Attachment #2086 for bug #1402

View | Details | Raw Unified | Return to bug 1402 | Differences between

and this patch




#endif
}

int
audit_run_command(const char *command)
{
	/* not implemented */
	return 0;
}

void
audit_end_command(int handle, const char *command)
{
	/* not implemented */
}

void
audit_count_session_open(void)
{
	/* not necessary */
}

void

Lines 35-47 Link Here

(-)openssh-5.9p0/audit-linux.c.audit1 (-18 / +131 lines)
35		35
36	#include "log.h"	36	#include "log.h"
37	#include "audit.h"	37	#include "audit.h"
		38	#include "key.h"
		39	#include "hostfile.h"
		40	#include "auth.h"
		41	#include "servconf.h"
38	#include "canohost.h"	42	#include "canohost.h"
39		43
		44	extern ServerOptions options;
		45	extern Authctxt *the_authctxt;
		46	extern u_int utmp_len;
40	const char* audit_username(void);	47	const char* audit_username(void);
41		48
42	int	49	static void
43	linux_audit_record_event(int uid, const char *username,	50	linux_audit_user_logxxx(int uid, const char *username,
44	const char hostname, const char ip, const char *ttyn, int success)	51	const char hostname, const char ip, const char *ttyn, int success, int event)
45	{	52	{
46	int audit_fd, rc, saved_errno;	53	int audit_fd, rc, saved_errno;
47		54
Lines 49-59 linux_audit_record_event(int uid, const Link Here
49	if (audit_fd < 0) {	56	if (audit_fd < 0) {
50	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|	57	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
51	errno == EAFNOSUPPORT)	58	errno == EAFNOSUPPORT)
52	return 1; /* No audit support in kernel */	59	return; /* No audit support in kernel */
53	else	60	else
54	return 0; /* Must prevent login */	61	goto fatal_report; /* Must prevent login */
55	}	62	}
56	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,	63	rc = audit_log_acct_message(audit_fd, event,
57	NULL, "login", username ? username : "(unknown)",	64	NULL, "login", username ? username : "(unknown)",
58	username == NULL ? uid : -1, hostname, ip, ttyn, success);	65	username == NULL ? uid : -1, hostname, ip, ttyn, success);
59	saved_errno = errno;	66	saved_errno = errno;
Lines 65-99 linux_audit_record_event(int uid, const Link Here
65	if ((rc == -EPERM) && (geteuid() != 0))	72	if ((rc == -EPERM) && (geteuid() != 0))
66	rc = 0;	73	rc = 0;
67	errno = saved_errno;	74	errno = saved_errno;
68	return (rc >= 0);	75	if (rc < 0) {
		76	fatal_report:
		77	fatal("linux_audit_write_entry failed: %s", strerror(errno));
		78	}
		79	}
		80
		81	static void
		82	linux_audit_user_auth(int uid, const char *username,
		83	const char hostname, const char ip, const char *ttyn, int success, int event)
		84	{
		85	int audit_fd, rc, saved_errno;
		86	static const char *event_name[] = {
		87	"maxtries exceeded",
		88	"root denied",
		89	"success",
		90	"none",
		91	"password",
		92	"challenge-response",
		93	"pubkey",
		94	"hostbased",
		95	"gssapi",
		96	"invalid user",
		97	"nologin",
		98	"connection closed",
		99	"connection abandoned",
		100	"unknown"
		101	};
		102
		103	audit_fd = audit_open();
		104	if (audit_fd < 0) {
		105	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
		106	errno == EAFNOSUPPORT)
		107	return; /* No audit support in kernel */
		108	else
		109	goto fatal_report; /* Must prevent login */
		110	}
		111
		112	if ((event < 0) \|\| (event > SSH_AUDIT_UNKNOWN))
		113	event = SSH_AUDIT_UNKNOWN;
		114
		115	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
		116	NULL, event_name[event], username ? username : "(unknown)",
		117	username == NULL ? uid : -1, hostname, ip, ttyn, success);
		118	saved_errno = errno;
		119	close(audit_fd);
		120	/*
		121	* Do not report error if the error is EPERM and sshd is run as non
		122	* root user.
		123	*/
		124	if ((rc == -EPERM) && (geteuid() != 0))
		125	rc = 0;
		126	errno = saved_errno;
		127	if (rc < 0) {
		128	fatal_report:
		129	fatal("linux_audit_write_entry failed: %s", strerror(errno));
		130	}
69	}	131	}
70		132
		133	static int user_login_count = 0;
		134
