Bugzilla – Attachment 1939 Details for
Bug 1402
Support auditing through Linux Audit subsystem
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
aditinal patch fr auditing authrized keys usage
openssh-5.6p1-audit2.patch (text/plain), 5.49 KB, created by
jchadima
on 2010-10-26 13:13:07 AEDT
(
hide
)
Description:
aditinal patch fr auditing authrized keys usage
Filename:
MIME Type:
Creator:
jchadima
Created:
2010-10-26 13:13:07 AEDT
Size:
5.49 KB
patch
obsolete
>diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c >--- openssh-5.6p1/audit-bsm.c.audit2 2010-10-25 15:41:28.000000000 +0200 >+++ openssh-5.6p1/audit-bsm.c 2010-10-25 15:41:28.000000000 +0200 >@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li > /* not implemented */ > } > >+int >+audit_keyusage(const char *type, unsigned len, char *fp) >+{ >+ /* not implemented */ >+} >+ > void > audit_event(ssh_audit_event_t event) > { >diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c >--- openssh-5.6p1/audit.c.audit2 2010-10-25 15:41:28.000000000 +0200 >+++ openssh-5.6p1/audit.c 2010-10-25 15:41:28.000000000 +0200 >@@ -182,5 +182,17 @@ audit_run_command(const char *command) > debug("audit run command euid %d user %s command '%.200s'", geteuid(), > audit_username(), command); > } >+ >+/* >+ * This will be called when user is successfully autherized by the RSA1/RSA/DSA key. >+ * >+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key. >+ */ >+int >+audit_keyusage(const char *type, unsigned len, char *fp) >+{ >+ debug("audit key usage euid %d user %s key type %s key length %d fingerprint %s", geteuid(), >+ audit_username(), type, len, fp); >+} > # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ > #endif /* SSH_AUDIT_EVENTS */ >diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h >--- openssh-5.6p1/audit.h.audit2 2010-10-25 15:41:28.000000000 +0200 >+++ openssh-5.6p1/audit.h 2010-10-25 15:41:28.000000000 +0200 >@@ -53,5 +53,6 @@ void audit_session_open(struct logininfo > void audit_session_close(struct logininfo *); > void audit_run_command(const char *); > ssh_audit_event_t audit_classify_auth(const char *); >+int audit_keyusage(const char *, unsigned, char *); > > #endif /* _SSH_AUDIT_H */ >diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c >--- openssh-5.6p1/audit-linux.c.audit2 2010-10-25 15:41:28.000000000 +0200 >+++ openssh-5.6p1/audit-linux.c 2010-10-25 15:41:28.000000000 +0200 >@@ -37,6 +37,8 @@ > #include "audit.h" > #include "canohost.h" > >+#define AUDIT_LOG_SIZE 128 >+ > const char* audit_username(void); > > int >@@ -62,6 +64,31 @@ linux_audit_record_event(int uid, const > return (rc >= 0); > } > >+int >+audit_keyusage(const char *type, unsigned len, char *fp) >+{ >+ char buf[AUDIT_LOG_SIZE]; >+ int audit_fd, rc, saved_errno; >+ >+ snprintf(buf, sizeof(buf), "pubkey_auth algo=%s size=%d fp=%s rhost=%s rport=%d", >+ type, 8 * len, fp, get_remote_ipaddr(), get_remote_port()); >+ >+ audit_fd = audit_open(); >+ if (audit_fd < 0) { >+ if (errno == EINVAL || errno == EPROTONOSUPPORT || >+ errno == EAFNOSUPPORT) >+ return 1; /* No audit support in kernel */ >+ else >+ return 0; /* Must prevent login */ >+ } >+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, >+ buf, audit_username(), -1, NULL, NULL, NULL, 1); >+ saved_errno = errno; >+ audit_close(audit_fd); >+ errno = saved_errno; >+ return (rc >= 0); >+} >+ > /* Below is the sshd audit API code */ > > void >diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c >--- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200 >+++ openssh-5.6p1/auth2-pubkey.c 2010-10-25 15:41:28.000000000 +0200 >@@ -177,6 +177,40 @@ done: > return authenticated; > } > >+int >+pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) >+{ >+#ifdef SSH_AUDIT_EVENTS >+ char *fp; >+ unsigned size = 0; >+ const char *crypto_name[] = { >+ "ssh-rsa1", >+ "ssh-rsa", >+ "ssh-dsa", >+ "unknown" }; >+#endif >+ >+ if (key_verify(key, sig, slen, data, datalen) == 0) >+ return 0; >+#ifdef SSH_AUDIT_EVENTS >+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); >+ switch(key->type) { >+ case KEY_RSA1: >+ case KEY_RSA: >+ size = RSA_size(key->rsa); >+ break; >+ case KEY_DSA: >+ size = DSA_size(key->dsa); >+ break; >+ } >+ >+ if (audit_keyusage(crypto_name[key->type], size, fp) == 0) >+ return 0; >+ xfree(fp); >+#endif >+ return 1; >+} >+ > static int > match_principals_option(const char *principal_list, struct KeyCert *cert) > { >diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c >--- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200 >+++ openssh-5.6p1/auth-rsa.c 2010-10-25 15:41:28.000000000 +0200 >@@ -275,6 +275,20 @@ auth_rsa_key_allowed(struct passwd *pw, > *rkey = key; > else > key_free(key); >+ >+#ifdef SSH_AUDIT_EVENTS >+ if (allowed) { >+ char *fp; >+ >+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); >+ if (audit_keyusage("ssh-rsa1", RSA_size(key->rsa), fp) == 0) { >+ debug("unsuccessful audit"); >+ allowed = 0; >+ } >+ xfree(fp); >+ } >+#endif >+ > return (allowed); > } > >diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c >--- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200 >+++ openssh-5.6p1/monitor.c 2010-10-25 15:46:16.000000000 +0200 >@@ -1235,7 +1235,19 @@ mm_answer_keyverify(int sock, Buffer *m) > if (!valid_data) > fatal("%s: bad signature data blob", __func__); > >- verified = key_verify(key, signature, signaturelen, data, datalen); >+ switch (key_blobtype) { >+ case MM_USERKEY: >+ verified = pubkey_key_verify(key, signature, signaturelen, data, datalen); >+ break; >+ case MM_HOSTKEY: >+ verified = key_verify(key, signature, signaturelen, data, datalen); >+ valid_data = monitor_valid_hostbasedblob(data, datalen, >+ hostbased_cuser, hostbased_chost); >+ break; >+ default: >+ verified = 0; >+ break; >+ } > debug3("%s: key %p signature %s", > __func__, key, (verified == 1) ? "verified" : "unverified"); >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1939">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1402
:
1396
|
1930
|
1931
|
1934
|
1939
|
1940
|
1942
|
1943
|
1945
|
1950
|
1951
|
1952
|
1954
|
1974
|
1975
|
1976
|
1981
|
2010
|
2011
|
2012
|
2013
|
2014
|
2015
|
2085
|
2086
|
2087
|
2088
|
2089
|
2090
|
2795