X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/d77347cc4f322168ec99e158bcb0124b379244a3..b5765e1d53dbb9696187d1ad465a02582b5fbafe:/auth.c

diff --git a/auth.c b/auth.c
index 0956b0b1..46b01313 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -50,6 +50,8 @@ RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
 #include "misc.h"
 #include "bufaux.h"
 #include "packet.h"
+#include "loginrec.h"
+#include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
@@ -143,7 +145,8 @@ allowed_user(struct passwd * pw)
 		return 0;
 	}
 
-	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
+	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
+	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 		hostname = get_canonical_hostname(options.use_dns);
 		ipaddr = get_remote_ipaddr();
 	}
@@ -153,8 +156,9 @@ allowed_user(struct passwd * pw)
 		for (i = 0; i < options.num_deny_users; i++)
 			if (match_user(pw->pw_name, hostname, ipaddr,
 			    options.deny_users[i])) {
-				logit("User %.100s not allowed because listed in DenyUsers",
-				    pw->pw_name);
+				logit("User %.100s from %.100s not allowed "
+				    "because listed in DenyUsers",
+				    pw->pw_name, hostname);
 				return 0;
 			}
 	}
@@ -166,16 +170,16 @@ allowed_user(struct passwd * pw)
 				break;
 		/* i < options.num_allow_users iff we break for loop */
 		if (i >= options.num_allow_users) {
-			logit("User %.100s not allowed because not listed in AllowUsers",
-			    pw->pw_name);
+			logit("User %.100s from %.100s not allowed because "
+			    "not listed in AllowUsers", pw->pw_name, hostname);
 			return 0;
 		}
 	}
 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 		/* Get the user's group access list (primary and supplementary) */
 		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
-			logit("User %.100s not allowed because not in any group",
-			    pw->pw_name);
+			logit("User %.100s from %.100s not allowed because "
+			    "not in any group", pw->pw_name, hostname);
 			return 0;
 		}
 
@@ -184,8 +188,9 @@ allowed_user(struct passwd * pw)
 			if (ga_match(options.deny_groups,
 			    options.num_deny_groups)) {
 				ga_free();
-				logit("User %.100s not allowed because a group is listed in DenyGroups",
-				    pw->pw_name);
+				logit("User %.100s from %.100s not allowed "
+				    "because a group is listed in DenyGroups",
+				    pw->pw_name, hostname);
 				return 0;
 			}
 		/*
@@ -196,15 +201,16 @@ allowed_user(struct passwd * pw)
 			if (!ga_match(options.allow_groups,
 			    options.num_allow_groups)) {
 				ga_free();
-				logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
-				    pw->pw_name);
+				logit("User %.100s from %.100s not allowed "
+				    "because none of user's groups are listed "
+				    "in AllowGroups", pw->pw_name, hostname);
 				return 0;
 			}
 		ga_free();
 	}
 
 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
-	if (!sys_auth_allowed_user(pw))
+	if (!sys_auth_allowed_user(pw, &loginmsg))
 		return 0;
 #endif
 
@@ -240,8 +246,50 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 	    info);
 
 #ifdef CUSTOM_FAILED_LOGIN
-	if (authenticated == 0 && strcmp(method, "password") == 0)
-		record_failed_login(authctxt->user, "ssh");
+	if (authenticated == 0 && !authctxt->postponed &&
+	    (strcmp(method, "password") == 0 ||
+	    strncmp(method, "keyboard-interactive", 20) == 0 ||
+	    strcmp(method, "challenge-response") == 0))
+		record_failed_login(authctxt->user,
+		    get_canonical_hostname(options.use_dns), "ssh");
+#endif
+#ifdef SSH_AUDIT_EVENTS
+	if (authenticated == 0 && !authctxt->postponed) {
+		ssh_audit_event_t event;
+
+		debug3("audit failed auth attempt, method %s euid %d",
+		    method, (int)geteuid());
+		/*
+		 * Because the auth loop is used in both monitor and slave,
+		 * we must be careful to send each event only once and with
+		 * enough privs to write the event.
+		 */
+		event = audit_classify_auth(method);
+		switch(event) {
+		case SSH_AUTH_FAIL_NONE:
+		case SSH_AUTH_FAIL_PASSWD:
+		case SSH_AUTH_FAIL_KBDINT:
+			if (geteuid() == 0)
+				audit_event(event);
+			break;
+		case SSH_AUTH_FAIL_PUBKEY:
+		case SSH_AUTH_FAIL_HOSTBASED:
+		case SSH_AUTH_FAIL_GSSAPI:
+			/*
+			 * This is required to handle the case where privsep
+			 * is enabled but it's root logging in, since
+			 * use_privsep won't be cleared until after a
+			 * successful login.
+			 */
+			if (geteuid() == 0)
+				audit_event(event);
+			else
+				PRIVSEP(audit_event(event));
+			break;
+		default:
+			error("unknown authentication audit event %d", event);
+		}
+	}
 #endif
 }
 
@@ -465,8 +513,12 @@ getpwnamallow(const char *user)
 		logit("Invalid user %.100s from %.100s",
 		    user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN
-		record_failed_login(user, "ssh");
+		record_failed_login(user,
+		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef SSH_AUDIT_EVENTS
+		audit_event(SSH_INVALID_USER);
+#endif /* SSH_AUDIT_EVENTS */
 		return (NULL);
 	}
 	if (!allowed_user(pw))