1 files changed, 71 insertions, 17 deletions
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 2895f0d44..78f4faea3 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -101,7 +101,7 @@ aix_remove_embedded_newlines(char *p)
 int
 sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
-        char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name;
+        char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
        int authsuccess = 0, expired, reenter, result;
        do {
@@ -115,30 +115,21 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
        if (result == 0) {
                authsuccess = 1;
-                host = (char *)get_canonical_hostname(options.use_dns);
                /*
                 * Record successful login.  We don't have a pty yet, so just
                 * label the line as "ssh"
                 */
                aix_setauthdb(name);
-                if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
-                        if (msg != NULL) {
-                                debug("%s: msg %s", __func__, msg);
-                                buffer_append(&loginmsg, msg, strlen(msg));
-                                xfree(msg);
-                        }
-                }
                /*
                 * Check if the user's password is expired.
                 */
-                expired = passwdexpired(name, &msg);
+                expired = passwdexpired(name, &msg);
-                if (msg && *msg) {
+                if (msg && *msg) {
-                        buffer_append(&loginmsg, msg, strlen(msg));
+                        buffer_append(&loginmsg, msg, strlen(msg));
-                        aix_remove_embedded_newlines(msg);
+                        aix_remove_embedded_newlines(msg);
-                }
+                }
-                debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
+                debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
                switch (expired) {
                case 0: /* password not expired */
@@ -163,7 +154,70 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
        return authsuccess;
 }
-  
+/*
+ * Check if specified account is permitted to log in.
+ * Returns 1 if login is allowed, 0 if not allowed.
+ */
+int
+sys_auth_allowed_user(struct passwd *pw)
+{
+        char *msg = NULL;
+        int result, permitted = 0;
+        struct stat st;
+        /*
+         * Don't perform checks for root account (PermitRootLogin controls
+         * logins via * ssh) or if running as non-root user (since
+         * loginrestrictions will always fail due to insufficient privilege).
+         */
+        if (pw->pw_uid == 0 || geteuid() != 0) {
+                debug3("%s: not checking", __func__);
+                return 1;
+        }
+        result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+        if (result == 0)
+                permitted = 1;
+        /*
+         * If restricted because /etc/nologin exists, the login will be denied
+         * in session.c after the nologin message is sent, so allow for now
+         * and do not append the returned message.
+         */
+        if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
+                permitted = 1;
+        else if (msg != NULL)
+                buffer_append(&loginmsg, msg, strlen(msg));
+        if (msg == NULL)
+                msg = xstrdup("(none)");
+        aix_remove_embedded_newlines(msg);
+        debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
+        if (!permitted)
+                logit("Login restricted for %s: %.100s", pw->pw_name, msg);
+        xfree(msg);
+        return permitted;
+}
+int
+sys_auth_record_login(const char *user, const char *host, const char *ttynm)
+{
+        char *msg;
+        int success = 0;
+        aix_setauthdb(user);
+        if (loginsuccess((char *)user, host, ttynm, &msg) == 0) {
+                success = 1;
+                if (msg != NULL) {
+                        debug("AIX/loginsuccess: msg %s", __func__, msg);
+                        buffer_append(&loginmsg, msg, strlen(msg));
+                        xfree(msg);
+                }
+        }
+        aix_restoreauthdb();
+        return (success);
+}
 #  ifdef CUSTOM_FAILED_LOGIN
 /*
 * record_failed_login: generic "login failed" interface function

diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 2895f0d44..78f4faea3 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c
@@ -101,7 +101,7 @@ aix_remove_embedded_newlines(char *p)
101	int	101	int
102	sys_auth_passwd(Authctxt ctxt, const char password)	102	sys_auth_passwd(Authctxt ctxt, const char password)
103	{	103	{
104	char authmsg = NULL, host, msg, name = ctxt->pw->pw_name;	104	char authmsg = NULL, msg, *name = ctxt->pw->pw_name;
105	int authsuccess = 0, expired, reenter, result;	105	int authsuccess = 0, expired, reenter, result;
106		106
107	do {	107	do {
@@ -115,30 +115,21 @@ sys_auth_passwd(Authctxt ctxt, const char password)
115	if (result == 0) {	115	if (result == 0) {
116	authsuccess = 1;	116	authsuccess = 1;
117		117
118	host = (char *)get_canonical_hostname(options.use_dns);
119
120	/*	118	/*
121	* Record successful login. We don't have a pty yet, so just	119	* Record successful login. We don't have a pty yet, so just
122	* label the line as "ssh"	120	* label the line as "ssh"
123	*/	121	*/
124	aix_setauthdb(name);	122	aix_setauthdb(name);
125	if (loginsuccess((char )name, (char )host, "ssh", &msg) == 0) {
126	if (msg != NULL) {
127	debug("%s: msg %s", __func__, msg);
128	buffer_append(&loginmsg, msg, strlen(msg));
129	xfree(msg);
130	}
131	}
132		123
133	/*	124	/*
134	* Check if the user's password is expired.	125	* Check if the user's password is expired.
