[PATCH] Clean up failed login logging.

Darren Tucker dtucker at zip.com.au
Fri Feb 28 19:41:16 EST 2003


Hi All.
	As noted in a previous post, the logging of failed user logins is
somewhat spread out.  This patch creates a record_failed_login()
function in sshlogin.c and moves the AIX and UNICOS code to it,
eliminating 3 #ifdefs from the main code.  It also provides an obvious
place to add the code for any other platforms that support this.

	I've tested this on AIX 4.3.3.  Wendy Palm was kind enough to test it
on UNICOS (this patch includes the cast required to placate the Cray
compiler).

	Note: this will call record_failed_login() in the case of a login
attempt by a non-existent user.  This is good for AIX (loginfailed
replaces the username with UNKNOWN_USER).  I'm not sure if that's the
right thing on UNICOS or not.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
retrieving revision 1.67
diff -u -r1.67 auth.c
--- auth.c	18 Jan 2003 05:24:06 -0000	1.67
+++ auth.c	25 Feb 2003 09:52:31 -0000
@@ -268,13 +268,10 @@
 	    get_remote_port(),
 	    info);
 
-#ifdef WITH_AIXAUTHENTICATE
 	if (authenticated == 0 && strcmp(method, "password") == 0)
-	    loginfailed(authctxt->user,
-		get_canonical_hostname(options.verify_reverse_mapping),
-		"ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-
+		record_failed_login(authctxt->user, 
+		    get_canonical_hostname(options.verify_reverse_mapping),
+		    "ssh");
 }
 
 /*
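Review bot: With the #ifdef removed, the `if (authenticated == 0 && strcmp(method, "password") == 0)` test and its `get_canonical_hostname(options.verify_reverse_mapping)` argument are now evaluated on every platform, including those where record_failed_login() compiles to an empty body. If that is intended, say so in the commit message; otherwise keep the hostname lookup inside the platform-specific code. The added line `record_failed_login(authctxt->user, ` also ends in trailing whitespace.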
@@ -496,11 +493,9 @@
 	if (pw == NULL) {
 		log("Illegal user %.100s from %.100s",
 		    user, get_remote_ipaddr());
-#ifdef WITH_AIXAUTHENTICATE
-		loginfailed(user,
+		record_failed_login(user,
 		    get_canonical_hostname(options.verify_reverse_mapping),
 		    "ssh");
-#endif
 		return (NULL);
 	}
 	if (!allowed_user(pw))
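Review bot: The call in the `pw == NULL` branch now also reaches cray_login_failure() on UNICOS, which the old code never called for an unknown user, and it passes a name that has no passwd entry. Combined with the call in the first auth.c hunk, a failed password attempt for a non-existent user looks like it would be recorded twice on that platform. This needs confirmation from someone with UNICOS before it goes in, or a guard so that only the AIX path runs here.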
Index: auth1.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
retrieving revision 1.79
diff -u -r1.79 auth1.c
--- auth1.c	24 Feb 2003 00:59:27 -0000	1.79
+++ auth1.c	25 Feb 2003 09:45:10 -0000
@@ -311,8 +311,6 @@
 			    authctxt->user);
 
 #ifdef _UNICOS
-		if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated)
-			cray_login_failure(authctxt->user, IA_UDBERR);
 		if (authenticated && cray_access_denied(authctxt->user)) {
 			authenticated = 0;
 			fatal("Access denied for user %s.",authctxt->user);
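Review bot: The removed check keyed on `type == SSH_CMSG_AUTH_PASSWORD`, while its replacement in auth.c keys on `strcmp(method, "password") == 0`. Please confirm that the protocol 1 path hands auth.c exactly the string "password" for this message type, otherwise UNICOS stops recording protocol 1 password failures without any compile-time or run-time indication.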
Index: auth2.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
retrieving revision 1.112
diff -u -r1.112 auth2.c
--- auth2.c	24 Feb 2003 00:59:27 -0000	1.112
+++ auth2.c	25 Feb 2003 09:45:10 -0000
@@ -241,10 +241,6 @@
 		if (authctxt->failures++ > AUTH_FAIL_MAX) {
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
-#ifdef _UNICOS
-		if (strcmp(method, "password") == 0)
-			cray_login_failure(authctxt->user, IA_UDBERR);
-#endif /* _UNICOS */
 		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
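Review bot: The removed cray_login_failure() call sat after the `authctxt->failures++ > AUTH_FAIL_MAX` check, so it was not reached for the attempt that triggers packet_disconnect(). Moving the recording into auth.c may change whether that final attempt is counted on UNICOS; worth stating in the commit message which behaviour is intended.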
Index: sshlogin.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshlogin.c,v
retrieving revision 1.9
diff -u -r1.9 sshlogin.c
--- sshlogin.c	1 Jan 2003 23:43:56 -0000	1.9
+++ sshlogin.c	28 Feb 2003 08:01:49 -0000
@@ -99,3 +99,15 @@
   login_logout(li);
   login_free_entry(li);
 }
+
+/* Record a failed login attempt. */
+void
+record_failed_login(const char *user, const char *host, const char *ttyname)
+{
+#ifdef WITH_AIXAUTHENTICATE
+	loginfailed(user, host, ttyname);
+#endif
+#ifdef _UNICOS
+	cray_login_failure((char *)user, IA_UDBERR);
+#endif /* _UNICOS */
+}

