Vikash Badal / PCS
2002-May-09 10:45 UTC
functions : server_input_channel_req userauth_pubkey
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, I am not sure if this is the correct place to ask these question, if I am at the wrong place please advise. I am currently working on some modifications to openssh which record the users rsa/dsa identity comment file to a log file when the user logs in (password authentication is disabled). The ssh1 portion of the modification works perfectly but the ssh2 portion has me completely lost. in userauth_pubkey() [ in auth2.c ] i defined a variable realname (char 40). which gets set after user_key_allowed2 is processed. i want to pass this variable to server_input_channel_req but i can not find where these two functions are being called from. vix at osr5: openssh-3.1p1 > grep -l "userauth_pubkey" *.c auth2.c sshconnect2.c vix at osr5: openssh-3.1p1 > grep -l server_input_channel_req *.c serverloop.c I can not determine where these two functions are called from. please advise the diffs are attached . I am not much of a programmer, I ported these mod from some-one elses mods (ssh1-1.2.17). there probabably are a lot of ugliness to them and if you could point out any idiotic things that i have done, i will greatly appreciate it. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ diff -ru openssh-3.1p1/auth-rsa.c openssh-3.1p1-mods/auth-rsa.c - --- openssh-3.1p1/auth-rsa.c Thu May 9 12:18:25 2002 +++ openssh-3.1p1-mods/auth-rsa.c Thu May 9 12:19:54 2002 @@ -123,8 +123,11 @@ * successful. This may exit if there is a serious protocol violation. */ int - -auth_rsa(struct passwd *pw, BIGNUM *client_n) +auth_rsa(struct passwd *pw, BIGNUM *client_n, char *realname, int realnamesize) { char line[8192], *file; int authenticated; @@ -134,6 +137,8 @@ struct stat st; Key *key; char *fp; + char *comment; + int commentlen; /* no user given */ if (pw == NULL) 
@@ -219,6 +224,11 @@ continue; } /* cp now points to the comment part. */ + /* NaTIS */ + comment = cp; + commentlen = strlen(comment); + if (commentlen > 0 && comment[commentlen -1] == '\n') + comment[commentlen - 1] = '\0'; /* Check if the we have found the desired key (identified by its modulus). */ if (BN_cmp(key->rsa->n, client_n) != 0) @@ -231,6 +241,8 @@ file, linenum, BN_num_bits(key->rsa->n), bits); /* We have found the desired key. */ + debug("Found desired key for %s", comment); /* NaTIS */ + /* * If our options do not allow this key to be used, * do not send challenge. @@ -241,7 +253,10 @@ /* Perform the challenge-response dialog for this key. */ if (!auth_rsa_challenge_dialog(key->rsa)) { /* Wrong response. */ - - verbose("Wrong response to RSA authentication challenge. "); + /* + * added identity (comment) + */ + verbose("Wrong response to RSA authentication challenge for %s.", comment); packet_send_debug("Wrong response to RSA authentication challenge."); /* * Break out of the loop. Otherwise we might send @@ -264,6 +279,12 @@ key_type(key), fp); xfree(fp); + strncpy(realname, comment, commentlen - 1); break; } @@ -276,8 +297,14 @@ key_free(key); - - if (authenticated) - - packet_send_debug("RSA authentication accepted."); + if (authenticated) { + /* + * Assume that the comment field contains the real name of the + * person who owns the key. + */ + packet_send_debug("RSA authentication of %s as user %s accepted.", + comment, pw->pw_name); + } else auth_clear_options(); diff -ru openssh-3.1p1/auth.h openssh-3.1p1-mods/auth.h - --- openssh-3.1p1/auth.h Thu May 9 12:18:26 2002 +++ openssh-3.1p1-mods/auth.h Thu May 9 12:19:54 2002 
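Review bot: The `strncpy(realname, comment, commentlen - 1)` added in the @@ -264 hunk bounds the copy by the length of the source, not of the destination: `realname` is the 40-byte array declared in auth1.c's do_authentication, while `comment` comes from a line of up to 8192 bytes in the account owner's authorized_keys, so an over-long comment overruns sshd's stack, an empty comment (after the newline strip, `commentlen` is 0) makes `commentlen - 1` convert to a huge count, and strncpy writes no terminator when the source is at least as long as the count. The `realnamesize` parameter introduced in the @@ -123 hunk (and in auth.h) is the right bound, but nothing in the patch reads it; replace the line with `snprintf(realname, realnamesize, "%s", comment);`, which truncates and always terminates, and make the parameter `size_t`. The same source-length bound recurs in user_key_allowed2 (auth2.c @@ -721) and in sshid (auth2.c @@ -105). auth_rsa's body continues outside these hunks.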
@@ -94,7 +94,7 @@ int auth_rhosts_rsa(struct passwd *, const char *, Key *); int auth_password(Authctxt *, const char *); - -int auth_rsa(struct passwd *, BIGNUM *); +int auth_rsa(struct passwd *, BIGNUM *, char *realname, int realnamesize); int auth_rsa_challenge_dialog(RSA *); #ifdef KRB4 diff -ru openssh-3.1p1/auth1.c openssh-3.1p1-mods/auth1.c - --- openssh-3.1p1/auth1.c Thu May 9 12:18:26 2002 +++ openssh-3.1p1-mods/auth1.c Thu May 9 12:19:54 2002 @@ -63,7 +63,7 @@ * return only if authentication is successful */ static void - -do_authloop(Authctxt *authctxt) +do_authloop(Authctxt *authctxt, const char *realname) { int authenticated = 0; u_int bits; @@ -229,7 +229,7 @@ fatal("do_authloop: BN_new failed"); packet_get_bignum(n); packet_check_eom(); - - authenticated = auth_rsa(pw, n); + authenticated = auth_rsa(pw, n, realname, sizeof(realname)); BN_clear_free(n); break; @@ -363,6 +363,12 @@ u_int ulen; char *p, *user, *style = NULL; + /* Added the following so that the real ID of the owner of the + * public key used for successful authentication, can be returned by + * auth_rsa. + */ + char realname[40] = "unknown"; + /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); @@ -411,7 +417,7 @@ * Loop until the user has been authenticated or the connection is * closed, do_authloop() returns only if authentication is successful */ - - do_authloop(authctxt); + do_authloop(authctxt, realname); /* The user has been authenticated and accepted. */ packet_start(SSH_SMSG_SUCCESS); @@ -419,5 +425,5 @@ packet_write_wait(); /* Perform session preparation. */ - - do_authenticated(authctxt); + do_authenticated(authctxt, realname); } diff -ru openssh-3.1p1/auth2.c openssh-3.1p1-mods/auth2.c - --- openssh-3.1p1/auth2.c Thu May 9 12:18:26 2002 +++ openssh-3.1p1-mods/auth2.c Thu May 9 12:19:55 2002 
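Review bot: `sizeof(realname)` in the @@ -229 hunk is the size of a pointer, not of the 40-byte buffer, because inside do_authloop `realname` is the `const char *` parameter added in the @@ -63 hunk; the array itself lives in do_authentication (@@ -363 hunk), so its size has to travel with the pointer. Since auth_rsa writes through that pointer the parameter should not be `const` either: declare `do_authloop(Authctxt *authctxt, char *realname, size_t realnamesize)`, call it as `do_authloop(authctxt, realname, sizeof realname);` from do_authentication (@@ -411 hunk), and pass `realname, realnamesize` on to auth_rsa. Passing a `const char *` to auth_rsa's `char *` parameter also discards the qualifier, which a compiler with warnings enabled will flag. Both functions extend beyond the hunks shown.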
@@ -75,7 +75,7 @@ /* helper */ static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); - -static int user_key_allowed(struct passwd *, Key *); +static int user_key_allowed(struct passwd *, Key *, char *realname); static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); /* auth */ @@ -105,6 +105,28 @@ {NULL, NULL, NULL} }; +/* VIX + * this piece is my attempt to pass the value of realname from userauth_pubkey + * to server_input_channel_req but i have no idea what is really happening + * the value gets passed in from userauthkey but gets destroyed by + * server_input_channel_req wtf ??? + */ +char sshid(char *realname, int oopt, char temprealname[40]) +{ + int lengrn; + + debug("realname passed in %s var is %d ", realname, oopt); + if (oopt == 1) { + /* write value to realname */ + debug("writing temp value for realname"); + lengrn = strlen(realname); + strncpy(temprealname, realname, lengrn ); + debug(" VIX tempvar is %s", temprealname); + } else { + /* rewrite realname from temprealname */ + debug("reading temp value for realname"); + lengrn = strlen(temprealname); + strncpy(realname,&temprealname,lengrn); + } + debug(" VIX realname passed out is %s", realname); + debug(" VIX tempvar passed out %s", temprealname); +} + /* * loop until authctxt->success == TRUE */ @@ -114,8 +136,11 @@ { Authctxt *authctxt = authctxt_new(); + char realname[40] = "unknown"; + x_authctxt = authctxt; /*XXX*/ + /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; @@ -125,7 +150,7 @@ dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - - do_authenticated(authctxt); + do_authenticated(authctxt, realname); } static void 
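Review bot: `sshid` in the @@ -105 hunk cannot carry a value from userauth_pubkey to server_input_channel_req, because `temprealname` is whichever `tempreal` array the caller passes in, and each caller (auth2.c @@ -403 and @@ -505; serverloop.c @@ -996 and @@ -1020) declares its own fresh 40-byte local that ceases to exist when that function returns — so the value is not destroyed, it is simply never shared. There is no direct call site to find with grep: userauth_pubkey is invoked through the `authmethods[]` table in auth2.c, and server_input_channel_req is registered with `dispatch_set` for SSH2_MSG_CHANNEL_REQUEST in serverloop.c and invoked from `dispatch_run`. The object that does live across both is the `Authctxt` (`authctxt` in userauth_pubkey and, I believe, the `ctxt` argument of server_input_channel_req — confirm against what server_loop2 hands to dispatch_run), so a `char realname[40]` member there, written once in user_key_allowed2, replaces sshid and the parameter threading through serverloop.c and session.c. As written the function is also declared `char` but returns nothing, `strncpy(realname, &temprealname, lengrn)` passes a `char (*)[40]` where `char *` is expected, and neither copy is bounded by the destination or guaranteed a terminator. If it is kept, make it `void`, drop the `&`, and use `strlcpy(realname, temprealname, 40);` for the copy.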
@@ -403,6 +428,13 @@ u_int alen, blen, slen; int have_sig, pktype; int authenticated = 0; + + char realname[40] = "UNKNOWN" ; + char tempreal[40] = "UNKNOWN" ; + + debug("**************************"); + debug("VIX userauth_pubkey called"); + debug("**************************"); if (!authctxt->valid) { debug2("userauth_pubkey: disabled because of invalid user"); @@ -467,7 +499,7 @@ buffer_dump(&b); #endif /* test for correct signature */ - - if (user_key_allowed(authctxt->pw, key) && + if (user_key_allowed(authctxt->pw, key, realname) && key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) = 1) authenticated = 1; buffer_clear(&b); @@ -484,7 +516,7 @@ * if a user is not allowed to login. is this an * issue? -markus */ - - if (user_key_allowed(authctxt->pw, key)) { + if (user_key_allowed(authctxt->pw, key, realname)) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); @@ -505,6 +537,10 @@ if (check_nt_auth(0, authctxt->pw) == 0) return(0); #endif + sshid(realname, 1, tempreal); + debug("**************************"); + debug("VIX userauth_pubkey done"); + debug("**************************"); return authenticated; } @@ -638,7 +674,7 @@ /* return 1 if user allows given key */ static int - -user_key_allowed2(struct passwd *pw, Key *key, char *file) +user_key_allowed2(struct passwd *pw, Key *key, char *file, char *realname) { char line[8192]; int found_key = 0; @@ -647,6 +683,8 @@ struct stat st; Key *found; char *fp; + char *comment; + int commentlen; if (pw == NULL) return 0; @@ -714,6 +752,12 @@ found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); + + comment = cp; + commentlen = strlen(comment); + if (commentlen > 0 && comment[commentlen -1] == '\n') + comment[commentlen - 1] = '\0'; + fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); 
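Review bot: In the @@ -484 hunk `realname` is filled by user_key_allowed on the PK_OK probe path, where the client has only asked whether a key would be acceptable and has proved nothing, while the @@ -467 hunk fills it again on the signed path; if the name is ever stored somewhere that outlives this call, only the signed path should write it, so that a probe with one key followed by authentication with another cannot leave the wrong owner in the log. The `debug("**************************")` banners in the @@ -403 and @@ -505 hunks are tracing noise and should be removed before the patch is proposed. userauth_pubkey extends beyond these hunks.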
@@ -721,6 +765,9 @@ break; } } + + strncpy(realname, comment, commentlen); + restore_uid(); fclose(f); key_free(found); @@ -731,20 +778,19 @@ /* check whether given key is in .ssh/authorized_keys* */ static int - -user_key_allowed(struct passwd *pw, Key *key) +user_key_allowed(struct passwd *pw, Key *key, char *realname) { int success; char *file; file = authorized_keys_file(pw); - - success = user_key_allowed2(pw, key, file); + success = user_key_allowed2(pw, key, file, realname); xfree(file); if (success) return success; - - /* try suffix "2" for backward compat, too */ file = authorized_keys_file2(pw); - - success = user_key_allowed2(pw, key, file); + success = user_key_allowed2(pw, key, file, realname); xfree(file); return success; } diff -ru openssh-3.1p1/serverloop.c openssh-3.1p1-mods/serverloop.c - --- openssh-3.1p1/serverloop.c Thu May 9 12:18:34 2002 +++ openssh-3.1p1-mods/serverloop.c Thu May 9 12:20:03 2002 @@ -734,12 +734,13 @@ } void - -server_loop2(Authctxt *authctxt) +server_loop2(Authctxt *authctxt, const char *realname) { fd_set *readset = NULL, *writeset = NULL; int rekeying = 0, max_fd, nalloc = 0; debug("Entering interactive session for SSH2."); + debug("VIX realname is %s ", realname); mysignal(SIGCHLD, sigchld_handler); child_terminated = 0; @@ -996,10 +997,20 @@ } static void server_input_channel_req(int type, u_int32_t seq, void *ctxt) +/* + * VIX expected to get realname from calling funtion + * but i can't find the calling function !!!!!! +server_input_channel_req(int type, u_int32_t seq, void *ctxt, const char *realn ame) +*/ { Channel *c; int id, reply, success = 0; char *rtype; + char realname[40] = "UNDEFINED"; + char tempreal[40] = "UNDEFINED"; + + debug("*******************************"); + debug("server_input_channel_req called"); + debug("*******************************"); id = packet_get_int(); rtype = packet_get_string(NULL); 
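Review bot: The `strncpy(realname, comment, commentlen)` added after the loop in the @@ -721 hunk runs whether or not a key matched, so on the no-match path `comment` and `commentlen` (declared without initializers in the @@ -647 hunk) are read uninitialized; and when a key did match the count is the comment's own length, up to the 8192-byte line, while `realname` is the caller's 40-byte array — an over-long comment in a user's authorized_keys overruns the stack of the privileged sshd, and the copy is never NUL-terminated. Move the copy into the `found_key` branch beside the `debug("matching key found: ...")` line and bound it by the destination, e.g. `strlcpy(realname, comment, 40);`, or better a `realnamesize` parameter handed down from userauth_pubkey. user_key_allowed2 starts before this hunk.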
@@ -1012,7 +1023,7 @@ packet_disconnect("server_input_channel_req: " "unknown channel %d", id); if (c->type == SSH_CHANNEL_LARVAL || c->type =SSH_CHANNEL_OPEN) - - success = session_input_channel_req(c, rtype); + success = session_input_channel_req(c, rtype, realname); if (reply) { packet_start(success ? SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); @@ -1020,6 +1031,10 @@ packet_send(); } xfree(rtype); + sshid(realname, 0, tempreal); + debug("*****************************"); + debug("server_input_channel_req done"); + debug("*****************************"); } static void diff -ru openssh-3.1p1/serverloop.h openssh-3.1p1-mods/serverloop.h - --- openssh-3.1p1/serverloop.h Thu May 9 12:18:34 2002 +++ openssh-3.1p1-mods/serverloop.h Thu May 9 12:20:03 2002 @@ -22,6 +22,6 @@ #define SERVERLOOP_H void server_loop(pid_t, int, int, int); - -void server_loop2(Authctxt *); +void server_loop2(Authctxt *, const char *realname); #endif diff -ru openssh-3.1p1/session.c openssh-3.1p1-mods/session.c - --- openssh-3.1p1/session.c Thu May 9 12:18:34 2002 +++ openssh-3.1p1-mods/session.c Thu May 9 12:20:03 2002 @@ -98,10 +98,10 @@ static void session_pty_cleanup(void *); void session_proctitle(Session *); int session_setup_x11fwd(Session *); - -void do_exec_pty(Session *, const char *); +void do_exec_pty(Session *, const char *, const char *realname); void do_exec_no_pty(Session *, const char *); - -void do_exec(Session *, const char *); - -void do_login(Session *, const char *); +void do_exec(Session *, const char *, const char *realname); +void do_login(Session *, const char *, const char *realname); #ifdef LOGIN_NEEDS_UTMPX static void do_pre_login(Session *s); #endif 
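Review bot: `sshid(realname, 0, tempreal)` in the @@ -1020 hunk runs after `session_input_channel_req(c, rtype, realname)` in the @@ -1012 hunk has already consumed `realname`, so even if sshid could recover a name it would arrive too late; and because `tempreal` is this function's own local initialised to "UNDEFINED", the session always receives "UNDEFINED". If the name is stored on the Authctxt (which I believe is what `ctxt` points to here — confirm), this function needs no local buffers and passes the stored string straight through. serverloop.c also includes no prototype for sshid, so the call compiles as an implicit declaration returning `int` while the definition returns `char`. server_input_channel_req starts in the previous hunk.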
@@ -109,8 +109,8 @@ void do_motd(void); int check_quietlogin(Session *, const char *); - -static void do_authenticated1(Authctxt *); - -static void do_authenticated2(Authctxt *); +static void do_authenticated1(Authctxt *, const char *realname); +static void do_authenticated2(Authctxt *, const char *realname); static void session_close(Session *); static int session_pty_req(Session *); @@ -140,7 +140,7 @@ #endif void - -do_authenticated(Authctxt *authctxt) +do_authenticated(Authctxt *authctxt, const char *realname) { /* * Cancel the alarm we set to limit the time taken for @@ -176,9 +176,9 @@ channel_permit_all_opens(); if (compat20) - - do_authenticated2(authctxt); + do_authenticated2(authctxt, realname); else - - do_authenticated1(authctxt); + do_authenticated1(authctxt, realname); /* remove agent socket */ if (auth_get_socket_name()) @@ -200,7 +200,7 @@ * are requested, etc. */ static void - -do_authenticated1(Authctxt *authctxt) +do_authenticated1(Authctxt *authctxt, const char *realname) { Session *s; char *command; @@ -352,10 +352,10 @@ if (type == SSH_CMSG_EXEC_CMD) { command = packet_get_string(&dlen); debug("Exec command '%.500s'", command); - - do_exec(s, command); + do_exec(s, command, realname); xfree(command); } else { - - do_exec(s, NULL); + do_exec(s, NULL, realname); } packet_check_eom(); session_close(s); @@ -517,7 +517,7 @@ * lastlog, and other such operations. */ void - -do_exec_pty(Session *s, const char *command) +do_exec_pty(Session *s, const char *command, const char *realname) { int fdout, ptyfd, ttyfd, ptymaster; pid_t pid; @@ -557,7 +557,7 @@ /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) - - do_login(s, command); + do_login(s, command, realname); # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); 
@@ -637,7 +637,7 @@ * to be forced, execute that instead. */ void - -do_exec(Session *s, const char *command) +do_exec(Session *s, const char *command, const char *realname) { if (forced_command) { original_command = command; @@ -646,7 +646,7 @@ } if (s->ttyfd != -1) - - do_exec_pty(s, command); + do_exec_pty(s, command, realname); else do_exec_no_pty(s, command); @@ -656,7 +656,7 @@ /* administrative, login(1)-like work */ void - -do_login(Session *s, const char *command) +do_login(Session *s, const char *command, const char *realname) { char *time_string; char hostname[MAXHOSTNAMELEN]; @@ -690,7 +690,7 @@ /* Record that there was a login on that tty from the remote host. */ record_login(pid, s->tty, pw->pw_name, pw->pw_uid, get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping), - - (struct sockaddr *)&from); + (struct sockaddr *)&from, realname); #ifdef USE_PAM /* @@ -1509,7 +1509,7 @@ } static int - -session_subsystem_req(Session *s) +session_subsystem_req(Session *s, const char *realname) { struct stat st; u_int len; @@ -1530,7 +1530,7 @@ } debug("subsystem: exec() %s", cmd); s->is_subsystem = 1; - - do_exec(s, cmd); + do_exec(s, cmd, realname); success = 1; break; } @@ -1566,20 +1566,22 @@ } static int - -session_shell_req(Session *s) +session_shell_req(Session *s, const char *realname) { + char test1111[40] = "Unknown" ; + packet_check_eom(); - - do_exec(s, NULL); + do_exec(s, NULL, realname); return 1; } static int - -session_exec_req(Session *s) +session_exec_req(Session *s, const char *realname) { u_int len; char *command = packet_get_string(&len); packet_check_eom(); - - do_exec(s, command); + do_exec(s, command, realname); xfree(command); return 1; } @@ -1602,7 +1604,7 @@ } int - -session_input_channel_req(Channel *c, const char *rtype) +session_input_channel_req(Channel *c, const char *rtype, const char *realname) { int success = 0; Session *s; 
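Review bot: `char test1111[40] = "Unknown";` added to session_shell_req in the @@ -1566 hunk is never read; it looks like a leftover experiment and should be deleted. The rest of that hunk and its neighbours only thread `realname` through session_exec_req, session_subsystem_req, do_exec, do_exec_pty and do_login; if the name is kept on the Authctxt (or on the `Session`, which already carries `s->pw` and `s->tty`) these signature changes become unnecessary, which is worth deciding before touching ten prototypes.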
@@ -1620,9 +1622,9 @@ */ if (c->type == SSH_CHANNEL_LARVAL) { if (strcmp(rtype, "shell") == 0) { - - success = session_shell_req(s); + success = session_shell_req(s, realname); } else if (strcmp(rtype, "exec") == 0) { - - success = session_exec_req(s); + success = session_exec_req(s, realname); } else if (strcmp(rtype, "pty-req") == 0) { success = session_pty_req(s); } else if (strcmp(rtype, "x11-req") == 0) { @@ -1630,7 +1632,7 @@ } else if (strcmp(rtype, "auth-agent-req at openssh.com") == 0) { success = session_auth_agent_req(s); } else if (strcmp(rtype, "subsystem") == 0) { - - success = session_subsystem_req(s); + success = session_subsystem_req(s, realname); } } if (strcmp(rtype, "window-change") == 0) { @@ -1679,6 +1681,18 @@ if (s->pid != 0) record_logout(s->pid, s->tty, s->pw->pw_name); + /* Remove the file which contains login info. */ + { + char filename[80]; + char *cp; + + cp = strrchr(s->tty, '/'); + if (cp != NULL) { + sprintf(filename, "/usr/adm/sshd/%s", cp); + unlink(filename); + } + } + /* Release the pseudo-tty. */ pty_release(s->tty); @@ -1921,7 +1935,7 @@ } static void - -do_authenticated2(Authctxt *authctxt) +do_authenticated2(Authctxt *authctxt, const char *realname) { - - server_loop2(authctxt); + server_loop2(authctxt, realname); } diff -ru openssh-3.1p1/session.h openssh-3.1p1-mods/session.h - --- openssh-3.1p1/session.h Thu May 9 12:18:34 2002 +++ openssh-3.1p1-mods/session.h Thu May 9 12:20:03 2002 
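Review bot: The cleanup block added to session_close in the @@ -1679 hunk builds the path with an unbounded `sprintf` into `filename[80]` and keeps the leading '/' returned by `strrchr` (the matching code in sshlogin.c's record_login skips it with `cp++`), so the two sites name the file differently — `/usr/adm/sshd//ttyXX` here versus `/usr/adm/sshd/ttyXX` there — and only agree because the kernel collapses the doubled slash. Use the same construction at both sites and bound it: `snprintf(filename, sizeof filename, "/usr/adm/sshd/%s", cp + 1);`, ideally from one small helper shared by session.c and sshlogin.c so the directory name is defined once. session_close continues on both sides of this hunk.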
@@ -26,10 +26,10 @@ #ifndef SESSION_H #define SESSION_H - -void do_authenticated(Authctxt *); +void do_authenticated(Authctxt *, const char *realname); int session_open(Authctxt*, int); - -int session_input_channel_req(Channel *, const char *); +int session_input_channel_req(Channel *, const char *, const char *realname ); void session_close_by_pid(pid_t, int); void session_close_by_channel(int, void *); void session_destroy_all(void); diff -ru openssh-3.1p1/sshd.c openssh-3.1p1-mods/sshd.c - --- openssh-3.1p1/sshd.c Thu May 9 12:18:37 2002 +++ openssh-3.1p1-mods/sshd.c Thu May 9 12:20:06 2002 @@ -1519,3 +1519,4 @@ #endif debug("KEX done"); } + diff -ru openssh-3.1p1/sshlogin.c openssh-3.1p1-mods/sshlogin.c - --- openssh-3.1p1/sshlogin.c Thu May 9 12:18:37 2002 +++ openssh-3.1p1-mods/sshlogin.c Thu May 9 12:20:07 2002 
@@ -67,14 +67,64 @@ void record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, - - const char *host, struct sockaddr * addr) + const char *host, struct sockaddr * addr, const char *realname) { struct logininfo *li; + char filename[80], line[132]; + char *cp; + time_t Now; + struct tm *tp; + int fd; li = login_alloc_entry(pid, user, host, ttyname); login_set_addr(li, addr, sizeof(struct sockaddr)); login_login(li); login_free_entry(li); + + /* We will create a separate file in "/usr/adm/sshd" for each user + ** who logs in. The filename will be the same as the ttyname. The + ** file will contain only one line, showing: + ** username + ** ttyname + ** Date and time when login started + ** PID + ** hostname of client. + ** Real name of public key's owner + */ + cp = strrchr(ttyname, '/'); + if (cp != NULL) + { + cp++; + sprintf(filename, "/usr/adm/sshd/%s", cp); + if (strcmp(user, "") != 0) + { + /* We are recording a login, not a logout */ + fd = open(filename, O_WRONLY|O_CREAT, 0644); + chmod(filename, 0644); /* to make sure */ + if (fd >= 0) + { + char namebuffer[21]; + + time(&Now); + tp = localtime(&Now); + strncpy(namebuffer, realname, 20); + namebuffer[20] = '\0'; /* prevent overruning line buffer */ + sprintf(line, "%-12s %-8s %02d/%02d %02d:%02d:%02d %-5u %-12s %-20s\n", + user, cp, tp->tm_mon, tp->tm_mday, + tp->tm_hour, tp->tm_min, tp->tm_sec, + pid, host, namebuffer); + if (write(fd, line, strlen(line)) != strlen(line)) + verbose("Could not write to %s", filename); + close(fd); + } + else + verbose("Could not open %s: %s", filename, strerror(errno)); + } + else /* This is a logout, not a login */ + { + unlink(filename); + } + } } #ifdef LOGIN_NEEDS_UTMPX diff -ru openssh-3.1p1/sshlogin.h openssh-3.1p1-mods/sshlogin.h - --- openssh-3.1p1/sshlogin.h Thu May 9 12:18:37 2002 +++ openssh-3.1p1-mods/sshlogin.h Thu May 9 12:20:07 2002 
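Review bot: The record written in the @@ -67 hunk is assembled with an unbounded `sprintf` into `line[132]`: `%-12s` and `%-20s` are minimum widths, not limits, so `host` (a reverse-mapped name) is copied in full and only `realname` is cut to 20 bytes via `namebuffer`; the month is also printed as `tp->tm_mon`, which `localtime` numbers from 0, and the file is opened without `O_TRUNC`, so a shorter record written over a longer stale one leaves trailing bytes. The rewrite below uses `snprintf` with a precision on every string field (which makes `namebuffer` unnecessary), adds `+ 1` to the month, opens with `O_TRUNC`, and checks `write` against a signed length instead of comparing `ssize_t` with `size_t`; it needs `int len;` added to the locals. The logout branch (`strcmp(user, "") != 0` false) can only run if something calls record_login with an empty user name, and nothing in this patch does — if it is a carry-over from the ssh1 port, either call it from record_logout or drop it. The declarations and the login_* calls above the new block are unchanged.
```c
	/* … unchanged: login_alloc_entry … login_free_entry … */
	cp = strrchr(ttyname, '/');
	if (cp == NULL)
		return;
	cp++;
	snprintf(filename, sizeof filename, "/usr/adm/sshd/%s", cp);
	if (user[0] == '\0') {
		/* logout: drop the per-tty record */
		unlink(filename);
		return;
	}
	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644);
	if (fd < 0) {
		verbose("Could not open %s: %s", filename, strerror(errno));
		return;
	}
	chmod(filename, 0644);	/* to make sure */
	time(&Now);
	tp = localtime(&Now);
	if (tp == NULL) {
		verbose("Could not get local time for %s", filename);
		close(fd);
		return;
	}
	/* precision on each %s bounds the field; tm_mon is 0-based */
	len = snprintf(line, sizeof line,
	    "%-12.12s %-8.8s %02d/%02d %02d:%02d:%02d %-5ld %-12.12s %-20.20s\n",
	    user, cp, tp->tm_mon + 1, tp->tm_mday,
	    tp->tm_hour, tp->tm_min, tp->tm_sec,
	    (long)pid, host, realname);
	if (len < 0 || (size_t)len >= sizeof line
	    || write(fd, line, (size_t)len) != (ssize_t)len)
		verbose("Could not write to %s", filename);
	close(fd);
```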
@@ -16,7 +16,7 @@ void record_login(pid_t, const char *, const char *, uid_t, - - const char *, struct sockaddr *); + const char *, struct sockaddr *, const char *realname); void record_logout(pid_t, const char *, const char *); u_long get_last_login_time(uid_t, const char *, char *, u_int); Thanks Vikash -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i for non-commercial use <http://www.pgpi.com/> iQA/AwUBPNo3XhvA3JmlEONgEQLeDACg6WjQR6l77RQ5PpXt2S9G5Ta08QAAoPNy 2S4TWi5B3YXtr61j8g03sJHk =fJSw -----END PGP SIGNATURE-----