From 4318a9a998f78f1d6ee4d32facd0fc8e1e231179 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Mon, 26 May 2014 23:36:33 +0200 Subject: add dissection of pam_ssh_agent_auth data --- ssh-agent-filter.C | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 5aedb35..7ac2687 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -66,6 +66,8 @@ using std::count; using std::mutex; using std::lock_guard; +#include + #include #include #include 
@@ -339,6 +341,55 @@ bool dissect_auth_data_ssh (rfc4251string const & data, string & request_descrip request_description = "The request is for an ssh connection as user '" + string{username} + "' with service name '" + string{servicename} + "'."; + if (string{servicename} == "pam_ssh_agent_auth") try { + clog << base64_encode(session_identifier) << endl; + io::stream idstream{session_identifier.data(), session_identifier.size()}; + arm(idstream); + + rfc4251uint32 type{idstream}; + if (type == 101) { + // PAM_SSH_AGENT_AUTH_REQUESTv1 + rfc4251string cookie{idstream}; + rfc4251string user{idstream}; + rfc4251string ruser{idstream}; + rfc4251string pam_service{idstream}; + rfc4251string pwd{idstream}; + rfc4251string action{idstream}; + rfc4251string hostname{idstream}; + rfc4251uint64 timestamp{idstream}; + + string singleuser{user}; + if (user != ruser) + singleuser += " (" + string{ruser} + ")"; + + string additional; + additional += "User '" + singleuser + "' wants to use '" + string{pam_service}; + additional += "' in '" + string{pwd}; + + io::stream actionstream{action.data(), action.size()}; + arm(actionstream); + + rfc4251uint32 argc{actionstream}; + + if (argc) { + additional += " to run"; + for (uint32_t i = argc; i; --i) { + rfc4251string argv{actionstream}; + additional += ' ' + string{argv}; + } + } + + additional += " on " + string{hostname} + ".\n"; + + auto now = std::chrono::system_clock::now(); + auto req_time = std::chrono::system_clock::from_time_t(static_cast(timestamp)); + auto timediff = std::chrono::duration_cast(now - req_time).count(); + + additional += "The request was generated " + std::to_string(timediff) + " seconds ago.\n"; + request_description = move(additional); + } + } catch (...) {} + return true; } catch (...) { return false; -- cgit v1.2.3
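Review bot: The `clog << base64_encode(session_identifier) << endl;` line at the top of the new block looks like leftover debugging; it writes the whole session identifier, including the `cookie` field parsed a few lines later, to stderr on every pam_ssh_agent_auth request and should be dropped before this goes in. The strings taken from the identifier (`user`, `ruser`, `pam_service`, `pwd`, `hostname`, every `argv`) are concatenated into `request_description` verbatim, and that identifier arrives inside the data the agent's client asks to have signed, so a value carrying a newline or a terminal escape sequence could make the text shown for confirmation read differently from what is actually signed; filtering non-printable characters before appending each field would close that gap, and the existing `username`/`servicename` path would benefit from the same treatment. `request_description = move(additional);` replaces the sentence built just above rather than extending it, so the ssh-level `username`/`servicename` are no longer shown; if that is intended, a one-line comment saying so would help the next reader. The enclosing `dissect_auth_data_ssh` begins before the hunk, and the closing `catch (...) {}` means any truncated or malformed identifier silently keeps the generic description, which is reasonable as best effort but deserves a comment such as `// best effort: malformed pam_ssh_agent_auth data leaves the generic description in place`.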