Attachment #2011 for bug #1402

View | Details | Raw Unified | Return to bug 1402 | Differences between

and this patch




#endif
}

int
audit_run_command(const char *command)
{
	/* not implemented */
	return 0;
}

void
audit_end_command(int handle, const char *command)
{
	/* not implemented */
}

void
audit_count_session_open(void)
{
	/* not necessary */
}

void




}

/*
 * Called when a child process has called, or will soon call,
 * audit_session_open.
 */
void
audit_count_session_open(void)
{
	debug("audit count session open euid %d user %s", geteuid(),
	      audit_username());
}

/*
 * Called when a user session is started.  Argument is the tty allocated to
 * the session, or NULL if no tty was allocated.
 *

/*
 * This will be called when a user runs a non-interactive command.  Note that
 * it may be called multiple times for a single connection since SSH2 allows
 * multiple sessions within a single connection.  Returns a "handle" for
 * audit_end_command.
 */
int
audit_run_command(const char *command)
{
	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
	    audit_username(), command);
	return 0;
}

/*
 * This will be called when the non-interactive command finishes.  Note that
 * it may be called multiple times for a single connection since SSH2 allows
 * multiple sessions within a single connection.  "handle" should come from
 * the corresponding audit_run_command.
 */
void
audit_end_command(int handle, const char *command)
{
	debug("audit end nopty exec  euid %d user %s command '%.200s'", geteuid(),
	    audit_username(), command);
}

# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */

Lines 49-57 typedef enum ssh_audit_event_type ssh_au Link Here

(-)openssh-5.8p1/audit.h.audit1 (-1 / +3 lines)
49		49
50	void audit_connection_from(const char *, int);	50	void audit_connection_from(const char *, int);
51	void audit_event(ssh_audit_event_t);	51	void audit_event(ssh_audit_event_t);
		52	void audit_count_session_open(void);
52	void audit_session_open(struct logininfo *);	53	void audit_session_open(struct logininfo *);
53	void audit_session_close(struct logininfo *);	54	void audit_session_close(struct logininfo *);
54	void audit_run_command(const char *);	55	int audit_run_command(const char *);
		56	void audit_end_command(int, const char *);
55	ssh_audit_event_t audit_classify_auth(const char *);	57	ssh_audit_event_t audit_classify_auth(const char *);
56		58
57	#endif /* _SSH_AUDIT_H */	59	#endif /* _SSH_AUDIT_H */

