+ Index: b/channels.c

+ ===================================================================

+ --- b.orig/channels.c

+ +++ b/channels.c

+ @@ -3774,6 +3774,7 @@ int

+  channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,

+      int *allocated_listen_port, struct ForwardOptions *fwd_opts)

+  {

+ +  int success = 0;

+  	if (!check_rfwd_permission(ssh, fwd)) {

+  		ssh_packet_send_debug(ssh, "port forwarding refused");

+  		if (fwd->listen_path != NULL)

+ @@ -3795,14 +3796,23 @@ channel_setup_remote_fwd_listener(struct

+  			    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));

+  		return 0;

+  	}

+ -	if (fwd->listen_path != NULL) {

+ -		return channel_setup_fwd_listener_streamlocal(ssh,

+ +  if (fwd->listen_path != NULL) {

+ +		success = channel_setup_fwd_listener_streamlocal(ssh,

+  		    SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);

+  	} else {

+ -		return channel_setup_fwd_listener_tcpip(ssh,

+ +		success = channel_setup_fwd_listener_tcpip(ssh,

+  		    SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,

+  		    fwd_opts);

+  	}

+ +  logit("Remote forward request %s: listen=%s:%d connect=%s:%d"

+ +         " uid=%d",

+ +         success ? "succeeded" : "failed",

+ +         fwd->listen_host,

+ +         fwd->listen_port,

+ +         ssh_remote_ipaddr(ssh),

+ +         ssh_remote_port(ssh),

+ +         getuid());

+ +  return success;

+  }

+  

+  /*

+ @@ -4593,7 +4603,7 @@ x11_create_display_inet(struct ssh *ssh,

+  				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)

+  #ifdef EPFNOSUPPORT

+  				    && (errno != EPFNOSUPPORT)

+ -#endif 

+ +#endif

+  				    ) {

+  					error("socket: %.100s", strerror(errno));

+  					freeaddrinfo(aitop);

+ Index: b/auth2-pubkey.c

+ ===================================================================

+ --- b.orig/auth2-pubkey.c

+ +++ b/auth2-pubkey.c

+ @@ -389,6 +389,10 @@ check_principals_line(struct ssh *ssh, c

+  			continue;

+  		debug3("%s: matched principal \"%.100s\"",

+  		    loc, cert->principals[i]);

+ +		verbose("Matched principal \"%.100s\" from %s against \"%.100s\" "

+ +		    "from cert",

+ +		    cp, loc, cert->principals[i]);

+ +

+  		found = 1;

+  		slog_set_principal(cp);

+  	}

+ @@ -432,6 +436,8 @@ process_principals(struct ssh *ssh, FILE

+  			found_principal = 1;

+  	}

+  	free(line);

+ +	if (!found_principal)

+ +		verbose("Did not match any principals from auth_principals_* files");

+  	return found_principal;

+  }

+  

+ @@ -710,7 +716,7 @@ check_authkey_line(struct ssh *ssh, stru

+  	    &reason) != 0)

+  		goto fail_reason;

+  

+ -	verbose("Accepted certificate ID \"%s\" (serial %llu) "

+ +	verbose("Accepted cert ID \"%s\" (serial %llu) "

+  	    "signed by CA %s %s found at %s",

+  	    key->cert->key_id,

+  	    (unsigned long long)key->cert->serial,

+ @@ -780,7 +786,7 @@ static int

+  user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key,

+      struct sshauthopt **authoptsp)

+  {

+ -	char *ca_fp, *principals_file = NULL;

+ +	char *ca_fp, *key_fp, *principals_file = NULL;

+  	const char *reason;

+  	struct sshauthopt *principals_opts = NULL, *cert_opts = NULL;

+  	struct sshauthopt *final_opts = NULL;

+ @@ -796,11 +802,16 @@ user_cert_trusted_ca(struct ssh *ssh, st

+  	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

+  		return 0;

+  

+ +	key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);

+ +

+  	if ((r = sshkey_in_file(key->cert->signature_key,

+  	    options.trusted_user_ca_keys, 1, 0)) != 0) {

+  		debug2_fr(r, "CA %s %s is not listed in %s",

+  		    sshkey_type(key->cert->signature_key), ca_fp,

+  		    options.trusted_user_ca_keys);

