Log the IP along with auth success/fail attempts
--HG-- extra : convert_revision : 25eab43bd46e931fd4afecec49c22b9311062099
parent
e7677a5e8d
commit
9d43183704
@ -48,7 +48,7 @@ void session_identification();
|
||||
|
||||
|
||||
/* Server */
|
||||
void svr_session(int sock, int childpipe, char *remotehost);
|
||||
void svr_session(int sock, int childpipe, char *remotehost, char *addrstring);
|
||||
void svr_dropbear_exit(int exitcode, const char* format, va_list param);
|
||||
void svr_dropbear_log(int priority, const char* format, va_list param);
|
||||
|
||||
@ -180,6 +180,9 @@ struct serversession {
|
||||
* svr-chansession.c for details */
|
||||
struct exitinfo lastexit;
|
||||
|
||||
/* The numeric address they connected from, used for logging */
|
||||
char * addrstring;
|
||||
|
||||
};
|
||||
|
||||
typedef enum {
|
||||
|
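Review bot: The comment on the new `addrstring` field in `struct serversession` does not say who owns the string or how long it lives. Elsewhere in this commit the `m_free(addrstring)` calls in `main_inetd` and `main_noinetd` are dropped and the pointer is handed to `svr_session`, which stores it without copying. I would extend the comment to `/* The numeric address they connected from, used for logging. Allocated by the caller of svr_session() and kept for the life of the session process; never freed. */` so that a later cleanup does not re-add the free and leave the auth log calls reading a dangling pointer. The struct definition begins outside this hunk.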
@ -205,7 +205,8 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
|
||||
strcmp(username, ses.authstate.username) != 0) {
|
||||
/* the username needs resetting */
|
||||
if (ses.authstate.username != NULL) {
|
||||
dropbear_log(LOG_WARNING, "client trying multiple usernames");
|
||||
dropbear_log(LOG_WARNING, "client trying multiple usernames from %s",
|
||||
svr_ses.addrstring);
|
||||
m_free(ses.authstate.username);
|
||||
}
|
||||
authclear();
|
||||
@ -218,7 +219,8 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
|
||||
if (ses.authstate.pw == NULL) {
|
||||
TRACE(("leave checkusername: user '%s' doesn't exist", username));
|
||||
dropbear_log(LOG_WARNING,
|
||||
"login attempt for nonexistent user");
|
||||
"login attempt for nonexistent user from %s",
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
return DROPBEAR_FAILURE;
|
||||
}
|
||||
@ -336,7 +338,8 @@ void send_msg_userauth_failure(int partial, int incrfail) {
|
||||
} else {
|
||||
userstr = ses.authstate.printableuser;
|
||||
}
|
||||
dropbear_exit("Max auth tries reached - user %s", userstr);
|
||||
dropbear_exit("Max auth tries reached - user '%s' from %s",
|
||||
userstr, svr_ses.addrstring);
|
||||
}
|
||||
|
||||
TRACE(("leave send_msg_userauth_failure"));
|
||||
|
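Review bot: The `dropbear_exit` message in `send_msg_userauth_failure` now reads `user '%s' from %s` where it used to read `user %s`, so any log-watching rule keyed on the old text will stop matching. The other messages touched by this commit only gain a trailing ` from %s`. This deserves a changelog line so operators can update brute-force filters before deploying. The two `checkusername` messages log the address but not the user name, which looks deliberate; if so, a comment such as `/* username not logged here: unvalidated client input */` would record the reason. Both functions continue outside the hunks shown.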
@ -194,8 +194,9 @@ void svr_auth_pam() {
|
||||
dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n",
|
||||
rc, pam_strerror(pamHandlep, rc));
|
||||
dropbear_log(LOG_WARNING,
|
||||
"bad PAM password attempt for '%s'",
|
||||
ses.authstate.printableuser);
|
||||
"bad PAM password attempt for '%s' from %s",
|
||||
ses.authstate.printableuser,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
goto cleanup;
|
||||
}
|
||||
@ -204,15 +205,17 @@ void svr_auth_pam() {
|
||||
dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n",
|
||||
rc, pam_strerror(pamHandlep, rc));
|
||||
dropbear_log(LOG_WARNING,
|
||||
"bad PAM password attempt for '%s'",
|
||||
ses.authstate.printableuser);
|
||||
"bad PAM password attempt for '%s' from %s",
|
||||
ses.authstate.printableuser,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* successful authentication */
|
||||
dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s'",
|
||||
ses.authstate.printableuser);
|
||||
dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
|
||||
ses.authstate.printableuser,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_success();
|
||||
|
||||
cleanup:
|
||||
|
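Review bot: In the `pam_acct_mgmt() failed` branch of `svr_auth_pam`, the updated message still says `bad PAM password attempt for '%s' from %s`, identical to the `pam_authenticate()` failure above it. An account-management failure normally means the account is expired, locked or otherwise denied, not that the password was wrong. Now that these lines carry the source address, they will feed per-IP brute-force counting, which makes the mislabel more costly. I would give this branch its own text, for example `"PAM account check failed for '%s' from %s"`, and note the new string for anyone matching on the old one. The function body starts and ends outside these hunks.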
@ -88,13 +88,15 @@ void svr_auth_password() {
|
||||
if (strcmp(testcrypt, passwdcrypt) == 0) {
|
||||
/* successful authentication */
|
||||
dropbear_log(LOG_NOTICE,
|
||||
"password auth succeeded for '%s'",
|
||||
ses.authstate.printableuser);
|
||||
"password auth succeeded for '%s' from %s",
|
||||
ses.authstate.printableuser,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_success();
|
||||
} else {
|
||||
dropbear_log(LOG_WARNING,
|
||||
"bad password attempt for '%s'",
|
||||
ses.authstate.printableuser);
|
||||
"bad password attempt for '%s' from %s",
|
||||
ses.authstate.printableuser,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
}
|
||||
|
||||
|
@ -104,13 +104,13 @@ void svr_auth_pubkey() {
|
||||
if (buf_verify(ses.payload, key, buf_getptr(signbuf, signbuf->len),
|
||||
signbuf->len) == DROPBEAR_SUCCESS) {
|
||||
dropbear_log(LOG_NOTICE,
|
||||
"pubkey auth succeeded for '%s' with key %s",
|
||||
ses.authstate.printableuser, fp);
|
||||
"pubkey auth succeeded for '%s' with key %s from %s",
|
||||
ses.authstate.printableuser, fp, svr_ses.addrstring);
|
||||
send_msg_userauth_success();
|
||||
} else {
|
||||
dropbear_log(LOG_WARNING,
|
||||
"pubkey auth bad signature for '%s' with key %s",
|
||||
ses.authstate.printableuser, fp);
|
||||
"pubkey auth bad signature for '%s' with key %s from %s",
|
||||
ses.authstate.printableuser, fp, svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
}
|
||||
m_free(fp);
|
||||
@ -165,8 +165,8 @@ static int checkpubkey(unsigned char* algo, unsigned int algolen,
|
||||
/* check that we can use the algo */
|
||||
if (have_algo(algo, algolen, sshhostkey) == DROPBEAR_FAILURE) {
|
||||
dropbear_log(LOG_WARNING,
|
||||
"pubkey auth attempt with unknown algo for '%s'",
|
||||
ses.authstate.printableuser);
|
||||
"pubkey auth attempt with unknown algo for '%s' from %s",
|
||||
ses.authstate.printableuser, svr_ses.addrstring);
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
@ -94,7 +94,6 @@ static void main_inetd() {
|
||||
/* In case our inetd was lax in logging source addresses */
|
||||
addrstring = getaddrstring(&remoteaddr, 1);
|
||||
dropbear_log(LOG_INFO, "Child connection from %s", addrstring);
|
||||
m_free(addrstring);
|
||||
|
||||
/* Don't check the return value - it may just fail since inetd has
|
||||
* already done setsid() after forking (xinetd on Darwin appears to do
|
||||
@ -104,7 +103,7 @@ static void main_inetd() {
|
||||
/* Start service program
|
||||
* -1 is a dummy childpipe, just something we can close() without
|
||||
* mattering. */
|
||||
svr_session(0, -1, getaddrhostname(&remoteaddr));
|
||||
svr_session(0, -1, getaddrhostname(&remoteaddr), addrstring);
|
||||
|
||||
/* notreached */
|
||||
}
|
||||
@ -264,7 +263,6 @@ void main_noinetd() {
|
||||
|
||||
addrstring = getaddrstring(&remoteaddr, 1);
|
||||
dropbear_log(LOG_INFO, "Child connection from %s", addrstring);
|
||||
m_free(addrstring);
|
||||
|
||||
if (setsid() < 0) {
|
||||
dropbear_exit("setsid: %s", strerror(errno));
|
||||
@ -283,7 +281,8 @@ void main_noinetd() {
|
||||
|
||||
/* start the session */
|
||||
svr_session(childsock, childpipe[1],
|
||||
getaddrhostname(&remoteaddr));
|
||||
getaddrhostname(&remoteaddr),
|
||||
addrstring);
|
||||
/* don't return */
|
||||
assert(0);
|
||||
}
|
||||
|
@ -74,7 +74,8 @@ static const struct ChanType *svr_chantypes[] = {
|
||||
NULL /* Null termination is mandatory. */
|
||||
};
|
||||
|
||||
void svr_session(int sock, int childpipe, char* remotehost) {
|
||||
void svr_session(int sock, int childpipe,
|
||||
char* remotehost, char *addrstring) {
|
||||
|
||||
struct timeval timeout;
|
||||
|
||||
@ -83,6 +84,7 @@ void svr_session(int sock, int childpipe, char* remotehost) {
|
||||
|
||||
/* Initialise server specific parts of the session */
|
||||
svr_ses.childpipe = childpipe;
|
||||
svr_ses.addrstring = addrstring;
|
||||
svr_authinitialise();
|
||||
chaninitialise(svr_chantypes);
|
||||
svr_chansessinitialise();
|
||||
|