[openssh-commits] [openssh] 01/01: auth_log: dont log partial successes as failures

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Jun 4 16:25:46 AEST 2021


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 7cd7f302d3a072748299f362f9e241d81fcecd26
Author: Vincent Brillault <vincent.brillault at cern.ch>
Date:   Sun May 24 09:15:06 2020 +0200

    auth_log: dont log partial successes as failures
    
    By design, 'partial' logins are successful logins (so initially with
    authenticated set to 1) for which another authentication is required. As
    a result, authenticated is always reset to 0 when partial is set to 1.
    However, even though authenticated is 0, these are not failed login
    attempts, just like attempts with authctxt->postponed set to 1.
---
 auth.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/auth.c b/auth.c
index b560eed1..929f59a9 100644
--- a/auth.c
+++ b/auth.c
@@ -352,23 +352,26 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
 
 	free(extra);
 
-#ifdef CUSTOM_FAILED_LOGIN
-	if (authenticated == 0 && !authctxt->postponed &&
-	    (strcmp(method, "password") == 0 ||
-	    strncmp(method, "keyboard-interactive", 20) == 0 ||
-	    strcmp(method, "challenge-response") == 0))
-		record_failed_login(ssh, authctxt->user,
-		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
-# ifdef WITH_AIXAUTHENTICATE
+#if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
+	if (authenticated == 0 && !(authctxt->postponed || partial)) {
+		/* Log failed login attempt */
+# ifdef CUSTOM_FAILED_LOGIN
+		if (strcmp(method, "password") == 0 ||
+		    strncmp(method, "keyboard-interactive", 20) == 0 ||
+		    strcmp(method, "challenge-response") == 0)
+			record_failed_login(ssh, authctxt->user,
+			    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
+# endif
+# ifdef SSH_AUDIT_EVENTS
+		audit_event(ssh, audit_classify_auth(method));
+# endif
+	}
+#endif
+#if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
 	if (authenticated)
 		sys_auth_record_login(authctxt->user,
 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
 		    loginmsg);
-# endif
-#endif
-#ifdef SSH_AUDIT_EVENTS
-	if (authenticated == 0 && !authctxt->postponed)
-		audit_event(ssh, audit_classify_auth(method));
 #endif
 }
 
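Review bot: The new guard `if (authenticated == 0 && !(authctxt->postponed || partial))` drops partial successes from both `record_failed_login()` and `audit_event()`, yet nothing in the hunk records them elsewhere and the only comment is `/* Log failed login attempt */`. For anyone using these records for detection, a session that passes one method and then disconnects without attempting the next now leaves no failed-login or audit entry from this block; whether the log call earlier in auth_log (outside this hunk) still reports it should be confirmed. I would state the intent at the guard, e.g. `/* partial successes and postponed attempts are not failures: no failed-login record or audit event */`. Separately, the literal `20` in `strncmp(method, "keyboard-interactive", 20)` could be written `sizeof("keyboard-interactive") - 1` so the prefix length cannot drift from the string. auth_log's body begins above the hunk.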

-- 