another audit improovements
This commit is contained in:
parent
842f4397cd
commit
1732b09b93
@ -1,6 +1,55 @@
|
|||||||
|
diff -up openssh-5.8p1/audit-bsm.c.audit1 openssh-5.8p1/audit-bsm.c
|
||||||
|
--- openssh-5.8p1/audit-bsm.c.audit1 2011-01-17 11:15:29.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/audit-bsm.c 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -305,6 +305,12 @@ audit_run_command(const char *command)
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
+audit_end_command(const char *command)
|
||||||
|
+{
|
||||||
|
+ /* not implemented */
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
audit_session_open(struct logininfo *li)
|
||||||
|
{
|
||||||
|
/* not implemented */
|
||||||
|
diff -up openssh-5.8p1/audit.c.audit1 openssh-5.8p1/audit.c
|
||||||
|
--- openssh-5.8p1/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/audit.c 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -182,5 +182,18 @@ audit_run_command(const char *command)
|
||||||
|
debug("audit run command euid %d user %s command '%.200s'", geteuid(),
|
||||||
|
audit_username(), command);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * This will be called when the non-interactive command finishes. Note that
|
||||||
|
+ * it may be called multiple times for a single connection since SSH2 allows
|
||||||
|
+ * multiple sessions within a single connection.
|
||||||
|
+ */
|
||||||
|
+void
|
||||||
|
+audit_end_command(const char *command)
|
||||||
|
+{
|
||||||
|
+ debug("audit end nopty exec euid %d user %s command '%.200s'", geteuid(),
|
||||||
|
+ audit_username(), command);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
|
diff -up openssh-5.8p1/audit.h.audit1 openssh-5.8p1/audit.h
|
||||||
|
--- openssh-5.8p1/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/audit.h 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -52,6 +52,7 @@ void audit_event(ssh_audit_event_t);
|
||||||
|
void audit_session_open(struct logininfo *);
|
||||||
|
void audit_session_close(struct logininfo *);
|
||||||
|
void audit_run_command(const char *);
|
||||||
|
+void audit_end_command(const char *);
|
||||||
|
ssh_audit_event_t audit_classify_auth(const char *);
|
||||||
|
|
||||||
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||||
--- openssh-5.8p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
|
--- openssh-5.8p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 20:01:00.000000000 +0100
|
+++ openssh-5.8p1/audit-linux.c 2011-02-23 09:46:43.000000000 +0100
|
||||||
@@ -35,13 +35,20 @@
|
@@ -35,13 +35,20 @@
|
||||||
|
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -40,7 +89,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
|||||||
NULL, "login", username ? username : "(unknown)",
|
NULL, "login", username ? username : "(unknown)",
|
||||||
username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||||
saved_errno = errno;
|
saved_errno = errno;
|
||||||
@@ -65,35 +72,102 @@ linux_audit_record_event(int uid, const
|
@@ -65,35 +72,112 @@ linux_audit_record_event(int uid, const
|
||||||
if ((rc == -EPERM) && (geteuid() != 0))
|
if ((rc == -EPERM) && (geteuid() != 0))
|
||||||
rc = 0;
|
rc = 0;
|
||||||
errno = saved_errno;
|
errno = saved_errno;
|
||||||
@ -118,11 +167,21 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
|||||||
audit_run_command(const char *command)
|
audit_run_command(const char *command)
|
||||||
{
|
{
|
||||||
- /* not implemented */
|
- /* not implemented */
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_START);
|
|
||||||
+ if (!user_login_count++)
|
+ if (!user_login_count++)
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
|
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
|
||||||
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||||
|
+ NULL, "ssh", 1, AUDIT_USER_START);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+audit_end_command(const char *command)
|
||||||
|
+{
|
||||||
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||||
|
+ NULL, "ssh", 1, AUDIT_USER_END);
|
||||||
|
+ if (!--user_login_count)
|
||||||
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||||
|
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@ -131,11 +190,11 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
|||||||
- if (linux_audit_record_event(li->uid, NULL, li->hostname,
|
- if (linux_audit_record_event(li->uid, NULL, li->hostname,
|
||||||
- NULL, li->line, 1) == 0)
|
- NULL, li->line, 1) == 0)
|
||||||
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
|
||||||
+ NULL, li->line, 1, AUDIT_USER_START);
|
|
||||||
+ if (!user_login_count++)
|
+ if (!user_login_count++)
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
|
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
|
||||||
|
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
|
+ NULL, li->line, 1, AUDIT_USER_START);
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@ -150,7 +209,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@@ -101,21 +175,34 @@ audit_event(ssh_audit_event_t event)
|
@@ -101,21 +185,43 @@ audit_event(ssh_audit_event_t event)
|
||||||
{
|
{
|
||||||
switch(event) {
|
switch(event) {
|
||||||
case SSH_AUTH_SUCCESS:
|
case SSH_AUTH_SUCCESS:
|
||||||
@ -180,6 +239,15 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
|||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ case SSH_CONNECTION_CLOSE:
|
+ case SSH_CONNECTION_CLOSE:
|
||||||
|
+ if (user_login_count) {
|
||||||
|
+ while (user_login_count--)
|
||||||
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||||
|
+ NULL, "ssh", 1, AUDIT_USER_END);
|
||||||
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||||
|
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
+ case SSH_CONNECTION_ABANDON:
|
+ case SSH_CONNECTION_ABANDON:
|
||||||
case SSH_INVALID_USER:
|
case SSH_INVALID_USER:
|
||||||
- linux_audit_record_event(-1, audit_username(), NULL,
|
- linux_audit_record_event(-1, audit_username(), NULL,
|
||||||
@ -189,3 +257,147 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
|
diff -up openssh-5.8p1/monitor.c.audit1 openssh-5.8p1/monitor.c
|
||||||
|
--- openssh-5.8p1/monitor.c.audit1 2010-09-10 03:23:34.000000000 +0200
|
||||||
|
+++ openssh-5.8p1/monitor.c 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -177,6 +177,7 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
int mm_answer_audit_event(int, Buffer *);
|
||||||
|
int mm_answer_audit_command(int, Buffer *);
|
||||||
|
+int mm_answer_audit_end_command(int, Buffer *);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static Authctxt *authctxt;
|
||||||
|
@@ -261,6 +262,7 @@ struct mon_table mon_dispatch_postauth20
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||||
|
+ {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
|
#endif
|
||||||
|
{0, 0, NULL}
|
||||||
|
};
|
||||||
|
@@ -303,6 +305,7 @@ struct mon_table mon_dispatch_postauth15
