- (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for

   accounts with authentication configs that sshd can't support (ie
   SYSTEM=NONE and AUTH1=something).

diff --git a/ChangeLog b/ChangeLog
index efbfb42c53667c2dc74a904c171e126a077ed5f8..6b0e874e6f50aa3b1764021f2330832e9299cf0a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,9 @@
  - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
    too; patch from cmadams at hiwaay.net.
  - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
+ - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
+   accounts with authentication configs that sshd can't support (ie
+   SYSTEM=NONE and AUTH1=something).
 
 20040828
  - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from

diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 78f4faea3b3b61780393f5d5a7e16b7610ad0350..e7eb179ec12f743fbd955fe2cf468d52651b75b0 100644 (file)
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,6 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ * Copyright (c) 2003,2004 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -91,6 +92,59 @@ aix_remove_embedded_newlines(char *p)
                *p = '\0';
 }
 
+/*
+ * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
+ * anything other than NONE or SYSTEM, which indicates that the admin has
+ * configured the account for purely AUTH1-type authentication.
+ *
+ * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
+ * AUTH1 itself, in such a case authenticate() will allow access without
+ * authentation, which is almost certainly not what the admin intends.
+ *
+ * (The native tools, eg login, will process the AUTH1 list in addition to
+ * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
+ * have been deprecated since AIX 4.2.x and would be very difficult for sshd
+ * to support.
+ *
+ * Returns 0 if an unsupportable combination is found, 1 otherwise.
+ */
+static int
+aix_valid_authentications(const char *user)
+{
+       char *auth1, *sys, *p;
+       int valid = 1;
+
+       if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
+               logit("Can't retrieve attribute SYSTEM for %s: %.100s",
+                   user, strerror(errno));
+               return 0;
+       }
+
+       debug3("AIX SYSTEM attribute %s", sys);
+       if (strcmp(sys, "NONE") != 0)
+               return 1;       /* not "NONE", so is OK */
+
+       if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
+               logit("Can't retrieve attribute auth1 for %s: %.100s",
+                   user, strerror(errno));
+               return 0;
+       }
+
+       p = auth1;
+       /* A SEC_LIST is concatenated strings, ending with two NULs. */
+       while (p[0] != '\0' && p[1] != '\0') {
+               debug3("AIX auth1 attribute list member %s", p);
+               if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
+                       logit("Account %s has unsupported auth1 value '%s'",
+                           user, p);
+                       valid = 0;
+               }
+               p += strlen(p) + 1;
+       }
+
+       return (valid);
+}
+
 /*
  * Do authentication via AIX's authenticate routine.  We loop until the
  * reenter parameter is 0, but normally authenticate is called only once.
@@ -112,6 +166,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
                    authmsg);
        } while (reenter);
 
+       if (!aix_valid_authentications(name))
+               result = -1;
+
        if (result == 0) {
                authsuccess = 1;