Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 26d4e19caa3013f57dc3c1462847eceaac6a1d7d^! / .
commit26d4e19caa3013f57dc3c1462847eceaac6a1d7d[log] [tgz]
authorDarren Tucker <dtucker@zip.com.au>Wed Aug 30 22:33:09 2006 +1000
committerDarren Tucker <dtucker@zip.com.au>Wed Aug 30 22:33:09 2006 +1000
tree0ef89a92e02a33a1681ebdf4e667f86bb6e15059
parent8ff1da81ec5e3032befb98349ec6ceba84dab706 [diff]
 - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
   loginsuccess on AIX immediately after authentication to clear the failed
   login count.  Previously this would only happen when an interactive
   session starts (ie when a pty is allocated) but this means that accounts
   that have primarily non-interactive sessions (eg scp's) may gradually
   accumulate enough failures to lock out an account.  This change may have
   a side effect of creating two audit records, one with a tty of "ssh"
   corresponding to the authentication and one with the allocated pty per
   interactive session.

diff --git a/ChangeLog b/ChangeLog
index feabcb4..d9aa6f6 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -27,6 +27,15 @@
      [version.h]
      crank to 4.4
  - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
+ - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
+   loginsuccess on AIX immediately after authentication to clear the failed
+   login count.  Previously this would only happen when an interactive
+   session starts (ie when a pty is allocated) but this means that accounts
+   that have primarily non-interactive sessions (eg scp's) may gradually
+   accumulate enough failures to lock out an account.  This change may have
+   a side effect of creating two audit records, one with a tty of "ssh"
+   corresponding to the authentication and one with the allocated pty per
+   interactive session.
 
 20060824
  - (dtucker) [openbsd-compat/basename.c] Include errno.h.
@@ -5329,4 +5338,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4517 2006/08/30 07:52:03 djm Exp $
+$Id: ChangeLog,v 1.4518 2006/08/30 12:33:09 dtucker Exp $

diff --git a/auth.c b/auth.c
index 5a02a43..5da140b 100644
--- a/auth.c
+++ b/auth.c

@@ -279,6 +279,11 @@
 	    strcmp(method, "challenge-response") == 0))
 		record_failed_login(authctxt->user,
 		    get_canonical_hostname(options.use_dns), "ssh");
+# ifdef WITH_AIXAUTHENTICATE
+	if (authenticated)
+		sys_auth_record_login(authctxt->user,
+		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+# endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)

diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index a7ced57..13a73e8 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c

@@ -265,15 +265,17 @@
     Buffer *loginmsg)
 {
 	char *msg = NULL;
+	static int msg_done = 0;
 	int success = 0;
 
 	aix_setauthdb(user);
 	if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
 		success = 1;
-		if (msg != NULL) {
+		if (msg != NULL && loginmsg != NULL && !msg_done) {
 			debug("AIX/loginsuccess: msg %s", msg);
 			buffer_append(loginmsg, msg, strlen(msg));
 			xfree(msg);
+			msg_done = 1;
 		}
 	}
 	aix_restoreauthdb();