10 files changed, 167 insertions, 11 deletions

diff --git a/CREDITS b/CREDITS
index 03910b301..45775a3ef 100644
--- a/CREDITS
+++ b/CREDITS
@@ -15,7 +15,7 @@ Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
 Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
 Darren Hall <dhall@virage.org> - AIX patches
 David Agraz <dagraz@jahoopa.com> - Build fixes
-David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, NetBSD fixes
+David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
 Gary E. Miller <gem@rellim.com> - SCO support
 Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - KRB4/AFS config patch
 Jani Hakala <jahakala@cc.jyu.fi> - Patches
@@ -26,6 +26,7 @@ Juergen Keil <jk@tools.de> - scp bugfixing
 Kees Cook <cook@cpoint.net> - scp fixes
 Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
 Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
+Matt Richards <v2matt@btv.ibm.com> - AIX patches
 Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
 Niels Kristian Bech Jensen <nkbj@image.dk> - Assorted patches
 Peter Kocks <peter.kocks@baygate.com> - Makefile fixes
diff --git a/ChangeLog b/ChangeLog
index afc51024a..74b20e8d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
  - OpenBSD CVS:
    - [packet.c]
      getsockname() requires initialized tolen; andy@guildsoftware.com
+ - AIX patch from Matt Richards <v2matt@btv.ibm.com> and David Rankin 
+   <drankin@bohemians.lexington.ky.us>
 
 20000122
  - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor
diff --git a/acconfig.h b/acconfig.h
index c5e6d3ee7..e96b195dc 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -12,6 +12,9 @@
 /* Define if you want to disable PAM support */
 #undef DISABLE_PAM
 
+/* Define if you want to disable AIX4's authenticate function */
+#undef WITH_AIXAUTHENTICATE
+
 /* Define if you want to disable lastlog support */
 #undef DISABLE_LASTLOG
 
@@ -30,6 +33,12 @@
 /* Define if using the Dante SOCKS library. */
 #undef HAVE_DANTE
 
+/* Define if using the Socks4 SOCKS library. */
+#undef HAVE_SOCKS4
+
+/* Define if using the Socks5 SOCKS library. */
+#undef HAVE_SOCKS5
+
 /* Define if you want to install preformatted manpages.*/
 #undef MANTYPE
 
diff --git a/auth-passwd.c b/auth-passwd.c
index a8a52ce9a..278212aa5 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -11,13 +11,17 @@
 
 #ifndef USE_PAM
 
-RCSID("$Id: auth-passwd.c,v 1.15 2000/01/06 01:03:13 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.16 2000/01/22 23:32:03 damien Exp $");
 
 #include "packet.h"
 #include "ssh.h"
 #include "servconf.h"
 #include "xmalloc.h"
 
+#ifdef WITH_AIXAUTHENTICATE
+#include <login.h>
+#endif
+
 #ifdef HAVE_SHADOW_H
 # include <shadow.h>
 #endif
@@ -39,6 +43,11 @@ auth_password(struct passwd * pw, const char *password)
 #ifdef HAVE_SHADOW_H
         struct spwd *spw;
 #endif
+#ifdef WITH_AIXAUTHENTICATE
+        char *authmsg;
+        char *loginmsg;
+        int reenter = 1;
+#endif
 
         /* deny if no user. */
         if (pw == NULL)
@@ -56,6 +65,11 @@ auth_password(struct passwd * pw, const char *password)
                 /* Fall back to ordinary passwd authentication. */
         }
 #endif
+
+#ifdef WITH_AIXAUTHENTICATE
+        return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+#endif
+
 #ifdef KRB4
         if (options.kerberos_authentication == 1) {
                 int ret = auth_krb4_password(pw, password);
diff --git a/bsd-misc.c b/bsd-misc.c
index 2328e5739..b2c70c680 100644
--- a/bsd-misc.c
+++ b/bsd-misc.c
@@ -47,6 +47,9 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <fcntl.h>
+#ifdef HAVE_STDDEF_H
+#include <stddef.h>
+#endif
 
 #include "xmalloc.h"
 #include "ssh.h"
diff --git a/cipher.c b/cipher.c
index 64c407e62..5589c24fa 100644
--- a/cipher.c
+++ b/cipher.c
@@ -12,10 +12,11 @@
  */
 
 #include "includes.h"
-RCSID("$Id: cipher.c,v 1.11 1999/12/14 22:34:31 damien Exp $");
+RCSID("$Id: cipher.c,v 1.12 2000/01/22 23:32:03 damien Exp $");
 
 #include "ssh.h"
 #include "cipher.h"
+#include "config.h"
 