Lines 35-47 Link Here

(-)openssh-5.8p1/audit-linux.c.audit1 (-18 / +131 lines)
35		35
36	#include "log.h"	36	#include "log.h"
37	#include "audit.h"	37	#include "audit.h"
		38	#include "key.h"
		39	#include "hostfile.h"
		40	#include "auth.h"
		41	#include "servconf.h"
38	#include "canohost.h"	42	#include "canohost.h"
39		43
		44	extern ServerOptions options;
		45	extern Authctxt *the_authctxt;
		46	extern u_int utmp_len;
40	const char* audit_username(void);	47	const char* audit_username(void);
41		48
42	int	49	static void
43	linux_audit_record_event(int uid, const char *username,	50	linux_audit_user_logxxx(int uid, const char *username,
44	const char hostname, const char ip, const char *ttyn, int success)	51	const char hostname, const char ip, const char *ttyn, int success, int event)
45	{	52	{
46	int audit_fd, rc, saved_errno;	53	int audit_fd, rc, saved_errno;
47		54
Lines 49-59 linux_audit_record_event(int uid, const Link Here
49	if (audit_fd < 0) {	56	if (audit_fd < 0) {
50	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|	57	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
51	errno == EAFNOSUPPORT)	58	errno == EAFNOSUPPORT)
52	return 1; /* No audit support in kernel */	59	return; /* No audit support in kernel */
53	else	60	else
54	return 0; /* Must prevent login */	61	goto fatal_report; /* Must prevent login */
55	}	62	}
56	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,	63	rc = audit_log_acct_message(audit_fd, event,
57	NULL, "login", username ? username : "(unknown)",	64	NULL, "login", username ? username : "(unknown)",
58	username == NULL ? uid : -1, hostname, ip, ttyn, success);	65	username == NULL ? uid : -1, hostname, ip, ttyn, success);
59	saved_errno = errno;	66	saved_errno = errno;
Lines 65-99 linux_audit_record_event(int uid, const Link Here
65	if ((rc == -EPERM) && (geteuid() != 0))	72	if ((rc == -EPERM) && (geteuid() != 0))
66	rc = 0;	73	rc = 0;
67	errno = saved_errno;	74	errno = saved_errno;
68	return (rc >= 0);	75	if (rc < 0) {
		76	fatal_report:
		77	fatal("linux_audit_write_entry failed: %s", strerror(errno));
		78	}
		79	}
		80
		81	static void
		82	linux_audit_user_auth(int uid, const char *username,
		83	const char hostname, const char ip, const char *ttyn, int success, int event)
		84	{
		85	int audit_fd, rc, saved_errno;
		86	static const char *event_name[] = {
		87	"maxtries exceeded",
		88	"root denied",
		89	"success",
		90	"none",
		91	"password",
		92	"challenge-response",
		93	"pubkey",
		94	"hostbased",
		95	"gssapi",
		96	"invalid user",
		97	"nologin",
		98	"connection closed",
		99	"connection abandoned",
		100	"unknown"
		101	};
		102
		103	audit_fd = audit_open();
		104	if (audit_fd < 0) {
		105	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
		106	errno == EAFNOSUPPORT)
		107	return; /* No audit support in kernel */
		108	else
		109	goto fatal_report; /* Must prevent login */
		110	}
		111
		112	if ((event < 0) \|\| (event > SSH_AUDIT_UNKNOWN))
		113	event = SSH_AUDIT_UNKNOWN;
		114
		115	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
		116	NULL, event_name[event], username ? username : "(unknown)",
		117	username == NULL ? uid : -1, hostname, ip, ttyn, success);
		118	saved_errno = errno;
		119	close(audit_fd);
		120	/*
		121	* Do not report error if the error is EPERM and sshd is run as non
		122	* root user.
		123	*/
		124	if ((rc == -EPERM) && (geteuid() != 0))
		125	rc = 0;
		126	errno = saved_errno;
		127	if (rc < 0) {
		128	fatal_report:
		129	fatal("linux_audit_write_entry failed: %s", strerror(errno));
		130	}
69	}	131	}
70		132
		133	static int user_login_count = 0;
		134
71	/* Below is the sshd audit API code */	135	/* Below is the sshd audit API code */
72		136
73	void	137	void
74	audit_connection_from(const char *host, int port)	138	audit_connection_from(const char *host, int port)
75	{	139	{
76	}
77	/* not implemented */	140	/* not implemented */
		141	}
78		142
79	void	143	int
80	audit_run_command(const char *command)	144	audit_run_command(const char *command)
81	{	145	{
82	/* not implemented */	146	if (!user_login_count++)
		147	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		148	NULL, "ssh", 1, AUDIT_USER_LOGIN);
		149	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		150	NULL, "ssh", 1, AUDIT_USER_START);
		151	return 0;
		152	}
		153
		154	void
		155	audit_end_command(int handle, const char *command)
		156	{
		157	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		158	NULL, "ssh", 1, AUDIT_USER_END);
		159	if (user_login_count && !--user_login_count)
		160	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		161	NULL, "ssh", 1, AUDIT_USER_LOGOUT);
		162	}
		163
		164	void
		165	audit_count_session_open(void)
		166	{
		167	user_login_count++;
83	}	168	}
84		169
85	void	170	void
86	audit_session_open(struct logininfo *li)	171	audit_session_open(struct logininfo *li)
87	{	172	{
88	if (linux_audit_record_event(li->uid, NULL, li->hostname,	173	if (!user_login_count++)
89	NULL, li->line, 1) == 0)	174	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
90	fatal("linux_audit_write_entry failed: %s", strerror(errno));	175	NULL, li->line, 1, AUDIT_USER_LOGIN);
		176	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
		177	NULL, li->line, 1, AUDIT_USER_START);
91	}	178	}
92		179
93	void	180	void
94	audit_session_close(struct logininfo *li)	181	audit_session_close(struct logininfo *li)
95	{	182	{
96	/* not implemented */	183	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
		184	NULL, li->line, 1, AUDIT_USER_END);
		185	if (user_login_count && !--user_login_count)
		186	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
		187	NULL, li->line, 1, AUDIT_USER_LOGOUT);
97	}	188	}
98		189
99	void	190	void
Lines 101-121 audit_event(ssh_audit_event_t event) Link Here
101	{	192	{
102	switch(event) {	193	switch(event) {
103	case SSH_AUTH_SUCCESS:	194	case SSH_AUTH_SUCCESS:
104	case SSH_CONNECTION_CLOSE:	195	linux_audit_user_auth(-1, audit_username(), NULL,
		196	get_remote_ipaddr(), "ssh", 1, event);
		197	break;
		198
105	case SSH_NOLOGIN:	199	case SSH_NOLOGIN:
106	case SSH_LOGIN_EXCEED_MAXTRIES:
107	case SSH_LOGIN_ROOT_DENIED:	200	case SSH_LOGIN_ROOT_DENIED:
		201	linux_audit_user_auth(-1, audit_username(), NULL,
		202	get_remote_ipaddr(), "ssh", 0, event);
		203	linux_audit_user_logxxx(-1, audit_username(), NULL,
		204	get_remote_ipaddr(), "ssh", 0, AUDIT_USER_LOGIN);
108	break;	205	break;
109		206
		207	case SSH_LOGIN_EXCEED_MAXTRIES:
110	case SSH_AUTH_FAIL_NONE:	208	case SSH_AUTH_FAIL_NONE:
111	case SSH_AUTH_FAIL_PASSWD:	209	case SSH_AUTH_FAIL_PASSWD:
112	case SSH_AUTH_FAIL_KBDINT:	210	case SSH_AUTH_FAIL_KBDINT:
113	case SSH_AUTH_FAIL_PUBKEY:	211	case SSH_AUTH_FAIL_PUBKEY:
114	case SSH_AUTH_FAIL_HOSTBASED:	212	case SSH_AUTH_FAIL_HOSTBASED:
115	case SSH_AUTH_FAIL_GSSAPI:	213	case SSH_AUTH_FAIL_GSSAPI:
		214	linux_audit_user_auth(-1, audit_username(), NULL,
		215	get_remote_ipaddr(), "ssh", 0, event);
		216	break;
		217
		218	case SSH_CONNECTION_CLOSE:
		219	if (user_login_count) {
		220	while (user_login_count--)
		221	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		222	NULL, "ssh", 1, AUDIT_USER_END);
		223	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		224	NULL, "ssh", 1, AUDIT_USER_LOGOUT);
		225	}
		226	break;
		227
		228	case SSH_CONNECTION_ABANDON:
116	case SSH_INVALID_USER:	229	case SSH_INVALID_USER:
117	linux_audit_record_event(-1, audit_username(), NULL,	230	linux_audit_user_logxxx(-1, audit_username(), NULL,
118	get_remote_ipaddr(), "sshd", 0);	231	get_remote_ipaddr(), "ssh", 0, AUDIT_USER_LOGIN);
119	break;	232	break;
120		233
121	default:	234	default:




