-rw-r--r--ChangeLog5
-rw-r--r--auth-passwd.c45
-rw-r--r--openbsd-compat/port-aix.c64
-rw-r--r--openbsd-compat/port-aix.h8
4 files changed, 68 insertions, 54 deletions
diff --git a/ChangeLog b/ChangeLog
index 1d9d7412..1d723126 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
20031122
- (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@
+ - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
+ Move AIX specific password authentication code to port-aix.c, call
+ authenticate() until reenter flag is clear.
20031121
- (djm) OpenBSD CVS Sync
@@ -1501,4 +1504,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3120 2003/11/22 03:10:02 dtucker Exp $
+$Id: ChangeLog,v 1.3121 2003/11/22 03:16:56 dtucker Exp $
diff --git a/auth-passwd.c b/auth-passwd.c
index 54571f97..a27170cc 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -43,9 +43,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $");
#include "servconf.h"
#include "auth.h"
#ifdef WITH_AIXAUTHENTICATE
-# include "buffer.h"
# include "canohost.h"
-extern Buffer loginmsg;
#endif
extern ServerOptions options;
@@ -89,44 +87,11 @@ auth_password(Authctxt *authctxt, const char *password)
}
# endif
# ifdef WITH_AIXAUTHENTICATE
- {
- char *authmsg = NULL;
- int reenter = 1;
- int authsuccess = 0;
-
- if (authenticate(pw->pw_name, password, &reenter,
- &authmsg) == 0 && ok) {
- char *msg;
- char *host =
- (char *)get_canonical_hostname(options.use_dns);
-
- authsuccess = 1;
- aix_remove_embedded_newlines(authmsg);
-
- debug3("AIX/authenticate succeeded for user %s: %.100s",
- pw->pw_name, authmsg);
-
- /* No pty yet, so just label the line as "ssh" */
- aix_setauthdb(authctxt->user);
- if (loginsuccess(authctxt->user, host, "ssh",
- &msg) == 0) {
- if (msg != NULL) {
- debug("%s: msg %s", __func__, msg);
- buffer_append(&loginmsg, msg,
- strlen(msg));
- xfree(msg);
- }
- }
- } else {
- debug3("AIX/authenticate failed for user %s: %.100s",
- pw->pw_name, authmsg);
- }
-
- if (authmsg != NULL)
- xfree(authmsg);
-
- return authsuccess;
- }
+ if (aix_authenticate(pw->pw_name, password,
+ get_canonical_hostname(options.use_dns)) == 0)
+ return 0;
+ else
+ return ok;
# endif
# ifdef BSD_AUTH
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
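Review bot: The new call drops the `&& ok` guard that the removed block applied before `loginsuccess()`. `aix_authenticate()` is not given `ok`, so a correct password now runs `loginsuccess()` and appends to `loginmsg` even when this function then returns a zero `ok`. `ok` is assigned outside the hunk, so which rejections it encodes needs confirming, but a login the server refuses could still be recorded as successful on the AIX side. Consider testing `ok` first, e.g. `if (!ok) return 0;` ahead of the call, or moving the `loginsuccess()` step back to the caller so it runs only on the accepted path. The body of auth_password starts and ends outside the hunk.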
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 9fbcce93..a9cbf49b 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -29,6 +29,7 @@
#include "servconf.h"
#include "canohost.h"
#include "xmalloc.h"
+#include "buffer.h"
#ifdef _AIX
@@ -36,6 +37,7 @@
#include "port-aix.h"
extern ServerOptions options;
+extern Buffer loginmsg;
/*
* AIX has a "usrinfo" area where logname and other stuff is stored -
@@ -63,7 +65,7 @@ aix_usrinfo(struct passwd *pw)
xfree(cp);
}
-#ifdef WITH_AIXAUTHENTICATE
+# ifdef WITH_AIXAUTHENTICATE
/*
* Remove embedded newlines in string (if any).
* Used before logging messages returned by AIX authentication functions
@@ -83,27 +85,68 @@ aix_remove_embedded_newlines(char *p)
if (*--p == ' ')
*p = '\0';
}
-#endif /* WITH_AIXAUTHENTICATE */
+
+/*
+ * Do authentication via AIX's authenticate routine. We loop until the
+ * reenter parameter is 0, but normally authenticate is called only once.
+ *
+ * Note: this function returns 1 on success, whereas AIX's authenticate()
+ * returns 0.
+ */
+int
+aix_authenticate(const char *name, const char *password, const char *host)
+{
+ char *authmsg = NULL, *msg;
+ int authsuccess = 0, reenter, result;
+
+ do {
+ result = authenticate((char *)name, (char *)password, &reenter,
+ &authmsg);
+ aix_remove_embedded_newlines(authmsg);
+ debug3("AIX/authenticate result %d, msg %.100s", result,
+ authmsg);
+ } while (reenter);
+
+ if (result == 0) {
+ authsuccess = 1;
+
+ /* No pty yet, so just label the line as "ssh" */
+ aix_setauthdb(name);
+ if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
+ if (msg != NULL) {
+ debug("%s: msg %s", __func__, msg);
+ buffer_append(&loginmsg, msg, strlen(msg));
+ xfree(msg);
+ }
+ }
+ }
+
+ if (authmsg != NULL)
+ xfree(authmsg);
+
+ return authsuccess;
+}
-# ifdef CUSTOM_FAILED_LOGIN
+# ifdef CUSTOM_FAILED_LOGIN
/*
* record_failed_login: generic "login failed" interface function
*/
void
record_failed_login(const char *user, const char *ttyname)
{
- char *hostname = get_canonical_hostname(options.use_dns);
+ char *hostname = (char *)get_canonical_hostname(options.use_dns);
if (geteuid() != 0)
return;
aix_setauthdb(user);
-# ifdef AIX_LOGINFAILED_4ARG
+# ifdef AIX_LOGINFAILED_4ARG
loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH);
-# else
+# else
loginfailed((char *)user, hostname, (char *)ttyname);
-# endif
+# endif
}
+# endif /* CUSTOM_FAILED_LOGIN */
/*
* If we have setauthdb, retrieve the password registry for the user's
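Review bot: The `do { ... } while (reenter);` loop in `aix_authenticate()` has no iteration bound and passes the same `password` on every pass. If `authenticate()` keeps `reenter` non-zero, one unauthenticated attempt could hold the process in this loop. Bounding it and treating a still-set `reenter` as failure would close that, e.g. `} while (reenter && ++tries < MAX_TRIES);` followed by `if (result == 0 && !reenter) {`, where `tries` and `MAX_TRIES` are placeholder names. `reenter` also loses the `= 1` initialiser the removed auth-passwd.c code had, so the loop condition relies on `authenticate()` always writing it. If `authenticate()` allocates a message per call, each extra pass overwrites `authmsg` and only the last one reaches `xfree()`.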
@@ -135,8 +178,9 @@ aix_setauthdb(const char *user)
debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
strerror(errno));
enduserdb();
-# endif
+# endif /* HAVE_SETAUTHDB */
}
-# endif /* CUSTOM_FAILED_LOGIN */
-#endif /* _AIX */
+# endif /* WITH_AIXAUTHENTICATE */
+
+#endif /* _AIX */
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index b2a48cba..975cdf05 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.15 2003/09/19 10:43:38 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */
/*
*
@@ -51,12 +51,14 @@
# include <sys/timers.h>
#endif
+void aix_usrinfo(struct passwd *);
+
#ifdef WITH_AIXAUTHENTICATE
# define CUSTOM_FAILED_LOGIN 1
void record_failed_login(const char *, const char *);
-void aix_setauthdb(const char *);
#endif
-void aix_usrinfo(struct passwd *);
+int aix_authenticate(const char *, const char *, const char *);
+void aix_setauthdb(const char *);
void aix_remove_embedded_newlines(char *);
#endif /* _AIX */
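Review bot: `aix_authenticate()` and `aix_setauthdb()` are now declared outside the `#ifdef WITH_AIXAUTHENTICATE` block, while the port-aix.c hunks in this commit place both definitions inside `# ifdef WITH_AIXAUTHENTICATE`. As far as the hunks show, a build without that macro would accept a call and fail only at link time; keeping the two prototypes inside the guard makes it a compile-time error. The `aix_authenticate` prototype also deserves a comment on its inverted return convention, since the caller's `== 0` test means failure here: `/* returns 1 on success, 0 on failure; AIX authenticate() returns 0 on success */`.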