diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | openbsd-compat/port-aix.c | 44 | ||||
| -rw-r--r-- | openbsd-compat/port-aix.h | 11 |
3 files changed, 47 insertions, 13 deletions
| @@ -9,6 +9,9 @@ | |||
| 9 | required, please report them. ok djm@ | 9 | required, please report them. ok djm@ |
| 10 | - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent | 10 | - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent |
| 11 | accidentally inheriting from root's environment. ok djm@ | 11 | accidentally inheriting from root's environment. ok djm@ |
| 12 | - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Restore | ||
| 13 | previous authdb setting after auth calls. Fixes problems with setpcred | ||
| 14 | failing on accounts that use AFS or NIS password registries. | ||
| 12 | 15 | ||
| 13 | 20040129 | 16 | 20040129 |
| 14 | - (dtucker) OpenBSD CVS Sync regress/ | 17 | - (dtucker) OpenBSD CVS Sync regress/ |
| @@ -1794,4 +1797,4 @@ | |||
| 1794 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 1797 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
| 1795 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 1798 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
| 1796 | 1799 | ||
| 1797 | $Id: ChangeLog,v 1.3209 2004/02/06 05:04:08 dtucker Exp $ | 1800 | $Id: ChangeLog,v 1.3210 2004/02/06 05:17:51 dtucker Exp $ |
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index a9cbf49b0..6fc2ef771 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c | |||
| @@ -39,6 +39,10 @@ | |||
| 39 | extern ServerOptions options; | 39 | extern ServerOptions options; |
| 40 | extern Buffer loginmsg; | 40 | extern Buffer loginmsg; |
| 41 | 41 | ||
| 42 | # ifdef HAVE_SETAUTHDB | ||
| 43 | static char old_registry[REGISTRY_SIZE] = ""; | ||
| 44 | # endif | ||
| 45 | |||
| 42 | /* | 46 | /* |
| 43 | * AIX has a "usrinfo" area where logname and other stuff is stored - | 47 | * AIX has a "usrinfo" area where logname and other stuff is stored - |
| 44 | * a few applications actually use this and die if it's not set | 48 | * a few applications actually use this and die if it's not set |
| @@ -119,6 +123,7 @@ aix_authenticate(const char *name, const char *password, const char *host) | |||
| 119 | xfree(msg); | 123 | xfree(msg); |
| 120 | } | 124 | } |
| 121 | } | 125 | } |
| 126 | aix_restoreauthdb(); | ||
| 122 | } | 127 | } |
| 123 | 128 | ||
| 124 | if (authmsg != NULL) | 129 | if (authmsg != NULL) |
| @@ -145,22 +150,21 @@ record_failed_login(const char *user, const char *ttyname) | |||
| 145 | # else | 150 | # else |
| 146 | loginfailed((char *)user, hostname, (char *)ttyname); | 151 | loginfailed((char *)user, hostname, (char *)ttyname); |
| 147 | # endif | 152 | # endif |
| 153 | aix_restoreauthdb(); | ||
| 148 | } | 154 | } |
| 149 | # endif /* CUSTOM_FAILED_LOGIN */ | 155 | # endif /* CUSTOM_FAILED_LOGIN */ |
| 150 | 156 | ||
| 151 | /* | 157 | /* |
| 152 | * If we have setauthdb, retrieve the password registry for the user's | 158 | * If we have setauthdb, retrieve the password registry for the user's |
| 153 | * account then feed it to setauthdb. This may load registry-specific method | 159 | * account then feed it to setauthdb. This will mean that subsequent AIX auth |
| 154 | * code. If we don't have setauthdb or have already called it this is a no-op. | 160 | * functions will only use the specified loadable module. If we don't have |
| 161 | * setauthdb this is a no-op. | ||
| 155 | */ | 162 | */ |
| 156 | void | 163 | void |
| 157 | aix_setauthdb(const char *user) | 164 | aix_setauthdb(const char *user) |
| 158 | { | 165 | { |
| 159 | # ifdef HAVE_SETAUTHDB | 166 | # ifdef HAVE_SETAUTHDB |
