- Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix

8 files changed, 66 insertions, 14 deletions

diff --git a/ChangeLog b/ChangeLog
index c960a6952..21cd0a20b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,7 @@
          after select()
   - 'fixprogs' perl script to eliminate non-working entropy commands, and
          optionally run 'ent' to measure command entropy
+ - Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
 
 20000513
  - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz 
diff --git a/acconfig.h b/acconfig.h
index 99e70d17b..4f5f48f3c 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -9,7 +9,7 @@
 /* Define if you want to disable PAM support */
 #undef DISABLE_PAM
 
-/* Define if you want to disable AIX4's authenticate function */
+/* Define if you want to enable AIX4's authenticate function */
 #undef WITH_AIXAUTHENTICATE
 
 /* Define if you want to disable lastlog support */
diff --git a/auth.c b/auth.c
index 3bfcfd8e2..c3063e422 100644
--- a/auth.c
+++ b/auth.c
@@ -19,6 +19,9 @@ RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $");
 #include "compat.h"
 #include "channels.h"
 #include "match.h"
+#ifdef HAVE_LOGIN_H
+#include <login.h>
+#endif
 
 #include "bufaux.h"
 #include "ssh2.h"
@@ -111,8 +114,20 @@ allowed_user(struct passwd * pw)
         }
 
 #ifdef WITH_AIXAUTHENTICATE
-        if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+        if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) {
+                if (loginmsg && *loginmsg) {
+                        /* Remove embedded newlines (if any) */
+                        char *p;
+                        for (p = loginmsg; *p; p++)
+                                if (*p == '\n')
+                                        *p = ' ';
+                        /* Remove trailing newline */
+                        *--p = '\0';
+                        log("Login restricted for %s: %.100s",
+                                        pw->pw_name, loginmsg);
+                }
                 return 0;
+        }
 #endif /* WITH_AIXAUTHENTICATE */
 
         /* We found no reason not to let this user try to log on... */
diff --git a/auth1.c b/auth1.c
index dedf898e9..3e7efcb2a 100644
--- a/auth1.c
+++ b/auth1.c
@@ -66,9 +66,7 @@ do_fake_authloop1(char *user)
             get_remote_port());
 
 #ifdef WITH_AIXAUTHENTICATE 
-                if (strncmp(get_authname(type),"password",
-                    strlen(get_authname(type))) == 0)
-                        loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+        loginfailed(user,get_canonical_hostname(),"ssh");
 #endif /* WITH_AIXAUTHENTICATE */
 
         /* Indicate that authentication is needed. */
@@ -408,8 +406,12 @@ do_authloop(struct passwd * pw)
                         client_user = NULL;
                 }
 
-                if (attempt > AUTH_FAIL_MAX)
+                if (attempt > AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE 
+                        loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
                         packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
+                }
 
                 /* Send a message indicating that the authentication attempt failed. */
                 packet_start(SSH_SMSG_FAILURE);
@@ -430,7 +432,7 @@ do_authentication()
         unsigned int ulen;
         char *user;
 #ifdef WITH_AIXAUTHENTICATE
-        char *loginmsg;
+        extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 
         /* Get the name of the user that we wish to log in as. */
@@ -501,7 +503,9 @@ do_authentication()
 
         /* The user has been authenticated and accepted. */
 #ifdef WITH_AIXAUTHENTICATE
-        loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+        /* We don't have a pty yet, so just label the line as "ssh" */
+        if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0)
+                aixloginmsg = NULL;
 #endif /* WITH_AIXAUTHENTICATE */
         packet_start(SSH_SMSG_SUCCESS);
         packet_send();
diff --git a/auth2.c b/auth2.c
index 3c15639dd..46c8c1f81 100644
--- a/auth2.c
+++ b/auth2.c
@@ -154,9 +154,9 @@ input_userauth_request(int type, int plen)
         int authenticated = 0;
         char *raw, *user, *service, *method, *authmsg = NULL;
         struct passwd *pw;
-
-        if (++attempt == AUTH_FAIL_MAX)
-                packet_disconnect("too many failed userauth_requests");
+#ifdef WITH_AIXAUTHENTICATE
+        extern char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
 
         raw = packet_get_raw(&rlen);
         if (plen != rlen)
@@ -164,6 +164,12 @@ input_userauth_request(int type, int plen)
         user = packet_get_string(&len);
         service = packet_get_string(&len);
         method = packet_get_string(&len);
+        if (++attempt == AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE 
+                loginfailed(user,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
+                packet_disconnect("too many failed userauth_requests");
+        }
         debug("userauth-request for user %s service %s method %s", user, service, method);
 
