Bugzilla – Attachment 799 Details for
Bug 974
Record Badlogins for all supported Authentication methods
btmp logging: normalise mapped 4in6 addresses too.
openssh-btmp.patch (text/plain), 7.21 KB, created by
Darren Tucker
on 2005-02-02 17:48:08 AEDT
Description:
btmp logging: normalise mapped 4in6 addresses too.
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2005-02-02 17:48:08 AEDT
Size:
7.21 KB
patch
obsolete
>Index: auth.c
>===================================================================
>RCS file: /var/cvs/openssh/auth.c,v
>retrieving revision 1.91
>diff -u -p -r1.91 auth.c
>--- auth.c 2 Feb 2005 06:10:11 -0000 1.91
>+++ auth.c 2 Feb 2005 06:45:55 -0000
>@@ -244,7 +244,9 @@ auth_log(Authctxt *authctxt, int authent
> info);
> 
> #ifdef CUSTOM_FAILED_LOGIN
>- if (authenticated == 0 && strcmp(method, "password") == 0)
>+ if (authenticated == 0 && !authctxt->postponed &&
>+ (strcmp(method, "password") == 0 ||
>+ strncmp(method, "keyboard-interactive", 20) == 0))
> record_failed_login(authctxt->user,
> get_canonical_hostname(options.use_dns), "ssh");
> #endif
>Index: canohost.c
>===================================================================
>RCS file: /var/cvs/openssh/canohost.c,v
>retrieving revision 1.45
>diff -u -p -r1.45 canohost.c
>--- canohost.c 21 Jul 2004 11:53:34 -0000 1.45
>+++ canohost.c 2 Feb 2005 06:45:55 -0000
>@@ -20,7 +20,6 @@ RCSID("$OpenBSD: canohost.c,v 1.41 2004/
> #include "canohost.h"
> 
> static void check_ip_options(int, char *);
>-static void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
> 
> /*
> * Return the canonical name of the host at the other end of the socket. The
>@@ -166,7 +165,7 @@ check_ip_options(int sock, char *ipaddr)
> #endif /* IP_OPTIONS */
> }
> 
>-static void
>+void
> ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
> {
> struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr;
>Index: canohost.h
>===================================================================
>RCS file: /var/cvs/openssh/canohost.h,v
>retrieving revision 1.8
>diff -u -p -r1.8 canohost.h
>--- canohost.h 4 Jul 2001 04:46:57 -0000 1.8
>+++ canohost.h 2 Feb 2005 06:45:55 -0000
>@@ -23,3 +23,5 @@ char *get_local_name(int);
> 
> int get_remote_port(void);
> int get_local_port(void);
>+
>+void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
>Index: configure.ac
>===================================================================
>RCS file: /var/cvs/openssh/configure.ac,v
>retrieving revision 1.236
>diff -u -p -r1.236 configure.ac
>--- configure.ac 1 Feb 2005 23:44:00 -0000 1.236
>+++ configure.ac 2 Feb 2005 06:45:57 -0000
>@@ -219,6 +219,7 @@ main() { if (NSVersionOfRunTimeLibrary("
> AC_DEFINE(DISABLE_UTMP)
> AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> AC_DEFINE(SPT_TYPE,SPT_PSTAT)
>+ AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
> check_for_hpux_broken_getaddrinfo=1
> check_for_conflicting_getspnam=1
> LIBS="$LIBS -lsec"
>@@ -256,6 +257,8 @@ main() { if (NSVersionOfRunTimeLibrary("
> AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
> AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
> AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM)
>+ AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts])
>+ AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
> inet6_default_4in6=yes
> case `uname -r` in
> 1.*|2.0.*)
>Index: defines.h
>===================================================================
>RCS file: /var/cvs/openssh/defines.h,v
>retrieving revision 1.117
>diff -u -p -r1.117 defines.h
>--- defines.h 22 Jun 2004 03:27:16 -0000 1.117
>+++ defines.h 2 Feb 2005 06:45:57 -0000
>@@ -644,6 +644,15 @@ struct winsize {
> # define CUSTOM_SYS_AUTH_PASSWD 1
> #endif
> 
>+/* HP-UX 11.11 */
>+#ifdef BTMP_FILE
>+# define _PATH_BTMP BTMP_FILE
>+#endif
>+
>+#if defined(USE_BTMP) && defined(_PATH_BTMP)
>+# define CUSTOM_FAILED_LOGIN
>+#endif
>+
> /** end of login recorder definitions */
> 
> #endif /* _DEFINES_H */
>Index: loginrec.c
>===================================================================
>RCS file: /var/cvs/openssh/loginrec.c,v
>retrieving revision 1.62
>diff -u -p -r1.62 loginrec.c
>--- loginrec.c 12 Sep 2004 05:26:01 -0000 1.62
>+++ loginrec.c 2 Feb 2005 06:45:58 -0000
>@@ -25,6 +25,27 @@
> * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> */
> 
>+/*
>+ * The btmp logging code is derived from login.c from util-linux and is under
>+ * the the following license:
>+ *
>+ * Copyright (c) 1980, 1987, 1988 The Regents of the University of California.
>+ * All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms are permitted
>+ * provided that the above copyright notice and this paragraph are
>+ * duplicated in all such forms and that any documentation,
>+ * advertising materials, and other materials related to such
>+ * distribution and use acknowledge that the software was developed
>+ * by the University of California, Berkeley. The name of the
>+ * University may not be used to endorse or promote products derived
>+ * from this software without specific prior written permission.
>+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
>+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
>+ */
>+
>+
> /**
> ** loginrec.c: platform-independent login recording and lastlog retrieval
> **/
>@@ -131,6 +152,8 @@
> #include "loginrec.h"
> #include "log.h"
> #include "atomicio.h"
>+#include "packet.h"
>+#include "canohost.h"
> 
> #ifdef HAVE_UTIL_H
> # include <util.h>
>@@ -1563,3 +1586,82 @@ lastlog_get_entry(struct logininfo *li)
> return (0);
> }
> #endif /* USE_LASTLOG */
>+
>+#ifdef USE_BTMP
>+ /*
>+ * Logs failed login attempts in _PATH_BTMP if that exists.
>+ * The most common login failure is to give password instead of username.
>+ * So the _PATH_BTMP file checked for the correct permission, so that
>+ * only root can read it.
>+ */
>+
>+void
>+record_failed_login(const char *username, const char *hostname,
>+ const char *ttyn)
>+{
>+ int fd;
>+ struct utmp ut;
>+ struct sockaddr_storage from;
>+ size_t fromlen = sizeof(from);
>+ struct sockaddr_in *a4;
>+ struct sockaddr_in6 *a6;
>+ time_t t;
>+ struct stat fst;
>+
>+ if (geteuid() != 0)
>+ return;
>+ if ((fd = open(_PATH_BTMP, O_WRONLY | O_APPEND)) < 0) {
>+ debug("Unable to open the btmp file %s: %s", _PATH_BTMP,
>+ strerror(errno));
>+ return;
>+ }
>+ if (fstat(fd, &fst) < 0) {
>+ logit("%s: fstat of %s failed: %s", __func__, _PATH_BTMP,
>+ strerror(errno));
>+ goto out;
>+ }
>+ if((fst.st_mode & (S_IRWXG | S_IRWXO)) || (fst.st_uid != 0)){
>+ logit("Excess permission or bad ownership on file %s",
>+ _PATH_BTMP);
>+ goto out;
>+ }
>+
>+ memset(&ut, 0, sizeof(ut));
>+ /* strncpy because we don't necessarily want nul termination */
>+ strncpy(ut.ut_user, username, sizeof(ut.ut_user));
>+ strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
>+
>+ time(&t);
>+ ut.ut_time = t; /* ut_time is not always a time_t */
>+ ut.ut_type = LOGIN_PROCESS;
>+ ut.ut_pid = getpid();
>+
>+ /* strncpy because we don't necessarily want nul termination */
>+ strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
>+
>+ if (packet_connection_is_on_socket() &&
>+ getpeername(packet_get_connection_in(),
>+ (struct sockaddr *)&from, &fromlen) == 0) {
>+ ipv64_normalise_mapped(&from, &fromlen);
>+ if (from.ss_family == AF_INET) {
>+ a4 = (struct sockaddr_in *)&from;
>+ memcpy(&ut.ut_addr, &(a4->sin_addr),
>+ MIN_SIZEOF(ut.ut_addr, a4->sin_addr));
>+ }
>+#ifdef HAVE_ADDR_V6_IN_UTMP
>+ if (from.ss_family == AF_INET6) {
>+ a6 = (struct sockaddr_in6 *)&from;
>+ memcpy(&ut.ut_addr_v6, &(a6->sin6_addr),
>+ MIN_SIZEOF(ut.ut_addr_v6, a6->sin6_addr));
>+ }
>+#endif
>+ }
>+
>+ if (atomicio(vwrite, fd, &ut, sizeof(ut)) != sizeof(ut))
>+ error("Failed to write to %s: %s", _PATH_BTMP,
>+ strerror(errno));
>+
>+out:
>+ close(fd);
>+}
>+#endif /* USE_BTMP */
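Review bot: The `20` in `strncmp(method, "keyboard-interactive", 20)` is a hand-counted copy of the literal's length and will silently drift if the string is ever edited; write it as `sizeof("keyboard-interactive") - 1` or a named constant. The prefix match is presumably deliberate so that device-qualified names such as `keyboard-interactive/pam` are also recorded, and that intent deserves a one-line comment, e.g. `/* prefix match: also covers "keyboard-interactive/<device>" */`. The added `!authctxt->postponed` guard looks intended to skip the intermediate rounds of a multi-step method that has not actually failed yet; a short comment stating that would stop a later reader from removing it. Note that `authctxt->user` and the reverse-DNS hostname are written verbatim into a root-only file, so the permission check in `record_failed_login()` is what keeps untrusted names out of unprivileged hands. `auth_log` begins before this hunk.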
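Review bot: `# define _PATH_BTMP BTMP_FILE` is unconditional inside `#ifdef BTMP_FILE`, so on a platform whose system headers or generated config.h already provide `_PATH_BTMP` the macro is redefined, which is a warning or a hard error depending on the compiler. Guard it with `#if defined(BTMP_FILE) && !defined(_PATH_BTMP)`. A one-line comment on `CUSTOM_FAILED_LOGIN` saying that it enables the `record_failed_login()` call under `#ifdef CUSTOM_FAILED_LOGIN` in auth.c would make the coupling between the two files visible to the next maintainer.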
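Review bot: `fromlen` is declared `size_t` but its address is passed to `getpeername()` and to `ipv64_normalise_mapped()`, both of which take `socklen_t *`; on LP64 targets the two types differ in width, so the callee updates only part of the variable (the wrong half on big-endian 64-bit hosts) and the compiler warns about the incompatible pointer type — change it to `socklen_t fromlen = sizeof(from);`. The `ttyn` parameter is accepted but never used, since `ut_line` is always `"ssh:notty"`; either pass `ttyn` through or drop the parameter so the caller in auth.c is not led to believe it matters. The ownership/mode check opens the file first and validates via `fstat()`, which avoids a TOCTOU race, but it does not require `S_ISREG(fst.st_mode)`, so a non-regular object at `_PATH_BTMP` would be written to (and an `O_WRONLY` open on a FIFO could block the privileged process); adding that test is cheap. Be aware that rejecting any group bits means a system that ships btmp as mode 0660 with a dedicated group will log "Excess permission" and record nothing — if that layout is meant to be supported, relax the check to `S_IRWXO` only and document it.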
Flags:
djm
:
ok+