+ +		verbose("CA %s %s is not listed in %s",

+ +		    sshkey_type(key->cert->signature_key), ca_fp,

+ +		    options.trusted_user_ca_keys);

+  		goto out;

+  	}

+  	/*

+ @@ -851,6 +862,11 @@ user_cert_trusted_ca(struct ssh *ssh, st

+  		if ((final_opts = sshauthopt_merge(principals_opts,

+  		    cert_opts, &reason)) == NULL) {

+   fail_reason:

+ +			verbose("Rejected cert ID \"%s\" with signature "

+ +			    "%s signed by %s CA %s via %s",

+ +			    key->cert->key_id, key_fp,

+ +			    sshkey_type(key->cert->signature_key), ca_fp,

+ +			    options.trusted_user_ca_keys);

+  			error("%s", reason);

+  			auth_debug_add("%s", reason);

+  			goto out;

+ @@ -858,9 +874,10 @@ user_cert_trusted_ca(struct ssh *ssh, st

+  	}

+  

+  	/* Success */

+ -	verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "

+ -	    "%s CA %s via %s", key->cert->key_id,

+ -	    (unsigned long long)key->cert->serial,

+ +	verbose("Accepted cert ID \"%s\" (serial %llu) with signature %s "

+ +	    "signed by %s CA %s via %s",

+ +	    key->cert->key_id,

+ +	    (unsigned long long)key->cert->serial, key_fp,

+  	    sshkey_type(key->cert->signature_key), ca_fp,

+  	    options.trusted_user_ca_keys);

+  	if (authoptsp != NULL) {

+ @@ -875,6 +892,7 @@ user_cert_trusted_ca(struct ssh *ssh, st

+  	sshauthopt_free(final_opts);

+  	free(principals_file);

+  	free(ca_fp);

+ +	free(key_fp);

+  	return ret;

+  }

+  

+ Index: b/regress/cert-logging.sh

+ ===================================================================

+ --- /dev/null

+ +++ b/regress/cert-logging.sh

+ @@ -0,0 +1,84 @@

+ +tid="cert logging"

+ +

+ +CERT_ID="cert_id"

+ +PRINCIPAL=$USER

+ +SERIAL=0

+ +

+ +log_grep() {

+ +    if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then

+ +        return 1;

+ +    else

+ +        return 0;

+ +    fi

+ +}

+ +

+ +cat << EOF >> $OBJ/sshd_config

+ +TrustedUserCAKeys $OBJ/ssh-rsa.pub

+ +Protocol 2

+ +PubkeyAuthentication yes

+ +AuthenticationMethods publickey

+ +AuthorizedPrincipalsFile $OBJ/auth_principals

+ +EOF

+ +

+ +if [ ! -f $OBJ/trusted_rsa ]; then

+ +    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa

+ +fi

+ +if [ ! -f $OBJ/untrusted_rsa ]; then

+ +    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa

+ +fi

+ +

+ +${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub ||

+ +    fatal "Could not create trusted SSH cert"

+ +

+ +${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub ||

+ +    fatal "Could not create untrusted SSH cert"

+ +

+ +CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa | cut -d' ' -f2)"

+ +KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa | cut -d' ' -f2)"

+ +UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa | cut -d' ' -f2)"

+ +

+ +start_sshd

+ +

+ +

+ +test_no_principals() {

+ +    echo > $OBJ/auth_principals

+ +    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||

+ +        fatal "SSH failed"

+ +

+ +    if ! log_grep 'Did not match any principals from auth_principals_\* files'; then

+ +        fail "No 'Did not match any principals' message"

+ +    fi

+ +

+ +    if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then

+ +        fail "No 'Rejected cert ID' message"

+ +    fi

+ +}

+ +

+ +

+ +test_with_principals() {

+ +    echo $USER > $OBJ/auth_principals

+ +    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||

+ +        fatal "SSH failed"

+ +

+ +    if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then

+ +        fail "No 'Matched principal' message"

+ +    fi

+ +    if ! log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then

+ +        fail "No 'Accepted cert ID' message"