#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
int mm_answer_audit_command(int, Buffer *);
int mm_answer_audit_end_command(int, Buffer *);
#endif

static Authctxt *authctxt;

#ifdef SSH_AUDIT_EVENTS
    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
    {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
#endif
    {0, 0, NULL}
};

#ifdef SSH_AUDIT_EVENTS
    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
    {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
#endif
    {0, 0, NULL}
};

		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
		session_pty_cleanup2(s);
	}
#ifdef SSH_AUDIT_EVENTS
	if (s->command != NULL) {
		debug3("%s: command %d", __func__, s->command_handle);
		session_end_command2(s);
	}
#endif
	session_unused(s->self);
}


{
	u_int len;
	char *cmd;
	Session *s;

	debug3("%s entering", __func__);
	cmd = buffer_get_string(m, &len);

	/* sanity check command, if so how? */
	s = session_new();
	if (s == NULL)
		fatal("%s: error allocating a session", __func__);
	s->command = cmd;
	s->command_handle = audit_run_command(cmd);

	buffer_clear(m);
	buffer_put_int(m, s->self);

	mm_request_send(socket, MONITOR_ANS_AUDIT_COMMAND, m);

	return (0);
}

int
mm_answer_audit_end_command(int socket, Buffer *m)
{
	int handle;
	u_int len;
	char *cmd;
	Session *s;

	debug3("%s entering", __func__);
	handle = buffer_get_int(m);
	cmd = buffer_get_string(m, &len);

	s = session_by_id(handle);
	if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
	    strcmp(s->command, cmd) != 0)
		fatal("%s: invalid handle", __func__);
	mm_session_close(s);

	xfree(cmd);
	return (0);
}

Lines 60-65 enum monitor_reqtype { Link Here

(-)openssh-5.8p1/monitor.h.audit1 (+1 lines)
60	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,	60	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
61	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,	61	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
62	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,	62	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
		63	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
63	MONITOR_REQ_TERM,	64	MONITOR_REQ_TERM,
64	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,	65	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
65	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,	66	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,




	buffer_free(&m);
}

int
mm_audit_run_command(const char *command)
{
	Buffer m;
	int handle;

	debug3("%s entering command %s", __func__, command);


	buffer_put_cstring(&m, command);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, &m);

	handle = buffer_get_int(&m);
	buffer_free(&m);

	return (handle);
}

void
mm_audit_end_command(int handle, const char *command)
{
	Buffer m;

	debug3("%s entering command %s", __func__, command);

	buffer_init(&m);
	buffer_put_int(&m, handle);
	buffer_put_cstring(&m, command);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
	buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */

Lines 73-79 void mm_sshpam_free_ctx(void *); Link Here

(-)openssh-5.8p1/monitor_wrap.h.audit1 (-1 / +2 lines)
73	#ifdef SSH_AUDIT_EVENTS	73	#ifdef SSH_AUDIT_EVENTS
74	#include "audit.h"	74	#include "audit.h"
75	void mm_audit_event(ssh_audit_event_t);	75	void mm_audit_event(ssh_audit_event_t);
76	void mm_audit_run_command(const char *);	76	int mm_audit_run_command(const char *);
		77	void mm_audit_end_command(int, const char *);
77	#endif	78	#endif
78		79
79	struct Session;	80	struct Session;