         /* XXX we only allow the ssh-connection service */
@@ -211,6 +217,12 @@ input_userauth_request(int type, int plen)
 
         /* XXX todo: check if multiple auth methods are needed */
         if (authenticated == 1) {
+#ifdef WITH_AIXAUTHENTICATE
+                /* We don't have a pty yet, so just label the line as "ssh" */
+                if (loginsuccess(user,get_canonical_hostname(),"ssh",
+                                &aixloginmsg) < 0)
+                        aixloginmsg = NULL;
+#endif /* WITH_AIXAUTHENTICATE */
                 /* turn off userauth */
                 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
                 packet_start(SSH2_MSG_USERAUTH_SUCCESS);
diff --git a/configure.in b/configure.in
index 73e1a8fd1..aaf3d8522 100644
--- a/configure.in
+++ b/configure.in
@@ -34,6 +34,7 @@ case "$host" in
         if test "$LD" != "gcc" -a -z "$blibpath"; then
                 blibpath="/usr/lib:/lib:/usr/local/lib"
         fi
+        AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])
         AC_DEFINE(BROKEN_GETADDRINFO)
         ;;
 *-*-hpux10*)
diff --git a/login.c b/login.c
index 0d874cc71..49853bdc2 100644
--- a/login.c
+++ b/login.c
@@ -18,7 +18,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: login.c,v 1.26 2000/05/17 11:34:08 damien Exp $");
+RCSID("$Id: login.c,v 1.27 2000/05/17 12:00:03 damien Exp $");
 
 #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
 # include <utmpx.h>
@@ -53,6 +53,10 @@ unsigned long
 get_last_login_time(uid_t uid, const char *logname,
                     char *buf, unsigned int bufsize)
 {
+#if defined(WITH_AIXAUTHENTICATE)
+        /* This is done in do_authentication */
+        return (unsigned long) 0;
+#else
 #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
         struct lastlog ll;
         char *lastlog;
@@ -132,6 +136,7 @@ get_last_login_time(uid_t uid, const char *logname,
         return 0;
 # endif /* HAVE_TYPE_IN_UTMP */
 #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(WITH_AIXAUTHENTICATE) */
 }
 
 /*
@@ -246,7 +251,8 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
         login(&u);
 #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 
-#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
+#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE)
+        /* AIX does this in do_authentication */
         lastlog = _PATH_LASTLOG;
 
         /* Update lastlog unless actually recording a logout. */
@@ -276,7 +282,7 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
                         close(fd);
                 }
         }
-#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */
 }
 
 /* Records that the user has logged out. */
diff --git a/session.c b/session.c
index c490f087e..480a1635a 100644
--- a/session.c
+++ b/session.c
@@ -83,6 +83,10 @@ static char *xauthfile;
 /* data */
 #define MAX_SESSIONS 10
 Session sessions[MAX_SESSIONS];
+#ifdef WITH_AIXAUTHENTICATE
+/* AIX's lastlogin message, set in auth1.c */
+char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
 
 /* Flags set in auth-rsa from authorized_keys flags.  These are set in auth-rsa.c. */
 int no_port_forwarding_flag = 0;
@@ -631,6 +635,15 @@ do_exec_pty(Session *s, const char *command, struct passwd * pw)
                                 fclose(f);
                         }
                 }
+#if defined(WITH_AIXAUTHENTICATE)
+                /*
+                 * AIX handles the lastlog info differently.  Display it here.
+                 */
+                if (command == NULL && aixloginmsg && *aixloginmsg &&
+                    !quiet_login && !options.use_login) {
+                        printf("%s\n", aixloginmsg);
+                }
+#endif
                 /* Do common processing for the child, such as execing the command. */
                 do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty);
                 /* NOTREACHED */