Diffstat (limited to 'openbsd-compat/port-aix.c')
-rw-r--r-- | openbsd-compat/port-aix.c | 88 |
1 files changed, 71 insertions, 17 deletions
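--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -101,7 +101,7 @@ aix_remove_embedded_newlines(char *p)
 int
 sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
-char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name;
+char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
 int authsuccess = 0, expired, reenter, result;
 
 do {
@@ -115,30 +115,21 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 if (result == 0) {
 authsuccess = 1;
 
-host = (char *)get_canonical_hostname(options.use_dns);
-
 /*
 * Record successful login. We don't have a pty yet, so just
 * label the line as "ssh"
 */
 aix_setauthdb(name);
-if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
-if (msg != NULL) {
-debug("%s: msg %s", __func__, msg);
-buffer_append(&loginmsg, msg, strlen(msg));
-xfree(msg);
-}
-}
 
 /*
 * Check if the user's password is expired.
 */
 expired = passwdexpired(name, &msg);
 if (msg && *msg) {
 buffer_append(&loginmsg, msg, strlen(msg));
 aix_remove_embedded_newlines(msg);
 }
 debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
 
 switch (expired) {
 case 0: /* password not expired */
@@ -163,7 +154,70 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 
 return authsuccess;
 }
 
+/*
+* Check if specified account is permitted to log in.
+* Returns 1 if login is allowed, 0 if not allowed.
+*/
+int
+sys_auth_allowed_user(struct passwd *pw)
+{
+char *msg = NULL;
+int result, permitted = 0;
+struct stat st;
+
+/*
+* Don't perform checks for root account (PermitRootLogin controls
+* logins via * ssh) or if running as non-root user (since
+* loginrestrictions will always fail due to insufficient privilege).
+*/
+if (pw->pw_uid == 0 || geteuid() != 0) {
+debug3("%s: not checking", __func__);
+return 1;
+}
+
+result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+if (result == 0)
+permitted = 1;
+/*
+* If restricted because /etc/nologin exists, the login will be denied
+* in session.c after the nologin message is sent, so allow for now
+* and do not append the returned message.
+*/
+if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
+permitted = 1;
+else if (msg != NULL)
+buffer_append(&loginmsg, msg, strlen(msg));
+if (msg == NULL)
+msg = xstrdup("(none)");
+aix_remove_embedded_newlines(msg);
+debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
+
+if (!permitted)
+logit("Login restricted for %s: %.100s", pw->pw_name, msg);
+xfree(msg);
+return permitted;
+}
+
+int
+sys_auth_record_login(const char *user, const char *host, const char *ttynm)
+{
+char *msg;
+int success = 0;
+
+aix_setauthdb(user);
+if (loginsuccess((char *)user, host, ttynm, &msg) == 0) {
+success = 1;
+if (msg != NULL) {
+debug("AIX/loginsuccess: msg %s", __func__, msg);
+buffer_append(&loginmsg, msg, strlen(msg));
+xfree(msg);
+}
+}
+aix_restoreauthdb();
+return (success);
+}
+
 # ifdef CUSTOM_FAILED_LOGIN
 /*
 * record_failed_login: generic "login failed" interface function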
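Review bot: The debug() call in the new sys_auth_record_login (new line 212) passes two arguments to a format with a single `%s`, so what gets logged is `__func__` and the AIX loginsuccess message is silently dropped; restore the form the removed code used, `debug("%s: msg %s", __func__, msg);`, or drop the `__func__` argument to match the literal prefix. In the same call, `user` is cast to `char *` but `host` and `ttynm` are passed as `const char *`, whereas the removed loginsuccess() call in sys_auth_passwd cast both name and host — if the AIX prototype is non-const (cannot confirm from here) this will at least warn, so keep the casts consistent. The block comment in sys_auth_allowed_user reads `logins via * ssh`, which looks like a stray asterisk from reflowing the comment. sys_auth_allowed_user also relies on `struct stat` and `_PATH_NOLOGIN`, so the file's include list (outside this hunk) should be checked for sys/stat.h and paths.h.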