7 files changed, 78 insertions, 38 deletions
diff --git a/ChangeLog b/ChangeLog
index 58b188eb3..89adc1266 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,9 @@
 - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
   Include AIX headers for authentication functions and make calls match
   prototypes.  Test for and handle 3-args and 4-arg variants of loginfailed.
- - (dtucker) Check return value of setpcred().
+ - (dtucker) [session.c] Check return value of setpcred().
+ - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
+   Convert aixloginmsg into platform-independant Buffer loginmsg.
 20030707
 - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
@@ -668,4 +670,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.2848 2003/07/08 11:01:04 dtucker Exp $
+$Id: ChangeLog,v 1.2849 2003/07/08 12:59:59 dtucker Exp $
diff --git a/auth-passwd.c b/auth-passwd.c
index ea65a0125..f078eddd5 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -42,6 +42,8 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
+#include "buffer.h"
+#include "xmalloc.h"
 #include "canohost.h"
 #if !defined(HAVE_OSF_SIA)
@@ -79,9 +81,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
 #endif /* !HAVE_OSF_SIA */
 extern ServerOptions options;
-#ifdef WITH_AIXAUTHENTICATE
+extern Buffer loginmsg;
-extern char *aixloginmsg;
-#endif
 /*
 * Tries to authenticate the user using password.  Returns true if
@@ -149,15 +149,29 @@ auth_password(Authctxt *authctxt, const char *password)
 # endif
 # ifdef WITH_AIXAUTHENTICATE
        authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+        aix_remove_embedded_newlines(authmsg);  
        if (authsuccess) {
+                char *msg;
+                char *host = (char *)get_canonical_hostname(options.use_dns);
+                debug3("AIX/authenticate succeeded for user %s: %.100s",
+                        pw->pw_name, authmsg);
                /* We don't have a pty yet, so just label the line as "ssh" */
-                if (loginsuccess(authctxt->user,
+                if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0){
-                    get_canonical_hostname(options.use_dns),
+                        if (msg != NULL) {
-                    "ssh", &aixloginmsg) < 0) {
+                                debug("%s: msg %s", __func__, msg);
-                        aixloginmsg = NULL;
+                                buffer_append(&loginmsg, msg, strlen(msg));
+                                xfree(msg);
+                        }
                }
+        } else {
+                debug3("AIX/authenticate failed for user %s: %.100s",
+                    pw->pw_name, authmsg);
        }
+        if (authmsg != NULL)
+                xfree(authmsg);
        return (authsuccess);
 # endif
diff --git a/auth.c b/auth.c
index 6b48addf7..d4768a154 100644
--- a/auth.c
+++ b/auth.c
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 /* Debugging messages */
 Buffer auth_debug;
@@ -75,9 +76,6 @@ allowed_user(struct passwd * pw)
        const char *hostname = NULL, *ipaddr = NULL;
        char *shell;
        int i;
-#ifdef WITH_AIXAUTHENTICATE
-        char *loginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
    defined(HAS_SHADOW_EXPIRE)
        struct spwd *spw;
@@ -206,26 +204,23 @@ allowed_user(struct passwd * pw)
         * PermitRootLogin to control logins via ssh), or if running as
         * non-root user (since loginrestrictions will always fail).