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||||
|
+ {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
|
#endif
|
||||||
|
{0, 0, NULL}
|
||||||
|
};
|
||||||
|
@@ -1618,6 +1621,20 @@ mm_answer_audit_command(int socket, Buff
|
||||||
|
xfree(cmd);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+mm_answer_audit_end_command(int socket, Buffer *m)
|
||||||
|
+{
|
||||||
|
+ u_int len;
|
||||||
|
+ char *cmd;
|
||||||
|
+
|
||||||
|
+ debug3("%s entering", __func__);
|
||||||
|
+ cmd = buffer_get_string(m, &len);
|
||||||
|
+ /* sanity check command, if so how? */
|
||||||
|
+ audit_end_command(cmd);
|
||||||
|
+ xfree(cmd);
|
||||||
|
+ return (0);
|
||||||
|
+}
|
||||||
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
|
|
||||||
|
void
|
||||||
|
diff -up openssh-5.8p1/monitor.h.audit1 openssh-5.8p1/monitor.h
|
||||||
|
--- openssh-5.8p1/monitor.h.audit1 2008-11-05 06:20:46.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/monitor.h 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -60,6 +60,7 @@ enum monitor_reqtype {
|
||||||
|
MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
|
||||||
|
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
|
||||||
|
MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
|
||||||
|
+ MONITOR_REQ_AUDIT_END_COMMAND,
|
||||||
|
MONITOR_REQ_TERM,
|
||||||
|
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
||||||
|
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||||
|
diff -up openssh-5.8p1/monitor_wrap.c.audit1 openssh-5.8p1/monitor_wrap.c
|
||||||
|
--- openssh-5.8p1/monitor_wrap.c.audit1 2010-08-31 14:41:14.000000000 +0200
|
||||||
|
+++ openssh-5.8p1/monitor_wrap.c 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -1163,6 +1163,20 @@ mm_audit_run_command(const char *command
|
||||||
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
|
||||||
|
buffer_free(&m);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+mm_audit_end_command(const char *command)
|
||||||
|
+{
|
||||||
|
+ Buffer m;
|
||||||
|
+
|
||||||
|
+ debug3("%s entering command %s", __func__, command);
|
||||||
|
+
|
||||||
|
+ buffer_init(&m);
|
||||||
|
+ buffer_put_cstring(&m, command);
|
||||||
|
+
|
||||||
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
|
||||||
|
+ buffer_free(&m);
|
||||||
|
+}
|
||||||
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
|
|
||||||
|
#ifdef GSSAPI
|
||||||
|
diff -up openssh-5.8p1/monitor_wrap.h.audit1 openssh-5.8p1/monitor_wrap.h
|
||||||
|
--- openssh-5.8p1/monitor_wrap.h.audit1 2009-03-05 14:58:22.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/monitor_wrap.h 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -74,6 +74,7 @@ void mm_sshpam_free_ctx(void *);
|
||||||
|
#include "audit.h"
|
||||||
|
void mm_audit_event(ssh_audit_event_t);
|
||||||
|
void mm_audit_run_command(const char *);
|
||||||
|
+void mm_audit_end_command(const char *);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
struct Session;
|
||||||
|
diff -up openssh-5.8p1/session.c.audit1 openssh-5.8p1/session.c
|
||||||
|
--- openssh-5.8p1/session.c.audit1 2010-12-01 02:02:59.000000000 +0100
|
||||||
|
+++ openssh-5.8p1/session.c 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -809,14 +809,16 @@ do_exec(Session *s, const char *command)
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
- if (command != NULL)
|
||||||
|
+ if (command != NULL) {
|
||||||
|
PRIVSEP(audit_run_command(command));
|
||||||
|
- else if (s->ttyfd == -1) {
|
||||||
|
+ command = xstrdup(command);
|
||||||
|
+ } else if (s->ttyfd == -1) {
|
||||||
|
char *shell = s->pw->pw_shell;
|
||||||
|
|
||||||
|
if (shell[0] == '\0') /* empty shell means /bin/sh */
|
||||||
|
shell =_PATH_BSHELL;
|
||||||
|
PRIVSEP(audit_run_command(shell));
|
||||||
|
+ command = xstrdup(shell);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if (s->ttyfd != -1)
|
||||||
|
@@ -2456,6 +2458,12 @@ session_close(Session *s)
|
||||||
|
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
|
||||||
|
if (s->ttyfd != -1)
|
||||||
|
session_pty_cleanup(s);
|
||||||
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
|
+ if (s->command) {
|
||||||
|
+ PRIVSEP(audit_end_command(s->command));
|
||||||
|
+ xfree(s->command);
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
if (s->term)
|
||||||
|
xfree(s->term);
|
||||||
|
if (s->display)
|
||||||
|
diff -up openssh-5.8p1/session.h.audit1 openssh-5.8p1/session.h
|
||||||
|
--- openssh-5.8p1/session.h.audit1 2008-05-19 07:34:50.000000000 +0200
|
||||||
|
+++ openssh-5.8p1/session.h 2011-02-23 09:45:05.000000000 +0100
|
||||||
|
@@ -60,6 +60,11 @@ struct Session {
|
||||||
|
char *name;
|
||||||
|
char *val;
|
||||||
|
} *env;
|
||||||
|
+
|
||||||
|
+ /* exec */
|
||||||
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
|
+ char *command;
|
||||||
|
+#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
void do_authenticated(Authctxt *);
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
|
|
||||||
--- openssh-5.8p1/audit-linux.c.audit1a 2011-02-22 14:42:30.000000000 +0100
|
|
||||||
+++ openssh-5.8p1/audit-linux.c 2011-02-22 14:47:03.000000000 +0100
|
|
||||||
@@ -199,6 +199,11 @@ audit_event(ssh_audit_event_t event)
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SSH_CONNECTION_CLOSE:
|
|
||||||
+ if (user_login_count)
|
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
case SSH_CONNECTION_ABANDON:
|
|
||||||
case SSH_INVALID_USER:
|
|
||||||
linux_audit_user_logxxx(-1, audit_username(), NULL,
|
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
||||||
--- openssh-5.8p1/audit-bsm.c.audit2 2011-01-17 11:15:29.000000000 +0100
|
--- openssh-5.8p1/audit-bsm.c.audit2 2011-02-23 07:46:37.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/audit-bsm.c 2011-02-23 07:46:37.000000000 +0100
|
||||||
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
|
@@ -322,6 +322,12 @@ audit_session_close(struct logininfo *li
|
||||||
/* not implemented */
|
/* not implemented */
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -15,8 +15,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
|||||||
audit_event(ssh_audit_event_t event)
|
audit_event(ssh_audit_event_t event)
|
||||||
{
|
{
|
||||||
diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
||||||
--- openssh-5.8p1/audit.c.audit2 2011-01-17 11:15:30.000000000 +0100
|
--- openssh-5.8p1/audit.c.audit2 2011-02-23 07:46:37.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.c 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/audit.c 2011-02-23 07:47:32.000000000 +0100
|
||||||
@@ -36,6 +36,7 @@
|
@@ -36,6 +36,7 @@
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
@ -48,11 +48,10 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
|||||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||||
/*
|
/*
|
||||||
* Null implementations of audit functions.
|
* Null implementations of audit functions.
