Diffstat (limited to 'openbsd-compat/port-aix.c')
-rw-r--r--openbsd-compat/port-aix.c88
1 files changed, 71 insertions, 17 deletions
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 2895f0d44..78f4faea3 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -101,7 +101,7 @@ aix_remove_embedded_newlines(char *p)
101int 101int
102sys_auth_passwd(Authctxt *ctxt, const char *password) 102sys_auth_passwd(Authctxt *ctxt, const char *password)
103{ 103{
104 char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name; 104 char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
105 int authsuccess = 0, expired, reenter, result; 105 int authsuccess = 0, expired, reenter, result;
106 106
107 do { 107 do {
@@ -115,30 +115,21 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
115 if (result == 0) { 115 if (result == 0) {
116 authsuccess = 1; 116 authsuccess = 1;
117 117
118 host = (char *)get_canonical_hostname(options.use_dns);
119
120 /* 118 /*
121 * Record successful login. We don't have a pty yet, so just 119 * Record successful login. We don't have a pty yet, so just
122 * label the line as "ssh" 120 * label the line as "ssh"
123 */ 121 */
124 aix_setauthdb(name); 122 aix_setauthdb(name);
125 if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
126 if (msg != NULL) {
127 debug("%s: msg %s", __func__, msg);
128 buffer_append(&loginmsg, msg, strlen(msg));
129 xfree(msg);
130 }
131 }
132 123
133 /* 124 /*
134 * Check if the user's password is expired. 125 * Check if the user's password is expired.
135 */ 126 */
136 expired = passwdexpired(name, &msg); 127 expired = passwdexpired(name, &msg);
137 if (msg && *msg) { 128 if (msg && *msg) {
138 buffer_append(&loginmsg, msg, strlen(msg)); 129 buffer_append(&loginmsg, msg, strlen(msg));
139 aix_remove_embedded_newlines(msg); 130 aix_remove_embedded_newlines(msg);
140 } 131 }
141 debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); 132 debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
142 133
143 switch (expired) { 134 switch (expired) {
144 case 0: /* password not expired */ 135 case 0: /* password not expired */
@@ -163,7 +154,70 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
163 154
164 return authsuccess; 155 return authsuccess;
165} 156}
166 157
158/*
159 * Check if specified account is permitted to log in.
160 * Returns 1 if login is allowed, 0 if not allowed.
161 */
162int
163sys_auth_allowed_user(struct passwd *pw)
164{
165 char *msg = NULL;
166 int result, permitted = 0;
167 struct stat st;
168
169 /*
170 * Don't perform checks for root account (PermitRootLogin controls
171 * logins via * ssh) or if running as non-root user (since
172 * loginrestrictions will always fail due to insufficient privilege).
173 */
174 if (pw->pw_uid == 0 || geteuid() != 0) {
175 debug3("%s: not checking", __func__);
176 return 1;
177 }
178
179 result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
180 if (result == 0)
181 permitted = 1;
182 /*
183 * If restricted because /etc/nologin exists, the login will be denied
184 * in session.c after the nologin message is sent, so allow for now
185 * and do not append the returned message.
186 */
187 if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
188 permitted = 1;
189 else if (msg != NULL)
190 buffer_append(&loginmsg, msg, strlen(msg));
191 if (msg == NULL)
192 msg = xstrdup("(none)");
193 aix_remove_embedded_newlines(msg);
194 debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
195
196 if (!permitted)
197 logit("Login restricted for %s: %.100s", pw->pw_name, msg);
198 xfree(msg);
199 return permitted;
200}
201
202int
203sys_auth_record_login(const char *user, const char *host, const char *ttynm)
204{
205 char *msg;
206 int success = 0;
207
208 aix_setauthdb(user);
209 if (loginsuccess((char *)user, host, ttynm, &msg) == 0) {
210 success = 1;
211 if (msg != NULL) {
212 debug("AIX/loginsuccess: msg %s", __func__, msg);
213 buffer_append(&loginmsg, msg, strlen(msg));
214 xfree(msg);
215 }
216 }
217 aix_restoreauthdb();
218 return (success);
219}
220
167# ifdef CUSTOM_FAILED_LOGIN 221# ifdef CUSTOM_FAILED_LOGIN
168/* 222/*
169 * record_failed_login: generic "login failed" interface function 223 * record_failed_login: generic "login failed" interface function
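Review bot: In the new `sys_auth_record_login`, the call `debug("AIX/loginsuccess: msg %s", __func__, msg);` passes two arguments for a single `%s`, so the log shows the function name and the text returned by loginsuccess() is never printed. Either drop `__func__` or use `debug("%s: msg %.100s", __func__, msg);`. Unlike `sys_auth_allowed_user` in the same hunk, this path logs the message without calling `aix_remove_embedded_newlines` or applying the `%.100s` bound, so a multi-line message would break up the log record once the format is fixed. `char *msg;` is also uninitialised and is only freed when loginsuccess() returns 0. Declaring `char *msg = NULL;` and freeing it after the `if` would cover a message set on failure, though whether loginsuccess() does that is not visible here.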