-rw-r--r--ChangeLog5
-rw-r--r--openbsd-compat/port-aix.c57
2 files changed, 61 insertions, 1 deletions
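--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,9 @@
 - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
   too; patch from cmadams at hiwaay.net.
 - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
+- (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
+  accounts with authentication configs that sshd can't support (ie
+  SYSTEM=NONE and AUTH1=something).
 
 20040828
 - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
@@ -1704,4 +1707,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3535 2004/08/29 11:18:09 dtucker Exp $
+$Id: ChangeLog,v 1.3536 2004/08/29 11:43:33 dtucker Exp $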
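--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,6 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering. All rights reserved.
+ * Copyright (c) 2003,2004 Darren Tucker. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -92,6 +93,59 @@ aix_remove_embedded_newlines(char *p)
 }
 
 /*
+ * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
+ * anything other than NONE or SYSTEM, which indicates that the admin has
+ * configured the account for purely AUTH1-type authentication.
+ *
+ * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
+ * AUTH1 itself, in such a case authenticate() will allow access without
+ * authentation, which is almost certainly not what the admin intends.
+ *
+ * (The native tools, eg login, will process the AUTH1 list in addition to
+ * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
+ * have been deprecated since AIX 4.2.x and would be very difficult for sshd
+ * to support.
+ *
+ * Returns 0 if an unsupportable combination is found, 1 otherwise.
+ */
+static int
+aix_valid_authentications(const char *user)
+{
+	char *auth1, *sys, *p;
+	int valid = 1;
+
+	if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
+		logit("Can't retrieve attribute SYSTEM for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	debug3("AIX SYSTEM attribute %s", sys);
+	if (strcmp(sys, "NONE") != 0)
+		return 1;	/* not "NONE", so is OK */
+
+	if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
+		logit("Can't retrieve attribute auth1 for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	p = auth1;
+	/* A SEC_LIST is concatenated strings, ending with two NULs. */
+	while (p[0] != '\0' && p[1] != '\0') {
+		debug3("AIX auth1 attribute list member %s", p);
+		if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
+			logit("Account %s has unsupported auth1 value '%s'",
+			    user, p);
+			valid = 0;
+		}
+		p += strlen(p) + 1;
+	}
+
+	return (valid);
+}
+
+/*
  * Do authentication via AIX's authenticate routine. We loop until the
  * reenter parameter is 0, but normally authenticate is called only once.
  *
@@ -112,6 +166,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 	    authmsg);
 	} while (reenter);
 
+	if (!aix_valid_authentications(name))
+		result = -1;
+
 	if (result == 0) {
 		authsuccess = 1;
 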
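Review bot: The loop condition `while (p[0] != '\0' && p[1] != '\0')` in aix_valid_authentications (second hunk) inspects the first two characters of the current list member rather than testing for the terminating empty string, so a one-character member ends the scan early and any unsupported auth1 method after it is never examined, letting the function return 1 for an account the commit intends to reject. Given the comment that a SEC_LIST ends with two NULs, `while (*p != '\0') {` visits every member and stops on the final empty string. In the same `if`, `strcmp(p, "SYSTEM")` lacks the `!= 0` its sibling uses; `strcmp(p, "SYSTEM") != 0` keeps the two tests parallel and the intent explicit. The header comment reads "authentation" for "authentication" and its parenthetical sentence is never closed. The enclosing sys_auth_passwd in the last hunk starts and ends outside the hunk, so where `name` comes from and whether it is guaranteed non-NULL cannot be confirmed from the visible lines.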