auth_log: dont log partial successes as failures
authorVincent Brillault <vincent.brillault@cern.ch>
Sun, 24 May 2020 07:15:06 +0000 (09:15 +0200)
committerDarren Tucker <dtucker@dtucker.net>
Fri, 4 Jun 2021 06:25:32 +0000 (16:25 +1000)
By design, 'partial' logins are successful logins for which another
authentication is required, so they initially have authenticated set to 1. As
a result, authenticated is always reset to 0 when partial is set to 1.
However, even if authenticated is 0, those are not failed login
attempts, similarly to attempts with authctxt->postponed set to 1.

auth.c

diff --git a/auth.c b/auth.c
index b560eed14b1d6845123e0b0f352f9618eb0446fe..929f59a9d511c871e2d49630ca47f4f6bed8fecc 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -352,23 +352,26 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
 
        free(extra);
 
-#ifdef CUSTOM_FAILED_LOGIN
-       if (authenticated == 0 && !authctxt->postponed &&
-           (strcmp(method, "password") == 0 ||
-           strncmp(method, "keyboard-interactive", 20) == 0 ||
-           strcmp(method, "challenge-response") == 0))
-               record_failed_login(ssh, authctxt->user,
-                   auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
-# ifdef WITH_AIXAUTHENTICATE
+#if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
+       if (authenticated == 0 && !(authctxt->postponed || partial)) {
+               /* Log failed login attempt */
+# ifdef CUSTOM_FAILED_LOGIN
+               if (strcmp(method, "password") == 0 ||
+                   strncmp(method, "keyboard-interactive", 20) == 0 ||
+                   strcmp(method, "challenge-response") == 0)
+                       record_failed_login(ssh, authctxt->user,
+                           auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
+# endif
+# ifdef SSH_AUDIT_EVENTS
+               audit_event(ssh, audit_classify_auth(method));
+# endif
+       }
+#endif
+#if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
        if (authenticated)
                sys_auth_record_login(authctxt->user,
                    auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
                    loginmsg);
-# endif
-#endif
-#ifdef SSH_AUDIT_EVENTS
-       if (authenticated == 0 && !authctxt->postponed)
-               audit_event(ssh, audit_classify_auth(method));
 #endif
 }
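Review bot: The new guard `if (authenticated == 0 && !(authctxt->postponed || partial))` depends on a convention stated only in the commit message — that authenticated is always 0 when partial is set — and the one-line `/* Log failed login attempt */` gives the next maintainer no hint why partial is excluded. Replace it with a comment such as `/* Neither postponed attempts nor partial successes (authenticated is reset to 0 while a further method is still required) are failures; do not record or audit them as such. */`, so the exclusion is not later mistaken for a missing failed-login record. The same reasoning covers both the record_failed_login path and the audit_event path inside this block, which is why the two former `#ifdef` regions now share one condition. auth_log's signature and the declaration of authctxt lie before the hunk, so the caller-side reset of authenticated cannot be confirmed from these lines alone.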