From 26d4e19caa3013f57dc3c1462847eceaac6a1d7d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 30 Aug 2006 22:33:09 +1000 Subject: - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call loginsuccess on AIX immediately after authentication to clear the failed login count. Previously this would only happen when an interactive session starts (ie when a pty is allocated) but this means that accounts that have primarily non-interactive sessions (eg scp's) may gradually accumulate enough failures to lock out an account. This change may have a side effect of creating two audit records, one with a tty of "ssh" corresponding to the authentication and one with the allocated pty per interactive session. --- openbsd-compat/port-aix.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index a7ced57e9..13a73e873 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -265,15 +265,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm, Buffer *loginmsg) { char *msg = NULL; + static int msg_done = 0; int success = 0; aix_setauthdb(user); if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; - if (msg != NULL) { + if (msg != NULL && loginmsg != NULL && !msg_done) { debug("AIX/loginsuccess: msg %s", msg); buffer_append(loginmsg, msg, strlen(msg)); xfree(msg); + msg_done = 1; } } aix_restoreauthdb(); -- cgit v1.2.3