Hi All. This is a re-send of a patch I submitted before 3.6p1. As noted in a previous post, the logging of failed user logins is somewhat spread out. This patch creates a record_failed_login() function in sshlogin.c and moves the AIX and UNICOS code to it, eliminating 3 #ifdefs from the main code. It also provides an obvious place to add the code for any other platforms that support this. I've tested this on AIX 4.3.3. Wendy Palm was kind enough to test it on UNICOS (this patch includes the cast required to placate the Cray compiler). NOTE: this will call record_failed_login() in the case of a login attempt by a non-existant user. This is fine for AIX (loginfailed replaces the username with UNKNOWN_USER). I'm not sure if UNICOS does the same thing. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.67 diff -u -r1.67 auth.c --- auth.c 18 Jan 2003 05:24:06 -0000 1.67 +++ auth.c 25 Feb 2003 09:52:31 -0000 @@ -268,13 +268,10 @@ get_remote_port(), info); -#ifdef WITH_AIXAUTHENTICATE if (authenticated == 0 && strcmp(method, "password") == 0) - loginfailed(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - + record_failed_login(authctxt->user, + get_canonical_hostname(options.verify_reverse_mapping), + "ssh"); } /* 
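Review bot: auth.c calls `record_failed_login()` here and again in the `pw == NULL` hunk that follows, but nothing visible on this page adds a prototype to a header or a new `#include` to auth.c, so as shown both calls would compile against an implicit declaration. Unless that is handled outside this patch, add `void record_failed_login(const char *, const char *, const char *);` to the header that already declares the other sshlogin.c functions. As a style point, the `if` now guards a three-line call with no braces; bracing it makes the extent of the condition obvious on a path that feeds the platform's failed-login accounting. The enclosing function starts outside the hunk.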
@@ -496,11 +493,9 @@ if (pw == NULL) { log("Illegal user %.100s from %.100s", user, get_remote_ipaddr()); -#ifdef WITH_AIXAUTHENTICATE - loginfailed(user, + record_failed_login(user, get_canonical_hostname(options.verify_reverse_mapping), "ssh"); -#endif return (NULL); } if (!allowed_user(pw)) Index: auth1.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v retrieving revision 1.79 diff -u -r1.79 auth1.c --- auth1.c 24 Feb 2003 00:59:27 -0000 1.79 +++ auth1.c 25 Feb 2003 09:45:10 -0000 @@ -311,8 +311,6 @@ authctxt->user); #ifdef _UNICOS - if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) - cray_login_failure(authctxt->user, IA_UDBERR); if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; fatal("Access denied for user %s.",authctxt->user); Index: auth2.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.112 diff -u -r1.112 auth2.c --- auth2.c 24 Feb 2003 00:59:27 -0000 1.112 +++ auth2.c 25 Feb 2003 09:45:10 -0000 @@ -241,10 +241,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); Index: sshlogin.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshlogin.c,v retrieving revision 1.9 diff -u -r1.9 sshlogin.c --- sshlogin.c 1 Jan 2003 23:43:56 -0000 1.9 +++ sshlogin.c 28 Feb 2003 08:01:49 -0000 
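Review bot: Dropping the `#ifdef` around the call in the `pw == NULL` branch changes behaviour on UNICOS rather than just tidying it: `cray_login_failure()` used to be reached only from the password-failure checks removed in auth1.c and auth2.c, and as far as this hunk shows it will now run for every lookup of an unknown name, with no check on the authentication method. If the password-failure call in the first auth.c hunk also fires for the same attempt, one bad login could be recorded twice, which appears to be what AIX already did. Because these records can drive lockout counters and audit trails, confirm how the Cray routine treats a name that does not exist, or keep this particular call AIX-only until that is known. A comment at the call such as `/* also reached for unknown users; the platform hook must tolerate that */` would document the contract. The enclosing function starts and ends outside the hunk.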
@@ -99,3 +99,15 @@
 login_logout(li);
 login_free_entry(li);
 }
+
+/* Record a failed login attempt. */
+void
+record_failed_login(const char *user, const char *host, const char *ttyname)
+{
+#ifdef WITH_AIXAUTHENTICATE
+ loginfailed(user, host, ttyname);
+#endif
+#ifdef _UNICOS
+ cray_login_failure((char *)user, IA_UDBERR);
+#endif /* _UNICOS */
+}
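Review bot: The `(char *)user` cast in the `_UNICOS` branch discards `const` from a name supplied by the connecting client; if `cray_login_failure()` ever writes through that pointer, the caller's string changes behind a `const` promise, so it would be cleaner to make that function take `const char *` or to pass it a local copy. The parameter name `ttyname` also shadows the POSIX `ttyname()` function and will warn under `-Wshadow`; `tty` would avoid that. The one-line comment should be extended to say that `host` and `ttyname` are ignored on UNICOS, that the function does nothing when neither macro is defined, and that `user` may be a name that does not exist on the system.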