From f284c5eb834dc3621cb25af6ca164207cb3f19ad Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 17 Jan 2018 10:08:26 +0100
Subject: [PATCH] Do not attempt to pass hostnames to audit (inconsistency) (#1534577)
---
openssh-7.6p1-audit.patch | 61 ++++++++++++++++++++++-----------------
1 file changed, 34 insertions(+), 27 deletions(-)
diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch
index bc9a470..b09ef65 100644
--- a/openssh-7.6p1-audit.patch
+++ b/openssh-7.6p1-audit.patch
@@ -310,7 +310,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c --- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200 +++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200 -@@ -33,25 +33,38 @@ +@@ -33,27 +33,40 @@ #include "log.h" #include "audit.h" @@ -337,7 +337,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c -linux_audit_record_event(int uid, const char *username, const char *hostname, - const char *ip, const char *ttyn, int success) +static void -+linux_audit_user_logxxx(int uid, const char *username, const char *hostname, ++linux_audit_user_logxxx(int uid, const char *username, + const char *ip, const char *ttyn, int success, int event) { int audit_fd, rc, saved_errno; @@ -354,8 +354,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c - rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, + rc = audit_log_acct_message(audit_fd, event, NULL, "login", username ? username : "(unknown)", - username == NULL ? uid : -1, hostname, ip, ttyn, success); -- username == NULL ? uid : -1, hostname, ip, ttyn, success); ++ username == NULL ? uid : -1, NULL, ip, ttyn, success); saved_errno = errno; + close(audit_fd); + @@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const rc = 0; errno = saved_errno;
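Review bot: The new `NULL` in the host slot of the `audit_log_acct_message()` call in the @@ -354 hunk carries no explanation, and the same unexplained `NULL` appears in the `linux_audit_user_auth` call in the @@ -403 hunk. A reader of the resulting patch sees a function that still receives `ip` but silently drops the host, so a one-line comment above each call, `/* host intentionally NULL: the record carries the peer address only, never a resolved name */`, would preserve the reason the commit subject gives. The enclosing `linux_audit_user_logxxx` is declared in the earlier @@ -337 hunk and its body continues past the end of this one.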
@@ -369,7 +372,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c + +static void +linux_audit_user_auth(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success, int event) ++ const char *ip, const char *ttyn, int success, int event) +{ + int audit_fd, rc, saved_errno; + static const char *event_name[] = { @@ -403,7 +406,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c + + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, + NULL, event_name[event], username ? username : "(unknown)", -+ username == NULL ? uid : -1, hostname, ip, ttyn, success); ++ username == NULL ? uid : -1, NULL, ip, ttyn, success); + saved_errno = errno; + close(audit_fd); + /* @@ -455,7 +458,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c /* Below is the sshd audit API code */ void -@@ -76,24 +177,51 @@ audit_connection_from(const char *host, +@@ -76,24 +177,55 @@ audit_connection_from(const char *host, /* not implemented */ } 
@@ -465,21 +468,25 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c { - /* not implemented */ + if (!user_login_count++) -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_LOGIN); -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_START); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_LOGIN); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_START); + return 0; +} + +void +audit_end_command(int handle, const char *command) +{ -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_END); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_END); + if (user_login_count && !--user_login_count) -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_LOGOUT); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_LOGOUT); +} + +void @@ -496,9 +503,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c - fatal("linux_audit_write_entry failed: %s", strerror(errno)); + if (!user_login_count++) + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_LOGIN); ++ li->line, 1, AUDIT_USER_LOGIN); + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_START); ++ li->line, 1, AUDIT_USER_START); } void 
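Review bot: The `li`-based callers in the @@ -496 hunk still hand `li->hostname` to `linux_audit_user_logxxx`, and after this commit that position is the `ip` parameter, so whatever string `li->hostname` holds lands in the audit record's addr field while every other caller in this patch was switched to `ssh_remote_ipaddr()`. As far as I can tell `li->hostname` is filled outside this hunk from what `record_login()` was given, which in sshd can be a resolved name when UseDNS is enabled, so the inconsistency the subject line removes appears to survive on the session open/close paths; the @@ -506 hunk has the same two calls. If the address is wanted there it would need to come from the caller or from `li->hostaddr` rendered as text, and if `li->hostname` is accepted deliberately a comment at the first call, `/* li->hostname may be a resolved name rather than an IP */`, would record that. The function enclosing the @@ -496 hunk starts before it and is not named in the hunk.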
@@ -506,10 +513,10 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c { - /* not implemented */ + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_END); ++ li->line, 1, AUDIT_USER_END); + if (user_login_count && !--user_login_count) + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_LOGOUT); ++ li->line, 1, AUDIT_USER_LOGOUT); } void @@ -518,16 +525,16 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c switch(event) { case SSH_AUTH_SUCCESS: - case SSH_CONNECTION_CLOSE: -+ linux_audit_user_auth(-1, audit_username(), NULL, ++ linux_audit_user_auth(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 1, event); + break; + case SSH_NOLOGIN: - case SSH_LOGIN_EXCEED_MAXTRIES: case SSH_LOGIN_ROOT_DENIED: -+ linux_audit_user_auth(-1, audit_username(), NULL, ++ linux_audit_user_auth(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, event); -+ linux_audit_user_logxxx(-1, audit_username(), NULL, ++ linux_audit_user_logxxx(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); break; + case SSH_LOGIN_EXCEED_MAXTRIES: @@ -537,7 +544,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c case SSH_AUTH_FAIL_PUBKEY: case SSH_AUTH_FAIL_HOSTBASED: case SSH_AUTH_FAIL_GSSAPI: -+ linux_audit_user_auth(-1, audit_username(), NULL, ++ linux_audit_user_auth(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, event); + break; + 
@@ -545,11 +552,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c + if (user_login_count) { + while (user_login_count--) + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, -+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_END); ++ ssh_remote_ipaddr(ssh), ++ "ssh", 1, AUDIT_USER_END); + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, -+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_LOGOUT); ++ ssh_remote_ipaddr(ssh), ++ "ssh", 1, AUDIT_USER_LOGOUT); + } + break; + @@ -557,7 +564,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c case SSH_INVALID_USER: - linux_audit_record_event(-1, audit_username(), NULL, - ssh_remote_ipaddr(ssh), "sshd", 0); -+ linux_audit_user_logxxx(-1, audit_username(), NULL, ++ linux_audit_user_logxxx(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); break; default: