Use correct audit event for pubkey auth
This commit is contained in:
parent
427beb2f9e
commit
57349a88a8
@ -31,7 +31,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
+audit_keyusage(int host_user, char *fp, int rv)
|
||||||
+{
|
+{
|
||||||
+ /* not implemented */
|
+ /* not implemented */
|
||||||
+}
|
+}
|
||||||
@ -122,7 +122,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
|||||||
return (the_authctxt->user);
|
return (the_authctxt->user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -109,6 +113,37 @@ audit_event_lookup(ssh_audit_event_t ev)
|
@@ -109,6 +113,35 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||||
return(event_lookup[i].name);
|
return(event_lookup[i].name);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -130,11 +130,9 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
|||||||
+audit_key(int host_user, int *rv, const Key *key)
|
+audit_key(int host_user, int *rv, const Key *key)
|
||||||
+{
|
+{
|
||||||
+ char *fp;
|
+ char *fp;
|
||||||
+ const char *crypto_name;
|
|
||||||
+
|
+
|
||||||
+ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
|
+ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
|
||||||
+ crypto_name = key_ssh_name(key);
|
+ if (audit_keyusage(host_user, fp, (*rv == 0)) == 0)
|
||||||
+ if (audit_keyusage(host_user, crypto_name, sshkey_size(key), fp, (*rv == 0)) == 0)
|
|
||||||
+ *rv = -SSH_ERR_INTERNAL_ERROR;
|
+ *rv = -SSH_ERR_INTERNAL_ERROR;
|
||||||
+ free(fp);
|
+ free(fp);
|
||||||
+}
|
+}
|
||||||
@ -214,10 +212,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
|||||||
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
|
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
|
||||||
+ */
|
+ */
|
||||||
+int
|
+int
|
||||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
+audit_keyusage(int host_user, char *fp, int rv)
|
||||||
+{
|
+{
|
||||||
+ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
+ debug("audit %s key usage euid %d user %s fingerprint %s, result %d",
|
||||||
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
|
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(),
|
||||||
+ fp, rv);
|
+ fp, rv);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
@ -297,7 +295,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
|||||||
+int audit_run_command(const char *);
|
+int audit_run_command(const char *);
|
||||||
+void audit_end_command(int, const char *);
|
+void audit_end_command(int, const char *);
|
||||||
ssh_audit_event_t audit_classify_auth(const char *);
|
ssh_audit_event_t audit_classify_auth(const char *);
|
||||||
+int audit_keyusage(int, const char *, unsigned, char *, int);
|
+int audit_keyusage(int, char *, int);
|
||||||
+void audit_key(int, int *, const Key *);
|
+void audit_key(int, int *, const Key *);
|
||||||
+void audit_unsupported(int);
|
+void audit_unsupported(int);
|
||||||
+void audit_kex(int, char *, char *, char *, char *);
|
+void audit_kex(int, char *, char *, char *, char *);
|
||||||
@ -360,7 +358,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
|||||||
saved_errno = errno;
|
saved_errno = errno;
|
||||||
close(audit_fd);
|
close(audit_fd);
|
||||||
|
|
||||||
@@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const
|
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
|
||||||
rc = 0;
|
rc = 0;
|
||||||
errno = saved_errno;
|
errno = saved_errno;
|
||||||
|
|
||||||
@ -424,7 +422,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+int
|
+int
|
||||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
+audit_keyusage(int host_user, char *fp, int rv)
|
||||||
+{
|
+{
|
||||||
+ char buf[AUDIT_LOG_SIZE];
|
+ char buf[AUDIT_LOG_SIZE];
|
||||||
+ int audit_fd, rc, saved_errno;
|
+ int audit_fd, rc, saved_errno;
|
||||||
@ -442,10 +440,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
|||||||
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
||||||
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
|
+ snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp);
|
||||||
+ type, bits, fp, ssh_remote_port(active_state));
|
+ rc = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL,
|
||||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
+ ssh_remote_ipaddr(active_state), NULL, rv);
|
||||||
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
|
||||||
+out:
|
+out:
|
||||||
+ saved_errno = errno;
|
+ saved_errno = errno;
|
||||||
+ audit_close(audit_fd);
|
+ audit_close(audit_fd);
|
||||||
|
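Review bot: The new `snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp);` in this audit-linux.c hunk formats `fp` with `%s`, but nothing on either side of the change guards against a NULL fingerprint: in audit.c's `audit_key` (hunk `@ -130,11 +130,9 @@`) `fp = sshkey_fingerprint(...)` is passed straight into `audit_keyusage` and then freed, and `sshkey_fingerprint` returns NULL on failure, so an allocation or hash failure becomes undefined behaviour inside the audit path instead of an audit failure. A guard in `audit_key` right after the fingerprint call, `if (fp == NULL) { *rv = -SSH_ERR_INTERNAL_ERROR; return; }`, keeps the existing "audit could not be written, reject the key" contract that the `*rv = -SSH_ERR_INTERNAL_ERROR;` line already expresses. Note also that the reduced message drops the key algorithm and size carried by the old `key algo=%s size=%d` line, so the audit trail no longer lets an operator tell which key type or length authenticated a session — if that is not intended, those fields can be kept as extra fields of the new `kind=auth-key` message (and, since the function only reads `fp`, the new prototype could take `const char *fp` in audit.h, audit.c and audit-bsm.c). Separately, the audit-bsm.c stub in the first hunk is declared `int audit_keyusage(...)` with only `/* not implemented */` as its body, yet `audit_key` tests its result with `== 0`, so on that backend the accept/reject outcome is undefined; it needs an explicit `return` with the value that the Linux backend uses to report success. `audit_keyusage` both starts and ends outside this hunk.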