71	/* Below is the sshd audit API code */	135	/* Below is the sshd audit API code */
72		136
73	void	137	void
74	audit_connection_from(const char *host, int port)	138	audit_connection_from(const char *host, int port)
75	{	139	{
76	}
77	/* not implemented */	140	/* not implemented */
		141	}
78		142
79	void	143	int
80	audit_run_command(const char *command)	144	audit_run_command(const char *command)
81	{	145	{
82	/* not implemented */	146	if (!user_login_count++)
		147	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		148	NULL, "ssh", 1, AUDIT_USER_LOGIN);
		149	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		150	NULL, "ssh", 1, AUDIT_USER_START);
		151	return 0;
		152	}
		153
		154	void
		155	audit_end_command(int handle, const char *command)
		156	{
		157	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		158	NULL, "ssh", 1, AUDIT_USER_END);
		159	if (user_login_count && !--user_login_count)
		160	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		161	NULL, "ssh", 1, AUDIT_USER_LOGOUT);
		162	}
		163
		164	void
		165	audit_count_session_open(void)
		166	{
		167	user_login_count++;
83	}	168	}
84		169
85	void	170	void
86	audit_session_open(struct logininfo *li)	171	audit_session_open(struct logininfo *li)
87	{	172	{
88	if (linux_audit_record_event(li->uid, NULL, li->hostname,	173	if (!user_login_count++)
89	NULL, li->line, 1) == 0)	174	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
90	fatal("linux_audit_write_entry failed: %s", strerror(errno));	175	NULL, li->line, 1, AUDIT_USER_LOGIN);
		176	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
		177	NULL, li->line, 1, AUDIT_USER_START);
91	}	178	}
92		179
93	void	180	void
94	audit_session_close(struct logininfo *li)	181	audit_session_close(struct logininfo *li)
95	{	182	{
96	/* not implemented */	183	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
		184	NULL, li->line, 1, AUDIT_USER_END);
		185	if (user_login_count && !--user_login_count)
		186	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
		187	NULL, li->line, 1, AUDIT_USER_LOGOUT);
97	}	188	}
98		189
99	void	190	void
Lines 101-121 audit_event(ssh_audit_event_t event) Link Here
101	{	192	{
102	switch(event) {	193	switch(event) {
103	case SSH_AUTH_SUCCESS:	194	case SSH_AUTH_SUCCESS:
104	case SSH_CONNECTION_CLOSE:	195	linux_audit_user_auth(-1, audit_username(), NULL,
		196	get_remote_ipaddr(), "ssh", 1, event);
		197	break;
		198
105	case SSH_NOLOGIN:	199	case SSH_NOLOGIN:
106	case SSH_LOGIN_EXCEED_MAXTRIES:
107	case SSH_LOGIN_ROOT_DENIED:	200	case SSH_LOGIN_ROOT_DENIED:
		201	linux_audit_user_auth(-1, audit_username(), NULL,
		202	get_remote_ipaddr(), "ssh", 0, event);
		203	linux_audit_user_logxxx(-1, audit_username(), NULL,
		204	get_remote_ipaddr(), "ssh", 0, AUDIT_USER_LOGIN);
108	break;	205	break;
109		206
		207	case SSH_LOGIN_EXCEED_MAXTRIES:
110	case SSH_AUTH_FAIL_NONE:	208	case SSH_AUTH_FAIL_NONE:
111	case SSH_AUTH_FAIL_PASSWD:	209	case SSH_AUTH_FAIL_PASSWD:
112	case SSH_AUTH_FAIL_KBDINT:	210	case SSH_AUTH_FAIL_KBDINT:
113	case SSH_AUTH_FAIL_PUBKEY:	211	case SSH_AUTH_FAIL_PUBKEY:
114	case SSH_AUTH_FAIL_HOSTBASED:	212	case SSH_AUTH_FAIL_HOSTBASED:
115	case SSH_AUTH_FAIL_GSSAPI:	213	case SSH_AUTH_FAIL_GSSAPI:
		214	linux_audit_user_auth(-1, audit_username(), NULL,
		215	get_remote_ipaddr(), "ssh", 0, event);
		216	break;
		217
		218	case SSH_CONNECTION_CLOSE:
		219	if (user_login_count) {
		220	while (user_login_count--)
		221	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		222	NULL, "ssh", 1, AUDIT_USER_END);
		223	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
		224	NULL, "ssh", 1, AUDIT_USER_LOGOUT);
		225	}
		226	break;
		227
		228	case SSH_CONNECTION_ABANDON:
116	case SSH_INVALID_USER:	229	case SSH_INVALID_USER:
117	linux_audit_record_event(-1, audit_username(), NULL,	230	linux_audit_user_logxxx(-1, audit_username(), NULL,
118	get_remote_ipaddr(), "sshd", 0);	231	get_remote_ipaddr(), "ssh", 0, AUDIT_USER_LOGIN);
119	break;	232	break;
120		233
121	default:	234	default:




