From e45674ae8026b9399fc0778a7e964efbcd093689 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Fri, 6 Feb 2004 16:17:51 +1100
Subject:  - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
 Restore    previous authdb setting after auth calls.  Fixes problems with
 setpcred    failing on accounts that use AFS or NIS password registries.

---
 ChangeLog                 |  5 ++++-
 openbsd-compat/port-aix.c | 44 +++++++++++++++++++++++++++++++++-----------
 openbsd-compat/port-aix.h | 11 ++++++++++-
 3 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4db097614..8d9a94651 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
    required, please report them.  ok djm@
  - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent
    accidentally inheriting from root's environment.  ok djm@
+ - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Restore
+   previous authdb setting after auth calls.  Fixes problems with setpcred
+   failing on accounts that use AFS or NIS password registries.
 
 20040129
  - (dtucker) OpenBSD CVS Sync regress/
@@ -1794,4 +1797,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3209 2004/02/06 05:04:08 dtucker Exp $
+$Id: ChangeLog,v 1.3210 2004/02/06 05:17:51 dtucker Exp $
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index a9cbf49b0..6fc2ef771 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -39,6 +39,10 @@
 extern ServerOptions options;
 extern Buffer loginmsg;
 
+# ifdef HAVE_SETAUTHDB
+static char old_registry[REGISTRY_SIZE] = "";
+# endif
+
 /*
  * AIX has a "usrinfo" area where logname and other stuff is stored - 
  * a few applications actually use this and die if it's not set
@@ -119,6 +123,7 @@ aix_authenticate(const char *name, const char *password, const char *host)
 				xfree(msg);
 			}
 		}
+		aix_restoreauthdb();
 	}
 
 	if (authmsg != NULL)
@@ -145,22 +150,21 @@ record_failed_login(const char *user, const char *ttyname)
 #   else
 	loginfailed((char *)user, hostname, (char *)ttyname);
 #   endif
+	aix_restoreauthdb();
 }
 #  endif /* CUSTOM_FAILED_LOGIN */
 
 /*
  * If we have setauthdb, retrieve the password registry for the user's
- * account then feed it to setauthdb.  This may load registry-specific method
- * code.  If we don't have setauthdb or have already called it this is a no-op.
+ * account then feed it to setauthdb.  This will mean that subsequent AIX auth
+ * functions will only use the specified loadable module.  If we don't have
+ * setauthdb this is a no-op.
  */
 void
 aix_setauthdb(const char *user)
 {
 #  ifdef HAVE_SETAUTHDB
-	static char *registry = NULL;
-
-	if (registry != NULL)	/* have already done setauthdb */
-		return;
+	char *registry;
 
 	if (setuserdb(S_READ) == -1) {
 		debug3("%s: Could not open userdb to read", __func__);
@@ -168,12 +172,11 @@ aix_setauthdb(const char *user)
 	}
 	
 	if (getuserattr((char *)user, S_REGISTRY, &registry, SEC_CHAR) == 0) {
-		if (setauthdb(registry, NULL) == 0)
-			debug3("%s: AIX/setauthdb set registry %s", __func__,
-			    registry);
+		if (setauthdb(registry, old_registry) == 0)
+			debug3("AIX/setauthdb set registry '%s'", registry);
 		else 
-			debug3("%s: AIX/setauthdb set registry %s failed: %s",
-			    __func__, registry, strerror(errno));
+			debug3("AIX/setauthdb set registry '%s' failed: %s",
+			    registry, strerror(errno));
 	} else
 		debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
 		    strerror(errno));
@@ -181,6 +184,25 @@ aix_setauthdb(const char *user)
 #  endif /* HAVE_SETAUTHDB */
 }
 
+/*
+ * Restore the user's registry settings from old_registry.
+ * Note that if the first aix_setauthdb fails, setauthdb("") is still safe
+ * (it restores the system default behaviour).  If we don't have setauthdb,
+ * this is a no-op.
+ */
+void
+aix_restoreauthdb(void)
+{
+#  ifdef HAVE_SETAUTHDB
+	if (setauthdb(old_registry, NULL) == 0)
+		debug3("%s: restoring old registry '%s'", __func__,
+		    old_registry);
+	else
+		debug3("%s: failed to restore old registry %s", __func__,
+		    old_registry);
+#  endif /* HAVE_SETAUTHDB */
+}
+
 # endif /* WITH_AIXAUTHENTICATE */
 
 #endif /* _AIX */
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 975cdf051..930b3f248 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */
 
 /*
  *
@@ -51,6 +51,14 @@
 # include <sys/timers.h>
 #endif
 
+/*
+ * According to the setauthdb man page, AIX password registries must be 15
+ * chars or less plus terminating NUL.
+ */
+#ifdef HAVE_SETAUTHDB
+# define REGISTRY_SIZE	16
+#endif
+
 void aix_usrinfo(struct passwd *);
 
 #ifdef WITH_AIXAUTHENTICATE
@@ -60,5 +68,6 @@ void record_failed_login(const char *, const char *);
 
 int aix_authenticate(const char *, const char *, const char *);
 void aix_setauthdb(const char *);
+void aix_restoreauthdb(void);
 void aix_remove_embedded_newlines(char *);
 #endif /* _AIX */
-- 
cgit v1.2.3