Date:      Tue, 19 Oct 1999 13:22:16 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        torstenb@FreeBSD.org
Cc:        security@FreeBSD.org
Subject:   SSH port request - logging password failures
Message-ID:  <3.0.5.32.19991019132216.014d8b60@staff.sentex.ca>

Hello,
	As the port maintainer, I was wondering if you could apply some or all of
the following patches to the sshd 1.2.27 distribution.  It would be nice to
have it act in a similar fashion to other authentication services where
password failures are logged.  

The main one that I think is important/worthwhile is the last one (the password-failure hunk):
@@ -2674,6 +2695,7 @@
               break;
             }
           debug("Password authentication for %.100s failed.", user);
+	  log_msg("Password LOGIN FAILURE for user: %.100s", user);
           memset(password, 0, strlen(password));
           xfree(password);
           break;





--- sshd.c.o2	Tue Oct 19 12:41:16 1999
+++ sshd.c	Tue Oct 19 13:19:39 1999
@@ -1633,6 +1633,7 @@
     if (account_is_locked)
       {
         debug("Account %.100s is locked.", user);
+        log_msg("Account %.100s is locked.", user);
         enduserdb();
         return 0;
       }
@@ -1640,6 +1641,8 @@
       {
         debug("Remote logins to account %.100s not permitted by user
profile.",
               user);
+        log_msg("Remote logins to account %.100s not permitted by user
profile.",
+              user);
         enduserdb();
         return 0;
       }
@@ -1670,6 +1673,7 @@
     if (strcmp(normalized, current_time) < 0)
       {
         debug("Account %.100s has expired - access denied.", user);
+        log_msg("Account %.100s has expired - access denied.", user);
         enduserdb();
         return 0;
       }
@@ -1721,6 +1725,7 @@
         if (sp->sp_expire > 0 && today > sp->sp_expire)
           {
             debug("Account %.100s has expired - access denied.", user);
+            log_msg("Account %.100s has expired - access denied.", user);
             endspent();
             return 0;
           }
@@ -1822,6 +1827,7 @@
     if (pwd->pw_expire && pwd->pw_expire <= currtime)
       {
         debug("Account %.100s has expired - access denied.", user);
+        log_msg("Account %.100s has expired - access denied.", user);
         return 0;
       }
     else
@@ -1850,6 +1856,7 @@
         if ( pr->uflg.fg_lock && pr->ufld.fd_lock )
           {
             debug("Account %.100s is locked.",user);
+            log_msg("Account %.100s is locked.",user);
             packet_send_debug("\n\tAdministrative lock on account");
             endprpwent();
             return 0;
@@ -1861,6 +1868,7 @@
         if ( pr->uflg.fg_acct_expire && time(NULL) >
pr->ufld.fd_acct_expire )
           {
             debug("Account %.100s lifetime exceeded.", user);
+            log_msg("Account %.100s lifetime exceeded.", user);
             packet_send_debug("\n\tAccount lifetime exceeded");
             endprpwent();
             return 0;
@@ -1913,6 +1921,7 @@
             if ( time(NULL) > pr->ufld.fd_schange + expire )
               {
                 debug("Account %.100s passwd expired, requires change",
user);
+                log_msg("Account %.100s passwd expired, requires change",
user);
                 if (options.forced_passwd_change)
                   {
                     forced_command = xmalloc(sizeof(PASSWD_PATH) +
@@ -1960,6 +1969,8 @@
           {
             debug("Account %.100s locked, too many unsuccessful login
attempts",
                   user);
+            log_msg("Account %.100s locked, too many unsuccessful login
attempts",
+                  user);
             packet_send_debug("\n\tToo many unsuccessful attempts");
             endprpwent();
             return 0;
@@ -1981,6 +1992,7 @@
         )
       {
         debug("Account %.100s is locked.", user);
+        log_msg("Account %.100s is locked.", user);
         return 0;
       }
   }
@@ -1999,6 +2011,7 @@
     if (invalid)
       {
         debug("Account %.100s doesn't have valid shell", user);
+        log_msg("Account %.100s doesn't have valid shell", user);
         return 0;
       }
   }
@@ -2267,7 +2280,6 @@
   else
     {
       /* Indicate that authentication is needed. */
-
       packet_start(SSH_SMSG_FAILURE);
       packet_send();
       packet_write_wait();
@@ -2351,6 +2363,8 @@
 #endif /* KRB5 */
           debug("Kerberos authentication failed for %.100s from %.200s",
                 user, get_canonical_hostname());
+          log_msg("Kerberos authentication failed for %.100s from %.200s",
+                user, get_canonical_hostname());
           break;
 #endif /* KERBEROS */
           
@@ -2390,6 +2404,8 @@
             }
           debug("Rhosts authentication failed for '%.100s', remote
'%.100s', host '%.200s'.",
                 user, client_user, get_canonical_hostname());
+          log_msg("Rhosts authentication failed for '%.100s', remote
'%.100s', host '%.200s'.",
+                user, client_user, get_canonical_hostname());
           xfree(client_user);
           break;
 
@@ -2451,6 +2467,8 @@
             }
           debug("RhostsRSA authentication failed for '%.100s', remote
'%.100s', host '%.200s'.",
                 user, client_user, get_canonical_hostname());
+          log_msg("RhostsRSA authentication failed for '%.100s', remote
'%.100s', host '%.200s'.",
+                user, client_user, get_canonical_hostname());
           xfree(client_user);
           mpz_clear(&client_host_key_e);
           mpz_clear(&client_host_key_n);
@@ -2481,6 +2499,7 @@
               }
             mpz_clear(&n);
             debug("RSA authentication for %.100s failed.", user);
+            log_msg("RSA authentication for %.100s failed.", user);
           }
           break;
 
@@ -2586,6 +2605,7 @@
                 /* Unknown user */
                 auth_close();
                 debug("Unknown user from authentication server");
+                log_msg("Unknown user from authentication server");
                 break;
               }
             }
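Review bot: The added `log_msg("Unknown user from authentication server")` carries neither the username nor the peer address, so the record cannot be correlated with anything during an investigation. This appears to be the TIS branch (`auth_close()`); if `user` is in scope here as it is in the neighbouring TIS hunk, log it: `log_msg("TIS authentication: unknown user %.100s from %.200s", user, get_canonical_hostname());`. The enclosing case starts and ends outside this hunk.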
@@ -2614,6 +2634,7 @@
               break;
             } else {
               debug("TIS authentication for %.100s failed",user);
+              log_msg("TIS authentication for %.100s failed",user);
               memset(password, 0, strlen(password));
               xfree(password);
               break;
@@ -2674,6 +2695,7 @@
               break;
             }
           debug("Password authentication for %.100s failed.", user);
+	  log_msg("Password LOGIN FAILURE for user: %.100s", user);
           memset(password, 0, strlen(password));
           xfree(password);
           break;
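Review bot: The new password-failure record on L196 omits the source of the attempt, while the Kerberos and Rhosts messages in this same patch include `get_canonical_hostname()`; without a peer identifier the entry is of little use for spotting brute-force attempts or feeding a log watcher. Suggested: `log_msg("Password authentication for %.100s failed from %.200s.", user, get_canonical_hostname());`, which also keeps the wording of the existing debug line instead of introducing the different "LOGIN FAILURE" phrasing; the peer IP address is the more trustworthy identifier if this tree provides `get_remote_ipaddr()`, since the reverse-DNS name is chosen by whoever controls the peer's DNS. One operational caveat worth a comment above the line: if this path is also reached for nonexistent accounts, a password mistyped into the username prompt will now land in syslog, so the destination log must not be world-readable. The enclosing switch case starts before this hunk.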




	---Mike
------------------------------------------------------------------------
Mike Tancsa,                          	          tel 01.519.651.3400
Network Administrator,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada





