
[PATCH] fix sshd double-logging of authentications



Hi all.

Some folks may have noticed sshd is logging some authentication events
twice when UsePrivilegeSeparation is enabled (the default).

This is because the auth_log function is used by both the monitor
and slave, and there is a /dev/log in the privsep chroot, so both copies end
up in syslog.

If anyone wants to try a patch to fix this, please try the one below.
Test reports would be appreciated, especially for less commonly used
authentication methods such as skey or kerberos.  Reports to me directly
(please mention the auth methods that you tested).

Thanks.

Index: auth.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.61
diff -u -r1.61 auth.c
--- auth.c	2006/02/08 12:15:27	1.61
+++ auth.c	2006/02/16 13:17:06
@@ -45,6 +45,7 @@
 
 /* import */
 extern ServerOptions options;
+extern int use_privsep;
 
 /* Debugging messages */
 Buffer auth_debug;
@@ -162,6 +163,9 @@
 {
 	void (*authlog) (const char *fmt,...) = verbose;
 	char *authmsg;
+
+	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
+		return;
 
 	/* Raise logging level */
 	if (authenticated == 1 ||
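Review bot: The early return added at the top of auth_log carries no comment, and because auth_log's body continues outside the hunk it is not visible whether the unprivileged child is skipping only the syslog message or also whatever else the function does after this point; if auth_log has other side effects, the guard silently drops them for the child as well. A short comment would make the intent reviewable, e.g. `/* Under privsep the monitor logs on the child's behalf; the child itself only logs postponed results. */` — the last clause is my reading of the `!authctxt->postponed` exception and should be confirmed against the callers. The enclosing function starts before the hunk.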
Index: monitor.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor.c,v
retrieving revision 1.67
diff -u -r1.67 monitor.c
--- monitor.c	2006/02/10 01:44:26	1.67
+++ monitor.c	2006/02/16 13:17:06
@@ -156,6 +156,7 @@
 #define MON_ISAUTH	0x0004	/* Required for Authentication */
 #define MON_AUTHDECIDE	0x0008	/* Decides Authentication */
 #define MON_ONCE	0x0010	/* Disable after calling */
+#define MON_ALOG	0x0020	/* Log auth attempt without permitting */
 
 #define MON_AUTH	(MON_ISAUTH|MON_AUTHDECIDE)
 
@@ -201,8 +202,8 @@
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
+    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
+    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
     {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef BSD_AUTH
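Review bot: Adding MON_ALOG to the RSAKEYALLOWED and KEYALLOWED entries makes the loop in monitor_child_preauth (hunk at @@ -289,7 +290,7 @@) call auth_log after every key-allowed request, while the new else branch in mm_answer_keyallowed (hunk at @@ -811,6 +815,9 @@) also calls auth_log for a disallowed key, so a rejected key appears to be logged twice by the monitor — the same duplication the patch sets out to remove. For an allowed key the loop passes the handler's return value as `authenticated`, and the monitor's authctxt never has `postponed` set, so a key that merely passed the allowed check would be reported as a failure rather than as postponed, unless mm_answer_keyallowed's return path (outside the hunks) avoids this. I would keep only one of the two logging sites; the simplest is to drop `|MON_ALOG` from these two table entries and rely on the explicit auth_log in mm_answer_keyallowed, adding the same else-branch log to mm_answer_rsa_keyallowed for consistency.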
@@ -289,7 +290,7 @@
 				authenticated = 0;
 		}
 
-		if (ent->flags & MON_AUTHDECIDE) {
+		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(authctxt, authenticated, auth_method,
 			    compat20 ? " ssh2" : "");
 			if (!authenticated)
@@ -781,17 +782,20 @@
 		case MM_USERKEY:
 			allowed = options.pubkey_authentication &&
 			    user_key_allowed(authctxt->pw, key);
+			auth_method = "publickey";
 			break;
 		case MM_HOSTKEY:
 			allowed = options.hostbased_authentication &&
 			    hostbased_key_allowed(authctxt->pw,
 			    cuser, chost, key);
+			auth_method = "hostbased";
 			break;
 		case MM_RSAHOSTKEY:
 			key->type = KEY_RSA1; /* XXX */
 			allowed = options.rhosts_rsa_authentication &&
 			    auth_rhosts_rsa_key_allowed(authctxt->pw,
 			    cuser, chost, key);
+			auth_method = "rsa";
 			break;
 		default:
 			fatal("%s: unknown key type %d", __func__, type);
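Review bot: The method name in the MM_RSAHOSTKEY case, `auth_method = "rsa";`, looks like a copy of the plain-RSA case: this branch calls auth_rhosts_rsa_key_allowed, and the later hunk in mm_answer_rsa_keyallowed also uses "rsa", so a rejected rhosts-rsa key and a rejected RSA key would be indistinguishable in syslog. If the protocol-1 method table names this method "rhosts-rsa" (not visible from here), the line should read `auth_method = "rhosts-rsa";`. mm_answer_keyallowed starts and ends outside this hunk.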
@@ -811,6 +815,9 @@
 		key_blobtype = type;
 		hostbased_cuser = cuser;
 		hostbased_chost = chost;
+	} else {
+		/* Log failed attempt */
+		auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
 	}
 
 	debug3("%s: key %p is %s",
@@ -1175,6 +1182,7 @@
 
 	debug3("%s entering", __func__);
 
+	auth_method = "rsa";
 	if (options.rsa_authentication && authctxt->valid) {
 		if ((client_n = BN_new()) == NULL)
 			fatal("%s: BN_new", __func__);

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


