2 files changed, 48 insertions, 2 deletions
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 5ba6819de..bf7e98652 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
        return authsuccess;
 }
-  
+/*
+ * Check if specified account is permitted to log in.
+ * Returns 1 if login is allowed, 0 if not allowed.
+ */
+int
+sys_auth_allowed_user(struct passwd *pw)
+{
+        char *msg = NULL;
+        int result, permitted = 0;
+        struct stat st;
+        /*
+         * Don't perform checks for root account (PermitRootLogin controls
+         * logins via * ssh) or if running as non-root user (since
+         * loginrestrictions will always fail due to insufficient privilege).
+         */
+        if (pw->pw_uid == 0 || geteuid() != 0) {
+                debug3("%s: not checking");
+                return 1;
+        }
+        result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+        if (result == 0)
+                permitted = 1;
+        /*
+         * If restricted because /etc/nologin exists, the login will be denied
+         * in session.c after the nologin message is sent, so allow for now
+         * and do not append the returned message.
+         */
+        if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
+                permitted = 1;
+        else if (msg != NULL)
+                buffer_append(&loginmsg, msg, strlen(msg));
+        if (msg == NULL)
+                msg = xstrdup("(none)");
+        aix_remove_embedded_newlines(msg);
+        debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
+        if (!permitted)
+                logit("Login restricted for %s: %.100s", pw->pw_name, msg);
+        xfree(msg);
+        return permitted;
+}
 #  ifdef CUSTOM_FAILED_LOGIN
 /*
 * record_failed_login: generic "login failed" interface function
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 3118af9a9..3b82652db 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */
 /*
 *
@@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *);
 #ifdef WITH_AIXAUTHENTICATE
 # define CUSTOM_SYS_AUTH_PASSWD 1
+# define CUSTOM_SYS_AUTH_ALLOWED_USER 1
+int sys_auth_allowed_user(struct passwd *);
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
 #endif

diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 5ba6819de..bf7e98652 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c
@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt ctxt, const char password)
163		163
164	return authsuccess;	164	return authsuccess;
165	}	165	}
166		166
		167	/*
		168	* Check if specified account is permitted to log in.
		169	* Returns 1 if login is allowed, 0 if not allowed.
		170	*/
		171	int
		172	sys_auth_allowed_user(struct passwd *pw)
		173	{
		174	char *msg = NULL;
		175	int result, permitted = 0;
		176	struct stat st;
		177
		178	/*
		179	* Don't perform checks for root account (PermitRootLogin controls
		180	* logins via * ssh) or if running as non-root user (since
		181	* loginrestrictions will always fail due to insufficient privilege).
		182	*/
		183	if (pw->pw_uid == 0 \|\| geteuid() != 0) {
		184	debug3("%s: not checking");
		185	return 1;
		186	}
		187
		188	result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
		189	if (result == 0)
		190	permitted = 1;
		191	/*
		192	* If restricted because /etc/nologin exists, the login will be denied
		193	* in session.c after the nologin message is sent, so allow for now
		194	* and do not append the returned message.
		195	*/
		196	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
		197	permitted = 1;
		198	else if (msg != NULL)
		199	buffer_append(&loginmsg, msg, strlen(msg));
		200	if (msg == NULL)
		201	msg = xstrdup("(none)");
		202	aix_remove_embedded_newlines(msg);
		203	debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
		204
		205	if (!permitted)
		206	logit("Login restricted for %s: %.100s", pw->pw_name, msg);
		207	xfree(msg);
		208	return permitted;
		209	}
		210
167	# ifdef CUSTOM_FAILED_LOGIN	211	# ifdef CUSTOM_FAILED_LOGIN
168	/*	212	/*
169	* record_failed_login: generic "login failed" interface function	213	* record_failed_login: generic "login failed" interface function


diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 3118af9a9..3b82652db 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
1	/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */	1	/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */
2		2
3	/*	3	/*
4	*	4	*
@@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *);
63		63
64	#ifdef WITH_AIXAUTHENTICATE	64	#ifdef WITH_AIXAUTHENTICATE
65	# define CUSTOM_SYS_AUTH_PASSWD 1	65	# define CUSTOM_SYS_AUTH_PASSWD 1
		66	# define CUSTOM_SYS_AUTH_ALLOWED_USER 1
		67	int sys_auth_allowed_user(struct passwd *);
66	# define CUSTOM_FAILED_LOGIN 1	68	# define CUSTOM_FAILED_LOGIN 1
67	void record_failed_login(const char , const char );	69	void record_failed_login(const char , const char );
68	#endif	70	#endif