135	*/	126	*/
136	expired = passwdexpired(name, &msg);	127	expired = passwdexpired(name, &msg);
137	if (msg && *msg) {	128	if (msg && *msg) {
138	buffer_append(&loginmsg, msg, strlen(msg));	129	buffer_append(&loginmsg, msg, strlen(msg));
139	aix_remove_embedded_newlines(msg);	130	aix_remove_embedded_newlines(msg);
140	}	131	}
141	debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);	132	debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
142		133
143	switch (expired) {	134	switch (expired) {
144	case 0: /* password not expired */	135	case 0: /* password not expired */
@@ -163,7 +154,70 @@ sys_auth_passwd(Authctxt ctxt, const char password)
163		154
164	return authsuccess;	155	return authsuccess;
165	}	156	}
166		157
		158	/*
		159	* Check if specified account is permitted to log in.
		160	* Returns 1 if login is allowed, 0 if not allowed.
		161	*/
		162	int
		163	sys_auth_allowed_user(struct passwd *pw)
		164	{
		165	char *msg = NULL;
		166	int result, permitted = 0;
		167	struct stat st;
		168
		169	/*
		170	* Don't perform checks for root account (PermitRootLogin controls
		171	* logins via * ssh) or if running as non-root user (since
		172	* loginrestrictions will always fail due to insufficient privilege).
		173	*/
		174	if (pw->pw_uid == 0 \|\| geteuid() != 0) {
		175	debug3("%s: not checking", __func__);
		176	return 1;
		177	}
		178
		179	result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
		180	if (result == 0)
		181	permitted = 1;
		182	/*
		183	* If restricted because /etc/nologin exists, the login will be denied
		184	* in session.c after the nologin message is sent, so allow for now
		185	* and do not append the returned message.
		186	*/
		187	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
		188	permitted = 1;
		189	else if (msg != NULL)
		190	buffer_append(&loginmsg, msg, strlen(msg));
		191	if (msg == NULL)
		192	msg = xstrdup("(none)");
		193	aix_remove_embedded_newlines(msg);
		194	debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
		195
		196	if (!permitted)
		197	logit("Login restricted for %s: %.100s", pw->pw_name, msg);
		198	xfree(msg);
		199	return permitted;
		200	}
		201
		202	int
		203	sys_auth_record_login(const char user, const char host, const char *ttynm)
		204	{
		205	char *msg;
		206	int success = 0;
		207
		208	aix_setauthdb(user);
		209	if (loginsuccess((char *)user, host, ttynm, &msg) == 0) {
		210	success = 1;
		211	if (msg != NULL) {
		212	debug("AIX/loginsuccess: msg %s", __func__, msg);
		213	buffer_append(&loginmsg, msg, strlen(msg));
		214	xfree(msg);
		215	}
		216	}
		217	aix_restoreauthdb();
		218	return (success);
		219	}
		220
167	# ifdef CUSTOM_FAILED_LOGIN	221	# ifdef CUSTOM_FAILED_LOGIN
168	/*	222	/*
169	* record_failed_login: generic "login failed" interface function	223	* record_failed_login: generic "login failed" interface function