Lines 738-743 do_exec_pty(Session s, const char comm Link Here

(-)openssh-5.8p1/session.c.audit1 (-3 / +66 lines)
738	/* Parent. Close the slave side of the pseudo tty. */	738	/* Parent. Close the slave side of the pseudo tty. */
739	close(ttyfd);	739	close(ttyfd);
740		740
		741	#ifndef HAVE_OSF_SIA
		742	/* do_login in the child did not affect state in this process,
		743	compensate. From an architectural standpoint, this is extremely
		744	ugly. */
		745	if (!(options.use_login && command == NULL))
		746	audit_count_session_open();
		747	#endif
		748
741	/* Enter interactive session. */	749	/* Enter interactive session. */
742	s->ptymaster = ptymaster;	750	s->ptymaster = ptymaster;
743	packet_set_interactive(1,	751	packet_set_interactive(1,
Lines 809-823 do_exec(Session s, const char command) Link Here
809	}	817	}
810		818
811	#ifdef SSH_AUDIT_EVENTS	819	#ifdef SSH_AUDIT_EVENTS
		820	if (s->command != NULL \|\| s->command_handle != -1)
		821	fatal("do_exec: command already set");
812	if (command != NULL)	822	if (command != NULL)
813	PRIVSEP(audit_run_command(command));	823	s->command = xstrdup(command);
814	else if (s->ttyfd == -1) {	824	else if (s->ttyfd == -1) {
815	char *shell = s->pw->pw_shell;	825	char *shell = s->pw->pw_shell;
816		826
817	if (shell[0] == '\0') /* empty shell means /bin/sh */	827	if (shell[0] == '\0') /* empty shell means /bin/sh */
818	shell =_PATH_BSHELL;	828	shell =_PATH_BSHELL;
819	PRIVSEP(audit_run_command(shell));	829	s->command = xstrdup(shell);
820	}	830	}
		831	if (s->command != NULL)
		832	s->command_handle = PRIVSEP(audit_run_command(s->command));
821	#endif	833	#endif
822	if (s->ttyfd != -1)	834	if (s->ttyfd != -1)
823	ret = do_exec_pty(s, command);	835	ret = do_exec_pty(s, command);
Lines 1841-1846 session_unused(int id) Link Here
1841	sessions[id].ttyfd = -1;	1853	sessions[id].ttyfd = -1;
1842	sessions[id].ptymaster = -1;	1854	sessions[id].ptymaster = -1;
1843	sessions[id].x11_chanids = NULL;	1855	sessions[id].x11_chanids = NULL;
		1856	sessions[id].command_handle = -1;
1844	sessions[id].next_unused = sessions_first_unused;	1857	sessions[id].next_unused = sessions_first_unused;
1845	sessions_first_unused = id;	1858	sessions_first_unused = id;
1846	}	1859	}
Lines 1923-1928 session_open(Authctxt *authctxt, int cha Link Here
1923	}	1936	}
1924		1937
1925	Session *	1938	Session *
		1939	session_by_id(int id)
		1940	{
		1941	if (id >= 0 && id < sessions_nalloc) {
		1942	Session *s = &sessions[id];
		1943	if (s->used)
		1944	return s;
		1945	}
		1946	debug("session_by_id: unknown id %d", id);
		1947	session_dump();
		1948	return NULL;
		1949	}
		1950
		1951	Session *
1926	session_by_tty(char *tty)	1952	session_by_tty(char *tty)
1927	{	1953	{
1928	int i;	1954	int i;
Lines 2448-2453 session_exit_message(Session *s, int sta Link Here
2448	chan_write_failed(c);	2474	chan_write_failed(c);
2449	}	2475	}
2450		2476
		2477	#ifdef SSH_AUDIT_EVENTS
		2478	void
		2479	session_end_command2(Session *s)
		2480	{
		2481	if (s->command != NULL) {
		2482	audit_end_command(s->command_handle, s->command);
		2483	xfree(s->command);
		2484	s->command = NULL;
		2485	s->command_handle = -1;
		2486	}
		2487	}
		2488
		2489	static void
		2490	session_end_command(Session *s)
		2491	{
		2492	if (s->command != NULL) {
		2493	PRIVSEP(audit_end_command(s->command_handle, s->command));
		2494	xfree(s->command);
		2495	s->command = NULL;
		2496	s->command_handle = -1;
		2497	}
		2498	}
		2499	#endif
		2500
2451	void	2501	void
2452	session_close(Session *s)	2502	session_close(Session *s)
2453	{	2503	{
Lines 2456-2461 session_close(Session *s) Link Here
2456	debug("session_close: session %d pid %ld", s->self, (long)s->pid);	2506	debug("session_close: session %d pid %ld", s->self, (long)s->pid);
2457	if (s->ttyfd != -1)	2507	if (s->ttyfd != -1)
2458	session_pty_cleanup(s);	2508	session_pty_cleanup(s);
		2509	#ifdef SSH_AUDIT_EVENTS
		2510	if (s->command)
		2511	session_end_command(s);
		2512	#endif
2459	if (s->term)	2513	if (s->term)
2460	xfree(s->term);	2514	xfree(s->term);
2461	if (s->display)	2515	if (s->display)
Lines 2675-2680 do_authenticated2(Authctxt *authctxt) Link Here
2675	server_loop2(authctxt);	2729	server_loop2(authctxt);
2676	}	2730	}
2677		2731
		2732	static void
		2733	do_cleanup_one_session(Session *s)
		2734	{
		2735	session_pty_cleanup2(s);
		2736	#ifdef SSH_AUDIT_EVENTS
		2737	session_end_command2(s);
		2738	#endif
		2739	}
		2740
2678	void	2741	void
2679	do_cleanup(Authctxt *authctxt)	2742	do_cleanup(Authctxt *authctxt)
2680	{	2743	{
Lines 2723-2727 do_cleanup(Authctxt *authctxt) Link Here
2723	* or if running in monitor.	2786	* or if running in monitor.
2724	*/	2787	*/
2725	if (!use_privsep \|\| mm_is_monitor())	2788	if (!use_privsep \|\| mm_is_monitor())
2726	session_destroy_all(session_pty_cleanup2);	2789	session_destroy_all(do_cleanup_one_session);
2727	}	2790	}

