From 5a88d003499744a374ec39279f4c6ec3971b5dab Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 29 Aug 2004 21:43:33 +1000 Subject: - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for accounts with authentication configs that sshd can't support (ie SYSTEM=NONE and AUTH1=something). --- openbsd-compat/port-aix.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) (limited to 'openbsd-compat/port-aix.c') diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 78f4faea3..e7eb179ec 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -1,6 +1,7 @@ /* * * Copyright (c) 2001 Gert Doering. All rights reserved. + * Copyright (c) 2003,2004 Darren Tucker. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -91,6 +92,59 @@ aix_remove_embedded_newlines(char *p) *p = '\0'; } +/* + * Test specifically for the case where SYSTEM == NONE and AUTH1 contains + * anything other than NONE or SYSTEM, which indicates that the admin has + * configured the account for purely AUTH1-type authentication. + * + * Since authenticate() doesn't check AUTH1, and sshd can't sanely support + * AUTH1 itself, in such a case authenticate() will allow access without + * authentation, which is almost certainly not what the admin intends. + * + * (The native tools, eg login, will process the AUTH1 list in addition to + * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods + * have been deprecated since AIX 4.2.x and would be very difficult for sshd + * to support. + * + * Returns 0 if an unsupportable combination is found, 1 otherwise. + */ +static int +aix_valid_authentications(const char *user) +{ + char *auth1, *sys, *p; + int valid = 1; + + if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) { + logit("Can't retrieve attribute SYSTEM for %s: %.100s", + user, strerror(errno)); + return 0; + } + + debug3("AIX SYSTEM attribute %s", sys); + if (strcmp(sys, "NONE") != 0) + return 1; /* not "NONE", so is OK */ + + if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) { + logit("Can't retrieve attribute auth1 for %s: %.100s", + user, strerror(errno)); + return 0; + } + + p = auth1; + /* A SEC_LIST is concatenated strings, ending with two NULs. */ + while (p[0] != '\0' && p[1] != '\0') { + debug3("AIX auth1 attribute list member %s", p); + if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) { + logit("Account %s has unsupported auth1 value '%s'", + user, p); + valid = 0; + } + p += strlen(p) + 1; + } + + return (valid); +} + /* * Do authentication via AIX's authenticate routine. We loop until the * reenter parameter is 0, but normally authenticate is called only once. @@ -112,6 +166,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) authmsg); } while (reenter); + if (!aix_valid_authentications(name)) + result = -1; + if (result == 0) { authsuccess = 1; -- cgit v1.2.3 From 42d9dc75ed2eefa6eeffc892f02eb164c1860603 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 2 Feb 2005 17:10:11 +1100 Subject: - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}] Make record_failed_login() call provide hostname rather than having the implementations having to do lookups themselves. Only affects AIX and UNICOS (the latter only uses the "user" parameter anyway). ok djm@ --- ChangeLog | 6 +++++- auth.c | 7 +++++-- loginrec.h | 4 +++- openbsd-compat/bsd-cray.c | 4 ++-- openbsd-compat/bsd-cray.h | 6 +++--- openbsd-compat/port-aix.c | 7 +------ openbsd-compat/port-aix.h | 3 +-- 7 files changed, 20 insertions(+), 17 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index eb897ec41..82758ca10 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20050202 - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@ + - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}] + Make record_failed_login() call provide hostname rather than having the + implementations having to do lookups themselves. Only affects AIX and + UNICOS (the latter only uses the "user" parameter anyway). ok djm@ 20050201 - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some @@ -2055,4 +2059,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3629 2005/02/01 23:43:59 dtucker Exp $ +$Id: ChangeLog,v 1.3630 2005/02/02 06:10:11 dtucker Exp $ diff --git a/auth.c b/auth.c index 4698e3990..dfc1be374 100644 --- a/auth.c +++ b/auth.c @@ -50,6 +50,7 @@ RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $"); #include "misc.h" #include "bufaux.h" #include "packet.h" +#include "loginrec.h" /* import */ extern ServerOptions options; @@ -244,7 +245,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) #ifdef CUSTOM_FAILED_LOGIN if (authenticated == 0 && strcmp(method, "password") == 0) - record_failed_login(authctxt->user, "ssh"); + record_failed_login(authctxt->user, + get_canonical_hostname(options.use_dns), "ssh"); #endif } @@ -468,7 +470,8 @@ getpwnamallow(const char *user) logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN - record_failed_login(user, "ssh"); + record_failed_login(user, + get_canonical_hostname(options.use_dns), "ssh"); #endif return (NULL); } diff --git a/loginrec.h b/loginrec.h index 6b7233256..d1a12a853 100644 --- a/loginrec.h +++ b/loginrec.h @@ -35,7 +35,7 @@ #include #include -/* RCSID("$Id: loginrec.h,v 1.8 2005/01/20 11:07:30 dtucker Exp $"); */ +/* RCSID("$Id: loginrec.h,v 1.9 2005/02/02 06:10:11 dtucker Exp $"); */ /** ** you should use the login_* calls to work around platform dependencies @@ -132,4 +132,6 @@ char *line_fullname(char *dst, const char *src, int dstsize); char *line_stripname(char *dst, const char *src, int dstsize); char *line_abbrevname(char *dst, const char *src, int dstsize); +void record_failed_login(const char *, const char *, const char *); + #endif /* _HAVE_LOGINREC_H_ */ diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index f630366be..d1f1c059c 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c @@ -1,5 +1,5 @@ /* - * $Id: bsd-cray.c,v 1.13 2004/01/30 03:34:22 dtucker Exp $ + * $Id: bsd-cray.c,v 1.14 2005/02/02 06:10:11 dtucker Exp $ * * bsd-cray.c * @@ -171,7 +171,7 @@ cray_access_denied(char *username) * record_failed_login: generic "login failed" interface function */ void -record_failed_login(const char *user, const char *ttyname) +record_failed_login(const char *user, const char *hostname, const char *ttyname) { cray_login_failure((char *)user, IA_UDBERR); } diff --git a/openbsd-compat/bsd-cray.h b/openbsd-compat/bsd-cray.h index de6ba1a8d..774eceb5a 100644 --- a/openbsd-compat/bsd-cray.h +++ b/openbsd-compat/bsd-cray.h @@ -1,4 +1,4 @@ -/* $Id: bsd-cray.h,v 1.11 2004/01/30 03:34:22 dtucker Exp $ */ +/* $Id: bsd-cray.h,v 1.12 2005/02/02 06:10:11 dtucker Exp $ */ /* * Copyright (c) 2002, Cray Inc. (Wendy Palm ) @@ -42,10 +42,10 @@ void cray_init_job(struct passwd *); void cray_job_termination_handler(int); void cray_login_failure(char *, int ); int cray_access_denied(char *); -#define CUSTOM_FAILED_LOGIN 1 -void record_failed_login(const char *, const char *); extern char cray_tmpdir[]; +#define CUSTOM_FAILED_LOGIN 1 + #ifndef IA_SSHD # define IA_SSHD IA_LOGIN #endif diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index e7eb179ec..79d180211 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -28,8 +28,6 @@ #include "auth.h" #include "ssh.h" #include "log.h" -#include "servconf.h" -#include "canohost.h" #include "xmalloc.h" #include "buffer.h" @@ -38,7 +36,6 @@ #include #include "port-aix.h" -extern ServerOptions options; extern Buffer loginmsg; # ifdef HAVE_SETAUTHDB @@ -280,10 +277,8 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm) * record_failed_login: generic "login failed" interface function */ void -record_failed_login(const char *user, const char *ttyname) +record_failed_login(const char *user, const char *hostname, const char *ttyname) { - char *hostname = (char *)get_canonical_hostname(options.use_dns); - if (geteuid() != 0) return; diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 29e9751ce..751139004 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.21 2004/08/14 14:09:12 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.22 2005/02/02 06:10:11 dtucker Exp $ */ /* * @@ -68,7 +68,6 @@ int sys_auth_allowed_user(struct passwd *); # define CUSTOM_SYS_AUTH_RECORD_LOGIN 1 int sys_auth_record_login(const char *, const char *, const char *); # define CUSTOM_FAILED_LOGIN 1 -void record_failed_login(const char *, const char *); #endif void aix_setauthdb(const char *); -- cgit v1.2.3 From b4d3012d2e9a0eb53c56565108c8278e45cefc77 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 8 Feb 2005 21:06:55 +1100 Subject: - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings. --- ChangeLog | 3 ++- openbsd-compat/port-aix.c | 15 +++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index 841c7bd32..89424da03 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the regress tests so newer versions of GNU head(1) behave themselves. Patch by djm, so ok me. + - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings. 20050204 - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too. @@ -2081,4 +2082,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3637 2005/02/08 09:17:17 dtucker Exp $ +$Id: ChangeLog,v 1.3638 2005/02/08 10:06:55 dtucker Exp $ diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 79d180211..27ab06158 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -36,6 +36,10 @@ #include #include "port-aix.h" +/* These should be in the system headers but are not. */ +int usrinfo(int, char *, int); +int setauthdb(const char *, char *); + extern Buffer loginmsg; # ifdef HAVE_SETAUTHDB @@ -49,6 +53,8 @@ static char old_registry[REGISTRY_SIZE] = ""; * NOTE: TTY= should be set, but since no one uses it and it's hard to * acquire due to privsep code. We will just drop support. */ + + void aix_usrinfo(struct passwd *pw) { @@ -260,10 +266,10 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm) int success = 0; aix_setauthdb(user); - if (loginsuccess((char *)user, host, ttynm, &msg) == 0) { + if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; if (msg != NULL) { - debug("AIX/loginsuccess: msg %s", __func__, msg); + debug("AIX/loginsuccess: msg %s", msg); buffer_append(&loginmsg, msg, strlen(msg)); xfree(msg); } @@ -284,9 +290,10 @@ record_failed_login(const char *user, const char *hostname, const char *ttyname) aix_setauthdb(user); # ifdef AIX_LOGINFAILED_4ARG - loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); + loginfailed((char *)user, (char *)hostname, (char *)ttyname, + AUDIT_FAIL_AUTH); # else - loginfailed((char *)user, hostname, (char *)ttyname); + loginfailed((char *)user, (char *)hostname, (char *)ttyname); # endif aix_restoreauthdb(); } -- cgit v1.2.3 From 92170a862634bf9ebe958cc75911658d18e30538 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 9 Feb 2005 17:08:23 +1100 Subject: - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call disable_forwarding() from compat library. Prevent linker errrors trying to resolve it for binaries other than sshd. ok djm@ --- ChangeLog | 7 ++++++- auth-passwd.c | 12 ++++++------ openbsd-compat/port-aix.c | 1 - 3 files changed, 12 insertions(+), 8 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index 98cdf96aa..633d70c36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,11 @@ - dtucker@cvs.openbsd.org 2005/02/08 22:24:57 [sshd.c] Provide reason in error message if getnameinfo fails; ok markus@ + - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call + disable_forwarding() from compat library. Prevent linker errrors trying + to resolve it for binaries other than sshd. ok djm@ + + when 20050208 - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the @@ -2107,4 +2112,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3644 2005/02/08 22:53:48 dtucker Exp $ +$Id: ChangeLog,v 1.3645 2005/02/09 06:08:23 dtucker Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index fb14f5ce4..27ece3f72 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -73,7 +73,7 @@ int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; - int ok = authctxt->valid; + int result, ok = authctxt->valid; #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) static int expire_checked = 0; #endif @@ -110,14 +110,14 @@ auth_password(Authctxt *authctxt, const char *password) #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) if (!expire_checked) { expire_checked = 1; - if (auth_shadow_pwexpired(authctxt)) { - disable_forwarding(); + if (auth_shadow_pwexpired(authctxt)) authctxt->force_pwchange = 1; - } } #endif - - return (sys_auth_passwd(authctxt, password) && ok); + result = sys_auth_passwd(authctxt, password); + if (authctxt->force_pwchange) + disable_forwarding(); + return (result && ok); } #ifdef BSD_AUTH diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 27ab06158..b16988543 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -196,7 +196,6 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) break; case 1: /* expired, password change required */ ctxt->force_pwchange = 1; - disable_forwarding(); break; default: /* user can't change(2) or other error (-1) */ logit("Password can't be changed for user %s: %.100s", -- cgit v1.2.3 From 691d5235ca9485877e8345269b1be4b2cf1be322 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 15 Feb 2005 21:45:57 +1100 Subject: - (dtucker) [README.platform auth.c configure.ac loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6 on AIX where possible (see README.platform for details) and work around a misfeature of AIX's getnameinfo. ok djm@ --- ChangeLog | 6 ++++- README.platform | 11 ++++++++- auth.c | 2 +- configure.ac | 62 +++++++++++++++++++++++++++++++++++++++++++++-- loginrec.c | 6 +++-- openbsd-compat/port-aix.c | 45 ++++++++++++++++++++++++++++------ openbsd-compat/port-aix.h | 22 ++++++++++++++--- 7 files changed, 136 insertions(+), 18 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index a55a3b3d7..9b0b3e2af 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 20050215 - (dtucker) [config.sh.in] Collect oslevel -r too. + - (dtucker) [README.platform auth.c configure.ac loginrec.c + openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6 + on AIX where possible (see README.platform for details) and work around + a misfeature of AIX's getnameinfo. ok djm@ 20050211 - (dtucker) [configure.ac] Tidy up configure --help output. @@ -2126,4 +2130,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3651 2005/02/15 10:26:32 dtucker Exp $ +$Id: ChangeLog,v 1.3652 2005/02/15 10:45:57 dtucker Exp $ diff --git a/README.platform b/README.platform index 880b83c63..136304a8e 100644 --- a/README.platform +++ b/README.platform @@ -13,6 +13,15 @@ Accounts in this state must have their passwords reset manually by the administrator. As a precaution, it is recommended that the administrative passwords be reset before upgrading from OpenSSH <3.8. +As of OpenSSH 4.0, configure will attempt to detect if your version +and maintenance level of AIX has a working getaddrinfo, and will use it +if found. This will enable IPv6 support. If for some reason configure +gets it wrong, or if you want to build binaries to work on earlier MLs +than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS +to force the previous IPv4-only behaviour. + +IPv6 known to work: 5.2ML2 5.2ML5 +IPv6 known broken: 4.3.3ML11 5.1ML4 Cygwin ------ @@ -27,4 +36,4 @@ Currently, sshd does not support BSM auditting. This can show up as errors when editting cron entries via crontab. See. http://bugzilla.mindrot.org/show_bug.cgi?id=125 -$Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $ +$Id: README.platform,v 1.3 2005/02/15 10:45:57 dtucker Exp $ diff --git a/auth.c b/auth.c index e6dcab209..256807683 100644 --- a/auth.c +++ b/auth.c @@ -209,7 +209,7 @@ allowed_user(struct passwd * pw) } #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER - if (!sys_auth_allowed_user(pw)) + if (!sys_auth_allowed_user(pw, &loginmsg)) return 0; #endif diff --git a/configure.ac b/configure.ac index 2df8a5e87..b27f0cf70 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.241 2005/02/11 05:11:49 dtucker Exp $ +# $Id: configure.ac,v 1.242 2005/02/15 10:45:57 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -135,7 +135,7 @@ case "$host" in [#include ] ) AC_CHECK_FUNCS(setauthdb) - AC_DEFINE(BROKEN_GETADDRINFO) + check_for_aix_broken_getaddrinfo=1 AC_DEFINE(BROKEN_REALPATH) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) @@ -1146,6 +1146,64 @@ main(void) ) fi +if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (ai->ai_family == AF_INET && err != 0) { + perror("getnameinfo"); + exit(2); + } + } + exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(AIX_GETNAMEINFO_HACK, [], +[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address]) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ] + ) +fi + if test "x$check_for_conflicting_getspnam" = "x1"; then AC_MSG_CHECKING(for conflicting getspnam in shadow.h) AC_COMPILE_IFELSE( diff --git a/loginrec.c b/loginrec.c index c033582ad..8f5061cdc 100644 --- a/loginrec.c +++ b/loginrec.c @@ -164,7 +164,7 @@ # include #endif -RCSID("$Id: loginrec.c,v 1.65 2005/02/08 10:52:48 dtucker Exp $"); +RCSID("$Id: loginrec.c,v 1.66 2005/02/15 10:45:57 dtucker Exp $"); /** ** prototypes for helper functions in this file @@ -192,6 +192,8 @@ int lastlog_get_entry(struct logininfo *li); int wtmp_get_entry(struct logininfo *li); int wtmpx_get_entry(struct logininfo *li); +extern Buffer loginmsg; + /* pick the shortest string */ #define MIN_SIZEOF(s1,s2) (sizeof(s1) < sizeof(s2) ? sizeof(s1) : sizeof(s2)) @@ -441,7 +443,7 @@ login_write(struct logininfo *li) #endif #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN if (li->type == LTYPE_LOGIN && - !sys_auth_record_login(li->username,li->hostname,li->line)) + !sys_auth_record_login(li->username,li->hostname,li->line, &loginmsg)) logit("Writing login record failed for %s", li->username); #endif #ifdef SSH_AUDIT_EVENTS diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index b16988543..8ab862f98 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -34,14 +34,13 @@ #ifdef _AIX #include +#include #include "port-aix.h" /* These should be in the system headers but are not. */ int usrinfo(int, char *, int); int setauthdb(const char *, char *); -extern Buffer loginmsg; - # ifdef HAVE_SETAUTHDB static char old_registry[REGISTRY_SIZE] = ""; # endif @@ -156,7 +155,7 @@ aix_valid_authentications(const char *user) * returns 0. */ int -sys_auth_passwd(Authctxt *ctxt, const char *password) +sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg) { char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name; int authsuccess = 0, expired, reenter, result; @@ -186,7 +185,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) */ expired = passwdexpired(name, &msg); if (msg && *msg) { - buffer_append(&loginmsg, msg, strlen(msg)); + buffer_append(loginmsg, msg, strlen(msg)); aix_remove_embedded_newlines(msg); } debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); @@ -219,7 +218,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) * Returns 1 if login is allowed, 0 if not allowed. */ int -sys_auth_allowed_user(struct passwd *pw) +sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg) { char *msg = NULL; int result, permitted = 0; @@ -246,7 +245,7 @@ sys_auth_allowed_user(struct passwd *pw) if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0) permitted = 1; else if (msg != NULL) - buffer_append(&loginmsg, msg, strlen(msg)); + buffer_append(loginmsg, msg, strlen(msg)); if (msg == NULL) msg = xstrdup("(none)"); aix_remove_embedded_newlines(msg); @@ -259,7 +258,8 @@ sys_auth_allowed_user(struct passwd *pw) } int -sys_auth_record_login(const char *user, const char *host, const char *ttynm) +sys_auth_record_login(const char *user, const char *host, const char *ttynm, + Buffer *loginmsg) { char *msg; int success = 0; @@ -269,7 +269,7 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm) success = 1; if (msg != NULL) { debug("AIX/loginsuccess: msg %s", msg); - buffer_append(&loginmsg, msg, strlen(msg)); + buffer_append(loginmsg, msg, strlen(msg)); xfree(msg); } } @@ -349,4 +349,33 @@ aix_restoreauthdb(void) # endif /* WITH_AIXAUTHENTICATE */ +# if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO) +# undef getnameinfo +/* + * For some reason, AIX's getnameinfo will refuse to resolve the all-zeros + * IPv6 address into its textual representation ("::"), so we wrap it + * with a function that will. + */ +int +sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host, + size_t hostlen, char *serv, size_t servlen, int flags) +{ + struct sockaddr_in6 *sa6; + u_int32_t *a6; + + if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) && + sa->sa_family == AF_INET6) { + sa6 = (struct sockaddr_in6 *)sa; + a6 = sa6->sin6_addr.u6_addr.u6_addr32; + + if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) { + strlcpy(host, "::", hostlen); + snprintf(serv, servlen, "%d", sa6->sin6_port); + return 0; + } + } + return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags); +} +# endif /* AIX_GETNAMEINFO_HACK */ + #endif /* _AIX */ diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 751139004..cc7c43cda 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.22 2005/02/02 06:10:11 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.23 2005/02/15 10:45:58 dtucker Exp $ */ /* * @@ -27,6 +27,10 @@ #ifdef _AIX +#ifdef HAVE_SYS_SOCKET_H +# include +#endif + #ifdef WITH_AIXAUTHENTICATE # include # include @@ -36,6 +40,8 @@ # include #endif +#include "buffer.h" + /* Some versions define r_type in the above headers, which