mkj / dropbear

Dropbear SSH
https://matt.ucc.asn.au/dropbear/dropbear.html

audit events from dropbear #183

Open manojkiraneda opened 2 years ago

manojkiraneda commented 2 years ago

I am trying to enable auditd on openbmc - and our platform of openbmc uses dropbear ssh for authentication.

From my understanding, there are certain types of login events (USER_AUTH) that should be sent by the login daemon, so that utilities like aureport and ausearch can report the login attempts & whether they were successful or failed.

In the current state, I was able to see the authentication logs in /var/log/auth.log, but I am not seeing any audit events when we log in via dropbear ssh. While I was searching I found a similar bug on lightdm & openssh where they needed the audit logging support. Is this missing in dropbear?

mkj commented 2 years ago

Dropbear doesn't currently implement Linux audit events. I'd be happy to merge patches adding it.

manojkiraneda commented 2 years ago

Sure @mkj, I would be happy to do that, but I don't exactly understand the dropbear ssh code. Can you point me to the exact points in the code where the authentication is successful & not successful?

manojkiraneda commented 2 years ago

I could probably use that as my starting point to understand the code, & then backtrack.

mkj commented 2 years ago

Auth success always results in a call to send_msg_userauth_success() (the audit call probably should be added at each caller since that has context of which auth type succeeded). For example https://github.com/mkj/dropbear/blob/17e02fe614065025a11d544ec17264f209272f11/svr-authpasswd.c#L110 for password auth.

Auth failure calls send_msg_userauth_failure(), see a few lines below for password auth. Note that send_msg_userauth_failure() also gets called when a user is querying whether a particular SSH key is acceptable, which shouldn't be counted as a "bad" event - in that case the incrfail argument is set to 0.

When too many failures are reached dropbear exits - that looks like ANOM_LOGIN_FAILURE: https://github.com/mkj/dropbear/blob/17e02fe614065025a11d544ec17264f209272f11/svr-auth.c#L438

The USER_START and USER_END events would possibly correspond with sessioncommand() and closechansess().
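As an added illustration (not dropbear code, and not part of this thread), the call sites listed above mapped onto Linux audit record types via libaudit, including the rule that a send_msg_userauth_failure() call with incrfail == 0 (a public-key acceptability query) must not be recorded as a failed login. The enum, the dropbear_audit_* names and the HAVE_LIBAUDIT guard are assumptions; the block compiles without libaudit and only emits records when built with -DHAVE_LIBAUDIT and linked against -laudit.

```c
/* Added example, not dropbear's own code. Names are assumed. */
#include <stddef.h>

#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#include <unistd.h>
#else
/* Record type numbers from <linux/audit.h>, so the mapping is testable without libaudit. */
#define AUDIT_USER_AUTH           1100
#define AUDIT_USER_START          1105
#define AUDIT_USER_END            1106
#define AUDIT_ANOM_LOGIN_FAILURES 2100
#endif

/* The dropbear call sites named in the discussion. */
enum dropbear_audit_site {
    SITE_AUTH_SUCCESS,   /* each caller of send_msg_userauth_success() */
    SITE_AUTH_FAILURE,   /* send_msg_userauth_failure() */
    SITE_MAX_FAILURES,   /* too many failures, server exits */
    SITE_SESSION_START,  /* sessioncommand() */
    SITE_SESSION_END     /* closechansess() */
};

struct audit_record {
    int type;    /* AUDIT_* record type, or 0 meaning "emit nothing" */
    int result;  /* 1 = success, 0 = failed (libaudit res= field) */
};

/* incrfail mirrors the send_msg_userauth_failure() argument: 0 is a key
 * query, which is not a failed login and produces no record. */
struct audit_record dropbear_audit_map(enum dropbear_audit_site site, int incrfail)
{
    struct audit_record r = {0, 0};
    switch (site) {
    case SITE_AUTH_SUCCESS:  r.type = AUDIT_USER_AUTH; r.result = 1; break;
    case SITE_AUTH_FAILURE:  if (incrfail) { r.type = AUDIT_USER_AUTH; r.result = 0; } break;
    case SITE_MAX_FAILURES:  r.type = AUDIT_ANOM_LOGIN_FAILURES; r.result = 0; break;
    case SITE_SESSION_START: r.type = AUDIT_USER_START; r.result = 1; break;
    case SITE_SESSION_END:   r.type = AUDIT_USER_END; r.result = 1; break;
    }
    return r;
}

/* Returns 1 if a record was sent, 0 if there was nothing to send (or libaudit
 * is not compiled in), -1 on a libaudit error. op names the auth method. */
int dropbear_audit_emit(enum dropbear_audit_site site, int incrfail,
                        const char *user, const char *peer_addr, const char *op)
{
    struct audit_record r = dropbear_audit_map(site, incrfail);
    if (r.type == 0) return 0;
#ifdef HAVE_LIBAUDIT
    int fd = audit_open();
    if (fd < 0) return -1;
    int rc = audit_log_acct_message(fd, r.type, NULL, op, user, -1, NULL, peer_addr, "ssh", r.result);
    close(fd);
    return rc < 0 ? -1 : 1;
#else
    (void)user; (void)peer_addr; (void)op;
    return 0;
#endif
}
```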

manojkiraneda commented 2 years ago

Thanks @mkj, this is really a great help. I can backtrack from this and come up with the patches that enable the audit events.