*** publickey-server.c.~1~	Fri Mar 18 08:25:41 2005
--- publickey-server.c	Fri Mar 18 08:33:32 2005
***************
*** 23,28 ****
--- 23,50 ----
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   */
+ 
+ /*
+  * VDS PKS LOGGING
+  *
+  * Patch by:		Jason A. Dour <jason@oddgeek.info>
+  *
+  * Contributions by:	Joseph Ferraro <jferraro@theferrarofamily.com>
+  *
+  * All ongoing issues with this patch and general areas in need of improvement 
+  * are commented with XXXVDSXXX.
+  *
+  * 2005.03.18 - v3	Added fix for 3.9 and 4.0.  Added auth-shadow.o and
+  *			loginrec.o as dependent objects in Makefile.  Changed
+  *			server options processing to match new method in 3.9+.
+  *
+  * 2003.05.28 - v2	Added fix for 361p2 regarding authorized_keys files in
+  *			process_list().  Possibly standardize on one keyfile?
+  *
+  * 2003.05.28 - v1	Added basic logging functionality.  Used bad bad bad
+  * 			use_privsep hack to make it work with 3.6.1p2.
+  *			Also added uidswap.o as a dependent object in the
+  *			Makefile to quell some unresolved objects.
+  */
+ 
  #include "includes.h"
  
  #include "auth.h"
***************
*** 57,62 ****
--- 79,93 ----
  /* Version of client */
  int		version;
  
+ #ifdef VDSPKS_LOGGING
+ /* User Information */
+ #define	CUNAME				cuname ? cuname : "UNKNOWN"
+ struct passwd *upw;
+ uid_t cuid;
+ pid_t ppid;
+ char *cuname;
+ #endif
+ 
  /* Server configuration file */
  Buffer		config;
  ServerOptions	options;
***************
*** 153,158 ****
--- 184,192 ----
  process_version(void)
  {
  	version = buffer_get_int(&iqueue);
+ #ifdef VDSPKS_LOGGING
+ 	logit("(%d/%d/%s) Client version %d.", ppid, cuid, CUNAME, version);
+ #endif
  	TRACE("process_version() version=%d", version);
  }
  
***************
*** 238,254 ****
  	char	*file;
  	int	success;
  
! 	TRACE("process_list(): authorized_keys_file");
! 	file = authorized_keys_file(pw);
! 	success = list_file(file);
! 	xfree(file);
! 
! 	TRACE("process_list(): authorized_keys_file2");
! 	file = authorized_keys_file2(pw);
! 	success = list_file(file) || success;
! 	xfree(file);
! 
  	TRACE("process_list() success");
  	send_status(PK_SUCCESS, "List complete");
  }
  
--- 272,299 ----
  	char	*file;
  	int	success;
  
! 	/* XXXVDSXXX - IS IT NECESSARY TO PROCESS BOTH?  WHY NOT STANDARDIZE ON ONE AND DOCUMENT IT? */
! 	if (options.authorized_keys_file != options.authorized_keys_file2) {
! 		TRACE("process_list(): authorized_keys_file\n");
! 		file = authorized_keys_file(pw);
! 		success = list_file(file);
! 		xfree(file);
!   
! 		TRACE("process_listi(): authorized_keys_file2\n");
! 		file = authorized_keys_file2(pw);
! 		success = list_file(file) || success;
! 		xfree(file);
! 	} else {
! 		TRACE("process_list(): authorized_keys_file\n");
! 		file = authorized_keys_file(pw);
! 		success = list_file(file);
! 		xfree(file);
! 	}
!   
  	TRACE("process_list() success");
+ #ifdef VDSPKS_LOGGING
+ 	logit("(%d/%d/%s) Listed keys to client.", ppid, cuid, CUNAME);
+ #endif
  	send_status(PK_SUCCESS, "List complete");
  }
  