         */
-        if ((pw->pw_uid != 0) && (geteuid() == 0) &&
+        if ((pw->pw_uid != 0) && (geteuid() == 0)) {
-            loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+                char *msg;
-                int loginrestrict_errno = errno;
+                if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
-                if (loginmsg && *loginmsg) {
+                        int loginrestrict_errno = errno;
-                        /* Remove embedded newlines (if any) */
-                        char *p;
+                        if (msg && *msg) {
-                        for (p = loginmsg; *p; p++) {
+                                buffer_append(&loginmsg, msg, strlen(msg));
-                                if (*p == '\n')
+                                aix_remove_embedded_newlines(msg);
-                                        *p = ' ';
+                                logit("Login restricted for %s: %.100s",
+                                    pw->pw_name, msg);
                        }
-                        /* Remove trailing newline */
+                        /* Don't fail if /etc/nologin  set */
-                        *--p = '\0';
+                        if (!(loginrestrict_errno == EPERM && 
-                        logit("Login restricted for %s: %.100s", pw->pw_name, 
+                            stat(_PATH_NOLOGIN, &st) == 0))
-                            loginmsg);
+                                return 0;
                }
-                /* Don't fail if /etc/nologin  set */
-                if (!(loginrestrict_errno == EPERM && 
-                    stat(_PATH_NOLOGIN, &st) == 0))
-                        return 0;
        }
 #endif /* WITH_AIXAUTHENTICATE */
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index c8d9517b6..cc6190cb8 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -61,6 +61,28 @@ aix_usrinfo(struct passwd *pw)
        xfree(cp);
 }
+#ifdef WITH_AIXAUTHENTICATE
+/*
+ * Remove embedded newlines in string (if any).
+ * Used before logging messages returned by AIX authentication functions
+ * so the message is logged on one line.
+ */
+void
+aix_remove_embedded_newlines(char *p)
+{
+        if (p == NULL)
+                return;
+        for (; *p; p++) {
+                if (*p == '\n')
+                        *p = ' ';
+        }
+        /* Remove trailing whitespace */
+        if (*--p == ' ')
+                *p = '\0';
+}
+#endif /* WITH_AIXAUTHENTICATE */
+  
 # ifdef CUSTOM_FAILED_LOGIN
 /*
 * record_failed_login: generic "login failed" interface function
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 2787d919d..4627a82f0 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -51,4 +51,5 @@ void record_failed_login(const char *user, const char *ttyname);
 #endif
 void aix_usrinfo(struct passwd *pw);
+void aix_remove_embedded_newlines(char *);
 #endif /* _AIX */
diff --git a/session.c b/session.c
index e9cf7e959..4b443831b 100644
--- a/session.c
+++ b/session.c
@@ -95,6 +95,7 @@ extern int debug_flag;
 extern u_int utmp_len;
 extern int startup_pipe;
 extern void destroy_sensitive_data(void);
+extern Buffer loginmsg;
 /* original command from peer. */
 const char *original_command = NULL;
@@ -103,10 +104,6 @@ const char *original_command = NULL;
 #define MAX_SESSIONS 10
 Session sessions[MAX_SESSIONS];
-#ifdef WITH_AIXAUTHENTICATE
-char *aixloginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
 #ifdef HAVE_LOGIN_CAP
 login_cap_t *lc;
 #endif
@@ -770,10 +767,13 @@ do_login(Session *s, const char *command)
        if (options.use_pam && !is_pam_password_change_required())
                print_pam_messages();
 #endif /* USE_PAM */
-#ifdef WITH_AIXAUTHENTICATE
-        if (aixloginmsg && *aixloginmsg)
+        /* display post-login message */
-                printf("%s\n", aixloginmsg);
+        if (buffer_len(&loginmsg) > 0) {
-#endif /* WITH_AIXAUTHENTICATE */
+                buffer_append(&loginmsg, "\0", 1);
+                printf("%s\n", (char *)buffer_ptr(&loginmsg));
+        }
+        buffer_free(&loginmsg);
 #ifndef NO_SSH_LASTLOG
        if (options.print_lastlog && s->last_login_time != 0) {
diff --git a/sshd.c b/sshd.c
index fafe0c66d..14cd4a27f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -201,6 +201,9 @@ int startup_pipe;		/* in child */
 int use_privsep;
 struct monitor *pmonitor;
+/* message to be displayed after login */
+Buffer loginmsg;
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
@@ -1501,6 +1504,9 @@ main(int ac, char **av)
        packet_set_nonblocking();
+        /* prepare buffers to collect authentication messages */
+        buffer_init(&loginmsg);
        if (use_privsep)
                if ((authctxt = privsep_preauth()) != NULL)
                        goto authenticated;

diff --git a/ChangeLog b/ChangeLog index 58b188eb3..89adc1266 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -2,7 +2,9 @@
2	- (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]	2	- (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
3	Include AIX headers for authentication functions and make calls match	3	Include AIX headers for authentication functions and make calls match
4	prototypes. Test for and handle 3-args and 4-arg variants of loginfailed.	4	prototypes. Test for and handle 3-args and 4-arg variants of loginfailed.
5	- (dtucker) Check return value of setpcred().	5	- (dtucker) [session.c] Check return value of setpcred().
		6	- (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
		7	Convert aixloginmsg into platform-independant Buffer loginmsg.
6		8
7	20030707	9	20030707
8	- (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before	10	- (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
@@ -668,4 +670,4 @@
668	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.	670	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
669	Report from murple@murple.net, diagnosis from dtucker@zip.com.au	671	Report from murple@murple.net, diagnosis from dtucker@zip.com.au
670		672
671	$Id: ChangeLog,v 1.2848 2003/07/08 11:01:04 dtucker Exp $	673	$Id: ChangeLog,v 1.2849 2003/07/08 12:59:59 dtucker Exp $


diff --git a/auth-passwd.c b/auth-passwd.c index ea65a0125..f078eddd5 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -42,6 +42,8 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
42	#include "log.h"	42	#include "log.h"
43	#include "servconf.h"	43	#include "servconf.h"
44	#include "auth.h"	44	#include "auth.h"
		45	#include "buffer.h"
		46	#include "xmalloc.h"
45	#include "canohost.h"	47	#include "canohost.h"
46		48
47	#if !defined(HAVE_OSF_SIA)	49	#if !defined(HAVE_OSF_SIA)
@@ -79,9 +81,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
79	#endif /* !HAVE_OSF_SIA */	81	#endif /* !HAVE_OSF_SIA */
80		82
81	extern ServerOptions options;	83	extern ServerOptions options;
82	#ifdef WITH_AIXAUTHENTICATE	84	extern Buffer loginmsg;
83	extern char *aixloginmsg;
84	#endif
85		85
86	/*	86	/*
87	* Tries to authenticate the user using password. Returns true if	87	* Tries to authenticate the user using password. Returns true if
@@ -149,15 +149,29 @@ auth_password(Authctxt authctxt, const char password)
149	# endif	149	# endif
150	# ifdef WITH_AIXAUTHENTICATE	150	# ifdef WITH_AIXAUTHENTICATE
151	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);	151	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
		152	aix_remove_embedded_newlines(authmsg);
152		153
153	if (authsuccess) {	154	if (authsuccess) {
		155	char *msg;
		156	char host = (char )get_canonical_hostname(options.use_dns);
		157
		158	debug3("AIX/authenticate succeeded for user %s: %.100s",
		159	pw->pw_name, authmsg);
		160
154	/* We don't have a pty yet, so just label the line as "ssh" */	161	/* We don't have a pty yet, so just label the line as "ssh" */
155	if (loginsuccess(authctxt->user,	162	if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0){
156	get_canonical_hostname(options.use_dns),	163	if (msg != NULL) {
157	"ssh", &aixloginmsg) < 0) {	164	debug("%s: msg %s", __func__, msg);
158	aixloginmsg = NULL;	165	buffer_append(&loginmsg, msg, strlen(msg));
		166	xfree(msg);
		167	}
159	}	168	}
		169	} else {
		170	debug3("AIX/authenticate failed for user %s: %.100s",
		171	pw->pw_name, authmsg);
160	}	172	}
		173	if (authmsg != NULL)
