- djm@cvs.openbsd.org 2012/12/02 20:34:10
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
[monitor.c monitor.h]
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.
Fix multiple authentication when one of the methods is
keyboard-interactive.
ok markus@
diff --git a/auth2.c b/auth2.c
index 8114ec8..e367a10 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -286,7 +286,7 @@
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(authctxt);
}
- userauth_finish(authctxt, authenticated, method);
+ userauth_finish(authctxt, authenticated, method, NULL);
xfree(service);
xfree(user);
@@ -294,7 +294,8 @@
}
void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+ const char *submethod)
{
char *methods;
int partial = 0;
@@ -302,6 +303,8 @@
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
+ if (authenticated && authctxt->postponed)
+ fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
@@ -312,6 +315,19 @@
#endif
}
+ if (authenticated && options.num_auth_methods != 0) {
+ if (!auth2_update_methods_lists(authctxt, method)) {
+ authenticated = 0;
+ partial = 1;
+ }
+ }
+
+ /* Log before sending the reply */
+ auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
+
+ if (authctxt->postponed)
+ return;
+
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
@@ -330,23 +346,10 @@
#ifdef _UNICOS
if (authenticated && cray_access_denied(authctxt->user)) {
authenticated = 0;
- fatal("Access denied for user %s.",authctxt->user);
+ fatal("Access denied for user %s.", authctxt->user);
}
#endif /* _UNICOS */
- /* Log before sending the reply */
- auth_log(authctxt, authenticated, method, " ssh2");
-
- if (authctxt->postponed)
- return;
-
- if (authenticated && options.num_auth_methods != 0) {
- if (!auth2_update_methods_lists(authctxt, method)) {
- authenticated = 0;
- partial = 1;
- }
- }
-
if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);