
Reorganise the logging and display of messages about SSH

authentication. We should now produce an Event Log entry for every
authentication attempted and every authentication failure; meanwhile,
messages in the PuTTY window will not be generated for the failure of
auth types unless we also announced in the PuTTY window that we were
trying them. (GSSAPI was getting the latter wrong, leading to spurious
'Access denied' for many users of 0.61.)

[originally from svn r9226]
Simon Tatham 2011-07-16 12:06:32 +00:00
parent 8cd720d608
commit 0b79fe0bcb

63
ssh.c

@ -7316,7 +7316,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
AUTH_TYPE_PUBLICKEY_OFFER_LOUD, AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
AUTH_TYPE_PUBLICKEY_OFFER_QUIET, AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
AUTH_TYPE_PASSWORD, AUTH_TYPE_PASSWORD,
AUTH_TYPE_GSSAPI, AUTH_TYPE_GSSAPI, /* always QUIET */
AUTH_TYPE_KEYBOARD_INTERACTIVE, AUTH_TYPE_KEYBOARD_INTERACTIVE,
AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
} type; } type;
@ -7678,19 +7678,20 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
/* /*
* We have received an unequivocal Access * We have received an unequivocal Access
* Denied. This can translate to a variety of * Denied. This can translate to a variety of
* messages: * messages, or no message at all.
* *
* - if we'd just tried "none" authentication, * For forms of authentication which are attempted
* it's not worth printing anything at all * implicitly, by which I mean without printing
* * anything in the window indicating that we're
* - if we'd just tried a public key _offer_, * trying them, we should never print 'Access
* the message should be "Server refused our * denied'.
* key" (or no message at all if the key *
* came from Pageant) * If we do print a message saying that we're
* * attempting some kind of authentication, it's OK
* - if we'd just tried anything else, the * to print a followup message saying it failed -
* message really should be "Access denied". * but the message may sometimes be more specific
* * than simply 'Access denied'.
*
* Additionally, if we'd just tried password * Additionally, if we'd just tried password
* authentication, we should break out of this * authentication, we should break out of this
* whole loop so as to go back to the username * whole loop so as to go back to the username
@ -7703,14 +7704,30 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) { s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD) if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
c_write_str(ssh, "Server refused our key\r\n"); c_write_str(ssh, "Server refused our key\r\n");
logevent("Server refused public key"); logevent("Server refused our key");
} else if (s->type == AUTH_TYPE_PUBLICKEY) {
/* This _shouldn't_ happen except by a
* protocol bug causing client and server to
* disagree on what is a correct signature. */
c_write_str(ssh, "Server refused public-key signature"
" despite accepting key!\r\n");
logevent("Server refused public-key signature"
" despite accepting key!");
} else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) { } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
/* server declined keyboard-interactive; ignore */ /* quiet, so no c_write */
} else { logevent("Server refused keyboard-interactive authentication");
} else if (s->type==AUTH_TYPE_GSSAPI) {
/* always quiet, so no c_write */
logevent("GSSAPI authentication failed");
} else if (s->type == AUTH_TYPE_KEYBOARD_INTERACTIVE) {
logevent("Keyboard-interactive authentication failed");
c_write_str(ssh, "Access denied\r\n"); c_write_str(ssh, "Access denied\r\n");
logevent("Access denied"); } else {
if (s->type == AUTH_TYPE_PASSWORD && assert(s->type == AUTH_TYPE_PASSWORD);
conf_get_int(ssh->conf, CONF_change_username)) { logevent("Password authentication failed");
c_write_str(ssh, "Access denied\r\n");
if (conf_get_int(ssh->conf, CONF_change_username)) {
/* XXX perhaps we should allow /* XXX perhaps we should allow
* keyboard-interactive to do this too? */ * keyboard-interactive to do this too? */
s->we_are_in = FALSE; s->we_are_in = FALSE;
@ -8059,6 +8076,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
sfree(sigdata); sfree(sigdata);
ssh2_pkt_send(ssh, s->pktout); ssh2_pkt_send(ssh, s->pktout);
logevent("Sent public key signature");
s->type = AUTH_TYPE_PUBLICKEY; s->type = AUTH_TYPE_PUBLICKEY;
key->alg->freekey(key->data); key->alg->freekey(key->data);
} }
@ -8111,6 +8129,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
ssh2_pkt_addstring(s->pktout, ssh->username); ssh2_pkt_addstring(s->pktout, ssh->username);
ssh2_pkt_addstring(s->pktout, "ssh-connection"); ssh2_pkt_addstring(s->pktout, "ssh-connection");
ssh2_pkt_addstring(s->pktout, "gssapi-with-mic"); ssh2_pkt_addstring(s->pktout, "gssapi-with-mic");
logevent("Attempting GSSAPI authentication");
/* add mechanism info */ /* add mechanism info */
s->gsslib->indicate_mech(s->gsslib, &s->gss_buf); s->gsslib->indicate_mech(s->gsslib, &s->gss_buf);
@ -8275,6 +8294,8 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
ssh2_pkt_addstring(s->pktout, ""); /* submethods */ ssh2_pkt_addstring(s->pktout, ""); /* submethods */
ssh2_pkt_send(ssh, s->pktout); ssh2_pkt_send(ssh, s->pktout);
logevent("Attempting keyboard-interactive authentication");
crWaitUntilV(pktin); crWaitUntilV(pktin);
if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) { if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
/* Server is not willing to do keyboard-interactive /* Server is not willing to do keyboard-interactive
@ -8282,8 +8303,6 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
* user without actually issuing any prompts). * user without actually issuing any prompts).
* Give up on it entirely. */ * Give up on it entirely. */
s->gotit = TRUE; s->gotit = TRUE;
if (pktin->type == SSH2_MSG_USERAUTH_FAILURE)
logevent("Keyboard-interactive authentication refused");
s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET; s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
s->kbd_inter_refused = TRUE; /* don't try it again */ s->kbd_inter_refused = TRUE; /* don't try it again */
continue; continue;
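Review bot: The new final branch of the USERAUTH_FAILURE handler in the -7703,14 hunk relies on `assert(s->type == AUTH_TYPE_PASSWORD);` to exclude every other auth type, but s->type is whatever was last attempted when a server-chosen message arrives, and the start of the if-chain is outside the hunk so it is not visible here whether values such as the "none" attempt mentioned in the removed comment are caught earlier. If any such value can reach this branch, an assert-enabled build aborts on a packet the peer controls, and an NDEBUG build instead logs "Password authentication failed" and may enter the CONF_change_username path for an attempt that was not a password at all. A safer shape is to make the password case explicit, `} else if (s->type == AUTH_TYPE_PASSWORD) {`, drop the assert, and close the chain with a final `else` that only does `logevent("Access denied");`, so unexpected types are logged rather than trapped; the enclosing block continues past the hunk, so the trailing else lands outside the lines shown. The same hunk also mixes `s->type==AUTH_TYPE_GSSAPI` with `s->type == AUTH_TYPE_KEYBOARD_INTERACTIVE`; the spaced form matches the surrounding code.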