+ +    fi

+ +}

+ +

+ +

+ +test_untrusted_cert() {

+ +    ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true ||

+ +        fatal "SSH failed"

+ +

+ +    if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then

+ +        fail "No 'CA is not listed' message"

+ +    fi

+ +}

+ +

+ +

+ +test_no_principals

+ +test_with_principals

+ +test_untrusted_cert

+ Index: b/session.c

+ ===================================================================

+ --- b.orig/session.c

+ +++ b/session.c

+ @@ -2049,6 +2049,8 @@ session_pty_req(struct ssh *ssh, Session

+  		return 0;

+  	}

+  	debug("session_pty_req: session %d alloc %s", s->self, s->tty);

+ +	verbose("Allocated pty %s for user %s session %d",

+ +					s->tty, s->pw->pw_name, s->self);

+  

+  	ssh_tty_parse_modes(ssh, s->ttyfd);

+  

+ @@ -2148,6 +2150,7 @@ session_shell_req(struct ssh *ssh, Sessi

+  

+  	if ((r = sshpkt_get_end(ssh)) != 0)

+  		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);

+ +	verbose("Shell Request for user %s", s->pw->pw_name);

+  	return do_exec(ssh, s, NULL) == 0;

+  }

+  

+ @@ -2163,6 +2166,7 @@ session_exec_req(struct ssh *ssh, Sessio

+  		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);

+  

+  	slog_set_command(command);

+ +	verbose("Exec Request for user %s with command %s", s->pw->pw_name, command);

+  	success = do_exec(ssh, s, command) == 0;

+  	free(command);

+  	return success;

+ Index: b/regress/session-req.sh

+ ===================================================================

+ --- /dev/null

+ +++ b/regress/session-req.sh

+ @@ -0,0 +1,39 @@

+ +tid="session req"

+ +

+ +start_sshd

+ +

+ +test_user_shell_exec_req() {

+ +  session_shell_req_expected="Exec Request for user $USER with command true"

+ +  cnt=$(grep -c "$session_shell_req_expected" "$TEST_SSHD_LOGFILE")

+ +  if [ $cnt == "0" ]; then

+ +  	fail "No exec request for user log lines found"

+ +  fi

+ +}

+ +

+ +test_user_pty() {

+ +  session_pty_req_expected="Allocated pty .* for user $USER session .*"

+ +  line_count=$(grep -c "$session_req_expected" "$TEST_SSHD_LOGFILE")

+ +  if [ $line_count == "0" ]; then

+ +  	fail "No Allocated pty for user session found in log lines"

+ +  fi

+ +}

+ +

+ +test_user_shell_req() {

+ +  exit | ${SSH} -F $OBJ/ssh_config somehost

+ +  if [ $? -ne 0 ]; then

+ +  	fail "ssh connect with failed"

+ +  fi

+ +  session_shell_req_expected="Shell Request for user $USER"

+ +  line_count=$(grep -c "$session_shell_req_expected" "$TEST_SSHD_LOGFILE")

+ +  if [ $line_count == "0" ]; then

+ +  	fail "No session request for user log lines found"

+ +  fi

+ +}

+ +

+ +${SSH} -F $OBJ/ssh_config somehost true

+ +if [ $? -ne 0 ]; then

+ +	fail "ssh connect with failed"

+ +fi

+ +test_user_shell_exec_req

+ +test_user_pty

+ +test_user_shell_req

+ Index: b/sshkey.h

+ ===================================================================

+ --- b.orig/sshkey.h

+ +++ b/sshkey.h

+ @@ -106,7 +106,7 @@ enum sshkey_private_format {

+  /* key is stored in external hardware */

+  #define SSHKEY_FLAG_EXT		0x0001

+  

+ -#define SSHKEY_CERT_MAX_PRINCIPALS	256

+ +#define SSHKEY_CERT_MAX_PRINCIPALS	1024

+  /* XXX opaquify? */

+  struct sshkey_cert {

+  	struct sshbuf	*certblob; /* Kept around for use on wire */

+ Index: b/session.c

+ ===================================================================

+ --- b.orig/session.c

+ +++ b/session.c

+ @@ -2206,7 +2206,7 @@ session_env_req(struct ssh *ssh, Session

+  

+  	for (i = 0; i < options.num_accept_env; i++) {

+  		if (match_pattern(name, options.accept_env[i])) {

+ -			debug2("Setting env %d: %s=%s", s->num_env, name, val);

