- djm@cvs.openbsd.org 2006/07/10 12:08:08

[openssh.git] / auth2.c

diff --git a/auth2.c b/auth2.c
index 60e261f7f452caa55fe3a2086ff91e5337a92607..ad57c64e6b7022f27591e5ed128b27b6619e4108 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2.c,v 1.111 2006/07/06 16:03:53 stevesk Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,7 +24,10 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
+
+#include <sys/types.h>
+
+#include <pwd.h>
 
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -96,6 +100,7 @@ do_authentication2(Authctxt *authctxt)
        dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
 }
 
+/*ARGSUSED*/
 static void
 input_service_request(int type, u_int32_t seq, void *ctxt)
 {
@@ -129,6 +134,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
        xfree(service);
 }
 
+/*ARGSUSED*/
 static void
 input_userauth_request(int type, u_int32_t seq, void *ctxt)
 {
@@ -156,18 +162,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
-#ifdef USE_PAM
-                       if (options.use_pam)
-                               PRIVSEP(start_pam(authctxt));
-#endif
                } else {
                        logit("input_userauth_request: invalid user %s", user);
                        authctxt->pw = fakepw();
-#ifdef USE_PAM
-                       if (options.use_pam)
-                               PRIVSEP(start_pam(authctxt));
+#ifdef SSH_AUDIT_EVENTS
+                       PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
                }
+#ifdef USE_PAM
+               if (options.use_pam)
+                       PRIVSEP(start_pam(authctxt));
+#endif
                setproctitle("%s%s", authctxt->valid ? user : "unknown",
                    use_privsep ? " [net]" : "");
                authctxt->service = xstrdup(service);
@@ -214,8 +219,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 
        /* Special handling for root */
        if (authenticated && authctxt->pw->pw_uid == 0 &&
-           !auth_root_allowed(method))
+           !auth_root_allowed(method)) {
                authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS
+               PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+#endif
+       }
 
 #ifdef USE_PAM
        if (options.use_pam && authenticated) {
@@ -227,7 +236,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                                packet_write_wait();
                        }
                        fatal("Access denied for user %s by PAM account "
-                          "configuration", authctxt->user);
+                           "configuration", authctxt->user);
                }
        }
 #endif
@@ -255,8 +264,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-               if (authctxt->failures++ > options.max_authtries)
+               if (authctxt->failures++ > options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+                       PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+               }
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);