[openssh-commits] [openssh] 02/02: Don't skip audit before exiting cleanup_exit

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Aug 28 22:10:03 AEST 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 05f2b141cfcc60c7cdedf9450d2b9d390c19eaad
Author: Antonio Larrosa <alarrosa at suse.com>
AuthorDate: Fri Aug 23 12:21:06 2024 +0200

    Don't skip audit before exiting cleanup_exit
    
    This fixes an issue where the SSH_CONNECTION_ABANDON event is not
    audited because cleanup_exit overrides the regular _exit too soon and
    as a result, failed auth attempts are not logged correctly.
    
    The problem was introduced in 81c1099d22b81ebfd20a334ce986c4f753b0db29
    where the code from upstream was merged before the audit_event call when
    it should have been merged right before the _exit call in order to honor
    the comment that just mentions an override of the exit value.
---
 sshd-session.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sshd-session.c b/sshd-session.c
index d089f10d..757435a1 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1502,13 +1502,13 @@ cleanup_exit(int i)
 			}
 		}
 	}
-	/* Override default fatal exit value when auth was attempted */
-	if (i == 255 && auth_attempted)
-		_exit(EXIT_AUTH_ATTEMPTED);
 #ifdef SSH_AUDIT_EVENTS
 	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
 	if (the_active_state != NULL && mm_is_monitor())
 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
+	/* Override default fatal exit value when auth was attempted */
+	if (i == 255 && auth_attempted)
+		_exit(EXIT_AUTH_ATTEMPTED);
 	_exit(i);
 }
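
Review bot: The relocated override at the end of cleanup_exit() is still an early `_exit(EXIT_AUTH_ATTEMPTED)` with a comment that only mentions the exit value, so nothing in the code records that it must stay after the SSH_AUDIT_EVENTS block. Per the commit message, the regression came from a merge that placed this same block above the audit_event() call. Consider turning it into an assignment, `if (i == 255 && auth_attempted) i = EXIT_AUTH_ATTEMPTED;`, and leaving the existing `_exit(i);` as the only exit point, so a later reordering cannot skip the SSH_CONNECTION_ABANDON audit. If the two-exit form is kept, extend the comment to say the override has to follow the audit call.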
