-rw-r--r-- | CREDITS | 3 | ||||
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | openbsd-compat/port-aix.c | 38 | ||||
-rw-r--r-- | openbsd-compat/port-aix.h | 1 |
5 files changed, 47 insertions, 3 deletions
@@ -49,6 +49,7 @@ Juergen Keil <jk@tools.de> - scp bugfixing KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp> - Configure fixes Kees Cook <cook@cpoint.net> - scp fixes Kenji Miyake <kenji@miyake.org> - Configure fixes +Kevin Cawlfield <cawlfiel@us.ibm.com> - AIX fixes. Kevin O'Connor <kevin_oconnor@standardandpoors.com> - RSAless operation Kevin Steves <stevesk@pobox.com> - HP support, bugfixes, improvements Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes @@ -92,5 +93,5 @@ Apologies to anyone I have missed. Damien Miller <djm@mindrot.org> -$Id: CREDITS,v 1.69 2003/06/28 04:27:29 dtucker Exp $ +$Id: CREDITS,v 1.70 2003/07/14 06:41:55 dtucker Exp $ @@ -3,6 +3,9 @@ loginfailed at all, so assume 3-arg loginfailed if not declared. - (dtucker) [port-aix.h] Work around name collision on AIX for r_type by undef'ing it. + - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h] + Call setauthdb() before loginfailed(), which may load password registry- + specific functions. Based on patch by cawlfiel@us.ibm.com. 20030708 - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]] @@ -676,4 +679,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2851 2003/07/14 06:26:51 dtucker Exp $ +$Id: ChangeLog,v 1.2852 2003/07/14 06:41:55 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 8a23469a..516a2443 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.133 2003/07/14 06:21:44 dtucker Exp $ +# $Id: configure.ac,v 1.134 2003/07/14 06:41:55 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -95,6 +95,7 @@ case "$host" in [], [#include <usersec.h>] ) + AC_CHECK_FUNCS(setauthdb) AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(BROKEN_REALPATH) dnl AIX handles lastlog as part of its login message diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 56292372..7a981634 100644 --- a/openbsd-compat/port-aix.c 
+++ b/openbsd-compat/port-aix.c @@ -32,6 +32,7 @@ #include <uinfo.h> #include <../xmalloc.h> +#include "port-aix.h" extern ServerOptions options; @@ -92,12 +93,49 @@ record_failed_login(const char *user, const char *ttyname) { char *hostname = get_canonical_hostname(options.use_dns); + if (geteuid() != 0) + return; + + aix_setauthdb(user); # ifdef AIX_LOGINFAILED_4ARG loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); # else loginfailed((char *)user, hostname, (char *)ttyname); # endif } + +/* + * If we have setauthdb, retrieve the password registry for the user's + * account then feed it to setauthdb. This may load registry-specific method + * code. If we don't have setauthdb or have already called it this is a no-op. + */ +void +aix_setauthdb(const char *user) +{ +# ifdef HAVE_SETAUTHDB + static char *registry = NULL; + + if (registry != NULL) /* have already done setauthdb */ + return; + + if (setuserdb(S_READ) == -1) { + debug3("%s: Could not open userdb to read", __func__); + return; + } + + if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) { + if (setauthdb(registry, NULL) == 0) + debug3("%s: AIX/setauthdb set registry %s", __func__, + registry); + else + debug3("%s: AIX/setauthdb set registry %s failed: %s", + __func__, registry, strerror(errno)); + } else + debug3("%s: Could not read S_REGISTRY for user: %s", __func__, + strerror(errno)); + enduserdb(); +# endif +} # endif /* CUSTOM_FAILED_LOGIN */ #endif /* _AIX */ diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 2e5def54..25ceb5b1 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -53,6 +53,7 @@ #ifdef WITH_AIXAUTHENTICATE # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *user, const char *ttyname); +void aix_setauthdb(const char *); #endif void aix_usrinfo(struct passwd *pw); |
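Review bot: In aix_setauthdb() the `if (registry != NULL)` guard treats any successful getuserattr() as "setauthdb already done", so a failed setauthdb() is never retried, and a later call for a different `user` is a no-op that keeps the first user's registry. If one-shot-per-process is the intent, the function comment should say so; otherwise clear the cache on failure with `registry = NULL;` after the "set registry %s failed" debug3, or track success in a separate `static int` flag. In record_failed_login() the new `if (geteuid() != 0) return;` skips loginfailed() silently, so a non-root sshd records no failed logins and leaves no trace of the omission; a `debug3("%s: not root, failed login not recorded", __func__);` before the return would make that gap visible. record_failed_login's signature appears only in the hunk header, so its start lies outside the hunk lines.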