From a7ea546f1bec59b045a747f900be1ac67089329b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 16 Jun 2004 12:01:15 +1000 Subject: - (dtucker) [openbsd-compat/port-aix.c] Expand whitespace -> tabs. No code changes. --- openbsd-compat/port-aix.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 2895f0d44..5ba6819de 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -133,12 +133,12 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) /* * Check if the user's password is expired. */ - expired = passwdexpired(name, &msg); - if (msg && *msg) { - buffer_append(&loginmsg, msg, strlen(msg)); - aix_remove_embedded_newlines(msg); - } - debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); + expired = passwdexpired(name, &msg); + if (msg && *msg) { + buffer_append(&loginmsg, msg, strlen(msg)); + aix_remove_embedded_newlines(msg); + } + debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); switch (expired) { case 0: /* password not expired */ -- cgit v1.2.3 From 0a9d43d7264ff0a74c4f9493be238e35ef04c952 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 23 Jun 2004 13:45:24 +1000 Subject: - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move loginrestrictions test to port-aix.c, replace with a generic hook. --- ChangeLog | 4 +++- auth.c | 29 ++++------------------------- openbsd-compat/port-aix.c | 46 +++++++++++++++++++++++++++++++++++++++++++++- openbsd-compat/port-aix.h | 4 +++- 4 files changed, 55 insertions(+), 28 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index 2fde8a8f7..d9f4c8d99 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -16,6 +16,8 @@ Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@ - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match -Wshadow change. + - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] + Move loginrestrictions test to port-aix.c, replace with a generic hook. 20040622 - (bal) [auth-passwd.c auth1.c] Clean up unused variables. @@ -1388,4 +1390,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3438 2004/06/23 03:21:54 mouring Exp $ +$Id: ChangeLog,v 1.3439 2004/06/23 03:45:24 dtucker Exp $ diff --git a/auth.c b/auth.c index ef3cdba3c..d9ee0362f 100644 --- a/auth.c +++ b/auth.c @@ -203,31 +203,10 @@ allowed_user(struct passwd * pw) ga_free(); } -#ifdef WITH_AIXAUTHENTICATE - /* - * Don't check loginrestrictions() for root account (use - * PermitRootLogin to control logins via ssh), or if running as - * non-root user (since loginrestrictions will always fail). - */ - if ((pw->pw_uid != 0) && (geteuid() == 0)) { - char *msg; - - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { - int loginrestrict_errno = errno; - - if (msg && *msg) { - buffer_append(&loginmsg, msg, strlen(msg)); - aix_remove_embedded_newlines(msg); - logit("Login restricted for %s: %.100s", - pw->pw_name, msg); - } - /* Don't fail if /etc/nologin set */ - if (!(loginrestrict_errno == EPERM && - stat(_PATH_NOLOGIN, &st) == 0)) - return 0; - } - } -#endif /* WITH_AIXAUTHENTICATE */ +#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER + if (!sys_auth_allowed_user(pw)) + return 0; +#endif /* We found no reason not to let this user try to log on... */ return 1; diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 5ba6819de..bf7e98652 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c 
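Review bot: The `#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER` call added to allowed_user() replaces a commented block with an undocumented hook. A reader of auth.c can no longer see that a 0 return denies the login, or that the platform check is expected to exempt root and a non-root sshd by itself. I would add a comment above the call such as `/* Platform-specific account restrictions; the hook returns 0 to deny and 1 to allow */`. allowed_user() begins before this hunk, so its earlier checks are not visible here.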
@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) return authsuccess; } - + +/* + * Check if specified account is permitted to log in. + * Returns 1 if login is allowed, 0 if not allowed. + */ +int +sys_auth_allowed_user(struct passwd *pw) +{ + char *msg = NULL; + int result, permitted = 0; + struct stat st; + + /* + * Don't perform checks for root account (PermitRootLogin controls + * logins via * ssh) or if running as non-root user (since + * loginrestrictions will always fail due to insufficient privilege). + */ + if (pw->pw_uid == 0 || geteuid() != 0) { + debug3("%s: not checking"); + return 1; + } + + result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg); + if (result == 0) + permitted = 1; + /* + * If restricted because /etc/nologin exists, the login will be denied + * in session.c after the nologin message is sent, so allow for now + * and do not append the returned message. + */ + if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0) + permitted = 1; + else if (msg != NULL) + buffer_append(&loginmsg, msg, strlen(msg)); + if (msg == NULL) + msg = xstrdup("(none)"); + aix_remove_embedded_newlines(msg); + debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg); + + if (!permitted) + logit("Login restricted for %s: %.100s", pw->pw_name, msg); + xfree(msg); + return permitted; +} + # ifdef CUSTOM_FAILED_LOGIN /* * record_failed_login: generic "login failed" interface function diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 3118af9a9..3b82652db 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */ /* * 
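Review bot: In the early-return branch of sys_auth_allowed_user(), `debug3("%s: not checking");` has a `%s` conversion with no matching argument, which is undefined behaviour on a path taken for every root account and every non-root sshd. It should read `debug3("%s: not checking", __func__);`. If debug3() is not already declared with a printf format attribute, adding one would let -Wformat catch this class of mistake at compile time. Separately, the /etc/nologin branch sets `permitted = 1` on the assumption that session.c refuses the login later, so the function deliberately fails open there and depends on code outside this file. The comment above that early return also has a stray `*` in "logins via * ssh".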
@@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE # define CUSTOM_SYS_AUTH_PASSWD 1 +# define CUSTOM_SYS_AUTH_ALLOWED_USER 1 +int sys_auth_allowed_user(struct passwd *); # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *, const char *); #endif -- cgit v1.2.3 From 5288cb242aeea747dba400997c376035578a8445 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 28 Jun 2004 18:11:19 +1000 Subject: - (dtucker) [openbsd-compat/port-aix.c] Missing __func__. --- ChangeLog | 3 ++- openbsd-compat/port-aix.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index ac1145056..62fc76a72 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ rename handling for Linux which returns EPERM for link() on (at least some) filesystems that do not support hard links. sftp-server will fall back to stat+rename() in such cases. + - (dtucker) [openbsd-compat/port-aix.c] Missing __func__. 20040626 - (djm) OpenBSD CVS Sync @@ -1442,4 +1443,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3456 2004/06/28 06:01:19 dtucker Exp $ +$Id: ChangeLog,v 1.3457 2004/06/28 08:11:19 dtucker Exp $ diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index bf7e98652..d0c9a49e8 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -181,7 +181,7 @@ sys_auth_allowed_user(struct passwd *pw) * loginrestrictions will always fail due to insufficient privilege). */ if (pw->pw_uid == 0 || geteuid() != 0) { - debug3("%s: not checking"); + debug3("%s: not checking", __func__); return 1; } -- cgit v1.2.3 From 397a2f2612901785d8290a90ae9aa59efb422c92 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Sun, 15 Aug 2004 00:09:11 +1000 Subject: - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Plug AIX login recording into login_write so logins will be recorded for all auth types. --- ChangeLog | 5 ++++- loginrec.c | 7 ++++++- openbsd-compat/port-aix.c | 30 ++++++++++++++++++++---------- openbsd-compat/port-aix.h | 4 +++- 4 files changed, 33 insertions(+), 13 deletions(-) (limited to 'openbsd-compat/port-aix.c') diff --git a/ChangeLog b/ChangeLog index ddf0aaa19..00f38b465 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ Explicitly set umask for mkstemp; ok djm@ - (dtucker) [includes.h] Undef _INCLUDE__STDC__ on HP-UX, otherwise prot.h and shadow.h provide conflicting declarations of getspnam. ok djm@ + - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] + Plug AIX login recording into login_write so logins will be recorded for + all auth types. 20040813 - (dtucker) [openbsd-compat/bsd-misc.c] Typo in #ifdef; from vinschen at @@ -1628,4 +1631,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3507 2004/08/14 14:01:48 dtucker Exp $ +$Id: ChangeLog,v 1.3508 2004/08/14 14:09:11 dtucker Exp $ diff --git a/loginrec.c b/loginrec.c index b74d412e6..af32b1867 100644 --- a/loginrec.c +++ b/loginrec.c @@ -158,7 +158,7 @@ #include "log.h" #include "atomicio.h" -RCSID("$Id: loginrec.c,v 1.56 2004/04/08 06:16:06 dtucker Exp $"); +RCSID("$Id: loginrec.c,v 1.57 2004/08/14 14:09:11 dtucker Exp $"); #ifdef HAVE_UTIL_H # include @@ -434,6 +434,11 @@ login_write (struct logininfo *li) #endif #ifdef USE_WTMPX wtmpx_write_entry(li); +#endif +#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN + if (li->type == LTYPE_LOGIN && + !sys_auth_record_login(li->username,li->hostname,li->line)) + logit("Writing login record failed for %s", li->username); #endif return 0; } 
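Review bot: In login_write(), a failed sys_auth_record_login() is only reported with logit() and the function still reaches `return 0`, so callers cannot tell that the platform login record was not written. If that is intentional best-effort behaviour, say so at the call with a comment such as `/* best effort: a failed platform login record does not fail login_write */`; otherwise the return value should reflect the failure. The argument list `li->username,li->hostname,li->line` also lacks the spaces after commas used elsewhere in the file. login_write() starts outside this hunk, so how failures of the other record writers are treated is not visible here.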
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index d0c9a49e8..78f4faea3 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -101,7 +101,7 @@ aix_remove_embedded_newlines(char *p) int sys_auth_passwd(Authctxt *ctxt, const char *password) { - char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name; + char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name; int authsuccess = 0, expired, reenter, result; do { @@ -115,20 +115,11 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) if (result == 0) { authsuccess = 1; - host = (char *)get_canonical_hostname(options.use_dns); - /* * Record successful login. We don't have a pty yet, so just * label the line as "ssh" */ aix_setauthdb(name); - if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) { - if (msg != NULL) { - debug("%s: msg %s", __func__, msg); - buffer_append(&loginmsg, msg, strlen(msg)); - xfree(msg); - } - } /* * Check if the user's password is expired. @@ -208,6 +199,25 @@ sys_auth_allowed_user(struct passwd *pw) return permitted; } +int +sys_auth_record_login(const char *user, const char *host, const char *ttynm) +{ + char *msg; + int success = 0; + + aix_setauthdb(user); + if (loginsuccess((char *)user, host, ttynm, &msg) == 0) { + success = 1; + if (msg != NULL) { + debug("AIX/loginsuccess: msg %s", __func__, msg); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); + } + } + aix_restoreauthdb(); + return (success); +} + # ifdef CUSTOM_FAILED_LOGIN /* * record_failed_login: generic "login failed" interface function diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 3b82652db..29e9751ce 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.21 2004/08/14 14:09:12 dtucker Exp $ */ /* * 
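Review bot: In sys_auth_passwd(), the comment "Record successful login. We don't have a pty yet, so just label the line as "ssh"" is left above a bare `aix_setauthdb(name);` after the loginsuccess() call is removed, so it now describes code that no longer exists. Replace it with a comment saying why the auth database is still selected at this point (presumably for the password-expiry check that follows), or drop it. No matching aix_restoreauthdb() is visible in this hunk, whereas the new sys_auth_record_login() pairs the two calls. The function continues outside the hunk, so confirm the restore happens on every exit path.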
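Review bot: In the new sys_auth_record_login(), `debug("AIX/loginsuccess: msg %s", __func__, msg);` passes two arguments for one `%s`, so the log shows the function name and the message returned by loginsuccess() is never printed. It should be `debug("AIX/loginsuccess: msg %s", msg);`. `char *msg;` is also left uninitialised, unlike `char *msg = NULL` in sys_auth_allowed_user(). If loginsuccess() can return 0 without storing to it, the `msg != NULL` test, buffer_append() and xfree() all act on an indeterminate pointer, so declare it as `char *msg = NULL;`. Whether loginsuccess() can also return a message when it fails is not visible here; if it can, that buffer is not freed on the failure path. The function also has no header comment like its neighbours; one line stating that it returns 1 when the login was recorded and 0 otherwise would do.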
@@ -65,6 +65,8 @@ void aix_usrinfo(struct passwd *);
 # define CUSTOM_SYS_AUTH_PASSWD 1
 # define CUSTOM_SYS_AUTH_ALLOWED_USER 1
 int sys_auth_allowed_user(struct passwd *);
+# define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
+int sys_auth_record_login(const char *, const char *, const char *);
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
 #endif
-- cgit v1.2.3