}

/*
 * Called when a child process has called, or will soon call,
 * audit_session_open.
 */
void
audit_count_session_open(void)
{
	debug("audit count session open euid %d user %s", geteuid(),
	      audit_username());
}

/*
 * Called when a user session is started.  Argument is the tty allocated to
 * the session, or NULL if no tty was allocated.
 *

/*
 * This will be called when a user runs a non-interactive command.  Note that
 * it may be called multiple times for a single connection since SSH2 allows
 * multiple sessions within a single connection.  Returns a "handle" for
 * audit_end_command.
 */
int
audit_run_command(const char *command)
{
	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
	    audit_username(), command);
	return 0;
}

/*
 * This will be called when the non-interactive command finishes.  Note that
 * it may be called multiple times for a single connection since SSH2 allows
 * multiple sessions within a single connection.  "handle" should come from
 * the corresponding audit_run_command.
 */
void
audit_end_command(int handle, const char *command)
{
	debug("audit end nopty exec  euid %d user %s command '%.200s'", geteuid(),
	    audit_username(), command);
}

# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */

Lines 49-57 typedef enum ssh_audit_event_type ssh_au Link Here

(-)openssh-5.9p0/audit.h.audit1 (-1 / +3 lines)
49		49
50	void audit_connection_from(const char *, int);	50	void audit_connection_from(const char *, int);
51	void audit_event(ssh_audit_event_t);	51	void audit_event(ssh_audit_event_t);
		52	void audit_count_session_open(void);
52	void audit_session_open(struct logininfo *);	53	void audit_session_open(struct logininfo *);
53	void audit_session_close(struct logininfo *);	54	void audit_session_close(struct logininfo *);
54	void audit_run_command(const char *);	55	int audit_run_command(const char *);
		56	void audit_end_command(int, const char *);
55	ssh_audit_event_t audit_classify_auth(const char *);	57	ssh_audit_event_t audit_classify_auth(const char *);
56		58
57	#endif /* _SSH_AUDIT_H */	59	#endif /* _SSH_AUDIT_H */




#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
int mm_answer_audit_command(int, Buffer *);
int mm_answer_audit_end_command(int, Buffer *);
#endif

static int monitor_read_log(struct monitor *);

#ifdef SSH_AUDIT_EVENTS
    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
    {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
#endif
    {0, 0, NULL}
};