|
||||||
@@ -182,5 +199,17 @@ audit_run_command(const char *command)
|
@@ -195,5 +212,16 @@ audit_end_command(const char *command)
|
||||||
debug("audit run command euid %d user %s command '%.200s'", geteuid(),
|
|
||||||
audit_username(), command);
|
audit_username(), command);
|
||||||
}
|
}
|
||||||
+
|
|
||||||
+/*
|
+/*
|
||||||
+ * This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
|
+ * This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
|
||||||
+ *
|
+ *
|
||||||
@ -62,13 +61,13 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
|||||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
||||||
+{
|
+{
|
||||||
+ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
+ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
||||||
+ host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, bits, fp, rv);
|
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits, fp, rv);
|
||||||
+}
|
+}
|
||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
||||||
--- openssh-5.8p1/audit.h.audit2 2011-01-17 11:15:30.000000000 +0100
|
--- openssh-5.8p1/audit.h.audit2 2011-02-23 07:46:37.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.h 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/audit.h 2011-02-23 07:48:16.000000000 +0100
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
# define _SSH_AUDIT_H
|
# define _SSH_AUDIT_H
|
||||||
|
|
||||||
@ -77,17 +76,17 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
|||||||
|
|
||||||
enum ssh_audit_event_type {
|
enum ssh_audit_event_type {
|
||||||
SSH_LOGIN_EXCEED_MAXTRIES,
|
SSH_LOGIN_EXCEED_MAXTRIES,
|
||||||
@@ -53,5 +54,7 @@ void audit_session_open(struct logininfo
|
@@ -54,5 +55,7 @@ void audit_session_close(struct logininf
|
||||||
void audit_session_close(struct logininfo *);
|
|
||||||
void audit_run_command(const char *);
|
void audit_run_command(const char *);
|
||||||
|
void audit_end_command(const char *);
|
||||||
ssh_audit_event_t audit_classify_auth(const char *);
|
ssh_audit_event_t audit_classify_auth(const char *);
|
||||||
+int audit_keyusage(int, const char *, unsigned, char *, int);
|
+int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||||
+void audit_key(int, int *, const Key *);
|
+void audit_key(int, int *, const Key *);
|
||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
||||||
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-22 14:04:27.000000000 +0100
|
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-23 07:46:37.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-linux.c 2011-02-22 14:05:28.000000000 +0100
|
+++ openssh-5.8p1/audit-linux.c 2011-02-23 07:46:37.000000000 +0100
|
||||||
@@ -41,6 +41,8 @@
|
@@ -41,6 +41,8 @@
|
||||||
#include "servconf.h"
|
#include "servconf.h"
|
||||||
#include "canohost.h"
|
#include "canohost.h"
|
||||||
@ -115,7 +114,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
|||||||
+ else
|
+ else
|
||||||
+ return 0; /* Must prevent login */
|
+ return 0; /* Must prevent login */
|
||||||
+ }
|
+ }
|
||||||
+ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "hostbased" : "pubkey", get_remote_port());
|
+ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "pubkey" : "hostbased", get_remote_port());
|
||||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
||||||
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
|
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
|
||||||
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
||||||
@ -137,7 +136,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
|||||||
/* Below is the sshd audit API code */
|
/* Below is the sshd audit API code */
|
||||||
diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
||||||
--- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
--- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
||||||
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-23 07:46:37.000000000 +0100
|
||||||
@@ -136,6 +136,18 @@ done:
|
@@ -136,6 +136,18 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
@ -159,7 +158,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
|||||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||||
diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
||||||
--- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100
|
--- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100
|
||||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-23 07:46:37.000000000 +0100
|
||||||
@@ -177,6 +177,18 @@ done:
|
@@ -177,6 +177,18 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
@ -181,7 +180,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
|||||||
{
|
{
|
||||||
diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
||||||
--- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
--- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
||||||
+++ openssh-5.8p1/auth.h 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/auth.h 2011-02-23 07:46:37.000000000 +0100
|
||||||
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
|
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
|
||||||
char *authorized_keys_file(struct passwd *);
|
char *authorized_keys_file(struct passwd *);
|
||||||
char *authorized_keys_file2(struct passwd *);
|
char *authorized_keys_file2(struct passwd *);
|
||||||
@ -200,7 +199,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
|||||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||||
diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
||||||
--- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100
|
--- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100
|
||||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/auth-rsa.c 2011-02-23 07:46:37.000000000 +0100
|
||||||
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||||
{
|
{
|
||||||
u_char buf[32], mdbuf[16];
|
u_char buf[32], mdbuf[16];
|
||||||
@ -238,9 +237,9 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
|
diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
|
||||||
--- openssh-5.8p1/monitor.c.audit2 2010-09-10 03:23:34.000000000 +0200
|
--- openssh-5.8p1/monitor.c.audit2 2011-02-23 07:46:37.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor.c 2011-02-22 14:04:27.000000000 +0100
|
+++ openssh-5.8p1/monitor.c 2011-02-23 07:46:37.000000000 +0100
|
||||||
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
@@ -1238,7 +1238,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||||
if (!valid_data)
|
if (!valid_data)
|
||||||
fatal("%s: bad signature data blob", __func__);
|
fatal("%s: bad signature data blob", __func__);
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
|
diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
|
||||||
--- openssh-5.8p1/audit-bsm.c.audit3 2011-02-21 20:09:33.000000000 +0100
|
--- openssh-5.8p1/audit-bsm.c.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/audit-bsm.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
|
@@ -389,4 +389,16 @@ audit_event(ssh_audit_event_t event)
|
||||||
debug("%s: unhandled event %d", __func__, event);
|
debug("%s: unhandled event %d", __func__, event);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -19,8 +19,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
|
|||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
||||||
--- openssh-5.8p1/audit.c.audit3 2011-02-21 20:09:33.000000000 +0100
|
--- openssh-5.8p1/audit.c.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/audit.c 2011-02-23 10:07:53.000000000 +0100
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
|
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
@ -57,9 +57,9 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
|||||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||||
/*
|
/*
|
||||||
* Null implementations of audit functions.
|
* Null implementations of audit functions.
|
||||||
@@ -211,5 +226,26 @@ audit_keyusage(int host_user, const char
|
@@ -223,5 +238,26 @@ audit_keyusage(int host_user, const char
|
||||||
debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
||||||
host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, bits, fp, rv);
|
host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits, fp, rv);
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
+/*
|
+/*
|
||||||
@ -69,7 +69,7 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
|||||||
+audit_unsupported_body(int what)
|
+audit_unsupported_body(int what)
|
||||||
+{
|
+{
|
||||||
+ debug("audit unsupported protocol ieuid %d type %d", geteuid(), what);
|
+ debug("audit unsupported protocol ieuid %d type %d", geteuid(), what);
|
||||||
+
|
+}
|
||||||
+
|
+
|
||||||
+/*
|
+/*
|
||||||
+ * This will be called on succesfull protocol negotiation.
|
+ * This will be called on succesfull protocol negotiation.
|
||||||
@ -85,9 +85,9 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
|||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
|
diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
|
||||||
--- openssh-5.8p1/audit.h.audit3 2011-02-21 20:09:33.000000000 +0100
|
--- openssh-5.8p1/audit.h.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.h 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/audit.h 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -56,5 +56,9 @@ void audit_run_command(const char *);
|
@@ -57,5 +57,9 @@ void audit_end_command(const char *);
|
||||||
ssh_audit_event_t audit_classify_auth(const char *);
|
ssh_audit_event_t audit_classify_auth(const char *);
|
||||||
int audit_keyusage(int, const char *, unsigned, char *, int);
|
int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||||
void audit_key(int, int *, const Key *);
|
void audit_key(int, int *, const Key *);
|
||||||
@ -98,8 +98,8 @@ diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
|
|||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
|
diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
|
||||||
--- openssh-5.8p1/audit-linux.c.audit3 2011-02-21 20:09:33.000000000 +0100
|
--- openssh-5.8p1/audit-linux.c.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/audit-linux.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -40,6 +40,8 @@
|
@@ -40,6 +40,8 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "servconf.h"
|
#include "servconf.h"
|
||||||
@ -109,7 +109,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
|
|||||||
|
|
||||||
#define AUDIT_LOG_SIZE 128
|
#define AUDIT_LOG_SIZE 128
|
||||||
|
|
||||||
@@ -243,4 +245,56 @@ audit_event(ssh_audit_event_t event)
|
