openssh/openssh-5.8p1-audit2.patch

diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c 2011-02-24 09:38:06.000000000 +0100
@@ -322,6 +322,12 @@ audit_session_close(struct logininfo *li
/* not implemented */
}
+int
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
+{
+ /* not implemented */
+}
+
void
audit_event(ssh_audit_event_t event)
{
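Review bot: The `audit_keyusage` stub added here is declared `int` but has no `return`, so a caller that uses its value (audit_key in audit.c tests `== 0` to decide whether to block the login) reads an indeterminate value, which is undefined behaviour in C. The null implementation in the audit.c `@@ -195,5 +212,17 @@` hunk has the same gap after its `debug()` call. Both should end with `return 1; /* no audit backend: never block the login */`, matching the "No audit support in kernel" path in audit-linux.c.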
diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/audit.c 2011-02-24 09:46:00.000000000 +0100
@@ -36,6 +36,7 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "xmalloc.h"
/*
* Care must be taken when using this since it WILL NOT be initialized when
@@ -111,6 +112,22 @@ audit_event_lookup(ssh_audit_event_t ev)
return(event_lookup[i].name);
}
+void
+audit_key(int host_user, int *rv, const Key *key)
+{
+ char *fp;
+ const char *crypto_name;
+
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ if (key->type == KEY_RSA1)
+ crypto_name = "ssh-rsa1";
+ else
+ crypto_name = key_ssh_name(key);
+ if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
+ *rv = 0;
+ xfree(fp);
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
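Review bot: `audit_key` is a new exported function whose `rv` parameter is both input and output, and nothing documents that a verified key (`*rv == 1` on entry) is turned into a rejection when the audit record cannot be written. Add a header comment such as `/* Audit use of key for a pubkey (host_user != 0) or hostbased auth attempt; *rv holds the verification result on entry and is forced to 0 if the audit record cannot be written. */`. The RSA1 path in auth-rsa.c logs `debug("unsuccessful audit")` before clearing rv; doing the same here keeps the two paths consistent and leaves a trace of why a valid key was refused.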
@@ -195,5 +212,17 @@ audit_end_command(const char *command)
audit_username(), command);
}
+/*
+ * This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
+ *
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
+ */
+int
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
+{
+ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s%s, result %d",
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
+ key_fingerprint_prefix(), fp, rv);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
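Review bot: The comment above the null `audit_keyusage` says `len is the key length(byte)`, but the parameter is named `bits` and both callers pass a bit count (`key_size(key)` in audit.c, `RSA_size(key->rsa) * 8` in auth-rsa.c), so the comment documents the wrong unit; it also misspells "authorized". Suggest `* type is the key type, bits is the key length in bits and fp is the fingerprint of the key.`. In the `debug()` call `bits` is `unsigned` but printed with `%d`; use `%u` so the format matches the argument type.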
diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/audit.h 2011-02-24 09:38:06.000000000 +0100
@@ -28,6 +28,7 @@
# define _SSH_AUDIT_H
#include "loginrec.h"
+#include "key.h"
enum ssh_audit_event_type {
SSH_LOGIN_EXCEED_MAXTRIES,
@@ -54,5 +55,7 @@ void audit_session_close(struct logininf
void audit_run_command(const char *);
void audit_end_command(const char *);
ssh_audit_event_t audit_classify_auth(const char *);
+int audit_keyusage(int, const char *, unsigned, char *, int);
+void audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */
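Review bot: The new `audit_keyusage` prototype takes the fingerprint as `char *` although every implementation in this patch only passes `fp` to `snprintf` or `debug`, so it should be `const char *`: `int audit_keyusage(int, const char *, unsigned, const char *, int);`, with the definitions in audit.c, audit-bsm.c and audit-linux.c changed to match. This documents that the function neither modifies nor frees the string and lets callers pass fingerprints they do not own without a cast.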
diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-24 09:47:31.000000000 +0100
@@ -41,6 +41,8 @@
#include "servconf.h"
#include "canohost.h"
+#define AUDIT_LOG_SIZE 128
+
extern ServerOptions options;
extern Authctxt *the_authctxt;
extern u_int utmp_len;
@@ -130,6 +132,37 @@ fatal_report:
}
}
+int
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, rc, saved_errno;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */
+ else
+ return 0; /* Must prevent login */
+ }
+ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "pubkey" : "hostbased", get_remote_port());
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
+ goto out;
+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s%s rport=%d",
+ type, bits, key_fingerprint_prefix(), fp, get_remote_port());
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
+out:
+ saved_errno = errno;
+ audit_close(audit_fd);
+ errno = saved_errno;
+ /* do not report error if the error is EPERM and sshd is run as non root user */
+ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
+}
+
static int user_login_count = 0;
/* Below is the sshd audit API code */
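Review bot: The second `snprintf` into `buf` (`"key algo=%s size=%d fp=%s%s rport=%d"`) ignores its return value, and with `AUDIT_LOG_SIZE` at 128 a long algorithm name plus the fingerprint prefix and a hex fingerprint can exceed that, so the fingerprint would be silently cut off in the audit record — the one field an auditor needs; whether it actually overflows depends on the fingerprint type `key_selected_fingerprint` produces, which is not visible here. Check for truncation and treat it as a failed write (a new `int len` local next to `rc`), and print `bits` with `%u` since it is `unsigned`. Separately, the early-out `if ((rc < 0) && ((rc != -1) || (getuid() == 0)))` and the final `return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0))` spell the same condition two ways; they only agree because EPERM is 1 on Linux, so write both as `-EPERM`.
```c
	/* … unchanged: audit_open() and the "%s_auth" record … */
	if ((rc < 0) && ((rc != -EPERM) || (getuid() == 0)))
		goto out;
	len = snprintf(buf, sizeof(buf), "key algo=%s size=%u fp=%s%s rport=%d",
	    type, bits, key_fingerprint_prefix(), fp, get_remote_port());
	if (len < 0 || (size_t)len >= sizeof(buf)) {
		/* a truncated record would drop the fingerprint; refuse it */
		rc = -EMSGSIZE;
		goto out;
	}
	/* … unchanged: second audit_log_acct_message() and out: cleanup … */
```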
diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
--- openssh-5.8p1/auth2-hostbased.c.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-24 09:38:06.000000000 +0100
@@ -136,6 +136,18 @@ done:
return authenticated;
}
+int
+hostkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
+{
+ int rv;
+
+ rv = key_verify(key, sig, slen, data, datalen);
+#ifdef SSH_AUDIT_EVENTS
+ audit_key(0, &rv, key);
+#endif
+ return rv;
+}
+
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
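Review bot: `hostkey_key_verify` is exported through auth.h and called from monitor.c, but nothing tells its callers that the result is not purely `key_verify`'s: under `SSH_AUDIT_EVENTS`, `audit_key` can turn a successful verification into `rv == 0` when the audit record cannot be written. Add a comment above the definition, e.g. `/* key_verify() plus an audit record; under SSH_AUDIT_EVENTS a failed audit write forces the result to 0 */`. The same applies to `pubkey_key_verify` in the auth2-pubkey.c hunk.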
diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-24 09:38:06.000000000 +0100
@@ -177,6 +177,18 @@ done:
return authenticated;
}
+int
+pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
+{
+ int rv;
+
+ rv = key_verify(key, sig, slen, data, datalen);
+#ifdef SSH_AUDIT_EVENTS
+ audit_key(1, &rv, key);
+#endif
+ return rv;
+}
+
static int
match_principals_option(const char *principal_list, struct KeyCert *cert)
{
diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
--- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
+++ openssh-5.8p1/auth.h 2011-02-24 09:38:06.000000000 +0100
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *);
char *authorized_principals_file(struct passwd *);
+int pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -185,6 +186,7 @@ Key *get_hostkey_public_by_type(int);
Key *get_hostkey_private_by_type(int);
int get_hostkey_index(Key *);
int ssh1_session_key(BIGNUM *);
+int hostkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
--- openssh-5.8p1/auth-rsa.c.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c 2011-02-24 09:48:39.000000000 +0100
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
{
u_char buf[32], mdbuf[16];
MD5_CTX md;
- int len;
+ int len, rv;
+#ifdef SSH_AUDIT_EVENTS
+ char *fp;
+#endif
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
MD5_Final(mdbuf, &md);
/* Verify that the response is the original challenge. */
- if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
- /* Wrong answer. */
- return (0);
+ rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+ debug("unsuccessful audit");
+ rv = 0;
}
- /* Correct answer. */
- return (1);
+ xfree(fp);
+#endif
+
+ return rv;
}
/*
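Review bot: The `#ifdef SSH_AUDIT_EVENTS` block in `auth_rsa_verify_response` re-implements what `audit_key` in audit.c already does for `KEY_RSA1` (fingerprint, the "ssh-rsa1" name, clearing `rv`, `xfree`), so the block can shrink to `audit_key(1, &rv, key);` and the `fp` local in the previous hunk goes away. That also keeps the reported key size consistent: this path sends `RSA_size(key->rsa) * 8`, which rounds the modulus up to whole bytes, while audit_key uses `key_size(key)`; if key_size reports the exact bit count (not visible here), the two differ for moduli that are not a multiple of 8. The `debug("unsuccessful audit")` message would then have to move into audit_key so the diagnostic is not lost.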
diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit2 2011-02-24 09:38:06.000000000 +0100
+++ openssh-5.8p1/monitor.c 2011-02-24 09:38:06.000000000 +0100
@@ -1238,7 +1238,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data)
fatal("%s: bad signature data blob", __func__);
- verified = key_verify(key, signature, signaturelen, data, datalen);
+ switch (key_blobtype) {
+ case MM_USERKEY:
+ verified = pubkey_key_verify(key, signature, signaturelen, data, datalen);
+ break;
+ case MM_HOSTKEY:
+ verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
+ break;
+ default:
+ verified = 0;
+ break;
+ }
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
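Review bot: The new `default:` arm in `mm_answer_keyverify` silently sets `verified = 0` for an unexpected `key_blobtype`, whereas the surrounding code (`fatal("%s: bad signature data blob", __func__)` two lines above) treats malformed requests from the unprivileged child as fatal. If, as the earlier `valid_data` check suggests, any blob type other than MM_USERKEY/MM_HOSTKEY has already been rejected before this point, the arm is unreachable and should say so loudly rather than degrade into an ordinary rejection: `fatal("%s: unexpected key_blobtype %d", __func__, key_blobtype);`. The rest of mm_answer_keyverify lies outside the hunk.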