#ifdef SSH_AUDIT_EVENTS
    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
    {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
#endif
    {0, 0, NULL}
};

		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
		session_pty_cleanup2(s);
	}
#ifdef SSH_AUDIT_EVENTS
	if (s->command != NULL) {
		debug3("%s: command %d", __func__, s->command_handle);
		session_end_command2(s);
	}
#endif
	session_unused(s->self);
}


{
	u_int len;
	char *cmd;
	Session *s;

	debug3("%s entering", __func__);
	cmd = buffer_get_string(m, &len);

	/* sanity check command, if so how? */
	s = session_new();
	if (s == NULL)
		fatal("%s: error allocating a session", __func__);
	s->command = cmd;
	s->command_handle = audit_run_command(cmd);

	buffer_clear(m);
	buffer_put_int(m, s->self);

	mm_request_send(socket, MONITOR_ANS_AUDIT_COMMAND, m);

	return (0);
}

int
mm_answer_audit_end_command(int socket, Buffer *m)
{
	int handle;
	u_int len;
	char *cmd;
	Session *s;

	debug3("%s entering", __func__);
	handle = buffer_get_int(m);
	cmd = buffer_get_string(m, &len);

	s = session_by_id(handle);
	if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
	    strcmp(s->command, cmd) != 0)
		fatal("%s: invalid handle", __func__);
	mm_session_close(s);

	xfree(cmd);
	return (0);
}

Lines 60-65 enum monitor_reqtype { Link Here

(-)openssh-5.9p0/monitor.h.audit1 (+1 lines)
60	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,	60	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
61	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,	61	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
62	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,	62	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
		63	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
63	MONITOR_REQ_TERM,	64	MONITOR_REQ_TERM,
64	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,	65	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
65	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,	66	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,




	buffer_free(&m);
}

int
mm_audit_run_command(const char *command)
{
	Buffer m;
	int handle;

	debug3("%s entering command %s", __func__, command);


	buffer_put_cstring(&m, command);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, &m);

	handle = buffer_get_int(&m);
	buffer_free(&m);

	return (handle);
}

void
mm_audit_end_command(int handle, const char *command)
{
	Buffer m;

	debug3("%s entering command %s", __func__, command);

	buffer_init(&m);
	buffer_put_int(&m, handle);
	buffer_put_cstring(&m, command);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
	buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */

Lines 74-80 void mm_sshpam_free_ctx(void *); Link Here

(-)openssh-5.9p0/monitor_wrap.h.audit1 (-1 / +2 lines)
74	#ifdef SSH_AUDIT_EVENTS	74	#ifdef SSH_AUDIT_EVENTS
75	#include "audit.h"	75	#include "audit.h"
76	void mm_audit_event(ssh_audit_event_t);	76	void mm_audit_event(ssh_audit_event_t);
77	void mm_audit_run_command(const char *);	77	int mm_audit_run_command(const char *);
		78	void mm_audit_end_command(int, const char *);
78	#endif	79	#endif
79		80
80	struct Session;	81	struct Session;