+ +			verbose("Setting env %d: %s=%s user=%s", s->num_env, name, val, s->pw->pw_name);

+  			s->env = xrecallocarray(s->env, s->num_env,

+  			    s->num_env + 1, sizeof(*s->env));

+  			s->env[s->num_env].name = name;

+ @@ -2215,7 +2215,7 @@ session_env_req(struct ssh *ssh, Session

+  			return (1);

+  		}

+  	}

+ -	debug2("Ignoring env request %s: disallowed name", name);

+ +	verbose("Ignoring env request %s user=%s : disallowed name", name, s->pw->pw_name);

+  

+   fail:

+  	free(name);

+ Index: b/regress/slog.sh

+ ===================================================================

+ --- b.orig/regress/slog.sh

+ +++ b/regress/slog.sh

+ @@ -1,41 +1,60 @@

+  tid='structured log'

+  

+ -port="4242"

+  log_prefix="sshd_auth_msg:"

+ -log_keys="server_ip server_port remote_ip remote_port pid session_id method cert_id cert_serial principal user session_state auth_successful _time command end_time duration auth_info client_version"

+ +log_keys="server_ip server_port remote_ip remote_port pid session_id method cert_id cert_serial principal user session_state auth_successful command end_time duration auth_info client_version"

+  do_log_json="yes"

+ -test_config="$OBJ/sshd2_config"

+ -old_config="$OBJ/sshd_config"

+ -PIDFILE=$OBJ/pidfile

+ -

+ -cat << EOF > $test_config

+ -	#*:

+ -	StrictModes             no

+ -	Port                    $port

+ -	AddressFamily           inet

+ -	ListenAddress           127.0.0.1

+ -	#ListenAddress          ::1

+ -	PidFile                 $PIDFILE

+ -	AuthorizedKeysFile      $OBJ/authorized_keys_%u

+ -	LogLevel                ERROR

+ -	AcceptEnv               _XXX_TEST_*

+ -	AcceptEnv               _XXX_TEST

+ -	HostKey $OBJ/host.ssh-ed25519

+ -	LogFormatPrefix $log_prefix

+ -	LogFormatJson $do_log_json

+ -	LogFormatKeys $log_keys

+ +

+ +AUTH_PRINC_FILE="$OBJ/auth_principals"

+ +CA_FILE="$OBJ/ca-rsa"

+ +IDENTITY_FILE="$OBJ/$USER-rsa"

+ +CERT_ID=$USER

+ +

+ +cat << EOF >>	$OBJ/sshd_config

+ +TrustedUserCAKeys $CA_FILE.pub

+ +PubkeyAuthentication yes

+ +AuthenticationMethods publickey

+ +AuthorizedPrincipalsFile $AUTH_PRINC_FILE

+ +LogFormatPrefix $log_prefix

+ +LogFormatJson $do_log_json

+ +LogFormatKeys $log_keys

+  EOF

+  

+ +sed -i 's/DEBUG3/VERBOSE/g' $OBJ/sshd_config

+  

+ -cp $test_config $old_config

+ -start_sshd

+ +cleanup() {

+ +	rm -f $CA_FILE{.pub,}

+ +	rm -f $IDENTITY_FILE{-cert.pub,.pub,}

+ +	rm -f $AUTH_PRINC_FILE

+ +	rm -f $TEST_SSHD_LOGFILE

+ +}

+ +

+ +make_keys() {

+ +	local keytype=$1

+ +

+ +	rm -f $IDENTITY_FILE{.pub,}

+ +	${SSHKEYGEN} -q -t $keytype -C '' -N '' -f $IDENTITY_FILE ||

+ +	    fatal 'Could not create keypair'

+ +

+ +	cat $IDENTITY_FILE.pub > authorized_keys_$USER

+ +	${SSHKEYGEN} -lf $IDENTITY_FILE

+ +}

+  

+ -${SSH} -F $OBJ/ssh_config somehost true

+ -if [ $? -ne 0 ]; then

+ -	fail "ssh connect with failed"

