authordjm <djm@openbsd.org>2017-06-24 06:34:38 +0000
committerdjm <djm@openbsd.org>2017-06-24 06:34:38 +0000
commit0fafb8f15103750de30cf30b93fb548e93bda91c (patch)
tree1b9e0f2714d22f0978866c97b873a2199b5ce320 /usr.bin/ssh/auth.h
parentword fix; (diff)
refactor authentication logging
Optionally record successful auth methods and public credentials used in a file accessible to user sessions. Feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/auth.h')
-rw-r--r--usr.bin/ssh/auth.h45
1 files changed, 31 insertions, 14 deletions
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index 1fea67ce3b6..96fd1a72ed2 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.91 2017/05/30 14:29:59 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.92 2017/06/24 06:34:38 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -57,22 +57,34 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
- void *kbdintctxt;
- char *info; /* Extra info for next auth_log */
- auth_session_t *as;
+
+ /* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
u_int num_auth_methods;
+
+ /* Authentication method-specific data */
+ void *methoddata;
+ void *kbdintctxt;
+ auth_session_t *as;
#ifdef KRB5
krb5_context krb5_ctx;
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;
#endif
- void *methoddata;
- struct sshkey **prev_userkeys;
- u_int nprev_userkeys;
+ /* Authentication keys already used; these will be refused henceforth */
+ struct sshkey **prev_keys;
+ u_int nprev_keys;
+
+ /* Last used key and ancilliary information from active auth method */
+ struct sshkey *auth_method_key;
+ char *auth_method_info;
+
+ /* Information exposed to session */
+ struct sshbuf *session_info; /* Auth info for environment */
};
+
/*
* Every authentication method has to handle authentication requests for
* non-existing users, or for users that are not allowed to login. In this
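Review bot: The comment on the new `struct sshbuf *session_info;` member says only "Auth info for environment", but per the commit message this buffer is written to a file readable by the user session, so the field comment should state what may be placed in it: `struct sshbuf *session_info; /* Auth info exposed to the user session (successful method names and public credentials only) */`. Anything appended here later becomes visible to the unprivileged session, and the struct comment is where a maintainer will look for that constraint. The comment two fields above also misspells "ancilliary"; it should read `/* Last used key and ancillary information from active auth method */`. struct Authctxt opens before this hunk; only its closing brace is visible here.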
@@ -111,10 +123,18 @@ int auth_password(Authctxt *, const char *);
int hostbased_key_allowed(struct passwd *, const char *, char *,
struct sshkey *);
int user_key_allowed(struct passwd *, struct sshkey *, int);
-void pubkey_auth_info(Authctxt *, const struct sshkey *, const char *, ...)
- __attribute__((__format__ (printf, 3, 4)));
-void auth2_record_userkey(Authctxt *, struct sshkey *);
-int auth2_userkey_already_used(Authctxt *, struct sshkey *);
+int auth2_key_already_used(Authctxt *, const struct sshkey *);
+
+/*
+ * Handling auth method-specific information for logging and prevention
+ * of key reuse during multiple authentication.
+ */
+void auth2_authctxt_reset_info(Authctxt *);
+void auth2_record_key(Authctxt *, int, const struct sshkey *);
+void auth2_record_info(Authctxt *authctxt, const char *, ...)
+ __attribute__((__format__ (printf, 2, 3)))
+ __attribute__((__nonnull__ (2)));
+void auth2_update_session_info(Authctxt *, const char *, const char *);
struct stat;
int auth_secure_path(const char *, struct stat *, const char *, uid_t,
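Review bot: The `int` parameter of the new `auth2_record_key(Authctxt *, int, const struct sshkey *)` prototype has no name or comment, so a caller cannot tell from the header what it selects; a one-line comment above it would help, e.g. `/* int flag: presumably whether the key completed authentication -- confirm against the definition */`. The new `auth2_record_info(Authctxt *authctxt, const char *, ...)` prototype also names its first parameter while every neighbouring declaration in this hunk leaves it unnamed; for consistency change it to `void auth2_record_info(Authctxt *, const char *, ...)`. The `auth_secure_path` prototype on the hunk's last line continues outside the hunk.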
@@ -129,9 +149,6 @@ void krb5_cleanup_proc(Authctxt *authctxt);
void do_authentication2(Authctxt *);
-void auth_info(Authctxt *authctxt, const char *, ...)
- __attribute__((__format__ (printf, 2, 3)))
- __attribute__((__nonnull__ (2)));
void auth_log(Authctxt *, int, int, const char *, const char *);
void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
void userauth_finish(struct ssh *, int, const char *, const char *);