra : "");
+
+ free(extra);
 
 #ifdef CUSTOM_FAILED_LOGIN
 if (authenticated == 0 && !authctxt->postponed &&
|
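Review bot: The removed code freed and cleared authctxt->info immediately after logging, so data from one attempt could not be attributed to the next log line; the new code reads authctxt->auth_method_key and auth_method_info here but never resets them, and nothing in this diff (limited to auth.c) shows where they are cleared between authentication requests. If that per-request reset lives in the auth2 code it is worth confirming in the same change, since a key left over from a rejected attempt would otherwise appear on a later attempt's log line. As a smaller point of style, the nested fallback can be a single condition: `if ((extra = format_method_key(authctxt)) == NULL && authctxt->auth_method_info != NULL)` followed by `extra = xstrdup(authctxt->auth_method_info);`. auth_log()'s body begins in the previous hunk and continues past the end of this one.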