Lines 60-65 struct Session { Link Here

(-)openssh-5.8p1/session.h.audit1 (+8 lines)
60	char *name;	60	char *name;
61	char *val;	61	char *val;
62	} *env;	62	} *env;
		63
		64	/* exec */
		65	#ifdef SSH_AUDIT_EVENTS
		66	int command_handle;
		67	char *command;
		68	#endif
63	};	69	};
64		70
65	void do_authenticated(Authctxt *);	71	void do_authenticated(Authctxt *);
Lines 72-79 void session_close_by_pid(pid_t, int); Link Here
72	void session_close_by_channel(int, void *);	78	void session_close_by_channel(int, void *);
73	void session_destroy_all(void ()(Session ));	79	void session_destroy_all(void ()(Session ));
74	void session_pty_cleanup2(Session *);	80	void session_pty_cleanup2(Session *);
		81	void session_end_command2(Session *);
75		82
76	Session *session_new(void);	83	Session *session_new(void);
		84	Session *session_by_id(int);
77	Session session_by_tty(char );	85	Session session_by_tty(char );
78	void session_close(Session *);	86	void session_close(Session *);
79	void do_setusercontext(struct passwd *);	87	void do_setusercontext(struct passwd *);

Lines 2342-2348 cleanup_exit(int i) Link Here

(-)openssh-5.8p1/sshd.c.audit1 (-1 / +2 lines)
2342	do_cleanup(the_authctxt);	2342	do_cleanup(the_authctxt);
2343	#ifdef SSH_AUDIT_EVENTS	2343	#ifdef SSH_AUDIT_EVENTS
2344	/* done after do_cleanup so it can cancel the PAM auth 'thread' */	2344	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
2345	if (!use_privsep \|\| mm_is_monitor())	2345	if ((the_authctxt == NULL \|\| !the_authctxt->authenticated) &&
		2346	(!use_privsep \|\| mm_is_monitor()))
2346	audit_event(SSH_CONNECTION_ABANDON);	2347	audit_event(SSH_CONNECTION_ABANDON);
2347	#endif	2348	#endif
2348	_exit(i);	2349	_exit(i);

Return to bug 1402

Lines 298-307 audit_connection_from(const char *host, Link Here

(-)openssh-5.8p1/audit-bsm.c.audit1 (-1 / +14 lines)
298	#endif	298	#endif
299	}	299	}
300		300
301	void	301	int
302	audit_run_command(const char *command)	302	audit_run_command(const char *command)
303	{	303	{
304	/* not implemented */	304	/* not implemented */
		305	return 0;
		306	}
		307
		308	void
		309	audit_end_command(int handle, const char *command)
		310	{
		311	/* not implemented */
		312	}
		313
		314	void
		315	audit_count_session_open(void)
		316	{
		317	/* not necessary */
305	}	318	}
306		319
307	void	320	void

