|
Line
Link Here
|
| 0 |
-- Orginal/openssh/auth.c 2004-08-12 18:10:25.000000000 +0530 |
0 |
++ Patched/openssh/auth.c 2005-01-24 11:37:20.402341928 +0530 |
|
Lines 50-55
Link Here
|
| 50 |
#include "misc.h" |
50 |
#include "misc.h" |
| 51 |
#include "bufaux.h" |
51 |
#include "bufaux.h" |
| 52 |
#include "packet.h" |
52 |
#include "packet.h" |
|
|
53 |
#include "monitor_wrap.h" |
| 53 |
/* import */ |
54 |
/* import */ |
| 54 |
extern ServerOptions options; |
55 |
extern ServerOptions options; |
|
Lines 229-234
Link Here
|
| 229 |
authmsg = "Postponed"; |
230 |
authmsg = "Postponed"; |
| 230 |
else |
231 |
else |
| 231 |
authmsg = authenticated ? "Accepted" : "Failed"; |
232 |
authmsg = authenticated ? "Accepted" : "Failed"; |
|
|
233 |
if (!authenticated && !authctxt->postponed && strcmp(method, "none")) { |
| 234 |
debug("Entering log_btmp uid %d ", getuid()); |
| 235 |
if((!strcmp(method, "gssapi-with-mic") || !strcmp(method, "publickey") || !strcmp(method, "hostbased"))) |
| 236 |
PRIVSEP(log_btmp(authctxt->user,get_canonical_hostname(options.use_dns))); |
| 237 |
else if ( getuid()==0) |
| 238 |
log_btmp(authctxt->user,get_canonical_hostname(options.use_dns)); |
| 239 |
} |
| 232 |
authlog("%s %s for %s%.100s from %.200s port %d%s", |
240 |
authlog("%s %s for %s%.100s from %.200s port %d%s", |
| 233 |
authmsg, |
241 |
authmsg, |
| 234 |
-- Orginal/openssh/loginrec.c 2004-09-12 10:56:01.000000000 +0530 |
242 |
++ Patched/openssh/loginrec.c 2005-01-24 11:38:45.582392592 +0530 |
|
Lines 124-129
Link Here
|
| 124 |
* Otherwise, patches to the specific method(s) are very helpful! |
124 |
* Otherwise, patches to the specific method(s) are very helpful! |
| 125 |
*/ |
125 |
*/ |
|
|
126 |
/* |
| 127 |
* Copyright (c) 1980, 1987, 1988 The Regents of the University of California. |
| 128 |
* All rights reserved. |
| 129 |
* |
| 130 |
* Redistribution and use in source and binary forms are permitted |
| 131 |
* provided that the above copyright notice and this paragraph are |
| 132 |
* duplicated in all such forms and that any documentation, |
| 133 |
* advertising materials, and other materials related to such |
| 134 |
* distribution and use acknowledge that the software was developed |
| 135 |
* by the University of California, Berkeley. The name of the |
| 136 |
* University may not be used to endorse or promote products derived |
| 137 |
* from this software without specific prior written permission. |
| 138 |
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR |
| 139 |
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED |
| 140 |
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. |
| 141 |
*/ |
| 142 |
|
| 143 |
|
| 144 |
|
| 126 |
#include "includes.h" |
145 |
#include "includes.h" |
| 127 |
#include "ssh.h" |
146 |
#include "ssh.h" |
|
Lines 1563-1565
Link Here
|
| 1563 |
return (0); |
1582 |
return (0); |
| 1564 |
} |
1583 |
} |
| 1565 |
#endif /* USE_LASTLOG */ |
1584 |
#endif /* USE_LASTLOG */ |
| 1566 |
-- Orginal/openssh/monitor.h 2003-11-17 16:48:22.000000000 +0530 |
1585 |
|
|
|
1586 |
/* |
| 1587 |
* Logs failed login attempts in _PATH_BTMP if that exists. |
| 1588 |
* The most common login failure is to give password instead of username. |
| 1589 |
* So the _PATH_BTMP file checked for the correct permission, so that |
| 1590 |
* only root can read it. |
| 1591 |
*/ |
| 1592 |
|
| 1593 |
#define _PATH_BTMP "/var/adm/btmp" |
| 1594 |
void |
| 1595 |
log_btmp(const char *username, const char *hostname) |
| 1596 |
{ |
| 1597 |
int fd, n; |
| 1598 |
struct utmp ut; |
| 1599 |
time_t t; |
| 1600 |
struct stat fst; |
| 1601 |
|
| 1602 |
memset(&ut, 0, sizeof(ut)); |
| 1603 |
strncpy(ut.ut_user, username, sizeof(ut.ut_user)); |
| 1604 |
strcpy(ut.ut_line,"ssh:notty"); |
| 1605 |
|
| 1606 |
time(&t); |
| 1607 |
ut.ut_time = t; /* ut_time is not always a time_t */ |
| 1608 |
|
| 1609 |
ut.ut_type = LOGIN_PROCESS; |
| 1610 |
ut.ut_pid = getpid(); |
| 1611 |
if (stat(_PATH_BTMP,&fst) == -1){ |
| 1612 |
log("btmp file %s does not exist\n",_PATH_BTMP); |
| 1613 |
return; |
| 1614 |
} |
| 1615 |
|
| 1616 |
if((fst.st_mode & (S_IRWXG | S_IRWXO))||(fst.st_uid != 0)){ |
| 1617 |
log("Excess permission or bad ownership on file %s\n",_PATH_BTMP); |
| 1618 |
return; |
| 1619 |
} |
| 1620 |
if (hostname) { |
| 1621 |
struct hostent *he; |
| 1622 |
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host)); |
| 1623 |
if ((he = gethostbyname(hostname))) |
| 1624 |
memcpy(&ut.ut_addr, he->h_addr_list[0], sizeof(ut.ut_addr)); |
| 1625 |
} |
| 1626 |
|
| 1627 |
fd = open(_PATH_BTMP, O_WRONLY | O_APPEND); |
| 1628 |
if (fd == -1) { |
| 1629 |
log("Unable to open the btmp file %s\n",_PATH_BTMP); |
| 1630 |
return; |
| 1631 |
} |
| 1632 |
n = atomicio(vwrite,fd, &ut, sizeof(ut)); |
| 1633 |
close(fd); |
| 1634 |
|
| 1635 |
} |
| 1636 |
|
|
|
1637 |
++ Patched/openssh/monitor.h 2005-01-24 11:37:55.067072088 +0530 |
|
Lines 59-65
Link Here
|
| 59 |
MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, |
59 |
MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, |
| 60 |
MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, |
60 |
MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, |
| 61 |
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, |
61 |
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, |
| 62 |
MONITOR_REQ_TERM |
62 |
MONITOR_REQ_TERM, |
|
|
63 |
MONITOR_REQ_BADLOGIN |
| 63 |
}; |
64 |
}; |
| 64 |
struct mm_master; |
65 |
struct mm_master; |
| 65 |
-- Orginal/openssh/monitor.c 2004-09-11 18:37:03.000000000 +0530 |
66 |
++ Patched/openssh/monitor.c 2005-01-25 15:05:33.154358456 +0530 |
|
Lines 126-131
Link Here
|
| 126 |
int mm_answer_rsa_response(int, Buffer *); |
126 |
int mm_answer_rsa_response(int, Buffer *); |
| 127 |
int mm_answer_sesskey(int, Buffer *); |
127 |
int mm_answer_sesskey(int, Buffer *); |
| 128 |
int mm_answer_sessid(int, Buffer *); |
128 |
int mm_answer_sessid(int, Buffer *); |
|
|
129 |
int mm_answer_log_btmp(); |
| 129 |
#ifdef USE_PAM |
130 |
#ifdef USE_PAM |
| 130 |
int mm_answer_pam_start(int, Buffer *); |
131 |
int mm_answer_pam_start(int, Buffer *); |
|
Lines 202-207
Link Here
|
| 202 |
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
203 |
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
| 203 |
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
204 |
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
| 204 |
#endif |
205 |
#endif |
|
|
206 |
{MONITOR_REQ_BADLOGIN, MON_ISAUTH, mm_answer_log_btmp}, |
| 205 |
{0, 0, NULL} |
207 |