***************
*** 315,326 ****
  	xfree(file);
  
  	if (f == NULL) {
! 		if (errno == EACCES)
! 			send_status(PK_ACCESS_DENIED, 
! 				    "Access is denied to the authorized_keys file.");
! 		else
  			send_status(PK_GENERAL_FAILURE, 
  				    "Could not open authorize_keys file.");
  		
  		xfree(comment);
  		key_free(key);
--- 360,385 ----
  	xfree(file);
  
  	if (f == NULL) {
! 		if ( errno == EACCES ) {
! #ifdef VDSPKS_LOGGING
! 			logit("(%d/%d/%s) Key add failed (%s/%d/%s): %s.", ppid, cuid, CUNAME, 
! 				key_ssh_name(key), 
! 				key_size(key), 
! 				key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX),
! 				"Access to authorized_keys denied.");
! #endif
!   			send_status(PK_ACCESS_DENIED, "Access is denied to the authorized_keys file.");
! 		} else {
! #ifdef VDSPKS_LOGGING
! 			logit("(%d/%d/%s) Key add failed (%s/%d/%s): %s.", ppid, cuid, CUNAME, 
! 				key_ssh_name(key), 
! 				key_size(key), 
! 				key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX),
! 				"Could not open authorized_keys file.");
! #endif
  			send_status(PK_GENERAL_FAILURE, 
  				    "Could not open authorize_keys file.");
+ 		}
  		
  		xfree(comment);
  		key_free(key);
***************
*** 328,333 ****
--- 387,398 ----
  	}
  
  	key_write(key, f);
+ #ifdef VDSPKS_LOGGING
+ 	logit("(%d/%d/%s) Key added (%s/%d/%s).", ppid, cuid, CUNAME, 
+ 		key_ssh_name(key), 
+ 		key_size(key), 
+ 		key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
+ #endif
  	key_free(key);
  
  	fprintf(f, " %s\n", comment);
***************
*** 337,342 ****
--- 402,411 ----
  	send_status(PK_SUCCESS, "Key added.");
  }
  
+ /*
+  * XXXVDSXXX - NEED PARANOIA CHECKS REGARDING PRIOR EXISTENCE OF TEMP FILE
+  *		TO PREVENT RACE ATTACKS, NAMED PIPES, LINKS, ET CETERA.
+  */
  static int
  remove_from_file(Key *remove_key, const char *file)
  {
***************
*** 416,436 ****
  		xfree(org_file);
  	}
  
! 	if (success == -1)
! 		send_status(PK_GENERAL_FAILURE, "Couldn't create temp file.");
! 	else if (success == 1)
! 		send_status(PK_SUCCESS, 
  			    "All instances of publickey were removed.");
! 	else	/* success == 0 */
! 		send_status(PK_KEY_NOT_FOUND, "Could not find publickey.");
! 
! 	key_free(key);
  }
  
  static void
  process_command(void)
  {
  	TRACE("process_command()");
  }
  
  /* stolen from sftp-server */
--- 485,528 ----
  		xfree(org_file);
  	}
  
! 	if (success == -1) {
! #ifdef VDSPKS_LOGGING
! 		logit("(%d/%d/%s) Key remove failed (%s/%d/%s): %s", ppid, cuid, CUNAME,
! 			key_ssh_name(key),
! 			key_size(key),
! 			key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX),
! 			"Could not create temp file.");
! #endif
!   		send_status(PK_GENERAL_FAILURE, "Couldn't create temp file.");
! 	} else if (success == 1) {
! #ifdef VDSPKS_LOGGING
! 		logit("(%d/%d/%s) Key removed (%s/%d/%s)", ppid, cuid, CUNAME,
! 			key_ssh_name(key),
! 			key_size(key),
! 			key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
! #endif
!   		send_status(PK_SUCCESS,
  			    "All instances of publickey were removed.");
! 	} else { /* success == 0 */
! #ifdef VDSPKS_LOGGING
! 		logit("(%d/%d/%s) Key remove failed (%s/%d/%s): %s", ppid, cuid, CUNAME,
! 			key_ssh_name(key),
! 			key_size(key),
! 			key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX),
! 			"Could not find public-key.");
! #endif
!   		send_status(PK_KEY_NOT_FOUND, "Could not find publickey.");
! 	}
!   	key_free(key);
  }
  
  static void
  process_command(void)
  {
  	TRACE("process_command()");
+ #ifdef VDSPKS_LOGGING
+ 	logit("(%d/%d/%s) Extended operation attempted - Ignoring.", ppid, cuid, CUNAME);
+ #endif
  }
  