+ -fi

+ +make_cert() {

+ +	local princs=$1

+ +	local certtype=$2

+ +	local serial=$3

+  

+ -test_log_counts() {

+ +	rm -f $CA_FILE

+ +	rm -f "$IDENTITY_FILE-cert.pub"

+ +

+ +	${SSHKEYGEN} -q -t $certtype -C '' -N '' -f $CA_FILE ||

+ +	    fatal 'Could not create CA key'

+ +

+ +	${SSHKEYGEN} -q -s $CA_FILE -I $CERT_ID -n "$princs" -z $serial "$IDENTITY_FILE.pub" ||

+ +	    fatal "Could not create SSH cert"

+ +}

+ +

+ +do_test_log_counts() {

+  	cnt=$(grep -c "$log_prefix" "$TEST_SSHD_LOGFILE")

+  	if [ $cnt -ne 2 ]; then

+  		fail "expected 2 structured logging lines, got $cnt"

+ @@ -43,7 +62,10 @@ test_log_counts() {

+  }

+  

+  test_json_valid() {

+ -	which python &>/dev/null || echo 'python not found in path, skipping tests'

+ +	if ! $(which python &>/dev/null) ; then

+ +		 echo 'python not found in path, skipping JSON tests'

+ +		 return 1

+ +	fi

+  

+  	loglines=$(cat "$TEST_SSHD_LOGFILE" | grep "$log_prefix")

+  	first=$(echo "$loglines" | head -n1)

+ @@ -55,5 +77,72 @@ test_json_valid() {

+  	    || fail "invalid json structure $last"

+  }

+  

+ -test_log_counts

+ -test_json_valid

+ +# todo: first/last line

+ +extract_key() {

+ +	local key=$1

+ +	loglines=$(cat "$TEST_SSHD_LOGFILE" | grep "$log_prefix")

+ +	last=$(echo "$loglines" | tail -n1)

+ +	json=${last:$(expr length $log_prefix)}

+ +

+ +	val=$(echo $json | python -c "import sys, json; print(json.load(sys.stdin)[\"$key\"])") ||

+ +	    fail "error extracting $key from $json"

+ +	echo "$val"

+ +}

+ +

+ +test_basic_logging() {

+ +	${SSH} -F $OBJ/ssh_config -v -i "$IDENTITY_FILE" somehost true ||

+ +		    fatal "SSH failed"

+ +

+ +	do_test_log_counts

+ +	test_json_valid || return 1

+ +}

+ +

+ +extract_hash() {

+ +	local source=$1

+ +	echo $source | sed "s/.*\(SHA256:[[:print:]]\{43\}\).*$/\1/"

+ +}

+ +

+ +test_auth_info() {

+ +	local keyfp=$1

+ +	local keytype=$2

+ +	local princ=$3

+ +	local serial=$4

+ +

+ +	${SSH} -F $OBJ/ssh_config -v -i "$IDENTITY_FILE" somehost true ||

+ +	    fatal "SSH failed"

+ +

+ +	auth_info=$(extract_key 'auth_info')

+ +	digest=$(extract_hash "$keyfp")

+ +

+ +	[ -z "$keyfp" ] || echo "$auth_info" | grep -q "$digest" ||

+ +		echo "hash digest not found"

+ +	[ -z "$keytype" ] || echo "$auth_info" | grep -q "$keytype" ||

+ +		echo "keytype not found"

+ +	[ -z "$princ" ] || echo "$auth_info" | grep -q "$princ" ||

+ +		echo "princ not found"

+ +	[ -z "$serial" ] || echo "$auth_info" | grep -q "$serial" ||

+ +		echo "serial not found"

+ +}

+ +

+ +test_cert_serial() {

+ +	local serial=$1

+ +	logged_serial=$(extract_key 'cert_serial')

+ +	 [ $serial = $logged_serial ] || fail 'cert serial mismatch'

+ +}

+ +

+ +start_sshd

+ +

+ +keytype="RSA"

+ +keyfp=$(make_keys $keytype)

+ +test_basic_logging || return

+ +test_auth_info "$keyfp" "$keytype"

+ +

+ +rm authorized_keys_$USER # force cert auth

+ +

+ +princ="$USER"

