From owner-freebsd-security Tue Oct 19 10:23:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 595BF1776E; Tue, 19 Oct 1999 10:23:12 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id NAA07180; Tue, 19 Oct 1999 13:23:09 -0400 (EDT)
Message-Id: <3.0.5.32.19991019132216.014d8b60@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 19 Oct 1999 13:22:16 -0400
To: torstenb@FreeBSD.org
From: Mike Tancsa
Subject: SSH port request - logging password failures
Cc: security@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
Hello,
As the port maintainer, I was wondering if you could apply some or all of the following patches to the sshd 1.2.27 distribution. It would be nice to have it act in a similar fashion to other authentication services where password failures are logged. The main one that I think is important/worthwhile is the last one,
@@ -2674,6 +2695,7 @@
 break;
 }
 debug("Password authentication for %.100s failed.", user);
+ log_msg("Password LOGIN FAILURE for user: %.100s", user);
 memset(password, 0, strlen(password));
 xfree(password);
 break;
--- sshd.c.o2 Tue Oct 19 12:41:16 1999
+++ sshd.c Tue Oct 19 13:19:39 1999
@@ -1633,6 +1633,7 @@
 if (account_is_locked)
 {
 debug("Account %.100s is locked.", user);
+ log_msg("Account %.100s is locked.", user);
 enduserdb();
 return 0;
 }
@@ -1640,6 +1641,8 @@
 {
 debug("Remote logins to account %.100s not permitted by user profile.",
 user);
+ log_msg("Remote logins to account %.100s not permitted by user profile.",
+ user);
 enduserdb();
 return 0;
 }
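Review bot: The log_msg added after the debug() in the -1633 hunk records which account was refused but not where the connection came from, so an operator reading the log cannot tell one source from another or correlate the entry with other services; the same gap is in the hunks at -1640, -1670, -1721, -1822, -1850, -1861, -1913, -1960, -1981, -1999, -2481, -2586 and -2614. The Kerberos and Rhosts hunks later in the patch already pass get_canonical_hostname(), so the shape to copy is `log_msg("Account %.100s is locked (from %.200s).", user, get_canonical_hostname());`, assuming that helper is callable from these account checks as it is from the authentication loop. Several of the new messages are also identical ("Account %.100s is locked." is added at three sites), which leaves a log entry ambiguous about which check fired; a short distinguishing word per site would remove that. The enclosing function starts and ends outside the hunk.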
@@ -1670,6 +1673,7 @@
 if (strcmp(normalized, current_time) < 0)
 {
 debug("Account %.100s has expired - access denied.", user);
+ log_msg("Account %.100s has expired - access denied.", user);
 enduserdb();
 return 0;
 }
@@ -1721,6 +1725,7 @@
 if (sp->sp_expire > 0 && today > sp->sp_expire)
 {
 debug("Account %.100s has expired - access denied.", user);
+ log_msg("Account %.100s has expired - access denied.", user);
 endspent();
 return 0;
 }
@@ -1822,6 +1827,7 @@
 if (pwd->pw_expire && pwd->pw_expire <= currtime)
 {
 debug("Account %.100s has expired - access denied.", user);
+ log_msg("Account %.100s has expired - access denied.", user);
 return 0;
 }
 else
@@ -1850,6 +1856,7 @@
 if ( pr->uflg.fg_lock && pr->ufld.fd_lock )
 {
 debug("Account %.100s is locked.",user);
+ log_msg("Account %.100s is locked.",user);
 packet_send_debug("\n\tAdministrative lock on account");
 endprpwent();
 return 0;
@@ -1861,6 +1868,7 @@
 if ( pr->uflg.fg_acct_expire && time(NULL) > pr->ufld.fd_acct_expire )
 {
 debug("Account %.100s lifetime exceeded.", user);
+ log_msg("Account %.100s lifetime exceeded.", user);
 packet_send_debug("\n\tAccount lifetime exceeded");
 endprpwent();
 return 0;
@@ -1913,6 +1921,7 @@
 if ( time(NULL) > pr->ufld.fd_schange + expire )
 {
 debug("Account %.100s passwd expired, requires change", user);
+ log_msg("Account %.100s passwd expired, requires change", user);
 if (options.forced_passwd_change)
 {
 forced_command = xmalloc(sizeof(PASSWD_PATH) +
@@ -1960,6 +1969,8 @@
 {
 debug("Account %.100s locked, too many unsuccessful login attempts",
 user);
+ log_msg("Account %.100s locked, too many unsuccessful login attempts",
+ user);
 packet_send_debug("\n\tToo many unsuccessful attempts");
 endprpwent();
 return 0;
@@ -1981,6 +1992,7 @@
 )
 {
 debug("Account %.100s is locked.", user);
+ log_msg("Account %.100s is locked.", user);
 return 0;
 }
 }
@@ -1999,6 +2011,7 @@
 if (invalid)
 {
 debug("Account %.100s doesn't have valid shell", user);
+ log_msg("Account %.100s doesn't have valid shell", user);
 return 0;
 }
 }
@@ -2267,7 +2280,6 @@
 else
 {
 /* Indicate that authentication is needed. */
- packet_start(SSH_SMSG_FAILURE);
 packet_send();
 packet_write_wait();
@@ -2351,6 +2363,8 @@
 #endif /* KRB5 */
 debug("Kerberos authentication failed for %.100s from %.200s",
 user, get_canonical_hostname());
+ log_msg("Kerberos authentication failed for %.100s from %.200s",
+ user, get_canonical_hostname());
 break;
 #endif /* KERBEROS */
@@ -2390,6 +2404,8 @@
 }
 debug("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
 user, client_user, get_canonical_hostname());
+ log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
+ user, client_user, get_canonical_hostname());
 xfree(client_user);
 break;
@@ -2451,6 +2467,8 @@
 }
 debug("RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
 user, client_user, get_canonical_hostname());
+ log_msg("RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
+ user, client_user, get_canonical_hostname());
 xfree(client_user);
 mpz_clear(&client_host_key_e);
 mpz_clear(&client_host_key_n);
@@ -2481,6 +2499,7 @@
 }
 mpz_clear(&n);
 debug("RSA authentication for %.100s failed.", user);
+ log_msg("RSA authentication for %.100s failed.", user);
 }
 break;
@@ -2586,6 +2605,7 @@
 /* Unknown user */
 auth_close();
 debug("Unknown user from authentication server");
+ log_msg("Unknown user from authentication server");
 break;
 }
 }
@@ -2614,6 +2634,7 @@
 break;
 } else {
 debug("TIS authentication for %.100s failed",user);
+ log_msg("TIS authentication for %.100s failed",user);
 memset(password, 0, strlen(password));
 xfree(password);
 break;
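Review bot: The hunk at -2267 removes `packet_start(SSH_SMSG_FAILURE);` and leaves `packet_send();` and `packet_write_wait();` on the new side with no packet_start in view, which reads as an unrelated edit that crept into a logging-only patch; the covering mail describes nothing but added log_msg calls. Unless another packet_start precedes this point outside the hunk, the failure reply that the comment on the line above promises is never framed, and the client will not get the "authentication needed" indication, so the removed line should be restored before the patch is applied. The enclosing else-block and its function start and end outside the hunk.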
@@ -2674,6 +2695,7 @@
 break;
 }
 debug("Password authentication for %.100s failed.", user);
+ log_msg("Password LOGIN FAILURE for user: %.100s", user);
 memset(password, 0, strlen(password));
 xfree(password);
 break;
---Mike
------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400 Network Administrator, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
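Review bot: The new log_msg text `Password LOGIN FAILURE for user: %.100s` breaks with every other addition in this patch, which all mirror the debug() wording, and like most of them it omits the peer host; the same hunk is quoted near the top of the message. A form consistent with the Kerberos hunk would be `log_msg("Password authentication for %.100s failed from %.200s.", user, get_canonical_hostname());`, which keeps one grep-able pattern across the file and gives an incident responder the source in the same line. The user field in a failed attempt is whatever the client sent, and people occasionally type a password there by mistake, so these entries belong in a log with the same access restrictions as the existing authentication logs rather than a general-purpose one. The enclosing switch case starts outside the hunk.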