index 2947eb0..8a53dd7 100644 (file)
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.145 2015/02/20 22:17:21 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.150 2015/06/22 23:42:16 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -404,7 +404,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
                        auth_log(authctxt, authenticated, partial,
                            auth_method, auth_submethod);
-                       if (!authenticated)
+                       if (!partial && !authenticated)
                                authctxt->failures++;
                }
        }
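Review bot: The new condition `if (!partial && !authenticated)` changes which attempts are counted in authctxt->failures, and nothing in the hunk records why a partial success is exempt; a reader who sees a "successful" method not bumping the counter may well revert it. Suggest a comment above the line, `/* a partial success is progress toward a multi-method login, not a failed attempt, so it must not count toward the failure limit */` — the limit itself (presumably MaxAuthTries) is checked outside this hunk, so hedge the wording if that cannot be confirmed. The enclosing loop and monitor_child_preauth both start and end outside the hunk.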
@@ -1089,9 +1089,7 @@ extern KbdintDevice sshpam_device;
 int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
-
        debug3("%s", __func__);
-       authctxt->user = buffer_get_string(m, NULL);
        sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
        sshpam_authok = NULL;
        buffer_clear(m);
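Review bot: With `authctxt->user = buffer_get_string(m, NULL);` removed, mm_answer_pam_init_ctx now depends on authctxt->user having been established earlier by the monitor itself rather than supplied in the request, and nothing in the function says so; the next person who sees init_ctx using a user name the request never carried will wonder where it came from. Suggest a comment before the init_ctx call, `/* authctxt->user is the monitor's own record of the user; the request carries no user name and none is accepted from it */`. The function continues past the end of the hunk.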
@@ -1173,14 +1171,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+       int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
        debug3("%s", __func__);
        (sshpam_device.free_ctx)(sshpam_ctxt);
+       sshpam_ctxt = sshpam_authok = NULL;
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
        auth_method = "keyboard-interactive";
        auth_submethod = "pam";
-       return (sshpam_authok == sshpam_ctxt);
+       return r;
 }
 #endif
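Review bot: `int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;` must be computed before `(sshpam_device.free_ctx)(sshpam_ctxt);` and the reset `sshpam_ctxt = sshpam_authok = NULL;`, because after those two lines the comparison can no longer be made, yet the ordering constraint is not written down. Suggest a comment above the declaration, `/* evaluate the result first: free_ctx() releases the context and both pointers are cleared below so a stale context can never be reused or compared */`. The added `!= NULL` term also means two NULL pointers no longer count as a match, which the old `return (sshpam_authok == sshpam_ctxt);` allowed; that is worth stating in the same comment so it is not seen as accidental.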
 
@@ -1190,7 +1190,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
        Key *key;
        char *cuser, *chost;
        u_char *blob;
-       u_int bloblen;
+       u_int bloblen, pubkey_auth_attempt;
        enum mm_keytype type = 0;
        int allowed = 0;
 
@@ -1200,6 +1200,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
        cuser = buffer_get_string(m, NULL);
        chost = buffer_get_string(m, NULL);
        blob = buffer_get_string(m, &bloblen);
+       pubkey_auth_attempt = buffer_get_int(m);
 
        key = key_from_blob(blob, bloblen);
 
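Review bot: `pubkey_auth_attempt = buffer_get_int(m);` takes a value from the request and then uses it as a boolean in the next hunk, both as an argument to `user_key_allowed(authctxt->pw, key, pubkey_auth_attempt)` and in `(!pubkey_auth_attempt || allowed != 1)`; any nonzero word behaves as "true", which is fine for the checks shown but should be stated, and the variable's declaration in the preceding hunk (`u_int bloblen, pubkey_auth_attempt;`) carries no hint either. Suggest a comment at the read, `/* flag from the requesting side: zero means a query about the key only, nonzero a real attempt; either way options are kept only when allowed == 1 */` — the "query only" reading is inferred from the clear-options condition, and user_key_allowed's use of the flag is outside this diff, so confirm both before committing the wording. The enclosing function continues past the end of the hunk.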
@@ -1220,19 +1221,19 @@ mm_answer_keyallowed(int sock, Buffer *m)
                        allowed = options.pubkey_authentication &&
                            !auth2_userkey_already_used(authctxt, key) &&
                            match_pattern_list(sshkey_ssh_name(key),
-                           options.pubkey_key_types,
-                           strlen(options.pubkey_key_types), 0) == 1 &&
-                           user_key_allowed(authctxt->pw, key);
+                           options.pubkey_key_types, 0) == 1 &&
+                           user_key_allowed(authctxt->pw, key,
+                           pubkey_auth_attempt);
                        pubkey_auth_info(authctxt, key, NULL);
                        auth_method = "publickey";
-                       if (options.pubkey_authentication && allowed != 1)
+                       if (options.pubkey_authentication &&
+                           (!pubkey_auth_attempt || allowed != 1))
                                auth_clear_options();
                        break;
                case MM_HOSTKEY:
                        allowed = options.hostbased_authentication &&
                            match_pattern_list(sshkey_ssh_name(key),
-                           options.hostbased_key_types,
-                           strlen(options.hostbased_key_types), 0) == 1 &&
+                           options.hostbased_key_types, 0) == 1 &&
                            hostbased_key_allowed(authctxt->pw,
                            cuser, chost, key);
                        pubkey_auth_info(authctxt, key,
@@ -1479,6 +1480,9 @@ mm_record_login(Session *s, struct passwd *pw)
        socklen_t fromlen;
        struct sockaddr_storage from;
 
+       if (options.use_login)
+               return;
+
        /*
         * Get IP address of client. If the connection is not a socket, let
         * the address be 0.0.0.0.
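Review bot: The early `if (options.use_login) return;` in mm_record_login has no comment saying why UseLogin skips login recording entirely; presumably the login program performs its own session accounting in that case, but that is not visible here and should be confirmed and written down, e.g. `/* with UseLogin the login program records the session itself; the monitor must not do it twice */`. Placing the return before the client-address lookup is the right spot, since the socket queries that follow would otherwise be wasted work. The function's prologue and the rest of its body lie outside the hunk.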