Lines 742-747 do_exec_pty(Session s, const char comm Link Here

(-)openssh-5.9p0/session.c.audit1 (-3 / +66 lines)
742	/* Parent. Close the slave side of the pseudo tty. */	742	/* Parent. Close the slave side of the pseudo tty. */
743	close(ttyfd);	743	close(ttyfd);
744		744
		745	#ifndef HAVE_OSF_SIA
		746	/* do_login in the child did not affect state in this process,
		747	compensate. From an architectural standpoint, this is extremely
		748	ugly. */
		749	if (!(options.use_login && command == NULL))
		750	audit_count_session_open();
		751	#endif
		752
745	/* Enter interactive session. */	753	/* Enter interactive session. */
746	s->ptymaster = ptymaster;	754	s->ptymaster = ptymaster;
747	packet_set_interactive(1,	755	packet_set_interactive(1,
Lines 813-827 do_exec(Session s, const char command) Link Here
813	}	821	}
814		822
815	#ifdef SSH_AUDIT_EVENTS	823	#ifdef SSH_AUDIT_EVENTS
		824	if (s->command != NULL \|\| s->command_handle != -1)
		825	fatal("do_exec: command already set");
816	if (command != NULL)	826	if (command != NULL)
817	PRIVSEP(audit_run_command(command));	827	s->command = xstrdup(command);
818	else if (s->ttyfd == -1) {	828	else if (s->ttyfd == -1) {
819	char *shell = s->pw->pw_shell;	829	char *shell = s->pw->pw_shell;
820		830
821	if (shell[0] == '\0') /* empty shell means /bin/sh */	831	if (shell[0] == '\0') /* empty shell means /bin/sh */
822	shell =_PATH_BSHELL;	832	shell =_PATH_BSHELL;
823	PRIVSEP(audit_run_command(shell));	833	s->command = xstrdup(shell);
824	}	834	}
		835	if (s->command != NULL)
		836	s->command_handle = PRIVSEP(audit_run_command(s->command));
825	#endif	837	#endif
826	if (s->ttyfd != -1)	838	if (s->ttyfd != -1)
827	ret = do_exec_pty(s, command);	839	ret = do_exec_pty(s, command);
Lines 1848-1853 session_unused(int id) Link Here
1848	sessions[id].ttyfd = -1;	1860	sessions[id].ttyfd = -1;
1849	sessions[id].ptymaster = -1;	1861	sessions[id].ptymaster = -1;
1850	sessions[id].x11_chanids = NULL;	1862	sessions[id].x11_chanids = NULL;
		1863	sessions[id].command_handle = -1;
1851	sessions[id].next_unused = sessions_first_unused;	1864	sessions[id].next_unused = sessions_first_unused;
1852	sessions_first_unused = id;	1865	sessions_first_unused = id;
1853	}	1866	}
Lines 1930-1935 session_open(Authctxt *authctxt, int cha Link Here
1930	}	1943	}
1931		1944
1932	Session *	1945	Session *
		1946	session_by_id(int id)
		1947	{
		1948	if (id >= 0 && id < sessions_nalloc) {
		1949	Session *s = &sessions[id];
		1950	if (s->used)
		1951	return s;
		1952	}
		1953	debug("session_by_id: unknown id %d", id);
		1954	session_dump();
		1955	return NULL;
		1956	}
		1957
		1958	Session *
1933	session_by_tty(char *tty)	1959	session_by_tty(char *tty)
1934	{	1960	{
1935	int i;	1961	int i;
Lines 2455-2460 session_exit_message(Session *s, int sta Link Here
2455	chan_write_failed(c);	2481	chan_write_failed(c);
2456	}	2482	}
2457		2483
		2484	#ifdef SSH_AUDIT_EVENTS
		2485	void
		2486	session_end_command2(Session *s)
		2487	{
		2488	if (s->command != NULL) {
		2489	audit_end_command(s->command_handle, s->command);
		2490	xfree(s->command);
		2491	s->command = NULL;
		2492	s->command_handle = -1;
		2493	}
		2494	}
		2495
		2496	static void
		2497	session_end_command(Session *s)
		2498	{
		2499	if (s->command != NULL) {
		2500	PRIVSEP(audit_end_command(s->command_handle, s->command));
		2501	xfree(s->command);
		2502	s->command = NULL;
		2503	s->command_handle = -1;
		2504	}
		2505	}
		2506	#endif
		2507
2458	void	2508	void
2459	session_close(Session *s)	2509	session_close(Session *s)
2460	{	2510	{
Lines 2463-2468 session_close(Session *s) Link Here
2463	debug("session_close: session %d pid %ld", s->self, (long)s->pid);	2513	debug("session_close: session %d pid %ld", s->self, (long)s->pid);
2464	if (s->ttyfd != -1)	2514	if (s->ttyfd != -1)
2465	session_pty_cleanup(s);	2515	session_pty_cleanup(s);
		2516	#ifdef SSH_AUDIT_EVENTS
		2517	if (s->command)
		2518	session_end_command(s);
		2519	#endif
2466	if (s->term)	2520	if (s->term)
2467	xfree(s->term);	2521	xfree(s->term);
2468	if (s->display)	2522	if (s->display)
Lines 2682-2687 do_authenticated2(Authctxt *authctxt) Link Here
2682	server_loop2(authctxt);	2736	server_loop2(authctxt);
2683	}	2737	}
2684		2738
		2739	static void
		2740	do_cleanup_one_session(Session *s)
		2741	{
		2742	session_pty_cleanup2(s);
		2743	#ifdef SSH_AUDIT_EVENTS
		2744	session_end_command2(s);
		2745	#endif
		2746	}
		2747
2685	void	2748	void
2686	do_cleanup(Authctxt *authctxt)	2749	do_cleanup(Authctxt *authctxt)
2687	{	2750	{
Lines 2730-2734 do_cleanup(Authctxt *authctxt) Link Here
2730	* or if running in monitor.	2793	* or if running in monitor.
2731	*/	2794	*/
2732	if (!use_privsep \|\| mm_is_monitor())	2795	if (!use_privsep \|\| mm_is_monitor())
2733	session_destroy_all(session_pty_cleanup2);	2796	session_destroy_all(do_cleanup_one_session);
2734	}	2797	}