Lines 177-182 int mm_answer_gss_checkmic(int, Buffer * Link Here

(-)openssh-5.8p1/monitor.c.audit1 (-1 / +43 lines)
177	#ifdef SSH_AUDIT_EVENTS	177	#ifdef SSH_AUDIT_EVENTS
178	int mm_answer_audit_event(int, Buffer *);	178	int mm_answer_audit_event(int, Buffer *);
179	int mm_answer_audit_command(int, Buffer *);	179	int mm_answer_audit_command(int, Buffer *);
		180	int mm_answer_audit_end_command(int, Buffer *);
180	#endif	181	#endif
181		182
182	static Authctxt *authctxt;	183	static Authctxt *authctxt;
Lines 261-266 struct mon_table mon_dispatch_postauth20 Link Here
261	#ifdef SSH_AUDIT_EVENTS	262	#ifdef SSH_AUDIT_EVENTS
262	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	263	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
263	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},	264	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
		265	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
264	#endif	266	#endif
265	{0, 0, NULL}	267	{0, 0, NULL}
266	};	268	};
Lines 303-308 struct mon_table mon_dispatch_postauth15 Link Here
303	#ifdef SSH_AUDIT_EVENTS	305	#ifdef SSH_AUDIT_EVENTS
304	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	306	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
305	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},	307	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},
		308	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
306	#endif	309	#endif
307	{0, 0, NULL}	310	{0, 0, NULL}
308	};	311	};
Lines 1288-1293 mm_session_close(Session *s) Link Here
1288	debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);	1291	debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
1289	session_pty_cleanup2(s);	1292	session_pty_cleanup2(s);
1290	}	1293	}
		1294	#ifdef SSH_AUDIT_EVENTS
		1295	if (s->command != NULL) {
		1296	debug3("%s: command %d", __func__, s->command_handle);
		1297	session_end_command2(s);
		1298	}
		1299	#endif
1291	session_unused(s->self);	1300	session_unused(s->self);
1292	}	1301	}
1293		1302
Lines 1610-1620 mm_answer_audit_command(int socket, Buff Link Here
1610	{	1619	{
1611	u_int len;	1620	u_int len;
1612	char *cmd;	1621	char *cmd;
		1622	Session *s;
1613		1623
1614	debug3("%s entering", __func__);	1624	debug3("%s entering", __func__);
1615	cmd = buffer_get_string(m, &len);	1625	cmd = buffer_get_string(m, &len);
		1626
1616	/* sanity check command, if so how? */	1627	/* sanity check command, if so how? */
1617	audit_run_command(cmd);	1628	s = session_new();
		1629	if (s == NULL)
		1630	fatal("%s: error allocating a session", __func__);
		1631	s->command = cmd;
		1632	s->command_handle = audit_run_command(cmd);
		1633
		1634	buffer_clear(m);
		1635	buffer_put_int(m, s->self);
		1636
		1637	mm_request_send(socket, MONITOR_ANS_AUDIT_COMMAND, m);
		1638
		1639	return (0);
		1640	}
		1641
		1642	int
		1643	mm_answer_audit_end_command(int socket, Buffer *m)
		1644	{
		1645	int handle;
		1646	u_int len;
		1647	char *cmd;
		1648	Session *s;
		1649
		1650	debug3("%s entering", __func__);
		1651	handle = buffer_get_int(m);
		1652	cmd = buffer_get_string(m, &len);
		1653
		1654	s = session_by_id(handle);
		1655	if (s == NULL \|\| s->ttyfd != -1 \|\| s->command == NULL \|\|
		1656	strcmp(s->command, cmd) != 0)
		1657	fatal("%s: invalid handle", __func__);
		1658	mm_session_close(s);
		1659
1618	xfree(cmd);	1660	xfree(cmd);
1619	return (0);	1661	return (0);
1620	}	1662	}

