From e8c56fba2926cfdaf7759edf3d53af8823db9dbc Mon Sep 17 00:00:00 2001
From: Ed Maste <emaste@FreeBSD.org>
Date: Wed, 20 Nov 2019 16:30:37 +0000
Subject: sshd: make getpwclass wrapper MON_ISAUTH not MON_AUTH

In r339216 a privsep wrapper was added for login_getpwclass to address
PR 231172.  Unfortunately the change used the MON_AUTH flag in the
wrapper, and MON_AUTH includes MON_AUTHDECIDE which triggers an
auth_log() on each invocation.  getpwclass() does not participate in the
authentication decision, so should be MON_ISAUTH instead.

PR:		234793
Submitted by:	Henry Hu
Reviewed by:	Yuichiro NAITO
MFC after:	1 week
---
 crypto/openssh/monitor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'crypto')

diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 1913b1f8a1e92..c5e3708c2563c 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -193,7 +193,7 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 #ifdef HAVE_LOGIN_CAP
-    {MONITOR_REQ_GETPWCLASS, MON_AUTH, mm_answer_login_getpwclass},
+    {MONITOR_REQ_GETPWCLASS, MON_ISAUTH, mm_answer_login_getpwclass},
 #endif
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-- 
cgit v1.2.3