-/* $OpenBSD: monitor.c,v 1.145 2015/02/20 22:17:21 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.150 2015/06/22 23:42:16 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
auth_log(authctxt, authenticated, partial,
auth_method, auth_submethod);
- if (!authenticated)
+ if (!partial && !authenticated)
authctxt->failures++;
}
}
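Review bot: The new test `if (!partial && !authenticated)` carries no comment explaining why a partial success is exempt from the failure count, and the two flags alone do not make that obvious. A line such as `/* A partial success (further methods still required) is not a failed attempt. */` above the test would record the intent; that reading of `partial` is inferred from its name and should be confirmed. Because `authctxt->failures` presumably feeds the attempt limit, it is also worth confirming that repeated partial successes cannot keep a session going without the counter ever advancing. The enclosing function starts outside the hunk.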
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
-
debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
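Review bot: Nothing in mm_answer_pam_init_ctx records that the user name is now deliberately not read from the request, so a later edit could reintroduce `buffer_get_string(m, NULL)` into `authctxt->user`. A comment before the `init_ctx` call, for example `/* Use the monitor's own authctxt; never accept the user name from the unprivileged side. */`, would make that trust boundary explicit. The request payload is now discarded unread by `buffer_clear(m)`, so the sending side should stop including the string; that side is not visible in this hunk. The function body continues past the end of the hunk.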
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
}
#endif
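Review bot: The result `r` must be computed before `(sshpam_device.free_ctx)(sshpam_ctxt)` runs and before both pointers are cleared, but no comment states that ordering requirement or why the `sshpam_authok != NULL` term is needed. Suggest `/* Decide the result before the context is freed; NULL == NULL must not count as success. */` above the declaration of `r`. With `sshpam_ctxt` now reset to NULL, a repeated request would reach `free_ctx(NULL)`. Whether the device callback tolerates that is not visible here, so an early return when `sshpam_ctxt == NULL` is worth considering.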
Key *key;
char *cuser, *chost;
u_char *blob;
- u_int bloblen;
+ u_int bloblen, pubkey_auth_attempt;
enum mm_keytype type = 0;
int allowed = 0;
cuser = buffer_get_string(m, NULL);
chost = buffer_get_string(m, NULL);
blob = buffer_get_string(m, &bloblen);
+ pubkey_auth_attempt = buffer_get_int(m);
key = key_from_blob(blob, bloblen);
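Review bot: `pubkey_auth_attempt` is taken verbatim from the request with `buffer_get_int(m)` and then used as a truth value, so any non-zero value from the unprivileged side counts as a real attempt. It is passed to `user_key_allowed(authctxt->pw, key, pubkey_auth_attempt)` and tested in the `auth_clear_options()` condition, both in the later hunk of this function. Normalising on read, `pubkey_auth_attempt = buffer_get_int(m) != 0;`, or rejecting values other than 0 and 1, would make the contract explicit. A short comment at the declaration should say that the flag is supplied by the sender and must not be treated as proof that authentication took place. What `user_key_allowed` does with the value is not visible here.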
allowed = options.pubkey_authentication &&
!auth2_userkey_already_used(authctxt, key) &&
match_pattern_list(sshkey_ssh_name(key),
- options.pubkey_key_types,
- strlen(options.pubkey_key_types), 0) == 1 &&
- user_key_allowed(authctxt->pw, key);
+ options.pubkey_key_types, 0) == 1 &&
+ user_key_allowed(authctxt->pw, key,
+ pubkey_auth_attempt);
pubkey_auth_info(authctxt, key, NULL);
auth_method = "publickey";
- if (options.pubkey_authentication && allowed != 1)
+ if (options.pubkey_authentication &&
+ (!pubkey_auth_attempt || allowed != 1))
auth_clear_options();
break;
case MM_HOSTKEY:
allowed = options.hostbased_authentication &&
match_pattern_list(sshkey_ssh_name(key),
- options.hostbased_key_types,
- strlen(options.hostbased_key_types), 0) == 1 &&
+ options.hostbased_key_types, 0) == 1 &&
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
pubkey_auth_info(authctxt, key,
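Review bot: The widened condition `(!pubkey_auth_attempt || allowed != 1)` before `auth_clear_options()` in the MM_USERKEY branch has no comment, and it is not obvious why an allowed key should still have its options cleared. If the intent is that a key query must not leave key options set for the session, which is inferred rather than shown, a comment such as `/* Keep key options only for an allowed, real authentication attempt; a query must not retain them. */` above the `if` would document it. The switch statement and the MM_HOSTKEY call to `pubkey_auth_info` both extend outside the hunk.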
socklen_t fromlen;
struct sockaddr_storage from;
+ if (options.use_login)
+ return;
+
/*
* Get IP address of client. If the connection is not a socket, let
* the address be 0.0.0.0.