author | Darren Tucker <dtucker@zip.com.au> | 2006-08-30 22:33:09 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2006-08-30 22:33:09 +1000 |
commit | 26d4e19caa3013f57dc3c1462847eceaac6a1d7d (patch) | |
tree | 0ef89a92e02a33a1681ebdf4e667f86bb6e15059 | |
parent | 8ff1da81ec5e3032befb98349ec6ceba84dab706 (diff) |
- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
loginsuccess on AIX immediately after authentication to clear the failed
login count. Previously this would only happen when an interactive
session starts (ie when a pty is allocated) but this means that accounts
that have primarily non-interactive sessions (eg scp's) may gradually
accumulate enough failures to lock out an account. This change may have
a side effect of creating two audit records, one with a tty of "ssh"
corresponding to the authentication and one with the allocated pty per
interactive session.
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | auth.c | 5 | ||||
-rw-r--r-- | openbsd-compat/port-aix.c | 4 |
3 files changed, 18 insertions, 2 deletions
@@ -27,6 +27,15 @@ | |||
27 | [version.h] | 27 | [version.h] |
28 | crank to 4.4 | 28 | crank to 4.4 |
29 | - (djm) [openbsd-compat/xcrypt.c] needs unistd.h | 29 | - (djm) [openbsd-compat/xcrypt.c] needs unistd.h |
30 | - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call | ||
31 | loginsuccess on AIX immediately after authentication to clear the failed | ||
32 | login count. Previously this would only happen when an interactive | ||
33 | session starts (ie when a pty is allocated) but this means that accounts | ||
34 | that have primarily non-interactive sessions (eg scp's) may gradually | ||
35 | accumulate enough failures to lock out an account. This change may have | ||
36 | a side effect of creating two audit records, one with a tty of "ssh" | ||
37 | corresponding to the authentication and one with the allocated pty per | ||
38 | interactive session. | ||
30 | 39 | ||
31 | 20060824 | 40 | 20060824 |
32 | - (dtucker) [openbsd-compat/basename.c] Include errno.h. | 41 | - (dtucker) [openbsd-compat/basename.c] Include errno.h. |
@@ -5329,4 +5338,4 @@ | |||
5329 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 5338 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
5330 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 5339 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
5331 | 5340 | ||
5332 | $Id: ChangeLog,v 1.4517 2006/08/30 07:52:03 djm Exp $ | 5341 | $Id: ChangeLog,v 1.4518 2006/08/30 12:33:09 dtucker Exp $ |
@@ -279,6 +279,11 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | |||
279 | strcmp(method, "challenge-response") == 0)) | 279 | strcmp(method, "challenge-response") == 0)) |
280 | record_failed_login(authctxt->user, | 280 | record_failed_login(authctxt->user, |
281 | get_canonical_hostname(options.use_dns), "ssh"); | 281 | get_canonical_hostname(options.use_dns), "ssh"); |
282 | # ifdef WITH_AIXAUTHENTICATE | ||
283 | if (authenticated) | ||
284 | sys_auth_record_login(authctxt->user, | ||
285 | get_canonical_hostname(options.use_dns), "ssh", &loginmsg); | ||
286 | # endif | ||
282 | #endif | 287 | #endif |
283 | #ifdef SSH_AUDIT_EVENTS | 288 | #ifdef SSH_AUDIT_EVENTS |
284 | if (authenticated == 0 && !authctxt->postponed) | 289 | if (authenticated == 0 && !authctxt->postponed) |
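Review bot: The return value of the new `sys_auth_record_login()` call at new lines 284-285 is discarded, so when `loginsuccess()` fails the failed-login count this commit exists to reset is left as it was and nothing at this call site records that; the port-aix.c hunk shows the function returns a success flag, so the check is cheap, e.g. `if (authenticated && sys_auth_record_login(authctxt->user,` / `    get_canonical_hostname(options.use_dns), "ssh", &loginmsg) == 0)` / `	debug("AIX loginsuccess failed for %s", authctxt->user);` (unless the failure branch of sys_auth_record_login, which is outside the port-aix.c hunk, already reports it). The call also carries no comment explaining why the reset now happens at authentication rather than at pty allocation, which a reader of auth_log cannot infer; a one-liner such as `/* Bug #1207: clear the AIX failed-login count at authentication, not at pty allocation, so non-interactive sessions cannot accumulate to a lockout */` would do. Note that the new `# ifdef WITH_AIXAUTHENTICATE` block sits inside the outer `#ifdef` closed at new line 287, whose name is not visible here, so the reset is presumably only compiled when that outer macro is also defined. auth_log continues on both sides of this hunk.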
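--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -265,15 +265,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
 Buffer *loginmsg)
 {
 char *msg = NULL;
+static int msg_done = 0;
 int success = 0;
 
 aix_setauthdb(user);
 if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
 success = 1;
-if (msg != NULL) {
+if (msg != NULL && loginmsg != NULL && !msg_done) {
 debug("AIX/loginsuccess: msg %s", msg);
 buffer_append(loginmsg, msg, strlen(msg));
 xfree(msg);
+msg_done = 1;
 }
 }
 aix_restoreauthdb();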
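Review bot: The widened guard at new line 274 leaks `msg` whenever it is false: `loginsuccess()` has handed back a non-NULL `msg` that the caller owns (the original code freed it at line 276), but with `loginmsg == NULL` or `msg_done` already set the `xfree(msg)` at new line 277 is skipped along with the append. Since this commit makes the function run twice per interactive login (once from auth_log with tty "ssh", once at session start, per the description), the second call now leaks on every login that carries a message. Keep the append guarded but free unconditionally: drop `xfree(msg);` from the block and add after its closing brace `if (msg != NULL)` / `	xfree(msg);` (xfree rather than free because the existing code uses it, and the NULL check because the surrounding code never passes it NULL). The function-scope `static int msg_done` also turns "report the message once" into per-process state; whether the authentication-time and session-time calls occur in the same process under privsep is not visible in this hunk, so a short comment on the static stating that assumption would help the next maintainer. The function's return path lies outside the hunk.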