Lines 60-65 struct Session { Link Here

(-)openssh-5.9p0/session.h.audit1 (+8 lines)
60	char *name;	60	char *name;
61	char *val;	61	char *val;
62	} *env;	62	} *env;
		63
		64	/* exec */
		65	#ifdef SSH_AUDIT_EVENTS
		66	int command_handle;
		67	char *command;
		68	#endif
63	};	69	};
64		70
65	void do_authenticated(Authctxt *);	71	void do_authenticated(Authctxt *);
Lines 72-79 void session_close_by_pid(pid_t, int); Link Here
72	void session_close_by_channel(int, void *);	78	void session_close_by_channel(int, void *);
73	void session_destroy_all(void ()(Session ));	79	void session_destroy_all(void ()(Session ));
74	void session_pty_cleanup2(Session *);	80	void session_pty_cleanup2(Session *);
		81	void session_end_command2(Session *);
75		82
76	Session *session_new(void);	83	Session *session_new(void);
		84	Session *session_by_id(int);
77	Session session_by_tty(char );	85	Session session_by_tty(char );
78	void session_close(Session *);	86	void session_close(Session *);
79	void do_setusercontext(struct passwd *);	87	void do_setusercontext(struct passwd *);

Lines 2364-2370 cleanup_exit(int i) Link Here

(-)openssh-5.9p0/sshd.c.audit1 (-1 / +2 lines)
2364	do_cleanup(the_authctxt);	2364	do_cleanup(the_authctxt);
2365	#ifdef SSH_AUDIT_EVENTS	2365	#ifdef SSH_AUDIT_EVENTS
2366	/* done after do_cleanup so it can cancel the PAM auth 'thread' */	2366	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
2367	if (!use_privsep \|\| mm_is_monitor())	2367	if ((the_authctxt == NULL \|\| !the_authctxt->authenticated) &&
		2368	(!use_privsep \|\| mm_is_monitor()))
2368	audit_event(SSH_CONNECTION_ABANDON);	2369	audit_event(SSH_CONNECTION_ABANDON);
2369	#endif	2370	#endif
2370	_exit(i);	2371	_exit(i);

Return to bug 1402

Lines 298-307 audit_connection_from(const char *host, Link Here

(-)openssh-5.9p0/audit-bsm.c.audit1 (-1 / +14 lines)
298	#endif	298	#endif
299	}	299	}
300		300
301	void	301	int
302	audit_run_command(const char *command)	302	audit_run_command(const char *command)
303	{	303	{
304	/* not implemented */	304	/* not implemented */
		305	return 0;
		306	}
		307
		308	void
		309	audit_end_command(int handle, const char *command)
		310	{
		311	/* not implemented */
		312	}
		313
		314	void
		315	audit_count_session_open(void)
		316	{
		317	/* not necessary */
305	}	318	}
306		319
307	void	320	void