  /* stolen from sftp-server */
***************
*** 467,475 ****
  		process_remove();
  	else if (strcmp(type, "command") == 0)
  		process_command();
! 	else
  		send_status(PK_REQUEST_NOT_SUPPORTED, 
  			    "The requested operation is not supported.");
  }
  
  static void
--- 559,571 ----
  		process_remove();
  	else if (strcmp(type, "command") == 0)
  		process_command();
! 	else {
! #ifdef VDSPKS_LOGGING
! 		logit("(%d/%d/%s) Invalid operation - Ignoring.", ppid, cuid, CUNAME);
! #endif
  		send_status(PK_REQUEST_NOT_SUPPORTED, 
  			    "The requested operation is not supported.");
+ 	}
  }
  
  static void
***************
*** 492,498 ****
  
  	uid = getuid();
  	pid = getpid();
! 	pw = getpwuid(uid);
  
  #ifdef DEBUG_PUBLICKEY_SERVER
  	log_init("publickey-server", SYSLOG_LEVEL_DEBUG1, 
--- 588,594 ----
  
  	uid = getuid();
  	pid = getpid();
! 	pw = getpwuid(uid);	/* XXXVDSXXX - NEED ERROR TRAPPING! BOMB OUT? */
  
  #ifdef DEBUG_PUBLICKEY_SERVER
  	log_init("publickey-server", SYSLOG_LEVEL_DEBUG1, 
***************
*** 535,540 ****
--- 631,655 ----
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
+ #ifdef VDSPKS_LOGGING
+ 	/* Initialize the username of the user running the process. */
+ 	cuid = uid;
+ 	if ((upw = getpwuid(cuid)) == NULL) {
+ 		cuname = NULL;
+ 	} else {
+ 		cuname = xstrdup(upw->pw_name);
+ 	}
+ 
+ 	/* Initialize the parent process ID. */
+ 	ppid = getppid();
+ 
+ 	/* Initialize the logfile. */
+ 	log_init(__progname, options.log_level, options.log_facility, 0);
+ 
+ 	/* Log session start. */
+ 	logit("(%d/%d/%s) VDS PKS session started.", ppid, cuid, CUNAME);
+ #endif
+ 
  	send_version(1);
  
  	for (;;) {
***************
*** 551,556 ****
--- 666,674 ----
  			if (errno == EINTR)
  				continue;
  			TRACE("main() exit1");
+ #ifdef VDSPKS_LOGGING
+ 			logit("(%d/%d/%s) VDS PKS session closing (%s).", ppid, cuid, CUNAME, "Select Error");
+ #endif
  			exit(2);
  		}
  
***************
*** 561,570 ****
--- 679,694 ----
  			if (len == 0) {
  				TRACE("read eof");
  				TRACE("main() exit2");
+ #ifdef VDSPKS_LOGGING
+ 				logit("(%d/%d/%s) VDS PKS session closing (%s).", ppid, cuid, CUNAME, "EOF");
+ #endif
  				exit(0);
  			} else if (len < 0) {
  				error("read error");
  				TRACE("main() exit3");
+ #ifdef VDSPKS_LOGGING
+ 				logit("(%d/%d/%s) VDS PKS session closing (%s).", ppid, cuid, CUNAME, "Read Error");
+ #endif
  				exit(1);
  			} else {
  				buffer_append(&iqueue, buf, len);
***************
*** 577,582 ****
--- 701,709 ----
  			if (len < 0) {
  				error("write error");
  				TRACE("main() exit4");
+ #ifdef VDSPKS_LOGGING
+ 				logit("(%d/%d/%s) VDS PKS session closing (%s).", ppid, cuid, CUNAME, "Write Error");
+ #endif
  				exit(1);
  			} else {
  				buffer_consume(&oqueue, len);
***************
*** 588,591 ****
--- 715,721 ----
  	}
  
  	TRACE("main() end");
+ #ifdef VDSPKS_LOGGING
+ 	logit("(%d/%d/%s) VDS PKS session closing (%s).", ppid, cuid, CUNAME, "EOF");
+ #endif
  }