-20050517
+20060521
+ - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
+ and slave, we can remove the special-case handling in the audit hook in
+ auth_log.
+
+20060517
- (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
pointer leak. From kjhall at us.ibm.com, found by coverity.
-20050515
+20060515
- (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
_res, prevents problems on some platforms that have _res as a global but
don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails. ok djm@
-20050506
+20060506
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/04/25 08:02:27
[authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
get_canonical_hostname(options.use_dns), "ssh");
#endif
#ifdef SSH_AUDIT_EVENTS
- if (authenticated == 0 && !authctxt->postponed) {
- ssh_audit_event_t event;
-
- debug3("audit failed auth attempt, method %s euid %d",
- method, (int)geteuid());
- /*
- * Because the auth loop is used in both monitor and slave,
- * we must be careful to send each event only once and with
- * enough privs to write the event.
- */
- event = audit_classify_auth(method);
- switch(event) {
- case SSH_AUTH_FAIL_NONE:
- case SSH_AUTH_FAIL_PASSWD:
- case SSH_AUTH_FAIL_KBDINT:
- if (geteuid() == 0)
- audit_event(event);
- break;
- case SSH_AUTH_FAIL_PUBKEY:
- case SSH_AUTH_FAIL_HOSTBASED:
- case SSH_AUTH_FAIL_GSSAPI:
- /*
- * This is required to handle the case where privsep
- * is enabled but it's root logging in, since
- * use_privsep won't be cleared until after a
- * successful login.
- */
- if (geteuid() == 0)
- audit_event(event);
- else
- PRIVSEP(audit_event(event));
- break;
- default:
- error("unknown authentication audit event %d", event);
- }
- }
+ if (authenticated == 0 && !authctxt->postponed)
+ audit_event(audit_classify_auth(method));
#endif
}
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
+ auth_method = "keyboard-interactive/pam";
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0);
}
(sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive/pam";
return (sshpam_authok == sshpam_ctxt);
}
#endif