Lines 1188-1197 mm_audit_event(ssh_audit_event_t event) Link Here

(-)openssh-5.9p0/monitor_wrap.c.audit1 (-1 / +22 lines)
1188	buffer_free(&m);	1188	buffer_free(&m);
1189	}	1189	}
1190		1190
1191	void	1191	int
1192	mm_audit_run_command(const char *command)	1192	mm_audit_run_command(const char *command)
1193	{	1193	{
1194	Buffer m;	1194	Buffer m;
		1195	int handle;
1195		1196
1196	debug3("%s entering command %s", __func__, command);	1197	debug3("%s entering command %s", __func__, command);
1197		1198
Lines 1199-1204 mm_audit_run_command(const char *command Link Here
1199	buffer_put_cstring(&m, command);	1200	buffer_put_cstring(&m, command);
1200		1201
1201	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);	1202	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
		1203	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, &m);
		1204
		1205	handle = buffer_get_int(&m);
		1206	buffer_free(&m);
		1207
		1208	return (handle);
		1209	}
		1210
		1211	void
		1212	mm_audit_end_command(int handle, const char *command)
		1213	{
		1214	Buffer m;
		1215
		1216	debug3("%s entering command %s", __func__, command);
		1217
		1218	buffer_init(&m);
		1219	buffer_put_int(&m, handle);
		1220	buffer_put_cstring(&m, command);
		1221
		1222	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
1202	buffer_free(&m);	1223	buffer_free(&m);
1203	}	1224	}
1204	#endif /* SSH_AUDIT_EVENTS */	1225	#endif /* SSH_AUDIT_EVENTS */

Lines 140-145 audit_event(ssh_audit_event_t event) Link Here

(-)openssh-5.9p0/audit.c.audit1 (-2 / +29 lines)
140	}	140	}
141		141
142	/*	142	/*
		143	* Called when a child process has called, or will soon call,
		144	* audit_session_open.
		145	*/
		146	void
		147	audit_count_session_open(void)
		148	{
		149	debug("audit count session open euid %d user %s", geteuid(),
		150	audit_username());
		151	}
		152
		153	/*
143	* Called when a user session is started. Argument is the tty allocated to	154	* Called when a user session is started. Argument is the tty allocated to
144	* the session, or NULL if no tty was allocated.	155	* the session, or NULL if no tty was allocated.
145	*	156	*
Lines 174-186 audit_session_close(struct logininfo *li Link Here
174	/*	185	/*
175	* This will be called when a user runs a non-interactive command. Note that	186	* This will be called when a user runs a non-interactive command. Note that
176	* it may be called multiple times for a single connection since SSH2 allows	187	* it may be called multiple times for a single connection since SSH2 allows
177	* multiple sessions within a single connection.	188	* multiple sessions within a single connection. Returns a "handle" for
		189	* audit_end_command.
178	*/	190	*/
179	void	191	int
180	audit_run_command(const char *command)	192	audit_run_command(const char *command)
181	{	193	{
182	debug("audit run command euid %d user %s command '%.200s'", geteuid(),	194	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
183	audit_username(), command);	195	audit_username(), command);
		196	return 0;
		197	}
		198
		199	/*
		200	* This will be called when the non-interactive command finishes. Note that
		201	* it may be called multiple times for a single connection since SSH2 allows
		202	* multiple sessions within a single connection. "handle" should come from
		203	* the corresponding audit_run_command.
		204	*/
		205	void
		206	audit_end_command(int handle, const char *command)
		207	{
		208	debug("audit end nopty exec euid %d user %s command '%.200s'", geteuid(),
		209	audit_username(), command);
184	}	210	}
		211
185	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */	212	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
186	#endif /* SSH_AUDIT_EVENTS */	213	#endif /* SSH_AUDIT_EVENTS */

