

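--- a/openssh-5.6p1/audit-bsm.c
+++ b/openssh-5.6p1/audit-bsm.c
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
 	/* not implemented */
 }
 
+int
+audit_keyusage(const char *type, unsigned len, char *fp)
+{
+	/* not implemented */
+}
+
 void
 audit_event(ssh_audit_event_t event)
 {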
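Review bot: The new audit_keyusage stub is declared `int` but contains no return statement, and both callers added by this patch (auth2-pubkey.c and auth-rsa.c) test `audit_keyusage(...) == 0` to decide whether to refuse the login, so on BSM builds the result is whatever happens to be in the return register — an authenticated user may be denied, or the intended "prevent login" check may never fire. The generic fallback in audit.c (the `!defined CUSTOM_SSH_AUDIT_EVENTS` path) has the identical gap. Both stubs should end with `return 1;	/* no key-usage auditing here: do not block the login */`, which matches the "No audit support in kernel" convention audit-linux.c uses for its own return 1. A `-Wreturn-type` build would have caught this.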
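--- a/openssh-5.6p1/audit.c
+++ b/openssh-5.6p1/audit.c
@@ -182,5 +182,17 @@ audit_run_command(const char *command)
 	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
 	    audit_username(), command);
 }
+
+/*
+ * This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
+ *
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
+ */
+int
+audit_keyusage(const char *type, unsigned len, char *fp)
+{
+	debug("audit key usage euid %d user %s key type %s key length %d fingerprint %s", geteuid(),
+	    audit_username(), type, len, fp);
+}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */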
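Review bot: The debug() call formats the `unsigned len` parameter with `%d`; the conversion should be `%u` so the format matches the argument type (the same mismatch is in audit-linux.c's snprintf, where `8 * len` is also unsigned). The header comment also reads as a draft — "autherized", "key length(byte)" — and since this is the only place the contract of the new API is written down, I would tighten it to ` * Called when a user has been successfully authorized by an RSA1/RSA/DSA key.` and ` * type is the key type, len is the key length in bytes and fp is the key fingerprint.`, and state the return convention (non-zero allows the login, 0 refuses it), because the callers rely on it. This fallback body, like the BSM one, is also missing its `return 1;`.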
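--- a/openssh-5.6p1/audit.h
+++ b/openssh-5.6p1/audit.h
@@ -53,5 +53,6 @@ void audit_session_open(struct logininfo
 void	audit_session_close(struct logininfo *);
 void	audit_run_command(const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
+int	audit_keyusage(const char *, unsigned, char *);
 
 #endif /* _SSH_AUDIT_H */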
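Review bot: The third parameter is declared as a writable `char *` although no implementation in this patch writes through it — the Linux, BSM and generic bodies only read the fingerprint for formatting. Declaring it `int	audit_keyusage(const char *, unsigned, const char *);` (and adjusting the three definitions to match) documents that the callee does not take ownership of or modify the buffer that the callers xfree() afterwards. A one-line comment above the prototype stating that a zero return must abort the authentication would also help, since that contract is currently only visible in the callers.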
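--- a/openssh-5.6p1/audit-linux.c
+++ b/openssh-5.6p1/audit-linux.c
@@ -37,6 +37,8 @@
 #include "audit.h"
 #include "canohost.h"
 
+#define AUDIT_LOG_SIZE 128
+
 const char* audit_username(void);
 
 int
@@ -62,6 +64,31 @@ linux_audit_record_event(int uid, const
 	return (rc >= 0);
 }
 
+int
+audit_keyusage(const char *type, unsigned len, char *fp)
+{
+	char buf[AUDIT_LOG_SIZE];
+	int audit_fd, rc, saved_errno;
+
+	snprintf(buf, sizeof(buf), "pubkey_auth algo=%s size=%d fp=%s rhost=%s rport=%d",
+			type, 8 * len, fp, get_remote_ipaddr(), get_remote_port());
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+					 errno == EAFNOSUPPORT)
+			return 1; /* No audit support in kernel */
+		else
+			return 0; /* Must prevent login */
+	}
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+		buf, audit_username(), -1, NULL, NULL, NULL, 1);
+	saved_errno = errno;
+	audit_close(audit_fd);
+	errno = saved_errno;
+	return (rc >= 0);
+}
+
 /* Below is the sshd audit API code */
 
 void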
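Review bot: The snprintf() into the 128-byte `buf` is not checked for truncation, and the message can exceed that: the fixed text, an algorithm name, a 47-character hex MD5 fingerprint, a 39-character IPv6 address and a five-digit port add up to well over 140 bytes, so for IPv6 peers the `rhost=`/`rport=` fields — the part of the record that attributes the key use to a source — are silently cut off while the record is still logged as a success. Capture the result, `int n = snprintf(buf, sizeof(buf), ...);`, and treat overflow the way the function already treats other audit failures, `if (n < 0 || (size_t)n >= sizeof(buf)) return 0; /* record would be truncated */`, or simply give AUDIT_LOG_SIZE headroom. While here, `8 * len` is unsigned and should be formatted with `%u`, and the `else` line carries a long run of trailing whitespace. Note that, unlike linux_audit_record_event above it, this call passes NULL for the host/addr fields and embeds the address only in the free-text op string, which tools filtering audit records by addr= will not see.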
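--- a/openssh-5.6p1/auth2-pubkey.c
+++ b/openssh-5.6p1/auth2-pubkey.c
@@ -177,6 +177,40 @@ done:
 	return authenticated;
 }
 
+int
+pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
+{
+#ifdef SSH_AUDIT_EVENTS
+	char *fp;
+	unsigned size = 0;
+	const char *crypto_name[] = {
+		"ssh-rsa1",
+		"ssh-rsa",
+		"ssh-dsa",
+		"unknown" };
+#endif
+
+	if (key_verify(key, sig, slen, data, datalen) == 0)
+		return 0;
+#ifdef SSH_AUDIT_EVENTS
+	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+	switch(key->type) {
+		case KEY_RSA1:
+		case KEY_RSA:
+			size = RSA_size(key->rsa);
+			break;
+		case KEY_DSA:
+			size = DSA_size(key->dsa);
+			break;
+	}
+
+	if (audit_keyusage(crypto_name[key->type], size, fp) == 0)
+		return 0;
+	xfree(fp);
+#endif
+	return 1;
+}
+
 static int
 match_principals_option(const char *principal_list, struct KeyCert *cert)
 {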
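Review bot: `if (key_verify(...) == 0) return 0;` treats only a zero result as failure, but key_verify() in this tree also returns -1 on error (unsupported key type, a signature blob whose type string does not match the key, decoding failures, as far as I recall), and that outcome now falls through to the audit call and `return 1` — the monitor, which switches to this function for MM_USERKEY, would then report a signature it could not verify as verified; the test must be `!= 1`. Two further problems sit in the audit branch: `crypto_name[key->type]` indexes a four-entry table with no range check, and key->type values above 3 (the certificate key types such as KEY_RSA_CERT exist in this release) read past the array, while the switch has no default; and `fp` is leaked when audit_keyusage() returns 0 because the early return precedes xfree(). "ssh-dsa" is also not the wire name of DSA keys ("ssh-dss"), which matters if anyone correlates these records with other logs. The rewrite below fixes the result check, derives the name from the same switch so the index can never go out of bounds, and frees the fingerprint on both paths.
```c
int
pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
{
#ifdef SSH_AUDIT_EVENTS
	char *fp;
	unsigned size = 0;
	const char *algo = "unknown";
	int rc;
#endif

	/* key_verify() returns -1 on error, 0 on a bad signature, 1 on success */
	if (key_verify(key, sig, slen, data, datalen) != 1)
		return 0;
#ifdef SSH_AUDIT_EVENTS
	switch (key->type) {
	case KEY_RSA1:
		algo = "ssh-rsa1";
		size = RSA_size(key->rsa);
		break;
	case KEY_RSA:
		algo = "ssh-rsa";
		size = RSA_size(key->rsa);
		break;
	case KEY_DSA:
		algo = "ssh-dsa";
		size = DSA_size(key->dsa);
		break;
	default:
		/* certificate and unknown key types: still audited, under the placeholder name */
		break;
	}
	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
	rc = audit_keyusage(algo, size, fp);
	xfree(fp);	/* freed on both outcomes; the original leaked it when auditing failed */
	if (rc == 0)
		return 0;
#endif
	return 1;
}
```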
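--- a/openssh-5.6p1/auth-rsa.c
+++ b/openssh-5.6p1/auth-rsa.c
@@ -275,6 +275,20 @@ auth_rsa_key_allowed(struct passwd *pw,
 		*rkey = key;
 	else
 		key_free(key);
+
+#ifdef SSH_AUDIT_EVENTS
+	if (allowed) {
+		char *fp;
+
+		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		if (audit_keyusage("ssh-rsa1", RSA_size(key->rsa), fp) == 0) {
+			debug("unsuccessful audit");
+			allowed = 0;
+		}
+		xfree(fp);
+	}
+#endif
+
 	return (allowed);
 }
 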
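Review bot: The audit block dereferences `key` (key_fingerprint(key, ...) and `key->rsa`) immediately after the `else key_free(key);` branch, and it is guarded only by `allowed`; the condition that chooses between `*rkey = key` and the free is above the hunk, so if it can free the key while `allowed` is set — upstream's condition is `allowed && rkey != NULL`, i.e. a caller passing a NULL rkey — this is a use-after-free on the code path that decides whether the login proceeds. Moving the `#ifdef SSH_AUDIT_EVENTS` block up so it runs before the ownership hand-off, while `key` is certainly live, removes the dependency on the caller. A second, smaller issue: when the audit fails the function returns 0 after `*rkey` has already been set, so the caller receives a key it does not expect to own and will not free. The enclosing function starts outside the hunk.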
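--- a/openssh-5.6p1/monitor.c
+++ b/openssh-5.6p1/monitor.c
@@ -1235,7 +1235,19 @@ mm_answer_keyverify(int sock, Buffer *m)
 	if (!valid_data)
 		fatal("%s: bad signature data blob", __func__);
 
-	verified = key_verify(key, signature, signaturelen, data, datalen);
+	switch (key_blobtype) {
+	case MM_USERKEY:
+		verified = pubkey_key_verify(key, signature, signaturelen, data, datalen);
+		break;
+	case MM_HOSTKEY:
+		verified = key_verify(key, signature, signaturelen, data, datalen);
+		valid_data = monitor_valid_hostbasedblob(data, datalen,
+		    hostbased_cuser, hostbased_chost);
+		break;
+	default:
+		verified = 0;
+		break;
+	}
 	debug3("%s: key %p signature %s",
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
 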
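Review bot: The `valid_data = monitor_valid_hostbasedblob(data, datalen, hostbased_cuser, hostbased_chost);` lines in the MM_HOSTKEY case are a dead re-validation: `valid_data` has already been checked and fatal()'d on two lines above, nothing after the switch in this hunk reads it, and the function continues past the hunk, so a reader has to wonder whether a second check was intended — drop the two lines, or if a re-check is meant, test its result. The call to pubkey_key_verify() also needs a prototype visible in monitor.c; the patch adds no declaration for it to any header (audit.h only gains audit_keyusage), so unless one already exists this relies on an implicit declaration, which also hides any argument-type mismatch with the `const Key *` definition in auth2-pubkey.c. Finally, because pubkey_key_verify() collapses every key_verify() outcome into 0 or 1, the debug3 line below now reports an audit refusal as "unverified" with no distinguishing message on this side; a debug() in the refusal path would make incident review less confusing.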