+ +echo $princ > $AUTH_PRINC_FILE

+ +

+ +serial='42'

+ +make_cert "$princ" "$keytype" "$serial"

+ +test_auth_info "$keyfp" "$keytype" "$princ" "$serial"

+ +test_cert_serial "$serial"

+ Index: b/auth.c

+ ===================================================================

+ --- b.orig/auth.c

+ +++ b/auth.c

+ @@ -351,6 +351,8 @@ auth_log(struct ssh *ssh, int authentica

+  	    extra != NULL ? ": " : "",

+  	    extra != NULL ? extra : "");

+  

+ +	if (extra != NULL)

+ +		slog_set_auth_info(extra);

+  	free(extra);

+  	slog_set_auth_data(authenticated, method, authctxt->user);

+  

+ Index: b/auth2-pubkey.c

+ ===================================================================

+ --- b.orig/auth2-pubkey.c

+ +++ b/auth2-pubkey.c

+ @@ -722,7 +722,7 @@ check_authkey_line(struct ssh *ssh, stru

+  	    (unsigned long long)key->cert->serial,

+  	    sshkey_type(found), fp, loc);

+  

+ -	    slog_set_cert_serial(key->cert->serial);

+ +	slog_set_cert_serial(key->cert->serial);

+   success:

+  	if (finalopts == NULL)

+  		fatal_f("internal error: missing options");

+ @@ -885,6 +885,8 @@ user_cert_trusted_ca(struct ssh *ssh, st

+  		final_opts = NULL;

+  	}

+  	slog_set_cert_id(key->cert->key_id);

+ +	slog_set_cert_serial(key->cert->serial);

+ +

+  	ret = 1;

+   out:

+  	sshauthopt_free(principals_opts);

+ Index: b/serverloop.c

+ ===================================================================

+ --- b.orig/serverloop.c

+ +++ b/serverloop.c

+ @@ -433,6 +433,7 @@ server_request_direct_tcpip(struct ssh *

+  	char *target = NULL, *originator = NULL;

+  	u_int target_port = 0, originator_port = 0;

+  	int r;

+ +	uid_t user;

+  

+  	if ((r = sshpkt_get_cstring(ssh, &target, NULL)) != 0 ||

+  	    (r = sshpkt_get_u32(ssh, &target_port)) != 0 ||

+ @@ -451,6 +452,11 @@ server_request_direct_tcpip(struct ssh *

+  		goto out;

+  	}

+  

+ +	user = getuid();

+ +	logit("Tunnel: %s:%d -> %s:%d UID(%d) user %s",

+ +	    originator, originator_port, target, target_port, user,

+ +	    getpwuid(user)->pw_name);

+ +

+  	debug_f("originator %s port %u, target %s port %u",

+  	    originator, originator_port, target, target_port);

+  

+ Index: b/sshd.c

+ ===================================================================

+ --- b.orig/sshd.c

+ +++ b/sshd.c

+ @@ -1420,6 +1420,8 @@ server_accept_loop(struct ssh *ssh, int

+  				    options.log_level,

+  				    options.log_facility,

+  				    log_stderr);

+ +

+ +				set_log_session_id();  // Set log session ID for this session

+  				if (rexec_flag)

+  					close(config_s[0]);

+  				else {

+ Index: b/auth-pam.c

+ ===================================================================

+ --- b.orig/auth-pam.c

+ +++ b/auth-pam.c

+ @@ -766,7 +766,20 @@ sshpam_init(struct ssh *ssh, Authctxt *a

+  		return (-1);

+  	}

+  #endif

+ -	return (0);

+ +	debug("PAM: setting PAM LOG_SESSION_ID to \"%s\"", get_log_session_id());

+ +	{

+ +		char log_session_id_env[HOST_NAME_MAX + 50];

+ +		snprintf(log_session_id_env, sizeof(log_session_id_env),

+ +				"LOG_SESSION_ID=%s", get_log_session_id());

+ +		sshpam_err = pam_putenv(sshpam_handle, log_session_id_env);

+ +		if (sshpam_err != PAM_SUCCESS) {

+ +			pam_end(sshpam_handle, sshpam_err);

