author | Damien Miller <djm@mindrot.org> | 2000-05-17 22:00:02 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-05-17 22:00:02 +1000 |
commit | d2c208a2d37104c5c429659ac708d6288400ecd2 (patch) | |
tree | 595741836a9444811c123b6555c1d47f5def2a95 | |
parent | 8d1fd57a971159c828ab778136ca6332f0ba8f34 (diff) |
- Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
-rw-r--r-- | ChangeLog | 1 | ||||
-rw-r--r-- | acconfig.h | 2 | ||||
-rw-r--r-- | auth.c | 17 | ||||
-rw-r--r-- | auth1.c | 16 | ||||
-rw-r--r-- | auth2.c | 18 | ||||
-rw-r--r-- | configure.in | 1 | ||||
-rw-r--r-- | login.c | 12 | ||||
-rw-r--r-- | session.c | 13 |
8 files changed, 66 insertions, 14 deletions
@@ -9,6 +9,7 @@ | |||
9 | after select() | 9 | after select() |
10 | - 'fixprogs' perl script to eliminate non-working entropy commands, and | 10 | - 'fixprogs' perl script to eliminate non-working entropy commands, and |
11 | optionally run 'ent' to measure command entropy | 11 | optionally run 'ent' to measure command entropy |
12 | - Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix | ||
12 | 13 | ||
13 | 20000513 | 14 | 20000513 |
14 | - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz | 15 | - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz |
diff --git a/acconfig.h b/acconfig.h index 99e70d17b..4f5f48f3c 100644 --- a/acconfig.h +++ b/acconfig.h | |||
@@ -9,7 +9,7 @@ | |||
9 | /* Define if you want to disable PAM support */ | 9 | /* Define if you want to disable PAM support */ |
10 | #undef DISABLE_PAM | 10 | #undef DISABLE_PAM |
11 | 11 | ||
12 | /* Define if you want to disable AIX4's authenticate function */ | 12 | /* Define if you want to enable AIX4's authenticate function */ |
13 | #undef WITH_AIXAUTHENTICATE | 13 | #undef WITH_AIXAUTHENTICATE |
14 | 14 | ||
15 | /* Define if you want to disable lastlog support */ | 15 | /* Define if you want to disable lastlog support */ |
@@ -19,6 +19,9 @@ RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $"); | |||
19 | #include "compat.h" | 19 | #include "compat.h" |
20 | #include "channels.h" | 20 | #include "channels.h" |
21 | #include "match.h" | 21 | #include "match.h" |
22 | #ifdef HAVE_LOGIN_H | ||
23 | #include <login.h> | ||
24 | #endif | ||
22 | 25 | ||
23 | #include "bufaux.h" | 26 | #include "bufaux.h" |
24 | #include "ssh2.h" | 27 | #include "ssh2.h" |
@@ -111,8 +114,20 @@ allowed_user(struct passwd * pw) | |||
111 | } | 114 | } |
112 | 115 | ||
113 | #ifdef WITH_AIXAUTHENTICATE | 116 | #ifdef WITH_AIXAUTHENTICATE |
114 | if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) | 117 | if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) { |
118 | if (loginmsg && *loginmsg) { | ||
119 | /* Remove embedded newlines (if any) */ | ||
120 | char *p; | ||
121 | for (p = loginmsg; *p; p++) | ||
122 | if (*p == '\n') | ||
123 | *p = ' '; | ||
124 | /* Remove trailing newline */ | ||
125 | *--p = '\0'; | ||
126 | log("Login restricted for %s: %.100s", | ||
127 | pw->pw_name, loginmsg); | ||
128 | } | ||
115 | return 0; | 129 | return 0; |
130 | } | ||
116 | #endif /* WITH_AIXAUTHENTICATE */ | 131 | #endif /* WITH_AIXAUTHENTICATE */ |
117 | 132 | ||
118 | /* We found no reason not to let this user try to log on... */ | 133 | /* We found no reason not to let this user try to log on... */ |
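Review bot: The "Remove trailing newline" step at new line 125, `*--p = '\0';`, unconditionally drops the last character of loginmsg whatever it is: the loop just above has already turned every '\n' into ' ', so by the time this runs the final character can never be a newline, and a message that did not end in one loses its last real character before reaching log(). Strip the terminator before the loop instead, e.g. `p = loginmsg + strlen(loginmsg); if (p[-1] == '\n') *--p = '\0';` (safe under the existing `*loginmsg` guard), then run the newline-to-space loop, and the blind `*--p` write goes away. The message AIX hands back through loginrestrictions() is presumably heap-allocated and is never released here; if the AIX API makes the caller its owner, add `free(loginmsg);` after the log() call. loginmsg's declaration and the rest of allowed_user() lie outside this hunk.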
@@ -66,9 +66,7 @@ do_fake_authloop1(char *user) | |||
66 | get_remote_port()); | 66 | get_remote_port()); |
67 | 67 | ||
68 | #ifdef WITH_AIXAUTHENTICATE | 68 | #ifdef WITH_AIXAUTHENTICATE |
69 | if (strncmp(get_authname(type),"password", | 69 | loginfailed(user,get_canonical_hostname(),"ssh"); |
70 | strlen(get_authname(type))) == 0) | ||
71 | loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); | ||
72 | #endif /* WITH_AIXAUTHENTICATE */ | 70 | #endif /* WITH_AIXAUTHENTICATE */ |
73 | 71 | ||
74 | /* Indicate that authentication is needed. */ | 72 | /* Indicate that authentication is needed. */ |
@@ -408,8 +406,12 @@ do_authloop(struct passwd * pw) | |||
408 | client_user = NULL; | 406 | client_user = NULL; |
409 | } | 407 | } |
410 | 408 | ||
411 | if (attempt > AUTH_FAIL_MAX) | 409 | if (attempt > AUTH_FAIL_MAX) { |
410 | #ifdef WITH_AIXAUTHENTICATE | ||
411 | loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); | ||
412 | #endif /* WITH_AIXAUTHENTICATE */ | ||
412 | packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); | 413 | packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); |
414 | } | ||
413 | 415 | ||
414 | /* Send a message indicating that the authentication attempt failed. */ | 416 | /* Send a message indicating that the authentication attempt failed. */ |
415 | packet_start(SSH_SMSG_FAILURE); | 417 | packet_start(SSH_SMSG_FAILURE); |
@@ -430,7 +432,7 @@ do_authentication() | |||
430 | unsigned int ulen; | 432 | unsigned int ulen; |
431 | char *user; | 433 | char *user; |
432 | #ifdef WITH_AIXAUTHENTICATE | 434 | #ifdef WITH_AIXAUTHENTICATE |
433 | char *loginmsg; | 435 | extern char *aixloginmsg; |
434 | #endif /* WITH_AIXAUTHENTICATE */ | 436 | #endif /* WITH_AIXAUTHENTICATE */ |
435 | 437 | ||
436 | /* Get the name of the user that we wish to log in as. */ | 438 | /* Get the name of the user that we wish to log in as. */ |
@@ -501,7 +503,9 @@ do_authentication() | |||
501 | 503 | ||
502 | /* The user has been authenticated and accepted. */ | 504 | /* The user has been authenticated and accepted. */ |
503 | #ifdef WITH_AIXAUTHENTICATE | 505 | #ifdef WITH_AIXAUTHENTICATE |
504 | loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); | 506 | /* We don't have a pty yet, so just label the line as "ssh" */ |
507 | if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) | ||
508 | aixloginmsg = NULL; | ||
505 | #endif /* WITH_AIXAUTHENTICATE */ | 509 | #endif /* WITH_AIXAUTHENTICATE */ |
506 | packet_start(SSH_SMSG_SUCCESS); | 510 | packet_start(SSH_SMSG_SUCCESS); |
507 | packet_send(); | 511 | packet_send(); |
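Review bot: In the do_authloop() hunk, the new loginfailed() call at lines 410-412 runs only once the attempt count passes AUTH_FAIL_MAX, immediately before packet_disconnect(), so the AUTH_FAIL_MAX-1 rejected attempts before the cut-off are never reported to AIX unless a per-attempt call exists elsewhere in the loop outside this hunk. If loginfailed() feeds AIX's unsuccessful-login counter and the loginretries lockout, as its name suggests, a client now gets a whole connection's worth of password guesses counted as one failure, while do_fake_authloop1() in the same file now reports every attempt for non-existent accounts, so real and fake accounts are accounted differently. Consider calling `loginfailed(pw->pw_name, get_canonical_hostname(), "ssh");` at the point each attempt is rejected and dropping it from the disconnect branch, or add a comment stating that once-per-connection is intended. Both loops continue outside their hunks.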
@@ -154,9 +154,9 @@ input_userauth_request(int type, int plen) | |||
154 | int authenticated = 0; | 154 | int authenticated = 0; |
155 | char *raw, *user, *service, *method, *authmsg = NULL; | 155 | char *raw, *user, *service, *method, *authmsg = NULL; |
156 | struct passwd *pw; | 156 | struct passwd *pw; |
157 | 157 | #ifdef WITH_AIXAUTHENTICATE | |
158 | if (++attempt == AUTH_FAIL_MAX) | 158 | extern char *aixloginmsg; |
159 | packet_disconnect("too many failed userauth_requests"); | 159 | #endif /* WITH_AIXAUTHENTICATE */ |
160 | 160 | ||
161 | raw = packet_get_raw(&rlen); | 161 | raw = packet_get_raw(&rlen); |
162 | if (plen != rlen) | 162 | if (plen != rlen) |
@@ -164,6 +164,12 @@ input_userauth_request(int type, int plen) | |||
164 | user = packet_get_string(&len); | 164 | user = packet_get_string(&len); |
165 | service = packet_get_string(&len); | 165 | service = packet_get_string(&len); |
166 | method = packet_get_string(&len); | 166 | method = packet_get_string(&len); |
167 | if (++attempt == AUTH_FAIL_MAX) { | ||
168 | #ifdef WITH_AIXAUTHENTICATE | ||
169 | loginfailed(user,get_canonical_hostname(),"ssh"); | ||
170 | #endif /* WITH_AIXAUTHENTICATE */ | ||
171 | packet_disconnect("too many failed userauth_requests"); | ||
172 | } | ||
167 | debug("userauth-request for user %s service %s method %s", user, service, method); | 173 | debug("userauth-request for user %s service %s method %s", user, service, method); |
168 | 174 | ||
169 | /* XXX we only allow the ssh-connection service */ | 175 | /* XXX we only allow the ssh-connection service */ |
@@ -211,6 +217,12 @@ input_userauth_request(int type, int plen) | |||
211 | 217 | ||
212 | /* XXX todo: check if multiple auth methods are needed */ | 218 | /* XXX todo: check if multiple auth methods are needed */ |
213 | if (authenticated == 1) { | 219 | if (authenticated == 1) { |
220 | #ifdef WITH_AIXAUTHENTICATE | ||
221 | /* We don't have a pty yet, so just label the line as "ssh" */ | ||
222 | if (loginsuccess(user,get_canonical_hostname(),"ssh", | ||
223 | &aixloginmsg) < 0) | ||
224 | aixloginmsg = NULL; | ||
225 | #endif /* WITH_AIXAUTHENTICATE */ | ||
214 | /* turn off userauth */ | 226 | /* turn off userauth */ |
215 | dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); | 227 | dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); |
216 | packet_start(SSH2_MSG_USERAUTH_SUCCESS); | 228 | packet_start(SSH2_MSG_USERAUTH_SUCCESS); |
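Review bot: At new lines 167-171 loginfailed() is given `user` straight out of the packet, before the debug line and before anything visible here has resolved it against the password database, so whatever string the client sent, including a non-existent or malformed account name, is recorded as a failed login under that name. Whether that is harmless depends on how AIX's loginfailed() treats unknown names, which the hunk does not show; if it writes per-user failed-login state, resolve the name first (`pw = getpwnam(user);` and call only when pw is non-NULL, passing `pw->pw_name`) or at least note in a comment that the name is unvalidated at this point. As in auth1.c, the AIX call fires only when the cap is reached, so the earlier rejected requests on this connection are not reported. input_userauth_request() continues past this hunk.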
diff --git a/configure.in b/configure.in index 73e1a8fd1..aaf3d8522 100644 --- a/configure.in +++ b/configure.in | |||
@@ -34,6 +34,7 @@ case "$host" in | |||
34 | if test "$LD" != "gcc" -a -z "$blibpath"; then | 34 | if test "$LD" != "gcc" -a -z "$blibpath"; then |
35 | blibpath="/usr/lib:/lib:/usr/local/lib" | 35 | blibpath="/usr/lib:/lib:/usr/local/lib" |
36 | fi | 36 | fi |
37 | AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) | ||
37 | AC_DEFINE(BROKEN_GETADDRINFO) | 38 | AC_DEFINE(BROKEN_GETADDRINFO) |
38 | ;; | 39 | ;; |
39 | *-*-hpux10*) | 40 | *-*-hpux10*) |
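Review bot: The new probe at line 37 turns on WITH_AIXAUTHENTICATE on the presence of authenticate() alone, yet the code it enables in this commit calls loginrestrictions(), loginfailed() and loginsuccess() and never authenticate() itself, so a libc that exposes authenticate() without the others would fail to link or, lacking a prototype, compile implicitly declared calls. Probing what is actually used is tighter, e.g. `AC_CHECK_FUNCS(loginrestrictions loginfailed loginsuccess)` with the define made conditional on all three, or keep the single probe and state the assumption in a comment above it. There is also no check here for `<login.h>`, which auth.c includes under HAVE_LOGIN_H; confirm that header test lives elsewhere in configure.in.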
@@ -18,7 +18,7 @@ | |||
18 | */ | 18 | */ |
19 | 19 | ||
20 | #include "includes.h" | 20 | #include "includes.h" |
21 | RCSID("$Id: login.c,v 1.26 2000/05/17 11:34:08 damien Exp $"); | 21 | RCSID("$Id: login.c,v 1.27 2000/05/17 12:00:03 damien Exp $"); |
22 | 22 | ||
23 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | 23 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) |
24 | # include <utmpx.h> | 24 | # include <utmpx.h> |
@@ -53,6 +53,10 @@ unsigned long | |||
53 | get_last_login_time(uid_t uid, const char *logname, | 53 | get_last_login_time(uid_t uid, const char *logname, |
54 | char *buf, unsigned int bufsize) | 54 | char *buf, unsigned int bufsize) |
55 | { | 55 | { |
56 | #if defined(WITH_AIXAUTHENTICATE) | ||
57 | /* This is done in do_authentication */ | ||
58 | return (unsigned long) 0; | ||
59 | #else | ||
56 | #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) | 60 | #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) |
57 | struct lastlog ll; | 61 | struct lastlog ll; |
58 | char *lastlog; | 62 | char *lastlog; |
@@ -132,6 +136,7 @@ get_last_login_time(uid_t uid, const char *logname, | |||
132 | return 0; | 136 | return 0; |
133 | # endif /* HAVE_TYPE_IN_UTMP */ | 137 | # endif /* HAVE_TYPE_IN_UTMP */ |
134 | #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ | 138 | #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ |
139 | #endif /* defined(WITH_AIXAUTHENTICATE) */ | ||
135 | } | 140 | } |
136 | 141 | ||
137 | /* | 142 | /* |
@@ -246,7 +251,8 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, | |||
246 | login(&u); | 251 | login(&u); |
247 | #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | 252 | #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ |
248 | 253 | ||
249 | #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) | 254 | #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) |
255 | /* AIX does this in do_authentication */ | ||
250 | lastlog = _PATH_LASTLOG; | 256 | lastlog = _PATH_LASTLOG; |
251 | 257 | ||
252 | /* Update lastlog unless actually recording a logout. */ | 258 | /* Update lastlog unless actually recording a logout. */ |
@@ -276,7 +282,7 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, | |||
276 | close(fd); | 282 | close(fd); |
277 | } | 283 | } |
278 | } | 284 | } |
279 | #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ | 285 | #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */ |
280 | } | 286 | } |
281 | 287 | ||
282 | /* Records that the user has logged out. */ | 288 | /* Records that the user has logged out. */ |
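Review bot: The comments added at new lines 57 and 255 say the lastlog work is done "in do_authentication", but in this commit it is done by loginsuccess(), which auth2.c also calls from input_userauth_request(); a reader following the protocol-2 path will not find it in do_authentication(). Suggested wording for both: `/* Under WITH_AIXAUTHENTICATE, loginsuccess() in auth1.c/auth2.c records lastlog */`. With the lastlog block compiled out under WITH_AIXAUTHENTICATE, the `lastlog` pointer that record_login() assigns at line 256 is presumably declared earlier in the function and left unused, which will draw a warning; guard its declaration with the same condition. Both functions extend beyond their hunks.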
@@ -83,6 +83,10 @@ static char *xauthfile; | |||
83 | /* data */ | 83 | /* data */ |
84 | #define MAX_SESSIONS 10 | 84 | #define MAX_SESSIONS 10 |
85 | Session sessions[MAX_SESSIONS]; | 85 | Session sessions[MAX_SESSIONS]; |
86 | #ifdef WITH_AIXAUTHENTICATE | ||
87 | /* AIX's lastlogin message, set in auth1.c */ | ||
88 | char *aixloginmsg; | ||
89 | #endif /* WITH_AIXAUTHENTICATE */ | ||
86 | 90 | ||
87 | /* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */ | 91 | /* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */ |
88 | int no_port_forwarding_flag = 0; | 92 | int no_port_forwarding_flag = 0; |
@@ -631,6 +635,15 @@ do_exec_pty(Session *s, const char *command, struct passwd * pw) | |||
631 | fclose(f); | 635 | fclose(f); |
632 | } | 636 | } |
633 | } | 637 | } |
638 | #if defined(WITH_AIXAUTHENTICATE) | ||
639 | /* | ||
640 | * AIX handles the lastlog info differently. Display it here. | ||
641 | */ | ||
642 | if (command == NULL && aixloginmsg && *aixloginmsg && | ||
643 | !quiet_login && !options.use_login) { | ||
644 | printf("%s\n", aixloginmsg); | ||
645 | } | ||
646 | #endif | ||
634 | /* Do common processing for the child, such as execing the command. */ | 647 | /* Do common processing for the child, such as execing the command. */ |
635 | do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty); | 648 | do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty); |
636 | /* NOTREACHED */ | 649 | /* NOTREACHED */ |
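Review bot: The comment on the new global at line 87, "set in auth1.c", is incomplete: auth2.c's input_userauth_request() assigns aixloginmsg in this same commit, so write `/* AIX lastlogin message, set by loginsuccess() in auth1.c/auth2.c; NULL if that call failed */`. The print at line 644 goes through stdio in the child shortly before do_child() execs; the trailing newline should flush a line-buffered tty, but if do_child() does not flush and stdout is ever fully buffered here, the message is lost, so an explicit `fflush(stdout);` after the printf would make it independent of buffering mode. Passing the system-supplied message as an argument to `printf("%s\n", ...)` rather than as the format string is the right call. do_exec_pty() starts before this hunk.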