{0, 0, NULL} |
| 206 |
}; |
208 |
}; |
|
Lines 239-244
Link Here
|
| 239 |
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, |
241 |
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, |
| 240 |
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, |
242 |
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, |
| 241 |
#endif |
243 |
#endif |
|
|
244 |
{MONITOR_REQ_BADLOGIN , MON_ISAUTH , mm_answer_log_btmp}, |
| 242 |
{0, 0, NULL} |
245 |
{0, 0, NULL} |
| 243 |
}; |
246 |
}; |
|
Lines 378-383
Link Here
|
| 378 |
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
381 |
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
| 379 |
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); |
382 |
monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); |
| 380 |
} |
383 |
} |
|
|
384 |
monitor_permit(mon_dispatch, MONITOR_REQ_BADLOGIN, 1); |
| 381 |
for (;;) |
385 |
for (;;) |
| 382 |
monitor_read(pmonitor, mon_dispatch, NULL); |
386 |
monitor_read(pmonitor, mon_dispatch, NULL); |
|
Lines 1850-1852
Link Here
|
| 1850 |
return (authenticated); |
1854 |
return (authenticated); |
| 1851 |
} |
1855 |
} |
| 1852 |
#endif /* GSSAPI */ |
1856 |
#endif /* GSSAPI */ |
| 1853 |
-- Orginal/openssh/monitor_wrap.c 2004-09-11 18:37:03.000000000 +0530 |
1857 |
|
|
|
1858 |
/* RECORD_BADLOGINS |
| 1859 |
* Receive a "bad login request" from the unpriviledged |
| 1860 |
* process. The priviledged process will receive the user |
| 1861 |
* and the hostname. Record the bad login attempt. |
| 1862 |
*/ |
| 1863 |
int |
| 1864 |
mm_answer_log_btmp(int socket, Buffer *m) |
| 1865 |
{ |
| 1866 |
debug("#### Priviledged process: received user %s host %s",authctxt->user,get_canonical_hostname(options.use_dns)); |
| 1867 |
log_btmp(authctxt->user,get_canonical_hostname(options.use_dns)); |
| 1868 |
} |
| 1869 |
|
| 1870 |
|
|
|
1871 |
++ Patched/openssh/monitor_wrap.c 2005-01-24 11:38:17.255698904 +0530 |
|
Lines 1188-1190
Link Here
|
| 1188 |
return (authenticated); |
1188 |
return (authenticated); |
| 1189 |
} |
1189 |
} |
| 1190 |
#endif /* GSSAPI */ |
1190 |
#endif /* GSSAPI */ |
| 1191 |
-- Orginal/openssh/monitor_wrap.h 2004-06-22 08:26:02.000000000 +0530 |
1191 |
|
|
|
1192 |
/* BADLOGINS FIX |
| 1193 |
* Only the priviledged process can update the /var/adm/btmp. |
| 1194 |
* Send user and hostname name to the priviledged process. |
| 1195 |
*/ |
| 1196 |
|
| 1197 |
int |
| 1198 |
mm_log_btmp(const char *username, const char *hostname) |
| 1199 |
{ |
| 1200 |
Buffer m; |
| 1201 |
buffer_init(&m); |
| 1202 |
|
| 1203 |
buffer_put_string(&m, username,strlen(username)); |
| 1204 |
buffer_put_string(&m, hostname,strlen(hostname)); |
| 1205 |
|
| 1206 |
debug("Entering log_btmp uid %d by a priviledged process", getuid()); |
| 1207 |
|
| 1208 |
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BADLOGIN, &m); |
| 1209 |
|
| 1210 |
buffer_free(&m); |
| 1211 |
} |
|
|
1212 |
++ Patched/openssh/monitor_wrap.h 2005-01-24 11:38:04.584625200 +0530 |
|
Lines 106-108
Link Here
|
| 106 |
void mm_init_compression(struct mm_master *); |
106 |
void mm_init_compression(struct mm_master *); |
| 107 |
#endif /* _MM_H_ */ |
107 |
#endif /* _MM_H_ */ |
|
|
108 |
|
| 109 |
int mm_log_btmp(const char *username, const char *hostname); |