		174	xfree(authmsg);
161		175
162	return (authsuccess);	176	return (authsuccess);
163	# endif	177	# endif


diff --git a/auth.c b/auth.c index 6b48addf7..d4768a154 100644 --- a/auth.c +++ b/auth.c
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
54		54
55	/* import */	55	/* import */
56	extern ServerOptions options;	56	extern ServerOptions options;
		57	extern Buffer loginmsg;
57		58
58	/* Debugging messages */	59	/* Debugging messages */
59	Buffer auth_debug;	60	Buffer auth_debug;
@@ -75,9 +76,6 @@ allowed_user(struct passwd * pw)
75	const char hostname = NULL, ipaddr = NULL;	76	const char hostname = NULL, ipaddr = NULL;
76	char *shell;	77	char *shell;
77	int i;	78	int i;
78	#ifdef WITH_AIXAUTHENTICATE
79	char *loginmsg;
80	#endif /* WITH_AIXAUTHENTICATE */
81	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \	79	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
82	defined(HAS_SHADOW_EXPIRE)	80	defined(HAS_SHADOW_EXPIRE)
83	struct spwd *spw;	81	struct spwd *spw;
@@ -206,26 +204,23 @@ allowed_user(struct passwd * pw)
206	* PermitRootLogin to control logins via ssh), or if running as	204	* PermitRootLogin to control logins via ssh), or if running as
207	* non-root user (since loginrestrictions will always fail).	205	* non-root user (since loginrestrictions will always fail).
208	*/	206	*/
209	if ((pw->pw_uid != 0) && (geteuid() == 0) &&	207	if ((pw->pw_uid != 0) && (geteuid() == 0)) {
210	loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {	208	char *msg;
211	int loginrestrict_errno = errno;	209
212		210	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
213	if (loginmsg && *loginmsg) {	211	int loginrestrict_errno = errno;
214	/* Remove embedded newlines (if any) */	212
215	char *p;	213	if (msg && *msg) {
216	for (p = loginmsg; *p; p++) {	214	buffer_append(&loginmsg, msg, strlen(msg));
217	if (*p == '\n')	215	aix_remove_embedded_newlines(msg);
218	*p = ' ';	216	logit("Login restricted for %s: %.100s",
		217	pw->pw_name, msg);
219	}	218	}
220	/* Remove trailing newline */	219	/* Don't fail if /etc/nologin set */
221	*--p = '\0';	220	if (!(loginrestrict_errno == EPERM &&
222	logit("Login restricted for %s: %.100s", pw->pw_name,	221	stat(_PATH_NOLOGIN, &st) == 0))
223	loginmsg);	222	return 0;
224	}	223	}
225	/* Don't fail if /etc/nologin set */
226	if (!(loginrestrict_errno == EPERM &&
227	stat(_PATH_NOLOGIN, &st) == 0))
228	return 0;
229	}	224	}
230	#endif /* WITH_AIXAUTHENTICATE */	225	#endif /* WITH_AIXAUTHENTICATE */
231		226


diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index c8d9517b6..cc6190cb8 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c
@@ -61,6 +61,28 @@ aix_usrinfo(struct passwd *pw)
61	xfree(cp);	61	xfree(cp);
62	}	62	}
63		63
		64	#ifdef WITH_AIXAUTHENTICATE
		65	/*
		66	* Remove embedded newlines in string (if any).
		67	* Used before logging messages returned by AIX authentication functions
		68	* so the message is logged on one line.
		69	*/
		70	void
		71	aix_remove_embedded_newlines(char *p)
		72	{
		73	if (p == NULL)
		74	return;
		75
		76	for (; *p; p++) {
		77	if (*p == '\n')
		78	*p = ' ';
		79	}
		80	/* Remove trailing whitespace */
		81	if (*--p == ' ')
		82	*p = '\0';
		83	}
		84	#endif /* WITH_AIXAUTHENTICATE */
		85
64	# ifdef CUSTOM_FAILED_LOGIN	86	# ifdef CUSTOM_FAILED_LOGIN
65	/*	87	/*
66	* record_failed_login: generic "login failed" interface function	88	* record_failed_login: generic "login failed" interface function


diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 2787d919d..4627a82f0 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h
@@ -51,4 +51,5 @@ void record_failed_login(const char user, const char ttyname);
51	#endif	51	#endif
52		52
53	void aix_usrinfo(struct passwd *pw);	53	void aix_usrinfo(struct passwd *pw);
		54	void aix_remove_embedded_newlines(char *);
54	#endif /* _AIX */	55	#endif /* _AIX */


diff --git a/session.c b/session.c index e9cf7e959..4b443831b 100644 --- a/session.c +++ b/session.c
@@ -95,6 +95,7 @@ extern int debug_flag;
95	extern u_int utmp_len;	95	extern u_int utmp_len;
96	extern int startup_pipe;	96	extern int startup_pipe;
97	extern void destroy_sensitive_data(void);	97	extern void destroy_sensitive_data(void);
		98	extern Buffer loginmsg;
98		99
99	/* original command from peer. */	100	/* original command from peer. */
100	const char *original_command = NULL;	101	const char *original_command = NULL;
@@ -103,10 +104,6 @@ const char *original_command = NULL;
103	#define MAX_SESSIONS 10	104	#define MAX_SESSIONS 10
104	Session sessions[MAX_SESSIONS];	105	Session sessions[MAX_SESSIONS];
105		106
106	#ifdef WITH_AIXAUTHENTICATE
107	char *aixloginmsg;
108	#endif /* WITH_AIXAUTHENTICATE */
109
110	#ifdef HAVE_LOGIN_CAP	107	#ifdef HAVE_LOGIN_CAP
111	login_cap_t *lc;	108	login_cap_t *lc;
112	#endif	109	#endif
@@ -770,10 +767,13 @@ do_login(Session s, const char command)
770	if (options.use_pam && !is_pam_password_change_required())	767	if (options.use_pam && !is_pam_password_change_required())
771	print_pam_messages();	768	print_pam_messages();
772	#endif /* USE_PAM */	769	#endif /* USE_PAM */
773	#ifdef WITH_AIXAUTHENTICATE	770
774	if (aixloginmsg && *aixloginmsg)	771	/* display post-login message */
775	printf("%s\n", aixloginmsg);	772	if (buffer_len(&loginmsg) > 0) {
776	#endif /* WITH_AIXAUTHENTICATE */	773	buffer_append(&loginmsg, "\0", 1);
		774	printf("%s\n", (char *)buffer_ptr(&loginmsg));
		775	}
		776	buffer_free(&loginmsg);
777		777
778	#ifndef NO_SSH_LASTLOG	778	#ifndef NO_SSH_LASTLOG
779	if (options.print_lastlog && s->last_login_time != 0) {	779	if (options.print_lastlog && s->last_login_time != 0) {


diff --git a/sshd.c b/sshd.c index fafe0c66d..14cd4a27f 100644 --- a/sshd.c +++ b/sshd.c
@@ -201,6 +201,9 @@ int startup_pipe; /* in child */
201	int use_privsep;	201	int use_privsep;
202	struct monitor *pmonitor;	202	struct monitor *pmonitor;
203		203
		204	/* message to be displayed after login */
		205	Buffer loginmsg;
		206
204	/* Prototypes for various functions defined later in this file. */	207	/* Prototypes for various functions defined later in this file. */
205	void destroy_sensitive_data(void);	208	void destroy_sensitive_data(void);
206	void demote_sensitive_data(void);	209	void demote_sensitive_data(void);
@@ -1501,6 +1504,9 @@ main(int ac, char **av)
1501		1504
1502	packet_set_nonblocking();	1505	packet_set_nonblocking();
1503		1506
		1507	/* prepare buffers to collect authentication messages */
		1508	buffer_init(&loginmsg);
		1509
1504	if (use_privsep)	1510	if (use_privsep)
1505	if ((authctxt = privsep_preauth()) != NULL)	1511	if ((authctxt = privsep_preauth()) != NULL)
1506	goto authenticated;	1512	goto authenticated;