authorDarren Tucker <dtucker@zip.com.au>2006-08-30 22:33:09 +1000
committerDarren Tucker <dtucker@zip.com.au>2006-08-30 22:33:09 +1000
commit26d4e19caa3013f57dc3c1462847eceaac6a1d7d (patch)
tree0ef89a92e02a33a1681ebdf4e667f86bb6e15059
parent8ff1da81ec5e3032befb98349ec6ceba84dab706 (diff)
- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
loginsuccess on AIX immediately after authentication to clear the failed login count. Previously this would only happen when an interactive session starts (ie when a pty is allocated) but this means that accounts that have primarily non-interactive sessions (eg scp's) may gradually accumulate enough failures to lock out an account. This change may have a side effect of creating two audit records, one with a tty of "ssh" corresponding to the authentication and one with the allocated pty per interactive session.
-rw-r--r--ChangeLog11
-rw-r--r--auth.c5
-rw-r--r--openbsd-compat/port-aix.c4
3 files changed, 18 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index feabcb4e..d9aa6f6d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,15 @@
[version.h]
crank to 4.4
- (djm) [openbsd-compat/xcrypt.c] needs unistd.h
+ - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
+ loginsuccess on AIX immediately after authentication to clear the failed
+ login count. Previously this would only happen when an interactive
+ session starts (ie when a pty is allocated) but this means that accounts
+ that have primarily non-interactive sessions (eg scp's) may gradually
+ accumulate enough failures to lock out an account. This change may have
+ a side effect of creating two audit records, one with a tty of "ssh"
+ corresponding to the authentication and one with the allocated pty per
+ interactive session.
20060824
- (dtucker) [openbsd-compat/basename.c] Include errno.h.
@@ -5329,4 +5338,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4517 2006/08/30 07:52:03 djm Exp $
+$Id: ChangeLog,v 1.4518 2006/08/30 12:33:09 dtucker Exp $
diff --git a/auth.c b/auth.c
index 5a02a436..5da140b0 100644
--- a/auth.c
+++ b/auth.c
@@ -279,6 +279,11 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
strcmp(method, "challenge-response") == 0))
record_failed_login(authctxt->user,
get_canonical_hostname(options.use_dns), "ssh");
+# ifdef WITH_AIXAUTHENTICATE
+ if (authenticated)
+ sys_auth_record_login(authctxt->user,
+ get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+# endif
#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
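Review bot: The new `sys_auth_record_login` call carries no comment saying why it is made here rather than only when a pty is allocated, which is the whole point of the change; a one-line `/* Bug #1207: clear the AIX failed-login count now, so sessions that never get a pty cannot accumulate lockout failures. */` above the `# ifdef WITH_AIXAUTHENTICATE` would keep that rationale next to the code. The block is also nested inside the outer preprocessor guard closed by the `#endif` on the following line, so it is compiled only when that outer guard is defined as well — worth confirming that holds for every AIX build, otherwise the fix is silently compiled out. The call's return value is discarded; if the callee reports failure (it appears to return its `success` flag), a debug line here would help diagnose accounts that still lock out. This adds a second caller of sys_auth_record_login per session, and in the companion port-aix.c hunk the new `msg_done` guard means `msg` is left unfreed on every call after the first, because `xfree(msg)` now sits inside the guarded block — unless it is freed later in that function, moving the free after the block as `if (msg != NULL) xfree(msg);` would avoid the leak. auth_log's body starts and ends outside this hunk.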
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index a7ced57e..13a73e87 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -265,15 +265,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
Buffer *loginmsg)
{
char *msg = NULL;
+ static int msg_done = 0;
int success = 0;
aix_setauthdb(user);
if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
success = 1;
- if (msg != NULL) {
+ if (msg != NULL && loginmsg != NULL && !msg_done) {
debug("AIX/loginsuccess: msg %s", msg);
buffer_append(loginmsg, msg, strlen(msg));
xfree(msg);
+ msg_done = 1;
}
}
aix_restoreauthdb();