Lines 1150-1159 mm_audit_event(ssh_audit_event_t event) Link Here

(-)openssh-5.8p1/monitor_wrap.c.audit1 (-1 / +22 lines)
1150	buffer_free(&m);	1150	buffer_free(&m);
1151	}	1151	}
1152		1152
1153	void	1153	int
1154	mm_audit_run_command(const char *command)	1154	mm_audit_run_command(const char *command)
1155	{	1155	{
1156	Buffer m;	1156	Buffer m;
		1157	int handle;
1157		1158
1158	debug3("%s entering command %s", __func__, command);	1159	debug3("%s entering command %s", __func__, command);
1159		1160
Lines 1161-1166 mm_audit_run_command(const char *command Link Here
1161	buffer_put_cstring(&m, command);	1162	buffer_put_cstring(&m, command);
1162		1163
1163	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);	1164	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
		1165	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, &m);
		1166
		1167	handle = buffer_get_int(&m);
		1168	buffer_free(&m);
		1169
		1170	return (handle);
		1171	}
		1172
		1173	void
		1174	mm_audit_end_command(int handle, const char *command)
		1175	{
		1176	Buffer m;
		1177
		1178	debug3("%s entering command %s", __func__, command);
		1179
		1180	buffer_init(&m);
		1181	buffer_put_int(&m, handle);
		1182	buffer_put_cstring(&m, command);
		1183
		1184	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
1164	buffer_free(&m);	1185	buffer_free(&m);
1165	}	1186	}
1166	#endif /* SSH_AUDIT_EVENTS */	1187	#endif /* SSH_AUDIT_EVENTS */

Lines 140-145 audit_event(ssh_audit_event_t event) Link Here

(-)openssh-5.8p1/audit.c.audit1 (-2 / +29 lines)
140	}	140	}
141		141
142	/*	142	/*
		143	* Called when a child process has called, or will soon call,
		144	* audit_session_open.
		145	*/
		146	void
		147	audit_count_session_open(void)
		148	{
		149	debug("audit count session open euid %d user %s", geteuid(),
		150	audit_username());
		151	}
		152
		153	/*
143	* Called when a user session is started. Argument is the tty allocated to	154	* Called when a user session is started. Argument is the tty allocated to
144	* the session, or NULL if no tty was allocated.	155	* the session, or NULL if no tty was allocated.
145	*	156	*
Lines 174-186 audit_session_close(struct logininfo *li Link Here
174	/*	185	/*
175	* This will be called when a user runs a non-interactive command. Note that	186	* This will be called when a user runs a non-interactive command. Note that
176	* it may be called multiple times for a single connection since SSH2 allows	187	* it may be called multiple times for a single connection since SSH2 allows
177	* multiple sessions within a single connection.	188	* multiple sessions within a single connection. Returns a "handle" for
		189	* audit_end_command.
178	*/	190	*/
179	void	191	int
180	audit_run_command(const char *command)	192	audit_run_command(const char *command)
181	{	193	{
182	debug("audit run command euid %d user %s command '%.200s'", geteuid(),	194	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
183	audit_username(), command);	195	audit_username(), command);
		196	return 0;
		197	}
		198
		199	/*
		200	* This will be called when the non-interactive command finishes. Note that
		201	* it may be called multiple times for a single connection since SSH2 allows
		202	* multiple sessions within a single connection. "handle" should come from
		203	* the corresponding audit_run_command.
		204	*/
		205	void
		206	audit_end_command(int handle, const char *command)
		207	{
		208	debug("audit end nopty exec euid %d user %s command '%.200s'", geteuid(),
		209	audit_username(), command);
184	}	210	}
		211
185	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */	212	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
186	#endif /* SSH_AUDIT_EVENTS */	213	#endif /* SSH_AUDIT_EVENTS */