| 160 | static char *registry = NULL; | 167 | char *registry; |
| 161 | |||
| 162 | if (registry != NULL) /* have already done setauthdb */ | ||
| 163 | return; | ||
| 164 | 168 | ||
| 165 | if (setuserdb(S_READ) == -1) { | 169 | if (setuserdb(S_READ) == -1) { |
| 166 | debug3("%s: Could not open userdb to read", __func__); | 170 | debug3("%s: Could not open userdb to read", __func__); |
| @@ -168,12 +172,11 @@ aix_setauthdb(const char *user) | |||
| 168 | } | 172 | } |
| 169 | 173 | ||
| 170 | if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) { | 174 | if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) { |
| 171 | if (setauthdb(registry, NULL) == 0) | 175 | if (setauthdb(registry, old_registry) == 0) |
| 172 | debug3("%s: AIX/setauthdb set registry %s", __func__, | 176 | debug3("AIX/setauthdb set registry '%s'", registry); |
| 173 | registry); | ||
| 174 | else | 177 | else |
| 175 | debug3("%s: AIX/setauthdb set registry %s failed: %s", | 178 | debug3("AIX/setauthdb set registry '%s' failed: %s", |
| 176 | __func__, registry, strerror(errno)); | 179 | registry, strerror(errno)); |
| 177 | } else | 180 | } else |
| 178 | debug3("%s: Could not read S_REGISTRY for user: %s", __func__, | 181 | debug3("%s: Could not read S_REGISTRY for user: %s", __func__, |
| 179 | strerror(errno)); | 182 | strerror(errno)); |
| @@ -181,6 +184,25 @@ aix_setauthdb(const char *user) | |||
| 181 | # endif /* HAVE_SETAUTHDB */ | 184 | # endif /* HAVE_SETAUTHDB */ |
| 182 | } | 185 | } |
| 183 | 186 | ||
| 187 | /* | ||
| 188 | * Restore the user's registry settings from old_registry. | ||
| 189 | * Note that if the first aix_setauthdb fails, setauthdb("") is still safe | ||
| 190 | * (it restores the system default behaviour). If we don't have setauthdb, | ||
| 191 | * this is a no-op. | ||
| 192 | */ | ||
| 193 | void | ||
| 194 | aix_restoreauthdb(void) | ||
| 195 | { | ||
| 196 | # ifdef HAVE_SETAUTHDB | ||
| 197 | if (setauthdb(old_registry, NULL) == 0) | ||
| 198 | debug3("%s: restoring old registry '%s'", __func__, | ||
| 199 | old_registry); | ||
| 200 | else | ||
| 201 | debug3("%s: failed to restore old registry %s", __func__, | ||
| 202 | old_registry); | ||
| 203 | # endif /* HAVE_SETAUTHDB */ | ||
| 204 | } | ||
| 205 | |||
| 184 | # endif /* WITH_AIXAUTHENTICATE */ | 206 | # endif /* WITH_AIXAUTHENTICATE */ |
| 185 | 207 | ||
| 186 | #endif /* _AIX */ | 208 | #endif /* _AIX */ |
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 975cdf051..930b3f248 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */ | 1 | /* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * | 4 | * |
| @@ -51,6 +51,14 @@ | |||
| 51 | # include <sys/timers.h> | 51 | # include <sys/timers.h> |
| 52 | #endif | 52 | #endif |
| 53 | 53 | ||
| 54 | /* | ||
| 55 | * According to the setauthdb man page, AIX password registries must be 15 | ||
| 56 | * chars or less plus terminating NUL. | ||
| 57 | */ | ||
| 58 | #ifdef HAVE_SETAUTHDB | ||
| 59 | # define REGISTRY_SIZE 16 | ||
| 60 | #endif | ||
| 61 | |||
| 54 | void aix_usrinfo(struct passwd *); | 62 | void aix_usrinfo(struct passwd *); |
| 55 | 63 | ||
| 56 | #ifdef WITH_AIXAUTHENTICATE | 64 | #ifdef WITH_AIXAUTHENTICATE |
| @@ -60,5 +68,6 @@ void record_failed_login(const char *, const char *); | |||
| 60 | 68 | ||
| 61 | int aix_authenticate(const char *, const char *, const char *); | 69 | int aix_authenticate(const char *, const char *, const char *); |
| 62 | void aix_setauthdb(const char *); | 70 | void aix_setauthdb(const char *); |
| 71 | void aix_restoreauthdb(void); | ||
| 63 | void aix_remove_embedded_newlines(char *); | 72 | void aix_remove_embedded_newlines(char *); |
| 64 | #endif /* _AIX */ | 73 | #endif /* _AIX */ |