+ +			sshpam_handle = NULL;

+ +			return (-1);

+ +		}

+ +	}

+ +

+ +        return (0);

+  }

+  

+  static void

+ Index: b/log.c

+ ===================================================================

+ --- b.orig/log.c

+ +++ b/log.c

+ @@ -410,17 +410,17 @@ do_log(LogLevel level, int force, const

+  		tmp_handler(level, force, fmtbuf, log_handler_ctx);

+  		log_handler = tmp_handler;

+  	} else if (log_on_stderr) {

+ -		snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",

+ -		    (int)sizeof msgbuf - 3, fmtbuf);

+ +		snprintf(msgbuf, sizeof msgbuf, "%.*s session=%s\r\n",

+ +		    (int)sizeof msgbuf - 3, fmtbuf, get_log_session_id());

+  		(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));

+  	} else {

+  #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)

+  		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);

+ -		syslog_r(pri, &sdata, "%.500s", fmtbuf);

+ +		syslog_r(pri, &sdata, "%.500s session=%s", fmtbuf, get_log_session_id());

+  		closelog_r(&sdata);

+  #else

+  		openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);

+ -		syslog(pri, "%.500s", fmtbuf);

+ +		syslog(pri, "%.500s session=%s", fmtbuf, get_log_session_id());

+  		closelog();

+  #endif

+  	}

+ @@ -452,6 +452,33 @@ sshlogdie(const char *file, const char *

+  }

+  

+  void

+ +set_log_session_id()

+ +{

+ +        struct timeval tv;

+ +        char hostname[HOST_NAME_MAX + 1];

+ +        char session_id[HOST_NAME_MAX + 20];

+ +        char *s;

+ +        if (gethostname(hostname, sizeof(hostname)) != 0) {

+ +                *hostname = '\0';

+ +        }

+ +        gettimeofday(&tv, NULL);

+ +        snprintf(session_id, sizeof(session_id), "%s:%x.%x",

+ +                 hostname, tv.tv_sec, tv.tv_usec);

+ +        setenv("LOG_SESSION_ID", session_id, 1);

+ +}

+ +

+ +const char *

+ +get_log_session_id()

+ +{

+ +        const char *id = getenv("LOG_SESSION_ID");

+ +        if (!id) {

+ +                 set_log_session_id();

+ +                 id = getenv("LOG_SESSION_ID");

+ +        }

+ +        return id;

+ +}

+ +

+ +void

+  sshsigdie(const char *file, const char *func, int line, int showfunc,

+      LogLevel level, const char *suffix, const char *fmt, ...)

+  {

+ Index: b/regress/session-id.sh

+ ===================================================================

+ --- /dev/null

+ +++ b/regress/session-id.sh

+ @@ -0,0 +1,23 @@

+ +tid="session id"

+ +

+ +start_sshd

+ +

+ +${SSH} -F $OBJ/ssh_config somehost true

+ +if [ $? -ne 0 ]; then

+ +	fail "ssh connect with failed"

+ +fi

+ +

+ +expected="session=$(hostname)"

+ +

+ +# grab the first session ID which will be stable across session

+ +sessionid=$(grep -m1 $expected $TEST_SSHD_LOGFILE | sed -E 's/.*(session=.*)/\1/')

+ +

+ +line_count=$(grep -c $expected $TEST_SSHD_LOGFILE)

+ +if [ $line_count == "0" ]; then

+ +	fail "No session ID lines found"

+ +fi

+ +

+ +stable_id_count=$(grep -c $sessionid $TEST_SSHD_LOGFILE)

+ +if [ $line_count != $stable_id_count ]; then

+ +	fail 'Mismatching session ids found'

+ +fi

+ Index: b/log.h

+ ===================================================================

+ --- b.orig/log.h

+ +++ b/log.h

+ @@ -68,6 +68,9 @@ const char *	log_level_name(LogLevel);

+  void	 set_log_handler(log_handler_fn *, void *);

+  void	 cleanup_exit(int) __attribute__((noreturn));

+  

+ +void		set_log_session_id();

+ +const char *	get_log_session_id();

+ +

+  void	 sshlog(const char *, const char *, int, int,

+      LogLevel, const char *, const char *, ...)

+      __attribute__((format(printf, 7, 8)));

+ Index: b/session.c

+ ===================================================================

+ --- b.orig/session.c

+ +++ b/session.c

+ @@ -98,6 +98,7 @@

+  #include "atomicio.h"

+  #include "slog.h"

+  

+ +#define SSH_MAX_PUBKEY_BYTES 16384

+  

+  #if defined(KRB5) && defined(USE_AFS)

+  #include <kafs.h>

+ @@ -1054,11 +1055,18 @@ copy_environment(char **source, char ***

+  static char **

+  do_setup_env(struct ssh *ssh, Session *s, const char *shell)

+  {

+ -	char buf[256];

+ +	char buf[SSH_MAX_PUBKEY_BYTES];

+ +	char *pbuf = &buf[0];

+  	size_t n;

+  	u_int i, envsize;

+  	char *ocp, *cp, *value, **env, *laddr;

+  	struct passwd *pw = s->pw;

+ +	Authctxt *authctxt = s->authctxt;

+ +	struct sshkey *key;

+ +	size_t len = 0;

+ +	ssize_t total = 0;

+ +	struct sshkey_cert *cert;

+ +

+  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)

+  	char *path = NULL;

+  #endif

+ @@ -1255,9 +1263,57 @@ do_setup_env(struct ssh *ssh, Session *s

+  		child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file);

+  	if (s->ttyfd != -1)

+  		child_set_env(&env, &envsize, "SSH_TTY", s->tty);

+ -	if (original_command)

+ +	if (original_command) {

+  		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",

+  		    original_command);

+ +		/*

+ +		* Set SSH_CERT_PRINCIPALS to be the principals on the ssh certificate.

+ +		* Only do so when a force command is present to prevent the client

+ +		* from changing the value of SSH_CERT_PRINCIPALS. For example, when a

+ +		* client is given shell access, the client can easily change the

+ +		* value of an environment variable by running, e.g.,

+ +		* ssh user@host.address 'SSH_CERT_PRINCIPALS=attacker env'

+ +		*/

+ +

+ +		if (authctxt->nprev_keys > 0) {

+ +			key = authctxt->prev_keys[authctxt->nprev_keys-1];

+ +			/* If a user was authorized by a certificate, set SSH_CERT_PRINCIPALS */

+ +			if (sshkey_is_cert(key)) {

+ +				cert = key->cert;

+ +

+ +				for (i = 0; i < cert->nprincipals - 1; ++i) {

+ +					/*

+ +					* total: bytes written to buf so far

+ +					* 2: one for comma and one for '\0' to be added by snprintf

+ +					* We stop at the first principal overflowing buf.

+ +					*/

+ +					if (total + strlen(cert->principals[i]) + 2 > SSH_MAX_PUBKEY_BYTES)

+ +						break;

+ +

+ +					len = snprintf(pbuf, SSH_MAX_PUBKEY_BYTES-total, "%s,",

+ +					    cert->principals[i]);

+ +					/* pbuf advances by len, the '\0' at the end will be overwritten */

+ +					pbuf += len;

+ +					total += len;

+ +				}

+ +

+ +				if (total + strlen(cert->principals[i]) + 1 <= SSH_MAX_PUBKEY_BYTES) {

+ +					len = snprintf(pbuf, SSH_MAX_PUBKEY_BYTES-total, "%s",

+ +					    cert->principals[i]);

+ +					total += len;

+ +				} else if (total > 0)

+ +					/*

+ +					* If we hit the overflow condition, remove the trailing comma.

+ +					* We only do so if the overflowing principal is not the first one on the

+ +					* certificate so that there is at least one principal in buf

+ +					*/

+ +					buf[total-1] = '\0';

+ +

+ +				if (total > 0)

+ +					child_set_env(&env, &envsize, "SSH_CERT_PRINCIPALS", buf);

+ +			}

+ +		}

+ +	}

+  

+  	if (debug_flag) {

+  		/* dump the environment */

+ Index: b/regress/cert-princ-env.sh

+ ===================================================================

+ --- /dev/null

+ +++ b/regress/cert-princ-env.sh

+ @@ -0,0 +1,129 @@

+ +tid="cert principal env"