-rw-r--r--ChangeLog4
-rw-r--r--auth.c29
-rw-r--r--openbsd-compat/port-aix.c46
-rw-r--r--openbsd-compat/port-aix.h4
4 files changed, 55 insertions, 28 deletions
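--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,8 @@
  Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@
  - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match
  -Wshadow change.
+ - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
+ Move loginrestrictions test to port-aix.c, replace with a generic hook.
 
 20040622
  - (bal) [auth-passwd.c auth1.c] Clean up unused variables.
@@ -1388,4 +1390,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3438 2004/06/23 03:21:54 mouring Exp $
+$Id: ChangeLog,v 1.3439 2004/06/23 03:45:24 dtucker Exp $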
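--- a/auth.c
+++ b/auth.c
@@ -203,31 +203,10 @@ allowed_user(struct passwd * pw)
  ga_free();
  }
 
-#ifdef WITH_AIXAUTHENTICATE
- /*
- * Don't check loginrestrictions() for root account (use
- * PermitRootLogin to control logins via ssh), or if running as
- * non-root user (since loginrestrictions will always fail).
- */
- if ((pw->pw_uid != 0) && (geteuid() == 0)) {
- char *msg;
-
- if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
- int loginrestrict_errno = errno;
-
- if (msg && *msg) {
- buffer_append(&loginmsg, msg, strlen(msg));
- aix_remove_embedded_newlines(msg);
- logit("Login restricted for %s: %.100s",
- pw->pw_name, msg);
- }
- /* Don't fail if /etc/nologin set */
- if (!(loginrestrict_errno == EPERM &&
- stat(_PATH_NOLOGIN, &st) == 0))
- return 0;
- }
- }
-#endif /* WITH_AIXAUTHENTICATE */
+#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
+ if (!sys_auth_allowed_user(pw))
+ return 0;
+#endif
 
  /* We found no reason not to let this user try to log on... */
  return 1;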
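--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 
  return authsuccess;
 }
 
+/*
+ * Check if specified account is permitted to log in.
+ * Returns 1 if login is allowed, 0 if not allowed.
+ */
+int
+sys_auth_allowed_user(struct passwd *pw)
+{
+ char *msg = NULL;
+ int result, permitted = 0;
+ struct stat st;
+
+ /*
+ * Don't perform checks for root account (PermitRootLogin controls
+ * logins via * ssh) or if running as non-root user (since
+ * loginrestrictions will always fail due to insufficient privilege).
+ */
+ if (pw->pw_uid == 0 || geteuid() != 0) {
+ debug3("%s: not checking");
+ return 1;
+ }
+
+ result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+ if (result == 0)
+ permitted = 1;
+ /*
+ * If restricted because /etc/nologin exists, the login will be denied
+ * in session.c after the nologin message is sent, so allow for now
+ * and do not append the returned message.
+ */
+ if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
+ permitted = 1;
+ else if (msg != NULL)
+ buffer_append(&loginmsg, msg, strlen(msg));
+ if (msg == NULL)
+ msg = xstrdup("(none)");
+ aix_remove_embedded_newlines(msg);
+ debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
+
+ if (!permitted)
+ logit("Login restricted for %s: %.100s", pw->pw_name, msg);
+ xfree(msg);
+ return permitted;
+}
+
 # ifdef CUSTOM_FAILED_LOGIN
 /*
  * record_failed_login: generic "login failed" interface function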
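Review bot: The early-return trace at new line 184, `debug3("%s: not checking");`, has a `%s` conversion with no matching argument, so the varargs read is undefined behaviour and on a real AIX build can print stack garbage or crash sshd on the path taken for every root login attempt and whenever sshd is not running as root. Pass the function name, `debug3("%s: not checking", __func__);`, or drop the conversion. The rest of sys_auth_allowed_user is complete within this hunk and the errno check at line 196 is safe because `stat()` is only reached after `errno == EPERM` has been evaluated, but since `permitted = 1` in the nologin case depends on session.c denying the login later (outside this change), it may be worth stating that dependency at the call site as well so a future reordering of the session.c check does not silently turn this into an accept. The comment at line 180 also has a stray `*` in `logins via * ssh`.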
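--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */
 
 /*
  *
@@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *);
 
 #ifdef WITH_AIXAUTHENTICATE
 # define CUSTOM_SYS_AUTH_PASSWD 1
+# define CUSTOM_SYS_AUTH_ALLOWED_USER 1
+int sys_auth_allowed_user(struct passwd *);
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
 #endif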