diff options
author | djm@openbsd.org <djm@openbsd.org> | 2017-06-24 06:34:38 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-06-24 16:56:11 +1000 |
commit | 8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch) | |
tree | 51ab66a6011af6459e0d4ca15a4b4b78368607a1 /auth.h | |
parent | e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff) |
upstream commit
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'auth.h')
-rw-r--r-- | auth.h | 48 |
1 files changed, 33 insertions, 15 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.91 2017/05/30 14:29:59 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.92 2017/06/24 06:34:38 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -44,6 +44,7 @@ struct ssh; struct sshkey; +struct sshbuf; typedef struct Authctxt Authctxt; typedef struct Authmethod Authmethod; @@ -62,13 +63,17 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ char *style; + + /* Method lists for multiple authentication */ + char **auth_methods; /* modified from server config */ + u_int num_auth_methods; + + /* Authentication method-specific data */ + void *methoddata; void *kbdintctxt; - char *info; /* Extra info for next auth_log */ #ifdef BSD_AUTH auth_session_t *as; #endif - char **auth_methods; /* modified from server config */ - u_int num_auth_methods; #ifdef KRB5 krb5_context krb5_ctx; krb5_ccache krb5_fwd_ccache; @@ -76,12 +81,20 @@ struct Authctxt { char *krb5_ticket_file; char *krb5_ccname; #endif - Buffer *loginmsg; - void *methoddata; + struct sshbuf *loginmsg; + + /* Authentication keys already used; these will be refused henceforth */ + struct sshkey **prev_keys; + u_int nprev_keys; - struct sshkey **prev_userkeys; - u_int nprev_userkeys; + /* Last used key and ancilliary information from active auth method */ + struct sshkey *auth_method_key; + char *auth_method_info; + + /* Information exposed to session */ + struct sshbuf *session_info; /* Auth info for environment */ }; + /* * Every authentication method has to handle authentication requests for * non-existing users, or for users that are not allowed to login. In this @@ -120,10 +133,18 @@ int auth_password(Authctxt *, const char *); int hostbased_key_allowed(struct passwd *, const char *, char *, struct sshkey *); int user_key_allowed(struct passwd *, struct sshkey *, int); -void pubkey_auth_info(Authctxt *, const struct sshkey *, const char *, ...) - __attribute__((__format__ (printf, 3, 4))); -void auth2_record_userkey(Authctxt *, struct sshkey *); -int auth2_userkey_already_used(Authctxt *, struct sshkey *); +int auth2_key_already_used(Authctxt *, const struct sshkey *); + +/* + * Handling auth method-specific information for logging and prevention + * of key reuse during multiple authentication. + */ +void auth2_authctxt_reset_info(Authctxt *); +void auth2_record_key(Authctxt *, int, const struct sshkey *); +void auth2_record_info(Authctxt *authctxt, const char *, ...) + __attribute__((__format__ (printf, 2, 3))) + __attribute__((__nonnull__ (2))); +void auth2_update_session_info(Authctxt *, const char *, const char *); struct stat; int auth_secure_path(const char *, struct stat *, const char *, uid_t, @@ -150,9 +171,6 @@ void disable_forwarding(void); void do_authentication2(Authctxt *); -void auth_info(Authctxt *authctxt, const char *, ...) - __attribute__((__format__ (printf, 2, 3))) - __attribute__((__nonnull__ (2))); void auth_log(Authctxt *, int, int, const char *, const char *); void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn)); void userauth_finish(struct ssh *, int, const char *, const char *); |