authorVincent Brillault <vincent.brillault@cern.ch>2020-05-24 09:15:06 +0200
committerDarren Tucker <dtucker@dtucker.net>2021-06-04 16:25:32 +1000
commit7cd7f302d3a072748299f362f9e241d81fcecd26 (patch)
tree2b72b8be872e2092df3b317af02aca5c42ae5555 /auth.c
parente7606919180661edc7f698e6a1b4ef2cfb363ebf (diff)
auth_log: dont log partial successes as failures
By design, 'partial' logins are successful logins (so authenticated is initially set to 1) for which another authentication is still required. As a result, authenticated is always reset to 0 when partial is set to 1. However, even though authenticated is 0, these are not failed login attempts, just like attempts with authctxt->postponed set to 1.
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c29
1 files changed, 16 insertions, 13 deletions
diff --git a/auth.c b/auth.c
index b560eed1..929f59a9 100644
--- a/auth.c
+++ b/auth.c
@@ -352,23 +352,26 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
free(extra);
-#ifdef CUSTOM_FAILED_LOGIN
- if (authenticated == 0 && !authctxt->postponed &&
- (strcmp(method, "password") == 0 ||
- strncmp(method, "keyboard-interactive", 20) == 0 ||
- strcmp(method, "challenge-response") == 0))
- record_failed_login(ssh, authctxt->user,
- auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
-# ifdef WITH_AIXAUTHENTICATE
+#if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
+ if (authenticated == 0 && !(authctxt->postponed || partial)) {
+ /* Log failed login attempt */
+# ifdef CUSTOM_FAILED_LOGIN
+ if (strcmp(method, "password") == 0 ||
+ strncmp(method, "keyboard-interactive", 20) == 0 ||
+ strcmp(method, "challenge-response") == 0)
+ record_failed_login(ssh, authctxt->user,
+ auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
+# endif
+# ifdef SSH_AUDIT_EVENTS
+ audit_event(ssh, audit_classify_auth(method));
+# endif
+ }
+#endif
+#if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
if (authenticated)
sys_auth_record_login(authctxt->user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
loginmsg);
-# endif
-#endif
-#ifdef SSH_AUDIT_EVENTS
- if (authenticated == 0 && !authctxt->postponed)
- audit_event(ssh, audit_classify_auth(method));
#endif
}
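Review bot: The new guard `!(authctxt->postponed || partial)` means a partial success now produces neither a `record_failed_login()` entry nor an `audit_event()` here, and the comment `/* Log failed login attempt */` does not say why those two cases are excluded. I would expand it to something like `/* Failed attempt only: a postponed request is still in progress, and a partial success is a passed method that needs another one */`. For builds with SSH_AUDIT_EVENTS this also removes the only audit-subsystem record at this site for a first method being satisfied. A session that passes one method and never completes the next is then visible only through whatever auth_log writes before this block, which is outside the hunk; that is worth confirming and stating in the commit message. auth_log starts above the hunk, so the earlier logging path could not be checked from here.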