- Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
diff --git a/ChangeLog b/ChangeLog
index c960a69..21cd0a2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,7 @@
after select()
- 'fixprogs' perl script to eliminate non-working entropy commands, and
optionally run 'ent' to measure command entropy
+ - Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
20000513
- Fix for non-recognised DSA keys from Arkadiusz Miskiewicz
diff --git a/acconfig.h b/acconfig.h
index 99e70d1..4f5f48f 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -9,7 +9,7 @@
/* Define if you want to disable PAM support */
#undef DISABLE_PAM
-/* Define if you want to disable AIX4's authenticate function */
+/* Define if you want to enable AIX4's authenticate function */
#undef WITH_AIXAUTHENTICATE
/* Define if you want to disable lastlog support */
diff --git a/auth.c b/auth.c
index 3bfcfd8..c3063e4 100644
--- a/auth.c
+++ b/auth.c
@@ -19,6 +19,9 @@
#include "compat.h"
#include "channels.h"
#include "match.h"
+#ifdef HAVE_LOGIN_H
+#include <login.h>
+#endif
#include "bufaux.h"
#include "ssh2.h"
@@ -111,8 +114,20 @@
}
#ifdef WITH_AIXAUTHENTICATE
- if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+ if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) {
+ if (loginmsg && *loginmsg) {
+ /* Remove embedded newlines (if any) */
+ char *p;
+ for (p = loginmsg; *p; p++)
+ if (*p == '\n')
+ *p = ' ';
+ /* Remove trailing newline */
+ *--p = '\0';
+ log("Login restricted for %s: %.100s",
+ pw->pw_name, loginmsg);
+ }
return 0;
+ }
#endif /* WITH_AIXAUTHENTICATE */
/* We found no reason not to let this user try to log on... */
diff --git a/auth1.c b/auth1.c
index dedf898..3e7efcb 100644
--- a/auth1.c
+++ b/auth1.c
@@ -66,9 +66,7 @@
get_remote_port());
#ifdef WITH_AIXAUTHENTICATE
- if (strncmp(get_authname(type),"password",
- strlen(get_authname(type))) == 0)
- loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+ loginfailed(user,get_canonical_hostname(),"ssh");
#endif /* WITH_AIXAUTHENTICATE */
/* Indicate that authentication is needed. */
@@ -408,8 +406,12 @@
client_user = NULL;
}
- if (attempt > AUTH_FAIL_MAX)
+ if (attempt > AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE
+ loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
+ }
/* Send a message indicating that the authentication attempt failed. */
packet_start(SSH_SMSG_FAILURE);
@@ -430,7 +432,7 @@
unsigned int ulen;
char *user;
#ifdef WITH_AIXAUTHENTICATE
- char *loginmsg;
+ extern char *aixloginmsg;
#endif /* WITH_AIXAUTHENTICATE */
/* Get the name of the user that we wish to log in as. */
@@ -501,7 +503,9 @@
/* The user has been authenticated and accepted. */
#ifdef WITH_AIXAUTHENTICATE
- loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+ /* We don't have a pty yet, so just label the line as "ssh" */
+ if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0)
+ aixloginmsg = NULL;
#endif /* WITH_AIXAUTHENTICATE */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
diff --git a/auth2.c b/auth2.c
index 3c15639..46c8c1f 100644
--- a/auth2.c
+++ b/auth2.c
@@ -154,9 +154,9 @@
int authenticated = 0;
char *raw, *user, *service, *method, *authmsg = NULL;
struct passwd *pw;
-
- if (++attempt == AUTH_FAIL_MAX)
- packet_disconnect("too many failed userauth_requests");
+#ifdef WITH_AIXAUTHENTICATE
+ extern char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
raw = packet_get_raw(&rlen);
if (plen != rlen)
@@ -164,6 +164,12 @@
user = packet_get_string(&len);
service = packet_get_string(&len);
method = packet_get_string(&len);
+ if (++attempt == AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE
+ loginfailed(user,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
+ packet_disconnect("too many failed userauth_requests");
+ }
debug("userauth-request for user %s service %s method %s", user, service, method);
/* XXX we only allow the ssh-connection service */
@@ -211,6 +217,12 @@
/* XXX todo: check if multiple auth methods are needed */
if (authenticated == 1) {
+#ifdef WITH_AIXAUTHENTICATE
+ /* We don't have a pty yet, so just label the line as "ssh" */
+ if (loginsuccess(user,get_canonical_hostname(),"ssh",
+ &aixloginmsg) < 0)
+ aixloginmsg = NULL;
+#endif /* WITH_AIXAUTHENTICATE */
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
diff --git a/configure.in b/configure.in
index 73e1a8f..aaf3d85 100644
--- a/configure.in
+++ b/configure.in
@@ -34,6 +34,7 @@
if test "$LD" != "gcc" -a -z "$blibpath"; then
blibpath="/usr/lib:/lib:/usr/local/lib"
fi
+ AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])
AC_DEFINE(BROKEN_GETADDRINFO)
;;
*-*-hpux10*)
diff --git a/login.c b/login.c
index 0d874cc..49853bd 100644
--- a/login.c
+++ b/login.c
@@ -18,7 +18,7 @@
*/
#include "includes.h"
-RCSID("$Id: login.c,v 1.26 2000/05/17 11:34:08 damien Exp $");
+RCSID("$Id: login.c,v 1.27 2000/05/17 12:00:03 damien Exp $");
#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
# include <utmpx.h>
@@ -53,6 +53,10 @@
get_last_login_time(uid_t uid, const char *logname,
char *buf, unsigned int bufsize)
{
+#if defined(WITH_AIXAUTHENTICATE)
+ /* This is done in do_authentication */
+ return (unsigned long) 0;
+#else
#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
struct lastlog ll;
char *lastlog;
@@ -132,6 +136,7 @@
return 0;
# endif /* HAVE_TYPE_IN_UTMP */
#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(WITH_AIXAUTHENTICATE) */
}
/*
@@ -246,7 +251,8 @@
login(&u);
#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
-#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
+#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE)
+ /* AIX does this in do_authentication */
lastlog = _PATH_LASTLOG;
/* Update lastlog unless actually recording a logout. */
@@ -276,7 +282,7 @@
close(fd);
}
}
-#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */
}
/* Records that the user has logged out. */
diff --git a/session.c b/session.c
index c490f08..480a163 100644
--- a/session.c
+++ b/session.c
@@ -83,6 +83,10 @@
/* data */
#define MAX_SESSIONS 10
Session sessions[MAX_SESSIONS];
+#ifdef WITH_AIXAUTHENTICATE
+/* AIX's lastlogin message, set in auth1.c */
+char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
/* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */
int no_port_forwarding_flag = 0;
@@ -631,6 +635,15 @@
fclose(f);
}
}
+#if defined(WITH_AIXAUTHENTICATE)
+ /*
+ * AIX handles the lastlog info differently. Display it here.
+ */
+ if (command == NULL && aixloginmsg && *aixloginmsg &&
+ !quiet_login && !options.use_login) {
+ printf("%s\n", aixloginmsg);
+ }
+#endif
/* Do common processing for the child, such as execing the command. */
do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty);
/* NOTREACHED */