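diff -up openssh-5.8p1/audit-bsm.c.audit1 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit1 2011-01-17 11:15:29.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c 2011-03-04 14:16:25.000000000 +0100
@@ -298,10 +298,23 @@ audit_connection_from(const char *host,
 #endif
 }
 
-void
+int
 audit_run_command(const char *command)
 {
 /* not implemented */
+ return 0;
+}
+
+void
+audit_end_command(int handle, const char *command)
+{
+ /* not implemented */
+}
+
+void
+audit_count_session_open(void)
+{
+ /* not necessary */
 }
 
 void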
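diff -up openssh-5.8p1/audit.c.audit1 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit.c 2011-03-04 14:16:25.000000000 +0100
@@ -140,6 +140,17 @@ audit_event(ssh_audit_event_t event)
 }
 
 /*
+ * Called when a child process has called, or will soon call,
+ * audit_session_open.
+ */
+void
+audit_count_session_open(void)
+{
+ debug("audit count session open euid %d user %s", geteuid(),
+ audit_username());
+}
+
+/*
 * Called when a user session is started. Argument is the tty allocated to
 * the session, or NULL if no tty was allocated.
 *
@@ -174,13 +185,29 @@ audit_session_close(struct logininfo *li
 /*
 * This will be called when a user runs a non-interactive command. Note that
 * it may be called multiple times for a single connection since SSH2 allows
- * multiple sessions within a single connection.
+ * multiple sessions within a single connection. Returns a "handle" for
+ * audit_end_command.
 */
-void
+int
 audit_run_command(const char *command)
 {
 debug("audit run command euid %d user %s command '%.200s'", geteuid(),
 audit_username(), command);
+ return 0;
+}
+
+/*
+ * This will be called when the non-interactive command finishes. Note that
+ * it may be called multiple times for a single connection since SSH2 allows
+ * multiple sessions within a single connection. "handle" should come from
+ * the corresponding audit_run_command.
+ */
+void
+audit_end_command(int handle, const char *command)
+{
+ debug("audit end nopty exec euid %d user %s command '%.200s'", geteuid(),
+ audit_username(), command);
 }
+
 # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */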
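Review bot: The comment kept above audit_run_command still describes it as the hook for a non-interactive command, but the caller in session.c's do_exec (outside this file) now records the command whenever one was given, with or without a pty, and the login shell only when no pty was allocated, so the pty-with-command case is audited through here as well. Suggest `* This will be called when a user runs a command (with or without a pty) or a shell without a pty. Note that` for the first comment and the matching wording for the new audit_end_command comment. The debug message in audit_end_command, `audit end nopty exec`, is misleading for the same reason; `audit end command` would pair with the existing `audit run command` line.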
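diff -up openssh-5.8p1/audit.h.audit1 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit.h 2011-03-04 14:16:25.000000000 +0100
@@ -49,9 +49,11 @@ typedef enum ssh_audit_event_type ssh_au
 
 void audit_connection_from(const char *, int);
 void audit_event(ssh_audit_event_t);
+void audit_count_session_open(void);
 void audit_session_open(struct logininfo *);
 void audit_session_close(struct logininfo *);
-void audit_run_command(const char *);
+int audit_run_command(const char *);
+void audit_end_command(int, const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
 
 #endif /* _SSH_AUDIT_H */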
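Review bot: The new prototypes state no contract for the handle value, yet session.c in this same patch initializes command_handle to -1 in session_unused and treats `command_handle != -1` in do_exec as "a command is already set", so a backend whose audit_run_command returned -1 would be indistinguishable from "no command outstanding" and would trip that fatal() on the next exec. Suggest documenting it on the declaration: `/* audit_run_command returns an opaque backend handle (never -1) to be passed back to audit_end_command */`. The three backends in this patch all return 0, so this is a contract to protect, not a present failure.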
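diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-03-04 14:16:25.000000000 +0100
@@ -35,13 +35,20 @@
 
 #include "log.h"
 #include "audit.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "servconf.h"
 #include "canohost.h"
 
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern u_int utmp_len;
 const char* audit_username(void);
 
-int
-linux_audit_record_event(int uid, const char *username,
- const char *hostname, const char *ip, const char *ttyn, int success)
+static void
+linux_audit_user_logxxx(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
 {
 int audit_fd, rc, saved_errno;
 
@@ -49,11 +56,11 @@ linux_audit_record_event(int uid, const
 if (audit_fd < 0) {
 if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 errno == EAFNOSUPPORT)
- return 1; /* No audit support in kernel */
+ return; /* No audit support in kernel */
 else
- return 0; /* Must prevent login */
+ goto fatal_report; /* Must prevent login */
 }
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ rc = audit_log_acct_message(audit_fd, event,
 NULL, "login", username ? username : "(unknown)",
 username == NULL ? uid : -1, hostname, ip, ttyn, success);
 saved_errno = errno;
@@ -65,35 +72,119 @@ linux_audit_record_event(int uid, const
 if ((rc == -EPERM) && (geteuid() != 0))
 rc = 0;
 errno = saved_errno;
- return (rc >= 0);
+ if (rc < 0) {
+fatal_report:
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ }
+}
+
+static void
+linux_audit_user_auth(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
+{
+ int audit_fd, rc, saved_errno;
+ static const char *event_name[] = {
+ "maxtries exceeded",
+ "root denied",
+ "success",
+ "none",
+ "password",
+ "challenge-response",
+ "pubkey",
+ "hostbased",
+ "gssapi",
+ "invalid user",
+ "nologin",
+ "connection closed",
+ "connection abandoned",
+ "unknown"
+ };
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return; /* No audit support in kernel */
+ else
+ goto fatal_report; /* Must prevent login */
+ }
+
+ if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
+ event = SSH_AUDIT_UNKNOWN;
+
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
+ NULL, event_name[event], username ? username : "(unknown)",
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ saved_errno = errno;
+ close(audit_fd);
+ /*
+ * Do not report error if the error is EPERM and sshd is run as non
+ * root user.
+ */
+ if ((rc == -EPERM) && (geteuid() != 0))
+ rc = 0;
+ errno = saved_errno;
+ if (rc < 0) {
+fatal_report:
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ }
 }
 
+static int user_login_count = 0;
+
 /* Below is the sshd audit API code */
 
 void
 audit_connection_from(const char *host, int port)
 {
-}
 /* not implemented */
+}
 
-void
+int
 audit_run_command(const char *command)
 {
- /* not implemented */
+ if (!user_login_count++)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_START);
+ return 0;
+}
+
+void
+audit_end_command(int handle, const char *command)
+{
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
+}
+
+void
+audit_count_session_open(void)
+{
+ user_login_count++;
 }
 
 void
 audit_session_open(struct logininfo *li)
 {
- if (linux_audit_record_event(li->uid, NULL, li->hostname,
- NULL, li->line, 1) == 0)
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ if (!user_login_count++)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_START);
 }
 
 void
 audit_session_close(struct logininfo *li)
 {
- /* not implemented */
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
 }
 
 void
@@ -101,21 +192,43 @@ audit_event(ssh_audit_event_t event)
 {
 switch(event) {
 case SSH_AUTH_SUCCESS:
- case SSH_CONNECTION_CLOSE:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 1, event);
+ break;
+
 case SSH_NOLOGIN:
- case SSH_LOGIN_EXCEED_MAXTRIES:
 case SSH_LOGIN_ROOT_DENIED:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, event);
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
 break;
 
+ case SSH_LOGIN_EXCEED_MAXTRIES:
 case SSH_AUTH_FAIL_NONE:
 case SSH_AUTH_FAIL_PASSWD:
 case SSH_AUTH_FAIL_KBDINT:
 case SSH_AUTH_FAIL_PUBKEY:
 case SSH_AUTH_FAIL_HOSTBASED:
 case SSH_AUTH_FAIL_GSSAPI:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, event);
+ break;
+
+ case SSH_CONNECTION_CLOSE:
+ if (user_login_count) {
+ while (user_login_count--)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_END);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
+ }
+ break;
+
+ case SSH_CONNECTION_ABANDON:
 case SSH_INVALID_USER:
- linux_audit_record_event(-1, audit_username(), NULL,
- get_remote_ipaddr(), "sshd", 0);
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
 break;
 
 default: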
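Review bot: In the SSH_CONNECTION_CLOSE case of audit_event, `while (user_login_count--)` exits with user_login_count at -1 rather than 0, so after the LOGOUT record the counter is left negative; any later audit_end_command or audit_session_close in this process would then see a non-zero count and never emit LOGOUT, and audit_session_open would skip its LOGIN record. Reset it after the loop, `user_login_count = 0;`, or loop on `while (user_login_count > 0) { user_login_count--; ... }`, which also makes the enclosing `if (user_login_count)` redundant. The same case, and audit_run_command/audit_end_command above it, dereference the_authctxt->pw with no NULL check; that is presumably safe because the count is only non-zero once a session was opened for an authenticated user, but a one-line comment stating that assumption would protect it. Note also that fatal() on a failed audit write now applies to the USER_END/USER_LOGOUT records too, so an audit failure at session close tears down the whole connection; if that fail-closed policy is intended, say so next to `fatal_report:`.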
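diff -up openssh-5.8p1/monitor.c.audit1 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit1 2010-09-10 03:23:34.000000000 +0200
+++ openssh-5.8p1/monitor.c 2011-03-04 14:16:25.000000000 +0100
@@ -177,6 +177,7 @@ int mm_answer_gss_checkmic(int, Buffer *
 #ifdef SSH_AUDIT_EVENTS
 int mm_answer_audit_event(int, Buffer *);
 int mm_answer_audit_command(int, Buffer *);
+int mm_answer_audit_end_command(int, Buffer *);
 #endif
 
 static Authctxt *authctxt;
@@ -261,6 +262,7 @@ struct mon_table mon_dispatch_postauth20
 #ifdef SSH_AUDIT_EVENTS
 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
+ {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
 #endif
 {0, 0, NULL}
 };
@@ -303,6 +305,7 @@ struct mon_table mon_dispatch_postauth15
 #ifdef SSH_AUDIT_EVENTS
 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
+ {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
 #endif
 {0, 0, NULL}
 };
@@ -1288,6 +1291,12 @@ mm_session_close(Session *s)
 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
 session_pty_cleanup2(s);
 }
+#ifdef SSH_AUDIT_EVENTS
+ if (s->command != NULL) {
+ debug3("%s: command %d", __func__, s->command_handle);
+ session_end_command2(s);
+ }
+#endif
 session_unused(s->self);
 }
 
@@ -1610,11 +1619,44 @@ mm_answer_audit_command(int socket, Buff
 {
 u_int len;
 char *cmd;
+ Session *s;
 
 debug3("%s entering", __func__);
 cmd = buffer_get_string(m, &len;;
+
 /* sanity check command, if so how? */
- audit_run_command(cmd);
+ s = session_new();
+ if (s == NULL)
+ fatal("%s: error allocating a session", __func__);
+ s->command = cmd;
+ s->command_handle = audit_run_command(cmd);
+
+ buffer_clear(m);
+ buffer_put_int(m, s->self);
+
+ mm_request_send(socket, MONITOR_ANS_AUDIT_COMMAND, m);
+
+ return (0);
+}
+
+int
+mm_answer_audit_end_command(int socket, Buffer *m)
+{
+ int handle;
+ u_int len;
+ char *cmd;
+ Session *s;
+
+ debug3("%s entering", __func__);
+ handle = buffer_get_int(m);
+ cmd = buffer_get_string(m, &len;;
+
+ s = session_by_id(handle);
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
+ strcmp(s->command, cmd) != 0)
+ fatal("%s: invalid handle", __func__);
+ mm_session_close(s);
+
 xfree(cmd);
 return (0);
 }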
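Review bot: mm_answer_audit_command now allocates a monitor-side Session for every MONITOR_REQ_AUDIT_COMMAND and releases it only on the matching END request or in do_cleanup, and the postauth20 dispatch entry carries no MON_ONCE, so the unprivileged child decides how many of the monitor's session slots stay held; a pty session that also carries a command costs two monitor Sessions (one from the pty request, one here), so if session_new() is bounded by MaxSessions as upstream's is, the monitor can exhaust its table before the child does and `fatal("%s: error allocating a session", __func__)` drops the whole connection. Accounting the audited command against the pty Session already created for that channel, or replying with an error the child can log instead of fatal(), would avoid that. The `s->ttyfd != -1` test in mm_answer_audit_end_command is what keeps the child from closing a pty session by id through this request; a comment would stop a later edit from removing it, e.g. `/* only sessions created by mm_answer_audit_command may be closed here, never pty sessions */`. The `len` from buffer_get_string is unused in both handlers; the strcmp() on a NUL-terminated copy is fine, but a length-aware compare would also reject an embedded NUL in the child's string.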
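diff -up openssh-5.8p1/monitor.h.audit1 openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.audit1 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.8p1/monitor.h 2011-03-04 14:16:25.000000000 +0100
@@ -60,6 +60,7 @@ enum monitor_reqtype {
 MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
 MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
 MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
+ MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
 MONITOR_REQ_TERM,
 MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
 MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,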
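diff -up openssh-5.8p1/monitor_wrap.c.audit1 openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit1 2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.8p1/monitor_wrap.c 2011-03-04 14:16:25.000000000 +0100
@@ -1150,10 +1150,11 @@ mm_audit_event(ssh_audit_event_t event)
 buffer_free(&m);
 }
 
-void
+int
 mm_audit_run_command(const char *command)
 {
 Buffer m;
+ int handle;
 
 debug3("%s entering command %s", __func__, command);
 
@@ -1161,6 +1162,26 @@ mm_audit_run_command(const char *command
 buffer_put_cstring(&m, command);
 
 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, &m);
+
+ handle = buffer_get_int(&m);
+ buffer_free(&m);
+
+ return (handle);
+}
+
+void
+mm_audit_end_command(int handle, const char *command)
+{
+ Buffer m;
+
+ debug3("%s entering command %s", __func__, command);
+
+ buffer_init(&m);
+ buffer_put_int(&m, handle);
+ buffer_put_cstring(&m, command);
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
 buffer_free(&m);
 }
 #endif /* SSH_AUDIT_EVENTS */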
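diff -up openssh-5.8p1/monitor_wrap.h.audit1 openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit1 2009-03-05 14:58:22.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h 2011-03-04 14:16:25.000000000 +0100
@@ -73,7 +73,8 @@ void mm_sshpam_free_ctx(void *);
 #ifdef SSH_AUDIT_EVENTS
 #include "audit.h"
 void mm_audit_event(ssh_audit_event_t);
-void mm_audit_run_command(const char *);
+int mm_audit_run_command(const char *);
+void mm_audit_end_command(int, const char *);
 #endif
 
 struct Session;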
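diff -up openssh-5.8p1/session.c.audit1 openssh-5.8p1/session.c
--- openssh-5.8p1/session.c.audit1 2010-12-01 02:02:59.000000000 +0100
+++ openssh-5.8p1/session.c 2011-03-04 14:16:25.000000000 +0100
@@ -738,6 +738,14 @@ do_exec_pty(Session *s, const char *comm
 /* Parent. Close the slave side of the pseudo tty. */
 close(ttyfd);
 
+#ifndef HAVE_OSF_SIA
+ /* do_login in the child did not affect state in this process,
+ compensate. From an architectural standpoint, this is extremely
+ ugly. */
+ if (!(options.use_login && command == NULL))
+ audit_count_session_open();
+#endif
+
 /* Enter interactive session. */
 s->ptymaster = ptymaster;
 packet_set_interactive(1,
@@ -809,15 +817,19 @@ do_exec(Session *s, const char *command)
 }
 
 #ifdef SSH_AUDIT_EVENTS
+ if (s->command != NULL || s->command_handle != -1)
+ fatal("do_exec: command already set");
 if (command != NULL)
- PRIVSEP(audit_run_command(command));
+ s->command = xstrdup(command);
 else if (s->ttyfd == -1) {
 char *shell = s->pw->pw_shell;
 
 if (shell[0] == '\0') /* empty shell means /bin/sh */
 shell =_PATH_BSHELL;
- PRIVSEP(audit_run_command(shell));
+ s->command = xstrdup(shell);
 }
+ if (s->command != NULL)
+ s->command_handle = PRIVSEP(audit_run_command(s->command));
 #endif
 if (s->ttyfd != -1)
 ret = do_exec_pty(s, command);
@@ -1841,6 +1853,7 @@ session_unused(int id)
 sessions[id].ttyfd = -1;
 sessions[id].ptymaster = -1;
 sessions[id].x11_chanids = NULL;
+ sessions[id].command_handle = -1;
 sessions[id].next_unused = sessions_first_unused;
 sessions_first_unused = id;
 }
@@ -1923,6 +1936,19 @@ session_open(Authctxt *authctxt, int cha
 }
 
 Session *
+session_by_id(int id)
+{
+ if (id >= 0 && id < sessions_nalloc) {
+ Session *s = &sessions[id];
+ if (s->used)
+ return s;
+ }
+ debug("session_by_id: unknown id %d", id);
+ session_dump();
+ return NULL;
+}
+
+Session *
 session_by_tty(char *tty)
 {
 int i;
@@ -2448,6 +2474,30 @@ session_exit_message(Session *s, int sta
 chan_write_failed(c);
 }
 
+#ifdef SSH_AUDIT_EVENTS
+void
+session_end_command2(Session *s)
+{
+ if (s->command != NULL) {
+ audit_end_command(s->command_handle, s->command);
+ xfree(s->command);
+ s->command = NULL;
+ s->command_handle = -1;
+ }
+}
+
+static void
+session_end_command(Session *s)
+{
+ if (s->command != NULL) {
+ PRIVSEP(audit_end_command(s->command_handle, s->command));
+ xfree(s->command);
+ s->command = NULL;
+ s->command_handle = -1;
+ }
+}
+#endif
+
 void
 session_close(Session *s)
 {
@@ -2456,6 +2506,10 @@ session_close(Session *s)
 debug("session_close: session %d pid %ld", s->self, (long)s->pid);
 if (s->ttyfd != -1)
 session_pty_cleanup(s);
+#ifdef SSH_AUDIT_EVENTS
+ if (s->command)
+ session_end_command(s);
+#endif
 if (s->term)
 xfree(s->term);
 if (s->display)
@@ -2675,6 +2729,15 @@ do_authenticated2(Authctxt *authctxt)
 server_loop2(authctxt);
 }
 
+static void
+do_cleanup_one_session(Session *s)
+{
+ session_pty_cleanup2(s);
+#ifdef SSH_AUDIT_EVENTS
+ session_end_command2(s);
+#endif
+}
+
 void
 do_cleanup(Authctxt *authctxt)
 {
@@ -2723,5 +2786,5 @@ do_cleanup(Authctxt *authctxt)
 * or if running in monitor.
 */
 if (!use_privsep || mm_is_monitor())
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
 }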
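Review bot: The new audit_count_session_open() call in do_exec_pty is guarded only by `#ifndef HAVE_OSF_SIA`, while every other audit call this patch adds to session.c (do_exec, session_end_command, session_close, do_cleanup_one_session) sits under `#ifdef SSH_AUDIT_EVENTS`, and the function's definition in audit.c is inside that same `#ifdef`, so a build without audit support fails to link here. Change the guard to `#if defined(SSH_AUDIT_EVENTS) && !defined(HAVE_OSF_SIA)`. The comment should also say whose counter is being compensated: do_exec_pty runs in the process that forked the session child, which under privsep is the unprivileged child, whose copy of the backend's counter is separate from the monitor's — if the compensation is only meaningful without privsep, state that, since the counter then drives the LOGOUT record emitted by the backend.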
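diff -up openssh-5.8p1/session.h.audit1 openssh-5.8p1/session.h
--- openssh-5.8p1/session.h.audit1 2008-05-19 07:34:50.000000000 +0200
+++ openssh-5.8p1/session.h 2011-03-04 14:16:25.000000000 +0100
@@ -60,6 +60,12 @@ struct Session {
 char *name;
 char *val;
 } *env;
+
+ /* exec */
+#ifdef SSH_AUDIT_EVENTS
+ int command_handle;
+ char *command;
+#endif
 };
 
 void do_authenticated(Authctxt *);
@@ -72,8 +78,10 @@ void session_close_by_pid(pid_t, int);
 void session_close_by_channel(int, void *);
 void session_destroy_all(void (*)(Session *));
 void session_pty_cleanup2(Session *);
+void session_end_command2(Session *);
 
 Session *session_new(void);
+Session *session_by_id(int);
 Session *session_by_tty(char *);
 void session_close(Session *);
 void do_setusercontext(struct passwd *);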
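Review bot: The two new Session fields carry no comment on ownership or sentinel values, and both matter to other files in this patch: `command` is an xstrdup'd copy freed by session_end_command/session_end_command2 in session.c, or the buffer_get_string result handed over in monitor.c's mm_answer_audit_command, and `command_handle` is -1 while no command is outstanding (session_unused sets it, do_exec checks it) and otherwise whatever audit_run_command returned — the backend's handle in the monitor, the monitor's session id in the privsep child. Suggest `int command_handle; /* from audit_run_command; -1 while no command is outstanding */` and `char *command; /* owned copy of the audited command, NULL when none */`. Whether `command` is NULL for a fresh slot depends on session_unused zeroing the struct before the assignments shown in its hunk, which is outside this view.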
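diff -up openssh-5.8p1/sshd.c.audit1 openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit1 2011-01-11 07:20:31.000000000 +0100
+++ openssh-5.8p1/sshd.c 2011-03-04 14:16:25.000000000 +0100
@@ -2342,7 +2342,8 @@ cleanup_exit(int i)
 do_cleanup(the_authctxt);
 #ifdef SSH_AUDIT_EVENTS
 /* done after do_cleanup so it can cancel the PAM auth 'thread' */
- if (!use_privsep || mm_is_monitor())
+ if ((the_authctxt == NULL || !the_authctxt->authenticated) &&
+ (!use_privsep || mm_is_monitor()))
 audit_event(SSH_CONNECTION_ABANDON);
 #endif
 _exit(i);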
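Review bot: After this change an authenticated connection leaving through cleanup_exit records no SSH_CONNECTION_ABANDON, and nothing in this hunk emits SSH_CONNECTION_CLOSE in its place; the Linux backend in this patch maps ABANDON to a failed AUDIT_USER_LOGIN record, which explains excluding authenticated users, but it means the only trail for an abnormal post-auth exit is the USER_END/USER_LOGOUT records that do_cleanup's session_destroy_all produces for sessions it still tracks. If that is the intended policy, a comment on the new condition would make it explicit, e.g. `/* ABANDON is logged as a failed login; after authentication the open sessions are closed by do_cleanup instead */`; if not, the authenticated branch should emit SSH_CONNECTION_CLOSE here. The remainder of cleanup_exit is outside the hunk.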