@@ -262,4 +264,56 @@ audit_event(ssh_audit_event_t event)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -167,8 +167,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
|
|||||||
+
|
+
|
||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
|
diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
|
||||||
--- openssh-5.8p1/auditstub.c.audit3 2011-02-21 20:09:33.000000000 +0100
|
--- openssh-5.8p1/auditstub.c.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/auditstub.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/auditstub.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -0,0 +1,39 @@
|
@@ -0,0 +1,39 @@
|
||||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||||
+
|
+
|
||||||
@ -211,7 +211,7 @@ diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
|
|||||||
+
|
+
|
||||||
diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
|
diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
|
||||||
--- openssh-5.8p1/cipher.c.audit3 2011-02-09 15:24:23.000000000 +0100
|
--- openssh-5.8p1/cipher.c.audit3 2011-02-09 15:24:23.000000000 +0100
|
||||||
+++ openssh-5.8p1/cipher.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/cipher.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
|
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
|
||||||
extern const EVP_CIPHER *evp_aes_128_ctr(void);
|
extern const EVP_CIPHER *evp_aes_128_ctr(void);
|
||||||
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
||||||
@ -231,7 +231,7 @@ diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
|
|||||||
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
|
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
|
||||||
diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
|
diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
|
||||||
--- openssh-5.8p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
--- openssh-5.8p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
||||||
+++ openssh-5.8p1/cipher.h 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/cipher.h 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -61,7 +61,16 @@
|
@@ -61,7 +61,16 @@
|
||||||
typedef struct Cipher Cipher;
|
typedef struct Cipher Cipher;
|
||||||
typedef struct CipherContext CipherContext;
|
typedef struct CipherContext CipherContext;
|
||||||
@ -252,7 +252,7 @@ diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
|
|||||||
EVP_CIPHER_CTX evp;
|
EVP_CIPHER_CTX evp;
|
||||||
diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
|
diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
|
||||||
--- openssh-5.8p1/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200
|
--- openssh-5.8p1/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200
|
||||||
+++ openssh-5.8p1/kex.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/kex.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -49,6 +49,7 @@
|
@@ -49,6 +49,7 @@
|
||||||
#include "dispatch.h"
|
#include "dispatch.h"
|
||||||
#include "monitor.h"
|
#include "monitor.h"
|
||||||
@ -317,7 +317,7 @@ diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
|
|||||||
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||||
diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
|
diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
|
||||||
--- openssh-5.8p1/Makefile.in.audit3 2011-02-04 01:42:13.000000000 +0100
|
--- openssh-5.8p1/Makefile.in.audit3 2011-02-04 01:42:13.000000000 +0100
|
||||||
+++ openssh-5.8p1/Makefile.in 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/Makefile.in 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
@@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||||
@ -328,8 +328,8 @@ diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
|
|||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||||
diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
||||||
--- openssh-5.8p1/monitor.c.audit3 2011-02-21 20:09:33.000000000 +0100
|
--- openssh-5.8p1/monitor.c.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/monitor.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -89,6 +89,7 @@
|
@@ -89,6 +89,7 @@
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "jpake.h"
|
#include "jpake.h"
|
||||||
@ -338,16 +338,16 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
|||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
static Gssctxt *gsscontext = NULL;
|
static Gssctxt *gsscontext = NULL;
|
||||||
@@ -177,6 +178,8 @@ int mm_answer_gss_checkmic(int, Buffer *
|
@@ -178,6 +179,8 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
|
||||||
int mm_answer_audit_event(int, Buffer *);
|
int mm_answer_audit_event(int, Buffer *);
|
||||||
int mm_answer_audit_command(int, Buffer *);
|
int mm_answer_audit_command(int, Buffer *);
|
||||||
|
int mm_answer_audit_end_command(int, Buffer *);
|
||||||
+int mm_answer_audit_unsupported_body(int, Buffer *);
|
+int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||||
+int mm_answer_audit_kex_body(int, Buffer *);
|
+int mm_answer_audit_kex_body(int, Buffer *);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static Authctxt *authctxt;
|
static Authctxt *authctxt;
|
||||||
@@ -225,6 +228,8 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -226,6 +229,8 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
#endif
|
#endif
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
@ -356,16 +356,16 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -261,6 +266,8 @@ struct mon_table mon_dispatch_postauth20
|
@@ -263,6 +268,8 @@ struct mon_table mon_dispatch_postauth20
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||||
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -292,6 +299,8 @@ struct mon_table mon_dispatch_proto15[]
|
@@ -294,6 +301,8 @@ struct mon_table mon_dispatch_proto15[]
|
||||||
#endif
|
#endif
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
@ -374,16 +374,16 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -303,6 +312,8 @@ struct mon_table mon_dispatch_postauth15
|
@@ -306,6 +315,8 @@ struct mon_table mon_dispatch_postauth15
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||||
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
+ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
+ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -2206,3 +2217,44 @@ mm_answer_jpake_check_confirm(int sock,
|
@@ -2223,3 +2234,44 @@ mm_answer_jpake_check_confirm(int sock,
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* JPAKE */
|
#endif /* JPAKE */
|
||||||
@ -429,9 +429,9 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
|||||||
+
|
+
|
||||||
+#endif /* SSH_AUDIT_EVENTS */
|
+#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
|
diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
|
||||||
--- openssh-5.8p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
|
--- openssh-5.8p1/monitor.h.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor.h 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/monitor.h 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -66,6 +66,8 @@ enum monitor_reqtype {
|
@@ -67,6 +67,8 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
||||||
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
||||||
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
||||||
@ -441,9 +441,9 @@ diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
|
|||||||
|
|
||||||
struct mm_master;
|
struct mm_master;
|
||||||
diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
|
diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
|
||||||
--- openssh-5.8p1/monitor_wrap.c.audit3 2010-08-31 14:41:14.000000000 +0200
|
--- openssh-5.8p1/monitor_wrap.c.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/monitor_wrap.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -1412,3 +1412,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
@@ -1426,3 +1426,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||||
return success;
|
return success;
|
||||||
}
|
}
|
||||||
#endif /* JPAKE */
|
#endif /* JPAKE */
|
||||||
@ -486,12 +486,12 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
|
|||||||
+}
|
+}
|
||||||
+#endif /* SSH_AUDIT_EVENTS */
|
+#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
|
diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
|
||||||
--- openssh-5.8p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
|
--- openssh-5.8p1/monitor_wrap.h.audit3 2011-02-23 10:05:33.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/monitor_wrap.h 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
|
@@ -75,6 +75,8 @@ void mm_sshpam_free_ctx(void *);
|
||||||
#include "audit.h"
|
|
||||||
void mm_audit_event(ssh_audit_event_t);
|
void mm_audit_event(ssh_audit_event_t);
|
||||||
void mm_audit_run_command(const char *);
|
void mm_audit_run_command(const char *);
|
||||||
|
void mm_audit_end_command(const char *);
|
||||||
+void mm_audit_unsupported_body(int);
|
+void mm_audit_unsupported_body(int);
|
||||||
+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||||
#endif
|
#endif
|
||||||
@ -499,7 +499,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
|
|||||||
struct Session;
|
struct Session;
|
||||||
diff -up openssh-5.8p1/sshd.c.audit3 openssh-5.8p1/sshd.c
|
diff -up openssh-5.8p1/sshd.c.audit3 openssh-5.8p1/sshd.c
|
||||||
--- openssh-5.8p1/sshd.c.audit3 2011-01-11 07:20:31.000000000 +0100
|
--- openssh-5.8p1/sshd.c.audit3 2011-01-11 07:20:31.000000000 +0100
|
||||||
+++ openssh-5.8p1/sshd.c 2011-02-21 20:09:33.000000000 +0100
|
+++ openssh-5.8p1/sshd.c 2011-02-23 10:05:33.000000000 +0100
|
||||||
@@ -118,6 +118,7 @@
|
@@ -118,6 +118,7 @@
|
||||||
#endif
|
#endif
|
||||||
#include "monitor_wrap.h"
|
#include "monitor_wrap.h"
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
||||||
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/audit-bsm.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
|
@@ -401,4 +401,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||||
{
|
{
|
||||||
/* not implemented */
|
/* not implemented */
|
||||||
}
|
}
|
||||||
@ -13,8 +13,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
|||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
||||||
--- openssh-5.8p1/audit.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/audit.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/audit.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||||
}
|
}
|
||||||
@ -28,7 +28,7 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
|||||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||||
/*
|
/*
|
||||||
* Null implementations of audit functions.
|
* Null implementations of audit functions.
