From 57349a88a86d3fa7644e660cb24b6f0457881731 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Jan 22 2018 11:58:09 +0000 Subject: Use correct audit event for pubkey auth --- diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index a05e64b..bd23def 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -31,7 +31,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c } +int -+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv) ++audit_keyusage(int host_user, char *fp, int rv) +{ + /* not implemented */ +} @@ -122,7 +122,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c return (the_authctxt->user); } -@@ -109,6 +113,37 @@ audit_event_lookup(ssh_audit_event_t ev) +@@ -109,6 +113,35 @@ audit_event_lookup(ssh_audit_event_t ev) return(event_lookup[i].name); } @@ -130,11 +130,9 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c +audit_key(int host_user, int *rv, const Key *key) +{ + char *fp; -+ const char *crypto_name; + + fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); -+ crypto_name = key_ssh_name(key); -+ if (audit_keyusage(host_user, crypto_name, sshkey_size(key), fp, (*rv == 0)) == 0) ++ if (audit_keyusage(host_user, fp, (*rv == 0)) == 0) + *rv = -SSH_ERR_INTERNAL_ERROR; + free(fp); +} @@ -214,10 +212,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c + * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key. + */ +int -+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv) ++audit_keyusage(int host_user, char *fp, int rv) +{ -+ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", -+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits, ++ debug("audit %s key usage euid %d user %s fingerprint %s, result %d", ++ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), + fp, rv); +} + @@ -297,7 +295,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h +int audit_run_command(const char *); +void audit_end_command(int, const char *); ssh_audit_event_t audit_classify_auth(const char *); -+int audit_keyusage(int, const char *, unsigned, char *, int); ++int audit_keyusage(int, char *, int); +void audit_key(int, int *, const Key *); +void audit_unsupported(int); +void audit_kex(int, char *, char *, char *, char *); @@ -360,7 +358,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c saved_errno = errno; close(audit_fd); -@@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const +@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const rc = 0; errno = saved_errno; @@ -424,7 +422,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c +} + +int -+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv) ++audit_keyusage(int host_user, char *fp, int rv) +{ + char buf[AUDIT_LOG_SIZE]; + int audit_fd, rc, saved_errno; @@ -442,10 +440,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c + buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv); + if ((rc < 0) && ((rc != -1) || (getuid() == 0))) + goto out; -+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d", -+ type, bits, fp, ssh_remote_port(active_state)); -+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, -+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv); ++ snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp); ++ rc = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL, ++ ssh_remote_ipaddr(active_state), NULL, rv); +out: + saved_errno = errno; + audit_close(audit_fd);