From d2c208a2d37104c5c429659ac708d6288400ecd2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 May 2000 22:00:02 +1000 Subject: - Applied Tom Bertelson's AIX authentication fix --- ChangeLog | 1 + acconfig.h | 2 +- auth.c | 17 ++++++++++++++++- auth1.c | 16 ++++++++++------ auth2.c | 18 +++++++++++++++--- configure.in | 1 + login.c | 12 +++++++++--- session.c | 13 +++++++++++++ 8 files changed, 66 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index c960a695..21cd0a20 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,7 @@ after select() - 'fixprogs' perl script to eliminate non-working entropy commands, and optionally run 'ent' to measure command entropy + - Applied Tom Bertelson's AIX authentication fix 20000513 - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz diff --git a/acconfig.h b/acconfig.h index 99e70d17..4f5f48f3 100644 --- a/acconfig.h +++ b/acconfig.h @@ -9,7 +9,7 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM -/* Define if you want to disable AIX4's authenticate function */ +/* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE /* Define if you want to disable lastlog support */ diff --git a/auth.c b/auth.c index 3bfcfd8e..c3063e42 100644 --- a/auth.c +++ b/auth.c @@ -19,6 +19,9 @@ RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $"); #include "compat.h" #include "channels.h" #include "match.h" +#ifdef HAVE_LOGIN_H +#include +#endif #include "bufaux.h" #include "ssh2.h" @@ -111,8 +114,20 @@ allowed_user(struct passwd * pw) } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) { + if (loginmsg && *loginmsg) { + /* Remove embedded newlines (if any) */ + char *p; + for (p = loginmsg; *p; p++) + if (*p == '\n') + *p = ' '; + /* Remove trailing newline */ + *--p = '\0'; + log("Login restricted for %s: %.100s", + pw->pw_name, loginmsg); + } return 0; + } #endif /* WITH_AIXAUTHENTICATE */ /* We found no reason not to let this user try to log on... */ diff --git a/auth1.c b/auth1.c index dedf898e..3e7efcb2 100644 --- a/auth1.c +++ b/auth1.c @@ -66,9 +66,7 @@ do_fake_authloop1(char *user) get_remote_port()); #ifdef WITH_AIXAUTHENTICATE - if (strncmp(get_authname(type),"password", - strlen(get_authname(type))) == 0) - loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); + loginfailed(user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ /* Indicate that authentication is needed. */ @@ -408,8 +406,12 @@ do_authloop(struct passwd * pw) client_user = NULL; } - if (attempt > AUTH_FAIL_MAX) + if (attempt > AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); @@ -430,7 +432,7 @@ do_authentication() unsigned int ulen; char *user; #ifdef WITH_AIXAUTHENTICATE - char *loginmsg; + extern char *aixloginmsg; #endif /* WITH_AIXAUTHENTICATE */ /* Get the name of the user that we wish to log in as. */ @@ -501,7 +503,9 @@ do_authentication() /* The user has been authenticated and accepted. */ #ifdef WITH_AIXAUTHENTICATE - loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) + aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ packet_start(SSH_SMSG_SUCCESS); packet_send(); diff --git a/auth2.c b/auth2.c index 3c15639d..46c8c1f8 100644 --- a/auth2.c +++ b/auth2.c @@ -154,9 +154,9 @@ input_userauth_request(int type, int plen) int authenticated = 0; char *raw, *user, *service, *method, *authmsg = NULL; struct passwd *pw; - - if (++attempt == AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); +#ifdef WITH_AIXAUTHENTICATE + extern char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ raw = packet_get_raw(&rlen); if (plen != rlen) @@ -164,6 +164,12 @@ input_userauth_request(int type, int plen) user = packet_get_string(&len); service = packet_get_string(&len); method = packet_get_string(&len); + if (++attempt == AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(user,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ + packet_disconnect("too many failed userauth_requests"); + } debug("userauth-request for user %s service %s method %s", user, service, method); /* XXX we only allow the ssh-connection service */ @@ -211,6 +217,12 @@ input_userauth_request(int type, int plen) /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { +#ifdef WITH_AIXAUTHENTICATE + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh", + &aixloginmsg) < 0) + aixloginmsg = NULL; +#endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); packet_start(SSH2_MSG_USERAUTH_SUCCESS); diff --git a/configure.in b/configure.in index 73e1a8fd..aaf3d852 100644 --- a/configure.in +++ b/configure.in @@ -34,6 +34,7 @@ case "$host" in if test "$LD" != "gcc" -a -z "$blibpath"; then blibpath="/usr/lib:/lib:/usr/local/lib" fi + AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) AC_DEFINE(BROKEN_GETADDRINFO) ;; *-*-hpux10*) diff --git a/login.c b/login.c index 0d874cc7..49853bdc 100644 --- a/login.c +++ b/login.c @@ -18,7 +18,7 @@ */ #include "includes.h" -RCSID("$Id: login.c,v 1.26 2000/05/17 11:34:08 damien Exp $"); +RCSID("$Id: login.c,v 1.27 2000/05/17 12:00:03 damien Exp $"); #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include @@ -53,6 +53,10 @@ unsigned long get_last_login_time(uid_t uid, const char *logname, char *buf, unsigned int bufsize) { +#if defined(WITH_AIXAUTHENTICATE) + /* This is done in do_authentication */ + return (unsigned long) 0; +#else #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; @@ -132,6 +136,7 @@ get_last_login_time(uid_t uid, const char *logname, return 0; # endif /* HAVE_TYPE_IN_UTMP */ #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ +#endif /* defined(WITH_AIXAUTHENTICATE) */ } /* @@ -246,7 +251,8 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, login(&u); #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ -#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) + /* AIX does this in do_authentication */ lastlog = _PATH_LASTLOG; /* Update lastlog unless actually recording a logout. */ @@ -276,7 +282,7 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, close(fd); } } -#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */ } /* Records that the user has logged out. */ diff --git a/session.c b/session.c index c490f087..480a1635 100644 --- a/session.c +++ b/session.c @@ -83,6 +83,10 @@ static char *xauthfile; /* data */ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +#ifdef WITH_AIXAUTHENTICATE +/* AIX's lastlogin message, set in auth1.c */ +char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */ int no_port_forwarding_flag = 0; @@ -631,6 +635,15 @@ do_exec_pty(Session *s, const char *command, struct passwd * pw) fclose(f); } } +#if defined(WITH_AIXAUTHENTICATE) + /* + * AIX handles the lastlog info differently. Display it here. + */ + if (command == NULL && aixloginmsg && *aixloginmsg && + !quiet_login && !options.use_login) { + printf("%s\n", aixloginmsg); + } +#endif /* Do common processing for the child, such as execing the command. */ do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty); /* NOTREACHED */ -- cgit v1.2.3