# patch to make OpenSSH refuse logins and log usernames/passwords # patch -p0 < filename # # I run it as non-root on a high port # (with port redirection so it appears from the outside to # be on port 22) # with an alternate "etc" config directory # and confined in an additional OS-dependent way. # # No warranty. # # Obvious, but worth stating, you don't want logging like this on # hosts intended to receive SSH sessions. Because this patch always # refuses logins you can't use it there unawares. # Aug 10 00:18:42 HoStNaMe honeypot_sshd[27850]: PW-ATTEMPT(auth-passwd.c:70): test/test # Aug 10 00:18:42 HoStNaMe honeypot_sshd[27851]: Failed password for illegal user test from 206.72.66.175 port 36587 ssh2 # Aug 10 00:18:43 HoStNaMe honeypot_sshd[27852]: PW-ATTEMPT(auth-passwd.c:70): guest/guest # Aug 10 00:18:43 HoStNaMe honeypot_sshd[27853]: Failed password for illegal user guest from 206.72.66.175 port 36591 ssh2 diff -r -C2 openssh-3.8.1p1/auth-passwd.c Hopenssh-3.8.1p1/auth-passwd.c *** openssh-3.8.1p1/auth-passwd.c Thu Mar 4 11:59:37 2004 --- Hopenssh-3.8.1p1/auth-passwd.c Sat Aug 7 23:46:03 2004 *************** *** 67,70 **** --- 67,74 ---- static int expire_checked = 0; + + logit("PW-ATTEMPT(%s:%d): %s/%s", __FILE__, __LINE__, pw->pw_name, password); + + #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) *************** *** 112,115 **** --- 116,121 ---- auth_session_t *as; + logit("PW-ATTEMPT(%s:%d): %s/%s", __FILE__, __LINE__, pw->pw_name, password); + as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh", (char *)password); *************** *** 142,149 **** /* ! * Authentication is accepted if the encrypted passwords ! * are identical. */ ! return (strcmp(encrypted_password, pw_password) == 0); } #endif --- 148,154 ---- /* ! * Always reject. */ ! 
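Review bot: The new `logit("PW-ATTEMPT(%s:%d): %s/%s", __FILE__, __LINE__, pw->pw_name, password);` next to `expire_checked` prints two attacker-supplied strings with an unbounded `%s`, while the surrounding code caps such fields at `%.100s`, and the `name/password` layout is ambiguous since either field may itself contain `/`. The record also carries no peer address, so each attempt has to be joined to the separate "Failed password ... from ..." line (as in the preamble sample) to find its source; whether logit() escapes control characters in these strings is decided in log.c, not visible here, and is worth confirming. I would log the fields delimited, bounded and with the peer, e.g. `logit("PW-ATTEMPT(%s:%d): user=\"%.100s\" pass=\"%.100s\" from %s port %d", __FILE__, __LINE__, pw->pw_name, password, get_remote_ipaddr(), get_remote_port());`. The same format change applies to the logit in the BSD_AUTH hunk that follows. The enclosing auth_password() starts before and ends after this hunk.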
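Review bot: In the BSD_AUTH variant of sys_auth_passwd() the new logit is followed by the unchanged `as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh", (char *)password);`, so on BSD_AUTH builds real password verification still runs and the "Always reject" edit in the later hunk covers only the crypt-based variant. A `return 0;` placed right after the logit (or a single guard in auth_password()) would make the refusal independent of the build flavour. On such builds the attempt is also recorded twice, because auth_password() already emits the same PW-ATTEMPT line before calling into this function, assuming its call structure is as in unpatched 3.8. The function continues beyond the hunk.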
return 0; } #endif diff -r -C2 openssh-3.8.1p1/auth-shadow.c Hopenssh-3.8.1p1/auth-shadow.c *** openssh-3.8.1p1/auth-shadow.c Sat Feb 21 23:22:05 2004 --- Hopenssh-3.8.1p1/auth-shadow.c Sat Aug 7 23:46:58 2004 *************** *** 49,74 **** auth_shadow_acctexpired(struct spwd *spw) { - time_t today; - int daysleft; - char buf[256]; - - today = time(NULL) / DAY; - daysleft = spw->sp_expire - today; - debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today, - (int)spw->sp_expire, daysleft); - - if (spw->sp_expire == -1) { - debug3("account expiration disabled"); - } else if (daysleft < 0) { - logit("Account %.100s has expired", spw->sp_namp); - return 1; - } else if (daysleft <= spw->sp_warn) { - debug3("account will expire in %d days", daysleft); - snprintf(buf, sizeof(buf), - "Your account will expire in %d day%s.\n", daysleft, - daysleft == 1 ? "" : "s"); - buffer_append(&loginmsg, buf, strlen(buf)); - } - return 0; } --- 49,52 ---- *************** *** 81,134 **** auth_shadow_pwexpired(Authctxt *ctxt) { - struct spwd *spw = NULL; - const char *user = ctxt->pw->pw_name; - char buf[256]; - time_t today; - int daysleft, disabled = 0; - - if ((spw = getspnam((char *)user)) == NULL) { - error("Could not get shadow information for %.100s", user); - return 0; - } - - today = time(NULL) / DAY; - debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today, - (int)spw->sp_lstchg, (int)spw->sp_max); - - #if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec()) { - struct pr_passwd *pr; - - pr = getprpwnam((char *)user); - - /* Test for Trusted Mode expiry disabled */ - if (pr != NULL && pr->ufld.fd_min == 0 && - pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 && - pr->ufld.fd_pw_expire_warning == 0 && - pr->ufld.fd_schange != 0) - disabled = 1; - } - #endif - - /* TODO: check sp_inact */ - daysleft = spw->sp_lstchg + spw->sp_max - today; - if (disabled) { - debug3("password expiration disabled"); - } else if (spw->sp_lstchg == 0) { - 
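Review bot: `return 0;` replaces only the final comparison of the crypt-based sys_auth_passwd(); any earlier success return in this function is untouched (its start lies outside the hunk — 3.8 had an empty-password short-circuit ahead of the xcrypt() call, worth confirming), and the xcrypt() call that fills `encrypted_password` presumably remains, leaving that variable assigned but never read. The patch also only reaches password authentication on this path: the BSD_AUTH variant above still calls auth_usercheck(), auth_password() returns before reaching this function on PAM and Kerberos builds if 3.8's structure is unchanged, and public-key, keyboard-interactive and hostbased methods are not touched at all. The preamble's "always refuses logins" therefore holds only when the build and the alternate sshd_config disable those paths. A guard at the top of auth_password(), `return 0;` immediately after the PW-ATTEMPT logit, would not depend on the build configuration, and the now-unused `encrypted_password` and `pw_password` locals can then be dropped to keep the build warning-free.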
logit("User %.100s password has expired (root forced)", user); - return 1; - } else if (spw->sp_max == -1) { - debug3("password expiration disabled"); - } else if (daysleft < 0) { - logit("User %.100s password has expired (password aged)", user); - return 1; - } else if (daysleft <= spw->sp_warn) { - debug3("password will expire in %d days", daysleft); - snprintf(buf, sizeof(buf), - "Your password will expire in %d day%s.\n", daysleft, - daysleft == 1 ? "" : "s"); - buffer_append(&loginmsg, buf, strlen(buf)); - } - return 0; } --- 59,62 ---- diff -r -C2 openssh-3.8.1p1/auth.c Hopenssh-3.8.1p1/auth.c *** openssh-3.8.1p1/auth.c Sat Feb 21 22:43:15 2004 --- Hopenssh-3.8.1p1/auth.c Sat Aug 7 23:47:28 2004 *************** *** 555,564 **** struct passwd * ! fakepw(void) { static struct passwd fake; memset(&fake, 0, sizeof(fake)); ! fake.pw_name = "NOUSER"; fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; --- 555,566 ---- struct passwd * ! fakepw(char *fakeusername) { static struct passwd fake; + logit("in fakepw() with name %s", fakeusername); + memset(&fake, 0, sizeof(fake)); ! fake.pw_name = strdup(fakeusername); fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; diff -r -C2 openssh-3.8.1p1/auth.h Hopenssh-3.8.1p1/auth.h *** openssh-3.8.1p1/auth.h Fri Apr 16 13:47:55 2004 --- Hopenssh-3.8.1p1/auth.h Sat Aug 7 23:46:03 2004 *************** *** 180,184 **** void auth_debug_reset(void); ! struct passwd *fakepw(void); #define AUTH_FAIL_MAX 6 --- 180,184 ---- void auth_debug_reset(void); ! struct passwd *fakepw(char *); #define AUTH_FAIL_MAX 6 diff -r -C2 openssh-3.8.1p1/auth1.c Hopenssh-3.8.1p1/auth1.c *** openssh-3.8.1p1/auth1.c Mon Mar 8 12:04:07 2004 --- Hopenssh-3.8.1p1/auth1.c Sat Aug 7 23:46:03 2004 *************** *** 73,77 **** struct passwd *pw = authctxt->pw; ! debug("Attempting authentication for %s%.100s.", authctxt->valid ? 
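Review bot: `fake.pw_name = strdup(fakeusername);` allocates on every call while the preceding `memset(&fake, 0, sizeof(fake));` discards the previous copy, so each attempt leaks one string, and the unchecked NULL return would put a null `pw_name` into later `%s` formats. The rest of the tree uses `xstrdup()` (see `authctxt->user = xstrdup(login);` in the monitor.c hunk), which aborts on allocation failure instead of returning NULL; keeping the copy in a static and releasing the previous one fixes both. Since fakepw() only reads the name, the parameter here and in the auth.h prototype can be `const char *`, and the new `logit("in fakepw() with name %s", ...)` should bound the attacker-chosen name with `%.100s` like the rest of the file.
```c
struct passwd *
fakepw(const char *fakeusername)
{
	static struct passwd fake;
	static char *fake_name = NULL;

	logit("in fakepw() with name %.100s", fakeusername);

	memset(&fake, 0, sizeof(fake));
	/* fake is reused across calls: release the copy taken last time. */
	if (fake_name != NULL)
		xfree(fake_name);
	fake_name = xstrdup(fakeusername);
	fake.pw_name = fake_name;
	/* … unchanged: pw_passwd and the remaining fake fields … */
```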
"" : "illegal user ", authctxt->user); --- 73,78 ---- struct passwd *pw = authctxt->pw; ! logit("Attempting authentication (%s:%d) for %s%.100s.", ! __FILE__, __LINE__, authctxt->valid ? "" : "illegal user ", authctxt->user); *************** *** 175,178 **** --- 176,181 ---- /* Try authentication with the password. */ + logit("Calling auth_password() from %s:%d", + __FILE__, __LINE__ ); authenticated = PRIVSEP(auth_password(authctxt, password)); *************** *** 296,305 **** /* Verify that the user is a valid user. */ ! if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) ! authctxt->valid = 1; ! else { ! debug("do_authentication: illegal user %s", user); ! authctxt->pw = fakepw(); ! } setproctitle("%s%s", authctxt->pw ? user : "unknown", --- 299,304 ---- /* Verify that the user is a valid user. */ ! debug("do_authentication: faking user %s", user); ! authctxt->pw = fakepw(user); setproctitle("%s%s", authctxt->pw ? user : "unknown", diff -r -C2 openssh-3.8.1p1/auth2.c Hopenssh-3.8.1p1/auth2.c *** openssh-3.8.1p1/auth2.c Mon Mar 8 12:04:07 2004 --- Hopenssh-3.8.1p1/auth2.c Sat Aug 7 23:46:03 2004 *************** *** 160,165 **** #endif } else { ! logit("input_userauth_request: illegal user %s", user); ! authctxt->pw = fakepw(); #ifdef USE_PAM if (options.use_pam) --- 160,165 ---- #endif } else { ! logit("input_userauth_request: faking user %s", user); ! 
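Review bot: The protocol-1 path now calls `fakepw(user)` for every login, whereas the auth2.c hunk (else-branch) and the monitor.c hunk substitute the fake entry only when the lookup fails, so a valid account is handled differently by the two protocols; for a decoy the unconditional form is the safer one, since nothing then depends on the account's real password data, and auth2.c could be made to match. The dropped `PRIVSEP(getpwnamallow(user))` call also carried the AllowUsers/DenyUsers check and, as far as I recall from 3.8's auth.c, the "Illegal user ... from ..." record with the peer address, so that information is no longer produced on this path. With `authctxt->pw` now always set, `authctxt->pw ? user : "unknown"` in the setproctitle() call is dead and can simply be `user`.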
authctxt->pw = fakepw(user); #ifdef USE_PAM if (options.use_pam) diff -r -C2 openssh-3.8.1p1/cipher.c Hopenssh-3.8.1p1/cipher.c *** openssh-3.8.1p1/cipher.c Sat Feb 7 01:29:39 2004 --- Hopenssh-3.8.1p1/cipher.c Sat Aug 7 23:12:48 2004 *************** *** 70,73 **** --- 70,75 ---- extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); + extern void EVP_cast5_cbc(void); + struct Cipher { char *name; diff -r -C2 openssh-3.8.1p1/loginrec.c Hopenssh-3.8.1p1/loginrec.c *** openssh-3.8.1p1/loginrec.c Thu Apr 8 07:16:06 2004 --- Hopenssh-3.8.1p1/loginrec.c Sat Aug 7 23:46:03 2004 *************** *** 407,439 **** login_write (struct logininfo *li) { - #ifndef HAVE_CYGWIN - if ((int)geteuid() != 0) { - logit("Attempt to write login records by non-root user (aborting)"); - return 1; - } - #endif - - /* set the timestamp */ - login_set_current_time(li); - #ifdef USE_LOGIN - syslogin_write_entry(li); - #endif - #ifdef USE_LASTLOG - if (li->type == LTYPE_LOGIN) { - lastlog_write_entry(li); - } - #endif - #ifdef USE_UTMP - utmp_write_entry(li); - #endif - #ifdef USE_WTMP - wtmp_write_entry(li); - #endif - #ifdef USE_UTMPX - utmpx_write_entry(li); - #endif - #ifdef USE_WTMPX - wtmpx_write_entry(li); - #endif return 0; } --- 407,410 ---- *************** *** 443,460 **** login_utmp_only(struct logininfo *li) { - li->type = LTYPE_LOGIN; - login_set_current_time(li); - # ifdef USE_UTMP - utmp_write_entry(li); - # endif - # ifdef USE_WTMP - wtmp_write_entry(li); - # endif - # ifdef USE_UTMPX - utmpx_write_entry(li); - # endif - # ifdef USE_WTMPX - wtmpx_write_entry(li); - # endif return 0; } --- 414,417 ---- *************** *** 470,498 **** getlast_entry(struct logininfo *li) { ! #ifdef USE_LASTLOG ! return(lastlog_get_entry(li)); ! #else /* !USE_LASTLOG */ ! ! #ifdef DISABLE_LASTLOG ! /* On some systems we shouldn't even try to obtain last login ! * time, e.g. AIX */ ! return 0; ! # else /* DISABLE_LASTLOG */ ! /* Try to retrieve the last login time from wtmp */ ! 
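Review bot: `extern void EVP_cast5_cbc(void);` declares an OpenSSL function with a return type that does not match its real prototype (`const EVP_CIPHER *EVP_cast5_cbc(void)` in `<openssl/evp.h>`); calling it through the ciphers table under this declaration is undefined behaviour, and the declaration conflicts with the header wherever it is included. This looks like a build workaround; if the target OpenSSL was built without CAST, the cipher entry should instead be guarded with `#ifndef OPENSSL_NO_CAST`, and if the header is merely missing here it should be included rather than the function re-declared.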
# if defined(USE_WTMP) && (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP)) ! /* retrieve last login time from utmp */ ! return (wtmp_get_entry(li)); ! # else /* defined(USE_WTMP) && (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP)) */ ! /* If wtmp isn't available, try wtmpx */ ! # if defined(USE_WTMPX) && (defined(HAVE_TIME_IN_UTMPX) || defined(HAVE_TV_IN_UTMPX)) ! /* retrieve last login time from utmpx */ ! return (wtmpx_get_entry(li)); ! # else ! /* Give up: No means of retrieving last login time */ ! return 0; ! # endif /* USE_WTMPX && (HAVE_TIME_IN_UTMPX || HAVE_TV_IN_UTMPX) */ ! # endif /* USE_WTMP && (HAVE_TIME_IN_UTMP || HAVE_TV_IN_UTMP) */ ! # endif /* DISABLE_LASTLOG */ ! #endif /* USE_LASTLOG */ } --- 427,431 ---- getlast_entry(struct logininfo *li) { ! return 0; } diff -r -C2 openssh-3.8.1p1/monitor.c Hopenssh-3.8.1p1/monitor.c *** openssh-3.8.1p1/monitor.c Wed Apr 14 08:24:30 2004 --- Hopenssh-3.8.1p1/monitor.c Sat Aug 7 23:46:03 2004 *************** *** 568,571 **** --- 568,574 ---- authctxt->user = xstrdup(login); setproctitle("%s [priv]", pwent ? login : "unknown"); + if (pwent == NULL) { + authctxt->pw = fakepw(login); + } xfree(login); *************** *** 574,578 **** if (pwent == NULL) { buffer_put_char(m, 0); - authctxt->pw = fakepw(); goto out; } --- 577,580 ----
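Review bot: `authctxt->pw = fakepw(login);` is immediately followed by `xfree(login);`, so the fake entry stays valid only because fakepw() copies the name internally; if fakepw() ever stored the pointer it is handed, `authctxt->pw->pw_name` would dangle from here on. A one-line comment, `/* fakepw() copies login; it is freed below */`, makes that dependency visible, or the call can stay inside the `pwent == NULL` block of the next hunk, where it previously lived, with the free moved after it. Note that for resolved accounts the monitor keeps the real `pwent`, so whether a valid user is refused depends entirely on auth_password()'s result, not on fakepw().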