|
||||||
@@ -247,5 +253,15 @@ audit_kex_body(int ctos, char *enc, char
|
@@ -259,5 +265,15 @@ audit_kex_body(int ctos, char *enc, char
|
||||||
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
||||||
(unsigned)uid);
|
(unsigned)uid);
|
||||||
}
|
}
|
||||||
@ -45,9 +45,9 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
|||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
|
diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
|
||||||
--- openssh-5.8p1/audit.h.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/audit.h.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.h 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/audit.h 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -60,5 +60,7 @@ void audit_unsupported(int);
|
@@ -61,5 +61,7 @@ void audit_unsupported(int);
|
||||||
void audit_kex(int, char *, char *, char *);
|
void audit_kex(int, char *, char *, char *);
|
||||||
void audit_unsupported_body(int);
|
void audit_unsupported_body(int);
|
||||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||||
@ -56,9 +56,9 @@ diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
|
|||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
||||||
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/audit-linux.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -266,6 +266,8 @@ audit_unsupported_body(int what)
|
@@ -281,6 +281,8 @@ audit_unsupported_body(int what)
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -67,7 +67,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
|||||||
void
|
void
|
||||||
audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||||
uid_t uid)
|
uid_t uid)
|
||||||
@@ -273,7 +275,6 @@ audit_kex_body(int ctos, char *enc, char
|
@@ -288,7 +290,6 @@ audit_kex_body(int ctos, char *enc, char
|
||||||
#ifdef AUDIT_CRYPTO_SESSION
|
#ifdef AUDIT_CRYPTO_SESSION
|
||||||
char buf[AUDIT_LOG_SIZE];
|
char buf[AUDIT_LOG_SIZE];
|
||||||
int audit_fd, audit_ok;
|
int audit_fd, audit_ok;
|
||||||
@ -75,7 +75,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
|||||||
Cipher *cipher = cipher_by_name(enc);
|
Cipher *cipher = cipher_by_name(enc);
|
||||||
|
|
||||||
snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
|
snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
|
||||||
@@ -297,4 +298,30 @@ audit_kex_body(int ctos, char *enc, char
|
@@ -312,4 +313,30 @@ audit_kex_body(int ctos, char *enc, char
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -107,9 +107,18 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
|||||||
+
|
+
|
||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
||||||
--- openssh-5.8p1/auditstub.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/auditstub.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/auditstub.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/auditstub.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
|
@@ -27,6 +27,8 @@
|
||||||
|
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+
|
||||||
|
void
|
||||||
|
audit_unsupported(int n)
|
||||||
|
{
|
||||||
|
@@ -37,3 +39,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -117,9 +126,14 @@ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
|||||||
+audit_session_key_free(int ctos)
|
+audit_session_key_free(int ctos)
|
||||||
+{
|
+{
|
||||||
+}
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||||
|
+{
|
||||||
|
+}
|
||||||
diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
||||||
--- openssh-5.8p1/kex.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/kex.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/kex.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/kex.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||||
fprintf(stderr, "\n");
|
fprintf(stderr, "\n");
|
||||||
}
|
}
|
||||||
@ -157,7 +171,7 @@ diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
|||||||
+
|
+
|
||||||
diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
||||||
--- openssh-5.8p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
--- openssh-5.8p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||||
+++ openssh-5.8p1/kex.h 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/kex.h 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||||
void kexecdh_client(Kex *);
|
void kexecdh_client(Kex *);
|
||||||
void kexecdh_server(Kex *);
|
void kexecdh_server(Kex *);
|
||||||
@ -169,7 +183,7 @@ diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
|||||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||||
diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
||||||
--- openssh-5.8p1/mac.c.audit4 2008-06-13 02:58:50.000000000 +0200
|
--- openssh-5.8p1/mac.c.audit4 2008-06-13 02:58:50.000000000 +0200
|
||||||
+++ openssh-5.8p1/mac.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/mac.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
|
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
|
||||||
mac->umac_ctx = NULL;
|
mac->umac_ctx = NULL;
|
||||||
}
|
}
|
||||||
@ -193,24 +207,24 @@ diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
|||||||
int
|
int
|
||||||
diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
|
diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
|
||||||
--- openssh-5.8p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
--- openssh-5.8p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||||
+++ openssh-5.8p1/mac.h 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/mac.h 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||||
int mac_init(Mac *);
|
int mac_init(Mac *);
|
||||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||||
void mac_clear(Mac *);
|
void mac_clear(Mac *);
|
||||||
+void mac_destroy(Mac *);
|
+void mac_destroy(Mac *);
|
||||||
diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
||||||
--- openssh-5.8p1/monitor.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/monitor.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/monitor.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
|
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
|
||||||
int mm_answer_audit_command(int, Buffer *);
|
int mm_answer_audit_end_command(int, Buffer *);
|
||||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||||
int mm_answer_audit_kex_body(int, Buffer *);
|
int mm_answer_audit_kex_body(int, Buffer *);
|
||||||
+int mm_answer_audit_session_key_free_body(int, Buffer *);
|
+int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static Authctxt *authctxt;
|
static Authctxt *authctxt;
|
||||||
@@ -230,6 +231,7 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -231,6 +232,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -218,15 +232,15 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -268,6 +270,7 @@ struct mon_table mon_dispatch_postauth20
|
@@ -270,6 +272,7 @@ struct mon_table mon_dispatch_postauth20
|
||||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -301,6 +304,7 @@ struct mon_table mon_dispatch_proto15[]
|
@@ -303,6 +306,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -234,15 +248,46 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -314,6 +318,7 @@ struct mon_table mon_dispatch_postauth15
|
@@ -317,6 +321,7 @@ struct mon_table mon_dispatch_postauth15
|
||||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -2257,4 +2262,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
@@ -1783,11 +1788,13 @@ mm_get_keystate(struct monitor *pmonitor
|
||||||
|
|
||||||
|
blob = buffer_get_string(&m, &bloblen);
|
||||||
|
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
||||||
|
+ memset(blob, 0, bloblen);
|
||||||
|
xfree(blob);
|
||||||
|
|
||||||
|
debug3("%s: Waiting for second key", __func__);
|
||||||
|
blob = buffer_get_string(&m, &bloblen);
|
||||||
|
current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
|
||||||
|
+ memset(blob, 0, bloblen);
|
||||||
|
xfree(blob);
|
||||||
|
|
||||||
|
/* Now get sequence numbers for the packets */
|
||||||
|
@@ -1833,6 +1840,16 @@ mm_get_keystate(struct monitor *pmonitor
|
||||||
|
}
|
||||||
|
|
||||||
|
buffer_free(&m);
|
||||||
|
+
|
||||||
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
|
+ if (compat20) {
|
||||||
|
+ buffer_init(&m);
|
||||||
|
+ mm_request_receive_expect(pmonitor->m_sendfd,
|
||||||
|
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
|
||||||
|
+ mm_answer_audit_session_key_free_body(pmonitor->m_sendfd, &m);
|
||||||
|
+ buffer_free(&m);
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@@ -2274,4 +2291,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -266,9 +311,9 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
|||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
||||||
--- openssh-5.8p1/monitor.h.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/monitor.h.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor.h 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/monitor.h 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -68,6 +68,7 @@ enum monitor_reqtype {