causes a conflict */ #ifdef r_type # undef r_type @@ -64,13 +70,23 @@ void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE # define CUSTOM_SYS_AUTH_PASSWD 1 # define CUSTOM_SYS_AUTH_ALLOWED_USER 1 -int sys_auth_allowed_user(struct passwd *); +int sys_auth_allowed_user(struct passwd *, Buffer *); # define CUSTOM_SYS_AUTH_RECORD_LOGIN 1 -int sys_auth_record_login(const char *, const char *, const char *); +int sys_auth_record_login(const char *, const char *, const char *, Buffer *); # define CUSTOM_FAILED_LOGIN 1 #endif void aix_setauthdb(const char *); void aix_restoreauthdb(void); void aix_remove_embedded_newlines(char *); + +#if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_GETADDRINFO) +# ifdef getnameinfo +# undef getnameinfo +# endif +int sshaix_getnameinfo(const struct sockaddr *, size_t, char *, size_t, + char *, size_t, int); +# define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g)) +#endif + #endif /* _AIX */ -- cgit v1.2.3 From 3c774c52f31b54eccb5a936470d21d196968693b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 16 Feb 2005 22:49:31 +1100 Subject: - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more compiler warnings on AIX. --- ChangeLog | 4 +++- configure.ac | 7 +++++-- openbsd-compat/port-aix.c | 4 ---- openbsd-compat/port-aix.h | 25 ++++++++++++++++++++++++- 4 files changed, 32 insertions(+), 8 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index 9d132f981..836cc0dfc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,8 @@ authentication early enough to be available to PAM session modules when privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam Hartman and similar to Debian's ssh-krb5 package. + - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more + compiler warnings on AIX. 20050215 - (dtucker) [config.sh.in] Collect oslevel -r too. @@ -2146,4 +2148,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3658 2005/02/16 05:47:37 dtucker Exp $ +$Id: ChangeLog,v 1.3659 2005/02/16 11:49:31 dtucker Exp $ diff --git a/configure.ac b/configure.ac index aa6aed6b0..fe6b002d4 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.243 2005/02/16 05:19:17 dtucker Exp $ +# $Id: configure.ac,v 1.244 2005/02/16 11:49:31 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -121,8 +121,11 @@ case "$host" in LIBS="$LIBS -ls" ]) ]) + dnl Check for various auth function declarations in headers. + AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess, passwdexpired],, + [#include ]) dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2) - AC_CHECK_DECL(loginfailed, + AC_CHECK_DECLS(loginfailed, [AC_MSG_CHECKING(if loginfailed takes 4 arguments) AC_TRY_COMPILE( [#include ], diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 8ab862f98..fa6a4ff7b 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -37,10 +37,6 @@ #include #include "port-aix.h" -/* These should be in the system headers but are not. */ -int usrinfo(int, char *, int); -int setauthdb(const char *, char *); - # ifdef HAVE_SETAUTHDB static char old_registry[REGISTRY_SIZE] = ""; # endif diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index cc7c43cda..a05ce9703 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.23 2005/02/15 10:45:58 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.24 2005/02/16 11:49:31 dtucker Exp $ */ /* * @@ -30,6 +30,9 @@ #ifdef HAVE_SYS_SOCKET_H # include #endif +#ifdef HAVE_UNISTD_H +# include /* for seteuid() */ +#endif #ifdef WITH_AIXAUTHENTICATE # include @@ -42,6 +45,26 @@ #include "buffer.h" +/* These should be in the system headers but are not. */ +int usrinfo(int, char *, int); +int setauthdb(const char *, char *); +/* these may or may not be in the headers depending on the version */ +#if (HAVE_DECL_AUTHENTICATE == 0) +int authenticate(char *, char *, int *, char **); +#endif +#if (HAVE_DECL_LOGINFAILED == 0) +int loginfailed(char *, char *, char *); +#endif +#if (HAVE_DECL_LOGINRESTRICTIONS == 0) +int loginrestrictions(char *, int, char *, char **); +#endif +#if (HAVE_DECL_LOGINSUCCESS == 0) +int loginsuccess(char *, char *, char *, char **); +#endif +#if (HAVE_DECL_PASSWDEXPIRED == 0) +int passwdexpired(char *, char **); +#endif + /* Some versions define r_type in the above headers, which causes a conflict */ #ifdef r_type # undef r_type -- cgit v1.2.3