Oops, forgot to document second change to roaming_client.c

[openssh.git] / openbsd-compat / port-aix.c

diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 8ab862f9851761f8b00bdf57962e36bf6b8dff7d..0bdefbf6da0078f0d3ef30f6b9aa089692dbcbf5 100644 (file)
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,7 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
- * Copyright (c) 2003,2004 Darren Tucker.  All rights reserved.
+ * Copyright (c) 2003,2004,2005,2006 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -25,35 +25,51 @@
  *
  */
 #include "includes.h"
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "ssh.h"
 #include "log.h"
-#include "xmalloc.h"
-#include "buffer.h"
 
 #ifdef _AIX
 
+#include <errno.h>
+#if defined(HAVE_NETDB_H)
+# include <netdb.h>
+#endif
 #include <uinfo.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
 #include <sys/socket.h>
+
+#ifdef WITH_AIXAUTHENTICATE
+# include <login.h>
+# include <userpw.h>
+# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG)
+#  include <sys/audit.h>
+# endif
+# include <usersec.h>
+#endif
+
 #include "port-aix.h"
 
-/* These should be in the system headers but are not. */
-int usrinfo(int, char *, int);
-int setauthdb(const char *, char *);
+static char *lastlogin_msg = NULL;
 
 # ifdef HAVE_SETAUTHDB
 static char old_registry[REGISTRY_SIZE] = "";
 # endif
 
 /*
- * AIX has a "usrinfo" area where logname and other stuff is stored - 
+ * AIX has a "usrinfo" area where logname and other stuff is stored -
  * a few applications actually use this and die if it's not set
  *
  * NOTE: TTY= should be set, but since no one uses it and it's hard to
  * acquire due to privsep code.  We will just drop support.
  */
-
-
 void
 aix_usrinfo(struct passwd *pw)
 {
@@ -64,7 +80,7 @@ aix_usrinfo(struct passwd *pw)
        len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
        cp = xmalloc(len);
 
-       i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0', 
+       i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
            pw->pw_name, '\0');
        if (usrinfo(SETUINFO, cp, i) == -1)
                fatal("Couldn't set usrinfo: %s", strerror(errno));
@@ -155,16 +171,16 @@ aix_valid_authentications(const char *user)
  * returns 0.
  */
 int
-sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
+sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
-       char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
+       char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
        int authsuccess = 0, expired, reenter, result;
 
        do {
                result = authenticate((char *)name, (char *)password, &reenter,
                    &authmsg);
                aix_remove_embedded_newlines(authmsg);  
-               debug3("AIX/authenticate result %d, msg %.100s", result,
+               debug3("AIX/authenticate result %d, authmsg %.100s", result,
                    authmsg);
        } while (reenter);
 
@@ -174,7 +190,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
        if (result == 0) {
                authsuccess = 1;
 
-               /*
+               /*
                 * Record successful login.  We don't have a pty yet, so just
                 * label the line as "ssh"
                 */
@@ -185,7 +201,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
                 */
                expired = passwdexpired(name, &msg);
                if (msg && *msg) {
-                       buffer_append(loginmsg, msg, strlen(msg));
+                       buffer_append(ctxt->loginmsg, msg, strlen(msg));
                        aix_remove_embedded_newlines(msg);
                }
                debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
@@ -226,7 +242,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
 
        /*
         * Don't perform checks for root account (PermitRootLogin controls
-        * logins via * ssh) or if running as non-root user (since
+        * logins via ssh) or if running as non-root user (since
         * loginrestrictions will always fail due to insufficient privilege).
         */
        if (pw->pw_uid == 0 || geteuid() != 0) {
@@ -261,7 +277,7 @@ int
 sys_auth_record_login(const char *user, const char *host, const char *ttynm,
     Buffer *loginmsg)
 {
-       char *msg;
+       char *msg = NULL;
        int success = 0;
 
        aix_setauthdb(user);
@@ -269,14 +285,23 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
                success = 1;
                if (msg != NULL) {
                        debug("AIX/loginsuccess: msg %s", msg);
-                       buffer_append(loginmsg, msg, strlen(msg));
-                       xfree(msg);
+                       if (lastlogin_msg == NULL)
+                               lastlogin_msg = msg;
                }
        }
        aix_restoreauthdb();
        return (success);
 }
 
+char *
+sys_auth_get_lastlogin_msg(const char *user, uid_t uid)
+{
+       char *msg = lastlogin_msg;
+
+       lastlogin_msg = NULL;
+       return msg;
+}
+
 #  ifdef CUSTOM_FAILED_LOGIN
 /*
  * record_failed_login: generic "login failed" interface function
@@ -349,6 +374,31 @@ aix_restoreauthdb(void)
 
 # endif /* WITH_AIXAUTHENTICATE */
 
+# ifdef USE_AIX_KRB_NAME
+/*
+ * aix_krb5_get_principal_name: returns the user's kerberos client principal name if
+ * configured, otherwise NULL.  Caller must free returned string.
+ */
+char *
+aix_krb5_get_principal_name(char *pw_name)
+{
+       char *authname = NULL, *authdomain = NULL, *principal = NULL;
+
+       setuserdb(S_READ);
+       if (getuserattr(pw_name, S_AUTHDOMAIN, &authdomain, SEC_CHAR) != 0)
+               debug("AIX getuserattr S_AUTHDOMAIN: %s", strerror(errno));
+       if (getuserattr(pw_name, S_AUTHNAME, &authname, SEC_CHAR) != 0)
+               debug("AIX getuserattr S_AUTHNAME: %s", strerror(errno));
+
+       if (authdomain != NULL)
+               xasprintf(&principal, "%s@%s", authname ? authname : pw_name, authdomain);
+       else if (authname != NULL)
+               principal = xstrdup(authname);
+       enduserdb();
+       return principal;
+}
+# endif /* USE_AIX_KRB_NAME */
+
 # if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO)
 # undef getnameinfo
 /*
@@ -378,4 +428,47 @@ sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
 }
 # endif /* AIX_GETNAMEINFO_HACK */
 
+# if defined(USE_GETGRSET)
+#  include <stdlib.h>
+int
+getgrouplist(const char *user, gid_t pgid, gid_t *groups, int *grpcnt)
+{
+       char *cp, *grplist, *grp;
+       gid_t gid;
+       int ret = 0, ngroups = 0, maxgroups;
+       long l;
+
+       maxgroups = *grpcnt;
+
+       if ((cp = grplist = getgrset(user)) == NULL)
+               return -1;
+
+       /* handle zero-length case */
+       if (maxgroups <= 0) {
+               *grpcnt = 0;
+               return -1;
+       }
+
+       /* copy primary group */
+       groups[ngroups++] = pgid;
+
+       /* copy each entry from getgrset into group list */
+       while ((grp = strsep(&grplist, ",")) != NULL) {
+               l = strtol(grp, NULL, 10);
+               if (ngroups >= maxgroups || l == LONG_MIN || l == LONG_MAX) {
+                       ret = -1;
+                       goto out;
+               }
+               gid = (gid_t)l;
+               if (gid == pgid)
+                       continue;       /* we have already added primary gid */
+               groups[ngroups++] = gid;
+       }
+out:
+       free(cp);
+       *grpcnt = ngroups;
+       return ret;
+}
+# endif        /* USE_GETGRSET */
+
 #endif /* _AIX */