|
@@ -69,6 +69,7 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
||||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||||
@ -277,9 +322,24 @@ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
|||||||
|
|
||||||
struct mm_master;
|
struct mm_master;
|
||||||
diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
||||||
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/monitor_wrap.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -1449,4 +1449,19 @@ mm_audit_kex_body(int ctos, char *cipher
|
@@ -601,12 +601,14 @@ mm_send_keystate(struct monitor *monitor
|
||||||
|
fatal("%s: conversion of newkeys failed", __func__);
|
||||||
|
|
||||||
|
buffer_put_string(&m, blob, bloblen);
|
||||||
|
+ memset(blob, 0, bloblen);
|
||||||
|
xfree(blob);
|
||||||
|
|
||||||
|
if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
|
||||||
|
fatal("%s: conversion of newkeys failed", __func__);
|
||||||
|
|
||||||
|
buffer_put_string(&m, blob, bloblen);
|
||||||
|
+ memset(blob, 0, bloblen);
|
||||||
|
xfree(blob);
|
||||||
|
|
||||||
|
packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
|
||||||
|
@@ -1463,4 +1465,19 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||||
|
|
||||||
buffer_free(&m);
|
buffer_free(&m);
|
||||||
}
|
}
|
||||||
@ -300,10 +360,10 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
|||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
|
diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
|
||||||
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/monitor_wrap.h 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
|
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
|
||||||
void mm_audit_run_command(const char *);
|
void mm_audit_end_command(const char *);
|
||||||
void mm_audit_unsupported_body(int);
|
void mm_audit_unsupported_body(int);
|
||||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||||
+void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
+void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||||
@ -312,8 +372,16 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
|
|||||||
struct Session;
|
struct Session;
|
||||||
diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
||||||
--- openssh-5.8p1/packet.c.audit4 2010-11-24 00:46:37.000000000 +0100
|
--- openssh-5.8p1/packet.c.audit4 2010-11-24 00:46:37.000000000 +0100
|
||||||
+++ openssh-5.8p1/packet.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/packet.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -497,6 +497,7 @@ packet_close(void)
|
@@ -60,6 +60,7 @@
|
||||||
|
#include <signal.h>
|
||||||
|
|
||||||
|
#include "xmalloc.h"
|
||||||
|
+#include "audit.h"
|
||||||
|
#include "buffer.h"
|
||||||
|
#include "packet.h"
|
||||||
|
#include "crc32.h"
|
||||||
|
@@ -497,6 +498,7 @@ packet_close(void)
|
||||||
}
|
}
|
||||||
cipher_cleanup(&active_state->send_context);
|
cipher_cleanup(&active_state->send_context);
|
||||||
cipher_cleanup(&active_state->receive_context);
|
cipher_cleanup(&active_state->receive_context);
|
||||||
@ -321,15 +389,52 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Sets remote side protocol flags. */
|
/* Sets remote side protocol flags. */
|
||||||
@@ -756,6 +757,7 @@ set_newkeys(int mode)
|
@@ -731,6 +733,23 @@ packet_send1(void)
|
||||||
|
*/
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+newkeys_destroy_and_free(Newkeys *newkeys)
|
||||||
|
+{
|
||||||
|
+ if (newkeys == NULL)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ xfree(newkeys->enc.name);
|
||||||
|
+
|
||||||
|
+ mac_clear(&newkeys->mac);
|
||||||
|
+ xfree(newkeys->mac.name);
|
||||||
|
+
|
||||||
|
+ xfree(newkeys->comp.name);
|
||||||
|
+
|
||||||
|
+ newkeys_destroy(newkeys);
|
||||||
|
+ xfree(newkeys);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
void
|
||||||
|
set_newkeys(int mode)
|
||||||
|
{
|
||||||
|
@@ -756,18 +775,9 @@ set_newkeys(int mode)
|
||||||
}
|
}
|
||||||
if (active_state->newkeys[mode] != NULL) {
|
if (active_state->newkeys[mode] != NULL) {
|
||||||
debug("set_newkeys: rekeying");
|
debug("set_newkeys: rekeying");
|
||||||
+ audit_session_key_free(mode);
|
+ audit_session_key_free(mode);
|
||||||
cipher_cleanup(cc);
|
cipher_cleanup(cc);
|
||||||
enc = &active_state->newkeys[mode]->enc;
|
- enc = &active_state->newkeys[mode]->enc;
|
||||||
mac = &active_state->newkeys[mode]->mac;
|
- mac = &active_state->newkeys[mode]->mac;
|
||||||
@@ -1912,6 +1914,34 @@ packet_get_newkeys(int mode)
|
- comp = &active_state->newkeys[mode]->comp;
|
||||||
|
- mac_clear(mac);
|
||||||
|
- xfree(enc->name);
|
||||||
|
- xfree(enc->iv);
|
||||||
|
- xfree(enc->key);
|
||||||
|
- xfree(mac->name);
|
||||||
|
- xfree(mac->key);
|
||||||
|
- xfree(comp->name);
|
||||||
|
- xfree(active_state->newkeys[mode]);
|
||||||
|
+ newkeys_destroy_and_free(active_state->newkeys[mode]);
|
||||||
|
}
|
||||||
|
active_state->newkeys[mode] = kex_get_newkeys(mode);
|
||||||
|
if (active_state->newkeys[mode] == NULL)
|
||||||
|
@@ -1912,6 +1922,55 @@ packet_get_newkeys(int mode)
|
||||||
return (void *)active_state->newkeys[mode];
|
return (void *)active_state->newkeys[mode];
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -347,24 +452,45 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
|||||||
+ buffer_free(&state->outgoing_packet);
|
+ buffer_free(&state->outgoing_packet);
|
||||||
+ buffer_free(&state->incoming_packet);
|
+ buffer_free(&state->incoming_packet);
|
||||||
+ buffer_free(&state->compression_buffer);
|
+ buffer_free(&state->compression_buffer);
|
||||||
+ newkeys_destroy(state->newkeys[MODE_IN]);
|
+ newkeys_destroy_and_free(state->newkeys[MODE_IN]);
|
||||||
+ newkeys_destroy(state->newkeys[MODE_OUT]);
|
+ state->newkeys[MODE_IN] = NULL;
|
||||||
|
+ newkeys_destroy_and_free(state->newkeys[MODE_OUT]);
|
||||||
|
+ state->newkeys[MODE_OUT] = NULL;
|
||||||
+ mac_destroy(state->packet_discard_mac);
|
+ mac_destroy(state->packet_discard_mac);
|
||||||
+// TAILQ_HEAD(, packet) outgoing;
|
+// TAILQ_HEAD(, packet) outgoing;
|
||||||
+// memset(state, 0, sizeof(state));
|
+// memset(state, 0, sizeof(state));
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+static int
|
||||||
+packet_destroy_all(void)
|
+packet_state_has_keys (const struct session_state *state)
|
||||||
+{
|
+{
|
||||||
|
+ return state != NULL &&
|
||||||
|
+ (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+packet_destroy_all(int privsep)
|
||||||
|
+{
|
||||||
|
+ int audit_it;
|
||||||
|
+
|
||||||
|
+ audit_it = packet_state_has_keys (active_state) ||
|
||||||
|
+ packet_state_has_keys (backup_state);
|
||||||
+ packet_destroy_state(active_state);
|
+ packet_destroy_state(active_state);
|
||||||
+ packet_destroy_state(backup_state);
|
+ packet_destroy_state(backup_state);
|
||||||
|
+ if (audit_it) {
|
||||||
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
|
+ if (privsep)
|
||||||
|
+ audit_session_key_free(2);
|
||||||
|
+ else
|
||||||
|
+ audit_session_key_free_body(2, getpid(), getuid());
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
/*
|
/*
|
||||||
* Save the state for the real connection, and use a separate state when
|
* Save the state for the real connection, and use a separate state when
|
||||||
* resuming a suspended connection.
|
* resuming a suspended connection.
|
||||||
@@ -1919,18 +1949,12 @@ packet_get_newkeys(int mode)
|
@@ -1919,18 +1978,12 @@ packet_get_newkeys(int mode)
|
||||||
void
|
void
|
||||||
packet_backup_state(void)
|
packet_backup_state(void)
|
||||||
{
|
{
|
||||||
@ -384,7 +510,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1947,9 +1971,7 @@ packet_restore_state(void)
|
@@ -1947,9 +2000,7 @@ packet_restore_state(void)
|
||||||
backup_state = active_state;
|
backup_state = active_state;
|
||||||
active_state = tmp;
|
active_state = tmp;
|
||||||
active_state->connection_in = backup_state->connection_in;
|
active_state->connection_in = backup_state->connection_in;
|
||||||
@ -394,7 +520,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
|||||||
len = buffer_len(&backup_state->input);
|
len = buffer_len(&backup_state->input);
|
||||||
if (len > 0) {
|
if (len > 0) {
|
||||||
buf = buffer_ptr(&backup_state->input);
|
buf = buffer_ptr(&backup_state->input);
|
||||||
@@ -1957,4 +1979,10 @@ packet_restore_state(void)
|
@@ -1957,4 +2008,10 @@ packet_restore_state(void)
|
||||||
buffer_clear(&backup_state->input);
|
buffer_clear(&backup_state->input);
|
||||||
add_recv_bytes(len);
|
add_recv_bytes(len);
|
||||||
}
|
}
|
||||||
@ -407,16 +533,16 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
|||||||
+
|
+
|
||||||
diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
|
diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
|
||||||
--- openssh-5.8p1/packet.h.audit4 2010-11-20 05:19:38.000000000 +0100
|
--- openssh-5.8p1/packet.h.audit4 2010-11-20 05:19:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/packet.h 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/packet.h 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -125,4 +125,5 @@ void packet_restore_state(void);
|
@@ -125,4 +125,5 @@ void packet_restore_state(void);
|
||||||
void *packet_get_input(void);
|
void *packet_get_input(void);
|
||||||
void *packet_get_output(void);
|
void *packet_get_output(void);
|
||||||
|
|
||||||
+void packet_destroy_all(void);
|
+void packet_destroy_all(int);
|
||||||
#endif /* PACKET_H */
|
#endif /* PACKET_H */
|
||||||
diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
||||||
--- openssh-5.8p1/sshd.c.audit4 2011-02-21 20:14:09.000000000 +0100
|
--- openssh-5.8p1/sshd.c.audit4 2011-02-23 09:23:30.000000000 +0100
|
||||||
+++ openssh-5.8p1/sshd.c 2011-02-21 20:14:10.000000000 +0100
|
+++ openssh-5.8p1/sshd.c 2011-02-23 09:23:30.000000000 +0100
|
||||||
@@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
|
@@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
@ -426,32 +552,29 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
|||||||
static void
|
static void
|
||||||
privsep_postauth(Authctxt *authctxt)
|
privsep_postauth(Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
@@ -688,6 +690,10 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -688,6 +690,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||||
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
||||||
close(pmonitor->m_recvfd);
|
close(pmonitor->m_recvfd);
|
||||||
buffer_clear(&loginmsg);
|
buffer_clear(&loginmsg);
|
||||||
+ newkeys_destroy(current_keys[MODE_OUT]);
|
+ newkeys_destroy(current_keys[MODE_OUT]);
|
||||||
+ newkeys_destroy(current_keys[MODE_IN]);
|
+ newkeys_destroy(current_keys[MODE_IN]);
|
||||||
+ packet_destroy_all();
|
+ packet_destroy_all(0);
|
||||||
+ audit_session_key_free_body(2, getpid(), getuid());
|
|
||||||
monitor_child_postauth(pmonitor);
|
monitor_child_postauth(pmonitor);
|
||||||
|
|
||||||
/* NEVERREACHED */
|
/* NEVERREACHED */
|
||||||
@@ -1974,6 +1980,8 @@ main(int ac, char **av)
|
@@ -1974,6 +1979,7 @@ main(int ac, char **av)
|
||||||
*/
|
*/
|
||||||
if (use_privsep) {
|
if (use_privsep) {
|
||||||
mm_send_keystate(pmonitor);
|
mm_send_keystate(pmonitor);
|
||||||
+ packet_destroy_all();
|
+ packet_destroy_all(1);
|
||||||
+ audit_session_key_free(2);
|
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2026,6 +2034,9 @@ main(int ac, char **av)
|
@@ -2026,6 +2032,8 @@ main(int ac, char **av)
|
||||||
do_authenticated(authctxt);
|
do_authenticated(authctxt);
|
||||||
|
|
||||||
/* The connection has been terminated. */
|
/* The connection has been terminated. */
|
||||||
+ packet_destroy_all();
|
+ packet_destroy_all(0);
|
||||||
+ audit_session_key_free(2);
|
|
||||||
+
|
+
|
||||||
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||||
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
||||||
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/audit-bsm.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -401,4 +401,22 @@ audit_session_key_free_body(int ctos, pi
|
@@ -407,4 +407,22 @@ audit_session_key_free_body(int ctos, pi
|
||||||
{
|
{
|
||||||
/* not implemented */
|
/* not implemented */
|
||||||
}
|
}
|
||||||
@ -25,9 +25,9 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
|||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
||||||
--- openssh-5.8p1/audit.c.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/audit.c.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/audit.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -263,5 +263,24 @@ audit_session_key_free_body(int ctos, pi
|
@@ -275,5 +275,24 @@ audit_session_key_free_body(int ctos, pi
|
||||||
debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||||
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||||
}
|
}
|
||||||
@ -53,8 +53,8 @@ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
|||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
||||||
--- openssh-5.8p1/audit.h.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/audit.h.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit.h 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/audit.h 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
|
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
|
||||||
};
|
};
|
||||||
typedef enum ssh_audit_event_type ssh_audit_event_t;
|
typedef enum ssh_audit_event_type ssh_audit_event_t;
|
||||||
@ -64,7 +64,7 @@ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
|||||||
void audit_connection_from(const char *, int);
|
void audit_connection_from(const char *, int);
|
||||||
void audit_event(ssh_audit_event_t);
|
void audit_event(ssh_audit_event_t);
|
||||||
void audit_session_open(struct logininfo *);
|
void audit_session_open(struct logininfo *);
|
||||||
@@ -62,5 +64,7 @@ void audit_unsupported_body(int);
|
@@ -63,5 +65,7 @@ void audit_unsupported_body(int);
|
||||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||||
void audit_session_key_free(int ctos);
|
void audit_session_key_free(int ctos);
|
||||||
void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||||
@ -73,21 +73,12 @@ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
|||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
||||||
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/audit-linux.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -317,6 +317,31 @@ audit_session_key_free_body(int ctos, pi
|
@@ -339,4 +339,50 @@ audit_session_key_free_body(int ctos, pi
|
||||||
return;
|
error("cannot write into audit");
|
||||||
}
|
}
|
||||||
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
|
||||||
+ buf, NULL,
|
|
||||||
+ listening_for_clients() ? NULL : get_remote_ipaddr(),
|
|
||||||
+ NULL, 1);
|
|
||||||
+ audit_close(audit_fd);
|
|
||||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
|
||||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
|
||||||
+ error("cannot write into audit");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
+void
|
||||||
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||||
+{
|
+{
|
||||||
@ -104,13 +95,15 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
|||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||||
buf, NULL, get_remote_ipaddr(), NULL, 1);
|
+ buf, NULL,
|
||||||
audit_close(audit_fd);
|
+ listening_for_clients() ? NULL : get_remote_ipaddr(),
|
||||||
/* do not abort if the error is EPERM and sshd is run as non root user */
|
+ NULL, 1);
|
||||||
@@ -324,4 +349,25 @@ audit_session_key_free_body(int ctos, pi
|
+ audit_close(audit_fd);
|
||||||
error("cannot write into audit");
|
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||||
}
|
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||||
|
+ error("cannot write into audit");
|
||||||
|
+}
|
||||||
|
+
|
||||||
+void
|
+void
|
||||||
+audit_generate_ephemeral_server_key(const char *fp)
|
+audit_generate_ephemeral_server_key(const char *fp)
|
||||||
+{
|
+{
|
||||||
@ -135,7 +128,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
|||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
|
diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
|
||||||
--- openssh-5.8p1/key.c.audit5 2011-02-04 01:48:34.000000000 +0100
|
--- openssh-5.8p1/key.c.audit5 2011-02-04 01:48:34.000000000 +0100
|
||||||
+++ openssh-5.8p1/key.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/key.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -1769,6 +1769,30 @@ key_demote(const Key *k)
|
@@ -1769,6 +1769,30 @@ key_demote(const Key *k)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -169,7 +162,7 @@ diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
|
|||||||
if (k == NULL)
|
if (k == NULL)
|
||||||
diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
|
diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
|
||||||
--- openssh-5.8p1/key.h.audit5 2010-11-05 00:19:49.000000000 +0100
|
--- openssh-5.8p1/key.h.audit5 2010-11-05 00:19:49.000000000 +0100
|
||||||
+++ openssh-5.8p1/key.h 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/key.h 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -106,6 +106,7 @@ Key *key_generate(int, u_int);
|
@@ -106,6 +106,7 @@ Key *key_generate(int, u_int);
|
||||||
Key *key_from_private(const Key *);
|
Key *key_from_private(const Key *);
|
||||||
int key_type_from_name(char *);
|
int key_type_from_name(char *);
|
||||||
@ -179,9 +172,9 @@ diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
|
|||||||
int key_to_certified(Key *, int);
|
int key_to_certified(Key *, int);
|
||||||
int key_drop_cert(Key *);
|
int key_drop_cert(Key *);
|
||||||
diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||||
--- openssh-5.8p1/monitor.c.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/monitor.c.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/monitor.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
|