Lines 185-190 int mm_answer_gss_checkmic(int, Buffer * Link Here

(-)openssh-5.9p0/monitor.c.audit1 (-1 / +43 lines)
185	#ifdef SSH_AUDIT_EVENTS	185	#ifdef SSH_AUDIT_EVENTS
186	int mm_answer_audit_event(int, Buffer *);	186	int mm_answer_audit_event(int, Buffer *);
187	int mm_answer_audit_command(int, Buffer *);	187	int mm_answer_audit_command(int, Buffer *);
		188	int mm_answer_audit_end_command(int, Buffer *);
188	#endif	189	#endif
189		190
190	static int monitor_read_log(struct monitor *);	191	static int monitor_read_log(struct monitor *);
Lines 271-276 struct mon_table mon_dispatch_postauth20 Link Here
271	#ifdef SSH_AUDIT_EVENTS	272	#ifdef SSH_AUDIT_EVENTS
272	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	273	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
273	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},	274	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
		275	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
274	#endif	276	#endif
275	{0, 0, NULL}	277	{0, 0, NULL}
276	};	278	};
Lines 313-318 struct mon_table mon_dispatch_postauth15 Link Here
313	#ifdef SSH_AUDIT_EVENTS	315	#ifdef SSH_AUDIT_EVENTS
314	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	316	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
315	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},	317	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},
		318	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
316	#endif	319	#endif
317	{0, 0, NULL}	320	{0, 0, NULL}
318	};	321	};
Lines 1398-1403 mm_session_close(Session *s) Link Here
1398	debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);	1401	debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
1399	session_pty_cleanup2(s);	1402	session_pty_cleanup2(s);
1400	}	1403	}
		1404	#ifdef SSH_AUDIT_EVENTS
		1405	if (s->command != NULL) {
		1406	debug3("%s: command %d", __func__, s->command_handle);
		1407	session_end_command2(s);
		1408	}
		1409	#endif
1401	session_unused(s->self);	1410	session_unused(s->self);
1402	}	1411	}
1403		1412
Lines 1720-1730 mm_answer_audit_command(int socket, Buff Link Here
1720	{	1729	{
1721	u_int len;	1730	u_int len;
1722	char *cmd;	1731	char *cmd;
		1732	Session *s;
1723		1733
1724	debug3("%s entering", __func__);	1734	debug3("%s entering", __func__);
1725	cmd = buffer_get_string(m, &len);	1735	cmd = buffer_get_string(m, &len);
		1736
1726	/* sanity check command, if so how? */	1737	/* sanity check command, if so how? */
1727	audit_run_command(cmd);	1738	s = session_new();
		1739	if (s == NULL)
		1740	fatal("%s: error allocating a session", __func__);
		1741	s->command = cmd;
		1742	s->command_handle = audit_run_command(cmd);
		1743
		1744	buffer_clear(m);
		1745	buffer_put_int(m, s->self);
		1746
		1747	mm_request_send(socket, MONITOR_ANS_AUDIT_COMMAND, m);
		1748
		1749	return (0);
		1750	}
		1751
		1752	int
		1753	mm_answer_audit_end_command(int socket, Buffer *m)
		1754	{
		1755	int handle;
		1756	u_int len;
		1757	char *cmd;
		1758	Session *s;
		1759
		1760	debug3("%s entering", __func__);
		1761	handle = buffer_get_int(m);
		1762	cmd = buffer_get_string(m, &len);
		1763
		1764	s = session_by_id(handle);
		1765	if (s == NULL \|\| s->ttyfd != -1 \|\| s->command == NULL \|\|
		1766	strcmp(s->command, cmd) != 0)
		1767	fatal("%s: invalid handle", __func__);
		1768	mm_session_close(s);
		1769
1728	xfree(cmd);	1770	xfree(cmd);
1729	return (0);	1771	return (0);
1730	}	1772	}