 #ifdef HAVE_OPENSSL
 #include <openssl/md5.h>
diff --git a/configure.in b/configure.in
index 4d414573f..6f5cdafc7 100644
--- a/configure.in
+++ b/configure.in
@@ -518,13 +518,53 @@ dnl Compile with dante SOCKS library
 AC_ARG_WITH(dante,
         [  --with-dante=DIR        Use Dante SOCKS lib (default is system library path)],
         [
-                AC_DEFINE(HAVE_DANTE)
+                SAVELIBS="$LIBS"
+                SOCKSLIBS=""
+                SOCKSLIBPATH=""
                 if test "x$withval" != "xno" ; then
                         if test -n $withval ; then
                                 LIBS="$LIBS -L$withval"
+                                SOCKSLIBPATH="-L$withval"
                         fi
-                        LIBS="$LIBS -lsocks"
+                        AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_DANTE) SOCKSLIBS="$SOCKSLIBPATH -lsocks")
                 fi
+                LIBS="$SAVELIBS $SOCKSLIBS"
+        ]
+)
+
+dnl Compile with SOCKS4 SOCKS library
+AC_ARG_WITH(socks4,
+        [  --with-socks4=DIR        Use Socks4 SOCKS lib (default is system library path)],
+        [
+                SAVELIBS="$LIBS"
+                SOCKSLIBS=""
+                SOCKSLIBPATH=""
+                if test "x$withval" != "xno" ; then
+                        if test -n $withval ; then
+                                LIBS="$LIBS -L$withval"
+                                SOCKSLIBPATH="-L$withval"
+                        fi
+                        AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_SOCKS4) SOCKSLIBS="$SOCKSLIBPATH -lsocks")
+                fi
+                LIBS="$SAVELIBS $SOCKSLIBS"
+        ]
+)
+
+dnl Compile with SOCKS5 SOCKS library
+AC_ARG_WITH(socks5,
+        [  --with-socks5=DIR        Use Socks5 SOCKS lib (default is system library path)],
+        [
+                SAVELIBS="$LIBS"
+                SOCKSLIBS=""
+                SOCKSLIBPATH=""
+                if test "x$withval" != "xno" ; then
+                        if test -n $withval ; then
+                                LIBS="$LIBS -L$withval"
+                                SOCKSLIBPATH="-L$withval"
+                        fi
+                        AC_CHECK_LIB(socks5, SOCKSconnect, AC_DEFINE(HAVE_SOCKS5) SOCKSLIBS="$SOCKSLIBPATH -lsocks5")
+                fi
+                LIBS="$SAVELIBS $SOCKSLIBS"
         ]
 )
 AC_ARG_WITH(catman,
diff --git a/ssh.c b/ssh.c
index 2a2fb2d35..bf0ac6bd8 100644
--- a/ssh.c
+++ b/ssh.c
@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh.c,v 1.17 2000/01/19 03:36:49 damien Exp $");
+RCSID("$Id: ssh.c,v 1.18 2000/01/22 23:32:04 damien Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -217,6 +217,10 @@ main(int ac, char **av)
         /* Save our own name. */
         av0 = av[0];
 
+#ifdef SOCKS
+        SOCKSinit(av0);
+#endif /* SOCKS */
+
         /* Initialize option structure to indicate that no values have been set. */
         initialize_options(&options);
 
diff --git a/ssh.h b/ssh.h
index 0f3302a69..390f463e5 100644
--- a/ssh.h
+++ b/ssh.h
@@ -13,7 +13,7 @@
  * 
  */
 
-/* RCSID("$Id: ssh.h,v 1.24 2000/01/14 04:45:52 damien Exp $"); */
+/* RCSID("$Id: ssh.h,v 1.25 2000/01/22 23:32:04 damien Exp $"); */
 
 #ifndef SSH_H
 #define SSH_H
@@ -752,7 +752,7 @@ extern int IPv4or6;
 #include "auth-pam.h"
 #endif /* USE_PAM */
 
-#ifdef HAVE_DANTE
+#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4)
 /*
  * The following defines map the normal socket operations to SOCKSified
  * versions coming from the Dante SOCKS package.
@@ -795,6 +795,54 @@ ssize_t Rsendto (int, const void *,
             size_t, int, const struct sockaddr *, socklen_t);
 ssize_t Rwrite(int , const void *, size_t );
 ssize_t Rwritev(int , const struct iovec *, int );
-#endif /* HAVE_DANTE */
+#endif /* HAVE_DANTE || HAVE_SOCKS4 */
 