@@ -182,6 +182,7 @@ int mm_answer_audit_end_command(int, Buf
|
||||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||||
int mm_answer_audit_kex_body(int, Buffer *);
|
int mm_answer_audit_kex_body(int, Buffer *);
|
||||||
int mm_answer_audit_session_key_free_body(int, Buffer *);
|
int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||||
@ -189,7 +182,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
static Authctxt *authctxt;
|
static Authctxt *authctxt;
|
||||||
@@ -232,6 +233,7 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -233,6 +234,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||||
@ -197,7 +190,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -271,6 +273,7 @@ struct mon_table mon_dispatch_postauth20
|
@@ -273,6 +275,7 @@ struct mon_table mon_dispatch_postauth20
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||||
@ -205,7 +198,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -305,6 +308,7 @@ struct mon_table mon_dispatch_proto15[]
|
@@ -307,6 +310,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||||
@ -213,7 +206,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -319,6 +323,7 @@ struct mon_table mon_dispatch_postauth15
|
@@ -322,6 +326,7 @@ struct mon_table mon_dispatch_postauth15
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||||
@ -221,7 +214,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -2280,4 +2285,24 @@ mm_answer_audit_session_key_free_body(in
|
@@ -2309,4 +2314,24 @@ mm_answer_audit_session_key_free_body(in
|
||||||
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -247,9 +240,9 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
|||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
||||||
--- openssh-5.8p1/monitor.h.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/monitor.h.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor.h 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/monitor.h 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -69,6 +69,7 @@ enum monitor_reqtype {
|
@@ -70,6 +70,7 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||||
MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||||
@ -258,9 +251,9 @@ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
|||||||
|
|
||||||
struct mm_master;
|
struct mm_master;
|
||||||
diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
||||||
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/monitor_wrap.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -1464,4 +1464,20 @@ mm_audit_session_key_free_body(int ctos,
|
@@ -1480,4 +1480,20 @@ mm_audit_session_key_free_body(int ctos,
|
||||||
&m);
|
&m);
|
||||||
buffer_free(&m);
|
buffer_free(&m);
|
||||||
}
|
}
|
||||||
@ -282,9 +275,9 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
|||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
|
diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
|
||||||
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/monitor_wrap.h 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
|
@@ -78,6 +78,7 @@ void mm_audit_end_command(const char *);
|
||||||
void mm_audit_unsupported_body(int);
|
void mm_audit_unsupported_body(int);
|
||||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||||
@ -293,8 +286,8 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
|
|||||||
|
|
||||||
struct Session;
|
struct Session;
|
||||||
diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
||||||
--- openssh-5.8p1/session.c.audit5 2010-12-01 02:02:59.000000000 +0100
|
--- openssh-5.8p1/session.c.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/session.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/session.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -132,7 +132,7 @@ extern int log_stderr;
|
@@ -132,7 +132,7 @@ extern int log_stderr;
|
||||||
extern int debug_flag;
|
extern int debug_flag;
|
||||||
extern u_int utmp_len;
|
extern u_int utmp_len;
|
||||||
@ -304,7 +297,7 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
|||||||
extern Buffer loginmsg;
|
extern Buffer loginmsg;
|
||||||
|
|
||||||
/* original command from peer. */
|
/* original command from peer. */
|
||||||
@@ -1614,7 +1614,7 @@ do_child(Session *s, const char *command
|
@@ -1616,7 +1616,7 @@ do_child(Session *s, const char *command
|
||||||
int r = 0;
|
int r = 0;
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
/* remove hostkey from the child's memory */
|
||||||
@ -314,8 +307,8 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
|||||||
/* Force a password change */
|
/* Force a password change */
|
||||||
if (s->authctxt->force_pwchange) {
|
if (s->authctxt->force_pwchange) {
|
||||||
diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||||
--- openssh-5.8p1/sshd.c.audit5 2011-02-21 20:16:34.000000000 +0100
|
--- openssh-5.8p1/sshd.c.audit5 2011-02-23 09:33:38.000000000 +0100
|
||||||
+++ openssh-5.8p1/sshd.c 2011-02-21 20:16:34.000000000 +0100
|
+++ openssh-5.8p1/sshd.c 2011-02-23 09:33:38.000000000 +0100
|
||||||
@@ -253,7 +253,7 @@ Buffer loginmsg;
|
@@ -253,7 +253,7 @@ Buffer loginmsg;
|
||||||
struct passwd *privsep_pw = NULL;
|
struct passwd *privsep_pw = NULL;
|
||||||
|
|
||||||
@ -429,7 +422,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
|||||||
}
|
}
|
||||||
/* Certs do not need demotion */
|
/* Certs do not need demotion */
|
||||||
}
|
}
|
||||||
@@ -1120,6 +1170,7 @@ server_accept_loop(int *sock_in, int *so
|
@@ -1119,6 +1169,7 @@ server_accept_loop(int *sock_in, int *so
|
||||||
if (received_sigterm) {
|
if (received_sigterm) {
|
||||||
logit("Received signal %d; terminating.",
|
logit("Received signal %d; terminating.",
|
||||||
(int) received_sigterm);
|
(int) received_sigterm);
|
||||||
@ -437,7 +430,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
|||||||
close_listen_socks();
|
close_listen_socks();
|
||||||
unlink(options.pid_file);
|
unlink(options.pid_file);
|
||||||
exit(255);
|
exit(255);
|
||||||
@@ -2024,7 +2075,7 @@ main(int ac, char **av)
|
@@ -2022,7 +2073,7 @@ main(int ac, char **av)
|
||||||
privsep_postauth(authctxt);
|
privsep_postauth(authctxt);
|
||||||
/* the monitor process [priv] will not return */
|
/* the monitor process [priv] will not return */
|
||||||
if (!compat20)
|
if (!compat20)
|
||||||
@ -446,7 +439,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
packet_set_timeout(options.client_alive_interval,
|
packet_set_timeout(options.client_alive_interval,
|
||||||
@@ -2264,7 +2315,7 @@ do_ssh1_kex(void)
|
@@ -2261,7 +2312,7 @@ do_ssh1_kex(void)
|
||||||
session_id[i] = session_key[i] ^ session_key[i + 16];
|
session_id[i] = session_key[i] ^ session_key[i + 16];
|
||||||
}
|
}
|
||||||
/* Destroy the private and public keys. No longer. */
|
/* Destroy the private and public keys. No longer. */
|
||||||
@ -455,13 +448,27 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
|||||||
|
|
||||||
if (use_privsep)
|
if (use_privsep)
|
||||||
mm_ssh1_session_id(session_id);
|
mm_ssh1_session_id(session_id);
|
||||||
@@ -2356,6 +2407,9 @@ cleanup_exit(int i)
|
@@ -2351,8 +2402,23 @@ do_ssh2_kex(void)
|
||||||
|
void
|
||||||
|
cleanup_exit(int i)
|
||||||
{
|
{
|
||||||
|
+ static int in_cleanup;
|
||||||
|
+
|
||||||
|
+ int is_privsep_child;
|
||||||
|
+
|
||||||
|
+ /* cleanup_exit can be called at the very least from the privsep
|
||||||
|
+ wrappers used for auditing. Make sure we don't recurse
|
||||||
|
+ indefinitely. */
|
||||||
|
+ if (in_cleanup)
|
||||||
|
+ _exit(i);
|
||||||
|
+ in_cleanup = 1;
|
||||||
|
+
|
||||||
if (the_authctxt)
|
if (the_authctxt)
|
||||||
do_cleanup(the_authctxt);
|
do_cleanup(the_authctxt);
|
||||||
|
+ is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
|
||||||
+ if (sensitive_data.host_keys != NULL)
|
+ if (sensitive_data.host_keys != NULL)
|
||||||
+ destroy_sensitive_data(use_privsep && pmonitor != NULL &&
|
+ destroy_sensitive_data(is_privsep_child);
|
||||||
+ !mm_is_monitor());
|
+ packet_destroy_all(is_privsep_child);
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||||
if (!use_privsep || mm_is_monitor())
|
if (!use_privsep || mm_is_monitor())
|
||||||
|
@ -71,7 +71,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%define openssh_ver 5.8p1
|
%define openssh_ver 5.8p1
|
||||||
%define openssh_rel 6
|
%define openssh_rel 7
|
||||||
%define pam_ssh_agent_ver 0.9.2
|
%define pam_ssh_agent_ver 0.9.2
|
||||||
%define pam_ssh_agent_rel 30
|
%define pam_ssh_agent_rel 30
|
||||||
|
|
||||||
@ -616,7 +616,7 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Feb 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-6 + 0.9.2-30
|
* Wed Feb 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-7 + 0.9.2-30
|
||||||
- another audit improovements
|
- another audit improovements
|
||||||
|
|
||||||
* Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30
|
* Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30
|
||||||
|
Loading…
Reference in New Issue
Block a user