[PATCH] Creation of record_failed_login() in sshlogin.c
Darren Tucker
dtucker at zip.com.au
Mon Jan 27 23:01:04 EST 2003
Hi All,
I've been poking around various parts of the auth code for a while.
Some platforms support failed login counters and it occurs to me that
there are a few too many instances of:
#ifdef [PLATFORM]
if (authenticated == 0 && strcmp(method, "password") == 0)
some_login_failure_func();
#endif
The attached patch creates a record_failed_login() function in
sshlogin.c to go along with record_login(). This new function holds the
platform-specific code. At the moment, this is AIX and UNICOS, but it
will provide an obvious place for any other platforms that support this
type of thing.
auth_log() is called from do_authloop (proto 1) or userauth_finish
(proto 2) and calls record_failed_login() for each failed password
authentication.
The next question is should this function get called for public-key
authentications and, if so, under what circumstances? My best guess is
that it should be called once if one or more public-key authentications
was attempted and the user was not eventually authenticated. Thoughts?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
retrieving revision 1.67
diff -u -r1.67 auth.c
--- auth.c 18 Jan 2003 05:24:06 -0000 1.67
+++ auth.c 27 Jan 2003 11:39:07 -0000
@@ -268,13 +268,11 @@
get_remote_port(),
info);
-#ifdef WITH_AIXAUTHENTICATE
- if (authenticated == 0 && strcmp(method, "password") == 0)
- loginfailed(authctxt->user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-
+ if (geteuid() == 0 && authenticated == 0 &&
+ strcmp(method, "password") == 0)
+ record_failed_login(authctxt->user,
+ get_canonical_hostname(options.verify_reverse_mapping),
+ "ssh");
}
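Review bot: The `geteuid() == 0` guard added on the new side of this hunk protects only this call site; the second call to record_failed_login() in getpwnamallow() is made unconditionally, and the old AIX code did not have this guard either, so the two callers now behave differently when sshd is not running as root. Since the privilege requirement belongs to the platform hooks (loginfailed(), cray_login_failure()) rather than to the caller, the check would be better placed once inside record_failed_login() in sshlogin.c, e.g. `if (geteuid() != 0) return;` at the top of that function, and dropped from the condition here, leaving `if (authenticated == 0 && strcmp(method, "password") == 0)`. Note also that gating on the literal "password" method means any other method that ends up checking the same account password (if this tree has one) would not be counted — worth a comment at this site stating that only the "password" method is recorded. auth_log()'s body starts outside the hunk.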
/*
@@ -496,11 +494,9 @@
if (pw == NULL) {
log("Illegal user %.100s from %.100s",
user, get_remote_ipaddr());
-#ifdef WITH_AIXAUTHENTICATE
- loginfailed(user,
+ record_failed_login(user,
get_canonical_hostname(options.verify_reverse_mapping),
"ssh");
-#endif
return (NULL);
}
if (!allowed_user(pw))
Index: auth1.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
retrieving revision 1.78
diff -u -r1.78 auth1.c
--- auth1.c 23 Jan 2003 06:41:20 -0000 1.78
+++ auth1.c 27 Jan 2003 10:51:39 -0000
@@ -311,8 +311,6 @@
authctxt->user);
#ifdef _UNICOS
- if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated)
- cray_login_failure(authctxt->user, IA_UDBERR);
if (authenticated && cray_access_denied(authctxt->user)) {
authenticated = 0;
fatal("Access denied for user %s.",authctxt->user);
Index: auth2.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
retrieving revision 1.111
diff -u -r1.111 auth2.c
--- auth2.c 26 Sep 2002 00:38:49 -0000 1.111
+++ auth2.c 27 Jan 2003 11:38:03 -0000
@@ -242,10 +242,6 @@
if (authctxt->failures++ > AUTH_FAIL_MAX) {
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
}
-#ifdef _UNICOS
- if (strcmp(method, "password") == 0)
- cray_login_failure(authctxt->user, IA_UDBERR);
-#endif /* _UNICOS */
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);
Index: sshlogin.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshlogin.c,v
retrieving revision 1.9
diff -u -r1.9 sshlogin.c
--- sshlogin.c 1 Jan 2003 23:43:56 -0000 1.9
+++ sshlogin.c 27 Jan 2003 11:47:18 -0000
@@ -42,6 +42,7 @@
RCSID("$OpenBSD: sshlogin.c,v 1.5 2002/08/29 15:57:25 stevesk Exp $");
#include "loginrec.h"
+#include "log.h"
/*
* Returns the time when the user last logged in. Returns 0 if the
@@ -98,4 +99,20 @@
li = login_alloc_entry(pid, user, NULL, ttyname);
login_logout(li);
login_free_entry(li);
+}
+
+
+/* Record a failed login attempt. */
+void
+record_failed_login(const char *user, const char *host, const char *ttyname)
+{
+ debug3("%s user %s host %s tty %s", __func__, user, host, ttyname);
+
+#ifdef WITH_AIXAUTHENTICATE
+ loginfailed(user, host, ttyname);
+#endif
+
+#ifdef _UNICOS
+ cray_login_failure(authctxt->user, IA_UDBERR);
+#endif /* _UNICOS */
}
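Review bot: The _UNICOS branch of the new record_failed_login() references `authctxt->user`, but `authctxt` is not a parameter of this function and is not visible in sshlogin.c, so the UNICOS build would fail to compile; the text was carried over verbatim from auth1.c/auth2.c where authctxt is in scope. It should use the function's own parameter: `cray_login_failure(user, IA_UDBERR);`. The patch also does not show a declaration of record_failed_login() being added to sshlogin.h, yet auth.c now calls it in two places; unless that header change exists outside this diff, auth.c relies on an implicit declaration, so a prototype `void record_failed_login(const char *, const char *, const char *);` should be added next to record_login()'s. A one-line header comment on the function stating that it is only meaningful when sshd has the privilege the platform hook requires would also help the next porter.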