From 5a88d003499744a374ec39279f4c6ec3971b5dab Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 29 Aug 2004 21:43:33 +1000 Subject: - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for accounts with authentication configs that sshd can't support (ie SYSTEM=NONE and AUTH1=something). --- ChangeLog | 5 ++++- openbsd-compat/port-aix.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a8192cf58..a2f03d437 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64 too; patch from cmadams at hiwaay.net. - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo. + - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for + accounts with authentication configs that sshd can't support (ie + SYSTEM=NONE and AUTH1=something). 20040828 - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from @@ -1704,4 +1707,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3535 2004/08/29 11:18:09 dtucker Exp $ +$Id: ChangeLog,v 1.3536 2004/08/29 11:43:33 dtucker Exp $ diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 78f4faea3..e7eb179ec 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -1,6 +1,7 @@ /* * * Copyright (c) 2001 Gert Doering. All rights reserved. + * Copyright (c) 2003,2004 Darren Tucker. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -91,6 +92,59 @@ aix_remove_embedded_newlines(char *p) *p = '\0'; } +/* + * Test specifically for the case where SYSTEM == NONE and AUTH1 contains + * anything other than NONE or SYSTEM, which indicates that the admin has + * configured the account for purely AUTH1-type authentication. + * + * Since authenticate() doesn't check AUTH1, and sshd can't sanely support + * AUTH1 itself, in such a case authenticate() will allow access without + * authentation, which is almost certainly not what the admin intends. + * + * (The native tools, eg login, will process the AUTH1 list in addition to + * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods + * have been deprecated since AIX 4.2.x and would be very difficult for sshd + * to support. + * + * Returns 0 if an unsupportable combination is found, 1 otherwise. + */ +static int +aix_valid_authentications(const char *user) +{ + char *auth1, *sys, *p; + int valid = 1; + + if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) { + logit("Can't retrieve attribute SYSTEM for %s: %.100s", + user, strerror(errno)); + return 0; + } + + debug3("AIX SYSTEM attribute %s", sys); + if (strcmp(sys, "NONE") != 0) + return 1; /* not "NONE", so is OK */ + + if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) { + logit("Can't retrieve attribute auth1 for %s: %.100s", + user, strerror(errno)); + return 0; + } + + p = auth1; + /* A SEC_LIST is concatenated strings, ending with two NULs. */ + while (p[0] != '\0' && p[1] != '\0') { + debug3("AIX auth1 attribute list member %s", p); + if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) { + logit("Account %s has unsupported auth1 value '%s'", + user, p); + valid = 0; + } + p += strlen(p) + 1; + } + + return (valid); +} + /* * Do authentication via AIX's authenticate routine. We loop until the * reenter parameter is 0, but normally authenticate is called only once. @@ -112,6 +166,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) authmsg); } while (reenter); + if (!aix_valid_authentications(name)) + result = -1; + if (result == 0) { authsuccess = 1; -- cgit v1.2.3