+#if defined(HAVE_SOCKS5) 
+/*
+ * The following defines map the normal socket operations to SOCKSified
+ * versions coming from the SOCKS package.
+ */
+#define accept SOCKSaccept
+#define bind SOCKSbind
+#define bindresvport SOCKSbindresvport
+#define connect SOCKSconnect
+#define gethostbyname SOCKSgethostbyname
+#define gethostbyname2 SOCKSgethostbyname2
+#define getpeername SOCKSgetpeername
+#define getsockname SOCKSgetsockname
+#define read SOCKSread
+#define readv SOCKSreadv
+#define recv SOCKSrecv
+#define recvmsg SOCKSrecvmsg
+#define recvfrom SOCKSrecvfrom
+#define rresvport SOCKSrresvport
+#define send SOCKSsend
+#define sendmsg SOCKSsendmsg
+#define sendto SOCKSsendto
+#define write SOCKSwrite
+#define writev SOCKSwritev
+int     SOCKSaccept (int, struct sockaddr *, socklen_t *);
+int     SOCKSbind (int, const struct sockaddr *, socklen_t);
+int     SOCKSbindresvport(int , struct sockaddr_in *);
+int     SOCKSconnect (int, const struct sockaddr *, socklen_t);
+struct hostent *SOCKSgethostbyname(const char *);
+struct hostent *SOCKSgethostbyname2(const char *, int);
+int     SOCKSgetpeername (int, struct sockaddr *, socklen_t *);
+int     SOCKSgetsockname (int, struct sockaddr *, socklen_t *);
+ssize_t SOCKSread(int , void *, size_t );
+ssize_t SOCKSreadv(int d, const struct iovec *iov, int iovcnt);
+ssize_t SOCKSrecv (int, void *, size_t, int);
+ssize_t SOCKSrecvfrom (int, void *, size_t, int, struct sockaddr *,
+            socklen_t *);
+ssize_t SOCKSsend (int, const void *, size_t, int);
+ssize_t SOCKSsendmsg (int, const struct msghdr *, int);
+ssize_t SOCKSsendto (int, const void *,
+            size_t, int, const struct sockaddr *, socklen_t);
+ssize_t SOCKSwrite(int , const void *, size_t );
+ssize_t SOCKSwritev(int , const struct iovec *, int );
+#endif /* SOCKS5 */
+
+#if defined(DANTE) || defined(SOCKS4) || defined(SOCKS5)
+#define SOCKS
+#endif /* defined(DANTE) || defined(SOCKS4) || defined(SOCKS5) */
 #endif                          /* SSH_H */
diff --git a/sshd.c b/sshd.c
index 7f761bb14..a5cbbfc43 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1099,6 +1099,9 @@ allowed_user(struct passwd * pw)
 {
         struct group *grp;
         int i;
+#ifdef WITH_AIXAUTHENTICATE
+        char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
 
         /* Shouldn't be called if pw is NULL, but better safe than sorry... */
         if (!pw)
@@ -1155,6 +1158,12 @@ allowed_user(struct passwd * pw)
                                 return 0;
                 }
         }
+
+#ifdef WITH_AIXAUTHENTICATE
+        if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+                return 0;
+#endif /* WITH_AIXAUTHENTICATE */
+
         /* We found no reason not to let this user try to log on... */
         return 1;
 }
@@ -1179,6 +1188,10 @@ do_authentication()
 
         setproctitle("%s", user);
 
+#ifdef WITH_AIXAUTHENTICATE
+        char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
+
 #ifdef AFS
         /* If machine has AFS, set process authentication group. */
         if (k_hasafs()) {
@@ -1244,6 +1257,9 @@ do_authentication()
                                           get_canonical_hostname());
         }
         /* The user has been authenticated and accepted. */
+#ifdef WITH_AIXAUTHENTICATE
+        loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+#endif /* WITH_AIXAUTHENTICATE */
         packet_start(SSH_SMSG_SUCCESS);
         packet_send();
         packet_write_wait();
@@ -1498,8 +1514,7 @@ do_authloop(struct passwd * pw)
 
                 if (authenticated) {
 #ifdef USE_PAM
-                        if (!do_pam_account(pw->pw_name, client_user))
-                        {
+                        if (!do_pam_account(pw->pw_name, client_user)) {
                                 if (client_user != NULL)
                                         xfree(client_user);
 
@@ -1582,6 +1597,11 @@ do_fake_authloop(char *user)
                 packet_start(SSH_SMSG_FAILURE);
                 packet_send();
                 packet_write_wait();
+#ifdef WITH_AIXAUTHENTICATE 
+                if (strncmp(get_authname(type),"password",
+                    strlen(get_authname(type))) == 0)
+                        loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
         }
         /* NOTREACHED */
         abort();
@@ -2423,6 +2443,18 @@ do_child(const char *command, struct passwd * pw, const char *term,
         if (display)
                 child_set_env(&env, &envsize, "DISPLAY", display);
 
+#ifdef _AIX
+        {
+           char *authstate,*krb5cc;
+
+           if ((authstate = getenv("AUTHSTATE")) != NULL)
+                 child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+
+           if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+                 child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+        }
+#endif
+
 #ifdef KRB4
         {
                 extern char *ticket;
@@ -2444,6 +2476,8 @@ do_child(const char *command, struct passwd * pw, const char *term,
                 child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
                               auth_get_socket_name());
 
+        read_environment_file(&env,&envsize,"/etc/environment");
+
         /* read $HOME/.ssh/environment. */
         if (!options.use_login) {
                 snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir);