4 files changed, 68 insertions, 54 deletions
diff --git a/ChangeLog b/ChangeLog
index 1d9d7412c..1d723126d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 20031122
 - (dtucker) [channels.c] Make AIX write limit code clearer.  Suggested by djm@
+ - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
+   Move AIX specific password authentication code to port-aix.c, call
+   authenticate() until reenter flag is clear.
 20031121
 - (djm) OpenBSD CVS Sync
@@ -1501,4 +1504,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3120 2003/11/22 03:10:02 dtucker Exp $
+$Id: ChangeLog,v 1.3121 2003/11/22 03:16:56 dtucker Exp $
diff --git a/auth-passwd.c b/auth-passwd.c
index 54571f972..a27170ccc 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -43,9 +43,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $");
 #include "servconf.h"
 #include "auth.h"
 #ifdef WITH_AIXAUTHENTICATE
-# include "buffer.h"
 # include "canohost.h"
-extern Buffer loginmsg;
 #endif
 extern ServerOptions options;
@@ -89,44 +87,11 @@ auth_password(Authctxt *authctxt, const char *password)
        }
 # endif
 # ifdef WITH_AIXAUTHENTICATE
-        {
+        if (aix_authenticate(pw->pw_name, password,
-                char *authmsg = NULL;
+            get_canonical_hostname(options.use_dns)) == 0)
-                int reenter = 1;
+                return 0;
-                int authsuccess = 0;
+        else
+                return ok;
-                if (authenticate(pw->pw_name, password, &reenter,
-                    &authmsg) == 0 && ok) {
-                        char *msg;
-                        char *host =
-                            (char *)get_canonical_hostname(options.use_dns);
-                        authsuccess = 1;
-                        aix_remove_embedded_newlines(authmsg);
-                        debug3("AIX/authenticate succeeded for user %s: %.100s",
-                                pw->pw_name, authmsg);
-                        /* No pty yet, so just label the line as "ssh" */
-                        aix_setauthdb(authctxt->user);
-                        if (loginsuccess(authctxt->user, host, "ssh",
-                            &msg) == 0) {
-                                if (msg != NULL) {
-                                        debug("%s: msg %s", __func__, msg);
-                                        buffer_append(&loginmsg, msg,
-                                            strlen(msg));
-                                        xfree(msg);
-                                }
-                        }
-                } else {
-                        debug3("AIX/authenticate failed for user %s: %.100s",
-                            pw->pw_name, authmsg);
-                }
-                if (authmsg != NULL)
-                        xfree(authmsg);
-                return authsuccess;
-        }
 # endif
 # ifdef BSD_AUTH
        if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 9fbcce936..a9cbf49b0 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -29,6 +29,7 @@
 #include "servconf.h"
 #include "canohost.h"
 #include "xmalloc.h"
+#include "buffer.h"
 #ifdef _AIX
@@ -36,6 +37,7 @@
 #include "port-aix.h"
 extern ServerOptions options;
+extern Buffer loginmsg;
 /*
 * AIX has a "usrinfo" area where logname and other stuff is stored - 
@@ -63,7 +65,7 @@ aix_usrinfo(struct passwd *pw)
        xfree(cp);
 }
-#ifdef WITH_AIXAUTHENTICATE
+# ifdef WITH_AIXAUTHENTICATE
 /*
 * Remove embedded newlines in string (if any).
 * Used before logging messages returned by AIX authentication functions
@@ -83,27 +85,68 @@ aix_remove_embedded_newlines(char *p)
        if (*--p == ' ')
                *p = '\0';
 }
-#endif /* WITH_AIXAUTHENTICATE */
+/*
+ * Do authentication via AIX's authenticate routine.  We loop until the
+ * reenter parameter is 0, but normally authenticate is called only once.
+ *
+ * Note: this function returns 1 on success, whereas AIX's authenticate()
+ * returns 0.
+ */
+int
+aix_authenticate(const char *name, const char *password, const char *host)
+{
+        char *authmsg = NULL, *msg;
+        int authsuccess = 0, reenter, result;
+        do {
+                result = authenticate((char *)name, (char *)password, &reenter,
+                    &authmsg);
+                aix_remove_embedded_newlines(authmsg);  
+                debug3("AIX/authenticate result %d, msg %.100s", result,
+                    authmsg);
+        } while (reenter);
+        if (result == 0) {
+                authsuccess = 1;
+                /* No pty yet, so just label the line as "ssh" */
+                aix_setauthdb(name);
+                if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
+                        if (msg != NULL) {
+                                debug("%s: msg %s", __func__, msg);
+                                buffer_append(&loginmsg, msg, strlen(msg));
+                                xfree(msg);
+                        }
+                }
+        }
+        if (authmsg != NULL)
+                xfree(authmsg);
+        return authsuccess;
+}
  
-# ifdef CUSTOM_FAILED_LOGIN
+#  ifdef CUSTOM_FAILED_LOGIN
 /*
 * record_failed_login: generic "login failed" interface function
 */
 void
 record_failed_login(const char *user, const char *ttyname)
 {
-        char *hostname = get_canonical_hostname(options.use_dns);
+        char *hostname = (char *)get_canonical_hostname(options.use_dns);
        if (geteuid() != 0)
                return;
        aix_setauthdb(user);
-#  ifdef AIX_LOGINFAILED_4ARG
+#   ifdef AIX_LOGINFAILED_4ARG
        loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH);
-#  else
+#   else
        loginfailed((char *)user, hostname, (char *)ttyname);
-#  endif
+#   endif
 }
+#  endif /* CUSTOM_FAILED_LOGIN */
 /*
 * If we have setauthdb, retrieve the password registry for the user's
@@ -135,8 +178,9 @@ aix_setauthdb(const char *user)
                debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
                    strerror(errno));
        enduserdb();
-#  endif
+#  endif /* HAVE_SETAUTHDB */
 }
-# endif /* CUSTOM_FAILED_LOGIN */
-#endif /* _AIX */
+# endif /* WITH_AIXAUTHENTICATE */
+#endif /* _AIX */
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index b2a48cba9..975cdf051 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.15 2003/09/19 10:43:38 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */
 /*
 *
@@ -51,12 +51,14 @@
 # include <sys/timers.h>
 #endif
+void aix_usrinfo(struct passwd *);
 #ifdef WITH_AIXAUTHENTICATE
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
-void aix_setauthdb(const char *);
 #endif
-void aix_usrinfo(struct passwd *);
+int aix_authenticate(const char *, const char *, const char *);
+void aix_setauthdb(const char *);
 void aix_remove_embedded_newlines(char *);
 #endif /* _AIX */

diff --git a/ChangeLog b/ChangeLog index 1d9d7412c..1d723126d 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,5 +1,8 @@
1	20031122	1	20031122
2	- (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@	2	- (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@
		3	- (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
		4	Move AIX specific password authentication code to port-aix.c, call
		5	authenticate() until reenter flag is clear.
3		6
4	20031121	7	20031121
5	- (djm) OpenBSD CVS Sync	8	- (djm) OpenBSD CVS Sync
@@ -1501,4 +1504,4 @@
1501	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.	1504	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
1502	Report from murple@murple.net, diagnosis from dtucker@zip.com.au	1505	Report from murple@murple.net, diagnosis from dtucker@zip.com.au
1503		1506
1504	$Id: ChangeLog,v 1.3120 2003/11/22 03:10:02 dtucker Exp $	1507	$Id: ChangeLog,v 1.3121 2003/11/22 03:16:56 dtucker Exp $


diff --git a/auth-passwd.c b/auth-passwd.c index 54571f972..a27170ccc 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -43,9 +43,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $");
43	#include "servconf.h"	43	#include "servconf.h"
44	#include "auth.h"	44	#include "auth.h"
45	#ifdef WITH_AIXAUTHENTICATE	45	#ifdef WITH_AIXAUTHENTICATE
46	# include "buffer.h"
47	# include "canohost.h"	46	# include "canohost.h"
48	extern Buffer loginmsg;
49	#endif	47	#endif
50		48
51	extern ServerOptions options;	49	extern ServerOptions options;
@@ -89,44 +87,11 @@ auth_password(Authctxt authctxt, const char password)
89	}	87	}
90	# endif	88	# endif
91	# ifdef WITH_AIXAUTHENTICATE	89	# ifdef WITH_AIXAUTHENTICATE
92	{	90	if (aix_authenticate(pw->pw_name, password,
93	char *authmsg = NULL;	91	get_canonical_hostname(options.use_dns)) == 0)
94	int reenter = 1;	92	return 0;
95	int authsuccess = 0;	93	else
96		94	return ok;
97	if (authenticate(pw->pw_name, password, &reenter,
98	&authmsg) == 0 && ok) {
99	char *msg;
100	char *host =
101	(char *)get_canonical_hostname(options.use_dns);
102
103	authsuccess = 1;
104	aix_remove_embedded_newlines(authmsg);
105
106	debug3("AIX/authenticate succeeded for user %s: %.100s",
107	pw->pw_name, authmsg);
108
109	/* No pty yet, so just label the line as "ssh" */
110	aix_setauthdb(authctxt->user);
111	if (loginsuccess(authctxt->user, host, "ssh",
112	&msg) == 0) {
113	if (msg != NULL) {
114	debug("%s: msg %s", __func__, msg);
115	buffer_append(&loginmsg, msg,
116	strlen(msg));
117	xfree(msg);
118	}
119	}
120	} else {
121	debug3("AIX/authenticate failed for user %s: %.100s",
122	pw->pw_name, authmsg);
123	}
124
125	if (authmsg != NULL)
126	xfree(authmsg);
127
128	return authsuccess;
129	}
130	# endif	95	# endif
131	# ifdef BSD_AUTH	96	# ifdef BSD_AUTH
132	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",	97	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",


diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 9fbcce936..a9cbf49b0 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c
@@ -29,6 +29,7 @@
29	#include "servconf.h"	29	#include "servconf.h"
30	#include "canohost.h"	30	#include "canohost.h"
31	#include "xmalloc.h"	31	#include "xmalloc.h"
		32	#include "buffer.h"
32		33
33	#ifdef _AIX	34	#ifdef _AIX
34		35
@@ -36,6 +37,7 @@
36	#include "port-aix.h"	37	#include "port-aix.h"
37		38
38	extern ServerOptions options;	39	extern ServerOptions options;
		40	extern Buffer loginmsg;
39		41
40	/*	42	/*
41	* AIX has a "usrinfo" area where logname and other stuff is stored -	43	* AIX has a "usrinfo" area where logname and other stuff is stored -
@@ -63,7 +65,7 @@ aix_usrinfo(struct passwd *pw)
63	xfree(cp);	65	xfree(cp);
64	}	66	}
65		67
66	#ifdef WITH_AIXAUTHENTICATE	68	# ifdef WITH_AIXAUTHENTICATE
67	/*	69	/*
68	* Remove embedded newlines in string (if any).	70	* Remove embedded newlines in string (if any).
69	* Used before logging messages returned by AIX authentication functions	71	* Used before logging messages returned by AIX authentication functions
@@ -83,27 +85,68 @@ aix_remove_embedded_newlines(char *p)
83	if (*--p == ' ')	85	if (*--p == ' ')
84	*p = '\0';	86	*p = '\0';
85	}	87	}
86	#endif /* WITH_AIXAUTHENTICATE */	88
		89	/*
		90	* Do authentication via AIX's authenticate routine. We loop until the
		91	* reenter parameter is 0, but normally authenticate is called only once.
		92	*
		93	* Note: this function returns 1 on success, whereas AIX's authenticate()
		94	* returns 0.
		95	*/
		96	int
		97	aix_authenticate(const char name, const char password, const char *host)
		98	{
		99	char authmsg = NULL, msg;
		100	int authsuccess = 0, reenter, result;
		101
		102	do {
		103	result = authenticate((char )name, (char )password, &reenter,
		104	&authmsg);
		105	aix_remove_embedded_newlines(authmsg);
		106	debug3("AIX/authenticate result %d, msg %.100s", result,
		107	authmsg);
		108	} while (reenter);
		109
		110	if (result == 0) {
		111	authsuccess = 1;
		112
		113	/* No pty yet, so just label the line as "ssh" */
		114	aix_setauthdb(name);
		115	if (loginsuccess((char )name, (char )host, "ssh", &msg) == 0) {
		116	if (msg != NULL) {
		117	debug("%s: msg %s", __func__, msg);
		118	buffer_append(&loginmsg, msg, strlen(msg));
		119	xfree(msg);
		120	}
		121	}
		122	}
		123
		124	if (authmsg != NULL)
		125	xfree(authmsg);
		126
		127	return authsuccess;
		128	}
87		129
88	# ifdef CUSTOM_FAILED_LOGIN	130	# ifdef CUSTOM_FAILED_LOGIN
89	/*	131	/*
90	* record_failed_login: generic "login failed" interface function	132	* record_failed_login: generic "login failed" interface function
91	*/	133	*/
92	void	134	void
93	record_failed_login(const char user, const char ttyname)	135	record_failed_login(const char user, const char ttyname)
94	{	136	{
95	char *hostname = get_canonical_hostname(options.use_dns);	137	char hostname = (char )get_canonical_hostname(options.use_dns);
96		138
97	if (geteuid() != 0)	139	if (geteuid() != 0)
98	return;	140	return;
99		141
100	aix_setauthdb(user);	142	aix_setauthdb(user);
101	# ifdef AIX_LOGINFAILED_4ARG	143	# ifdef AIX_LOGINFAILED_4ARG
102	loginfailed((char )user, hostname, (char )ttyname, AUDIT_FAIL_AUTH);	144	loginfailed((char )user, hostname, (char )ttyname, AUDIT_FAIL_AUTH);
103	# else	145	# else
104	loginfailed((char )user, hostname, (char )ttyname);	146	loginfailed((char )user, hostname, (char )ttyname);
105	# endif	147	# endif
106	}	148	}
		149	# endif /* CUSTOM_FAILED_LOGIN */
107		150
108	/*	151	/*
109	* If we have setauthdb, retrieve the password registry for the user's	152	* If we have setauthdb, retrieve the password registry for the user's
@@ -135,8 +178,9 @@ aix_setauthdb(const char *user)
135	debug3("%s: Could not read S_REGISTRY for user: %s", __func__,	178	debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
136	strerror(errno));	179	strerror(errno));
137	enduserdb();	180	enduserdb();
138	# endif	181	# endif /* HAVE_SETAUTHDB */
139	}	182	}
140	# endif /* CUSTOM_FAILED_LOGIN */
141	#endif /* _AIX */
142		183
		184	# endif /* WITH_AIXAUTHENTICATE */
		185
		186	#endif /* _AIX */


diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index b2a48cba9..975cdf051 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
1	/* $Id: port-aix.h,v 1.15 2003/09/19 10:43:38 dtucker Exp $ */	1	/* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */
2		2
3	/*	3	/*
4	*	4	*
@@ -51,12 +51,14 @@
51	# include <sys/timers.h>	51	# include <sys/timers.h>
52	#endif	52	#endif
53		53
		54	void aix_usrinfo(struct passwd *);
		55
54	#ifdef WITH_AIXAUTHENTICATE	56	#ifdef WITH_AIXAUTHENTICATE
55	# define CUSTOM_FAILED_LOGIN 1	57	# define CUSTOM_FAILED_LOGIN 1
56	void record_failed_login(const char , const char );	58	void record_failed_login(const char , const char );
57	void aix_setauthdb(const char *);
58	#endif	59	#endif
59		60
60	void aix_usrinfo(struct passwd *);	61	int aix_authenticate(const char , const char , const char *);
		62	void aix_setauthdb(const char *);
61	void aix_remove_embedded_newlines(char *);	63	void aix_remove_embedded_newlines(char *);
62	#endif /* _AIX */	64	#endif /* _AIX */