after select()
- 'fixprogs' perl script to eliminate non-working entropy commands, and
optionally run 'ent' to measure command entropy
+ - Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
20000513
- Fix for non-recognised DSA keys from Arkadiusz Miskiewicz
/* Define if you want to disable PAM support */
#undef DISABLE_PAM
-/* Define if you want to disable AIX4's authenticate function */
+/* Define if you want to enable AIX4's authenticate function */
#undef WITH_AIXAUTHENTICATE
/* Define if you want to disable lastlog support */
#include "compat.h"
#include "channels.h"
#include "match.h"
+#ifdef HAVE_LOGIN_H
+#include <login.h>
+#endif
#include "bufaux.h"
#include "ssh2.h"
}
#ifdef WITH_AIXAUTHENTICATE
- if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+ if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) {
+ if (loginmsg && *loginmsg) {
+ /* Remove embedded newlines (if any) */
+ char *p;
+ for (p = loginmsg; *p; p++)
+ if (*p == '\n')
+ *p = ' ';
+ /* Remove trailing newline */
+ *--p = '\0';
+ log("Login restricted for %s: %.100s",
+ pw->pw_name, loginmsg);
+ }
return 0;
+ }
#endif /* WITH_AIXAUTHENTICATE */
/* We found no reason not to let this user try to log on... */
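Review bot: The trailing-newline strip `*--p = '\0';` runs after the loop at L28–L30 has already turned every '\n', including a trailing one, into ' ', so it unconditionally drops the last character of loginmsg whatever that character is. Stripping the trailing newline before the loop, e.g. `size_t n = strlen(loginmsg); if (n && loginmsg[n - 1] == '\n') loginmsg[--n] = '\0';`, and then replacing only the interior newlines keeps the message intact. If the buffer loginrestrictions() hands back is heap-allocated, as I believe the AIX interface specifies, it is also never freed on this path; worth confirming and releasing it after the log() call. The enclosing function begins before this hunk.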
get_remote_port());
#ifdef WITH_AIXAUTHENTICATE
- if (strncmp(get_authname(type),"password",
- strlen(get_authname(type))) == 0)
- loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+ loginfailed(user,get_canonical_hostname(),"ssh");
#endif /* WITH_AIXAUTHENTICATE */
/* Indicate that authentication is needed. */
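Review bot: `loginfailed(user, get_canonical_hostname(), "ssh");` now records a failure for every authentication method that is rejected, where the removed lines limited it to the password method. On AIX the failed-login record feeds the per-account lockout policy (loginretries), so rejected non-password attempts, such as public keys that do not match, will now count toward locking the account; whether that is intended deserves a comment on the call, e.g. `/* Every failed method feeds AIX loginretries accounting, not just password */`, or the method check restored around it. The switch from `pw->pw_name` to `user` also changes which name is recorded if the two strings differ here; confirm they are identical at this point. The function this hunk sits in starts outside the hunk.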
client_user = NULL;
}
- if (attempt > AUTH_FAIL_MAX)
+ if (attempt > AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE
+ loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
+ }
/* Send a message indicating that the authentication attempt failed. */
packet_start(SSH_SMSG_FAILURE);
unsigned int ulen;
char *user;
#ifdef WITH_AIXAUTHENTICATE
- char *loginmsg;
+ extern char *aixloginmsg;
#endif /* WITH_AIXAUTHENTICATE */
/* Get the name of the user that we wish to log in as. */
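Review bot: `extern char *aixloginmsg;` is declared at block scope here and again at L81–L83 in auth2.c, while the definition lives in session.c (L148–L151), so the type has to be kept in sync by hand at each site. Declaring it once in a shared header under the same `#ifdef WITH_AIXAUTHENTICATE` and including that header lets the compiler check every use against a single declaration. This is a point of style only; the code is correct as written.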
/* The user has been authenticated and accepted. */
#ifdef WITH_AIXAUTHENTICATE
- loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+ /* We don't have a pty yet, so just label the line as "ssh" */
+ if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0)
+ aixloginmsg = NULL;
#endif /* WITH_AIXAUTHENTICATE */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
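Review bot: The message loginsuccess() stores into aixloginmsg is printed later in session.c (L157–L165) but is never freed or reset, and the same pattern is added in auth2.c at L99–L104. If the AIX call returns a heap-allocated buffer, as I believe its interface states, the global should be released and set back to NULL once it has been displayed. A comment at the assignment stating the contract would also help the consumer in session.c, e.g. `/* aixloginmsg is NULL when loginsuccess() fails; may also be empty on success */`.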
int authenticated = 0;
char *raw, *user, *service, *method, *authmsg = NULL;
struct passwd *pw;
-
- if (++attempt == AUTH_FAIL_MAX)
- packet_disconnect("too many failed userauth_requests");
+#ifdef WITH_AIXAUTHENTICATE
+ extern char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
raw = packet_get_raw(&rlen);
if (plen != rlen)
user = packet_get_string(&len);
service = packet_get_string(&len);
method = packet_get_string(&len);
+ if (++attempt == AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE
+ loginfailed(user,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
+ packet_disconnect("too many failed userauth_requests");
+ }
debug("userauth-request for user %s service %s method %s", user, service, method);
/* XXX we only allow the ssh-connection service */
/* XXX todo: check if multiple auth methods are needed */
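Review bot: `loginfailed(user, get_canonical_hostname(), "ssh");` at L91 records the name exactly as the client supplied it in the USERAUTH_REQUEST packet (L86), with no lookup or validation visible in the hunk, whereas the ssh1 path at L53 records `pw->pw_name`. Client-chosen text therefore goes straight into the AIX failed-login records; if a passwd lookup for `user` is available at this point, prefer recording the canonical name, or at least mark the asymmetry with `/* user is still the raw client-supplied name here */`. Moving the attempt check below the three packet_get_string() calls is necessary for this, and since packet_disconnect() presumably does not return, the unfreed strings on that path are harmless.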
if (authenticated == 1) {
+#ifdef WITH_AIXAUTHENTICATE
+ /* We don't have a pty yet, so just label the line as "ssh" */
+ if (loginsuccess(user,get_canonical_hostname(),"ssh",
+ &aixloginmsg) < 0)
+ aixloginmsg = NULL;
+#endif /* WITH_AIXAUTHENTICATE */
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
if test "$LD" != "gcc" -a -z "$blibpath"; then
blibpath="/usr/lib:/lib:/usr/local/lib"
fi
+ AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])
AC_DEFINE(BROKEN_GETADDRINFO)
;;
*-*-hpux10*)
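Review bot: `AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])` enables the feature automatically whenever authenticate() is present, yet the acconfig.h text changed at L10 now reads "Define if you want to enable", which implies a choice the build does not offer. Either add an AC_ARG_WITH option so the define can be switched off on AIX, or reword the acconfig.h comment to say it is set automatically when authenticate() is found.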
get_last_login_time(uid_t uid, const char *logname,
char *buf, unsigned int bufsize)
{
+#if defined(WITH_AIXAUTHENTICATE)
+ /* This is done in do_authentication */
+ return (unsigned long) 0;
+#else
#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
struct lastlog ll;
char *lastlog;
return 0;
# endif /* HAVE_TYPE_IN_UTMP */
#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(WITH_AIXAUTHENTICATE) */
}
/*
login(&u);
#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
-#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
+#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE)
+ /* AIX does this in do_authentication */
lastlog = _PATH_LASTLOG;
/* Update lastlog unless actually recording a logout. */
close(fd);
}
}
-#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */
}
/* Records that the user has logged out. */
/* data */
#define MAX_SESSIONS 10
Session sessions[MAX_SESSIONS];
+#ifdef WITH_AIXAUTHENTICATE
+/* AIX's lastlogin message, set in auth1.c */
+char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
/* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */
int no_port_forwarding_flag = 0;
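Review bot: The comment `/* AIX's lastlogin message, set in auth1.c */` is already incomplete, since the same change set also assigns aixloginmsg in auth2.c (L101–L103) and reads it in session.c (L157–L165). Suggest `/* AIX's lastlogin message; set by loginsuccess() in auth1.c (ssh1) and auth2.c (ssh2), displayed in session.c before the command is run */`. Noting who owns the buffer and whether it must be freed would also be worth a line here, since that is not documented at any of the three sites.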
fclose(f);
}
}
+#if defined(WITH_AIXAUTHENTICATE)
+ /*
+ * AIX handles the lastlog info differently. Display it here.
+ */
+ if (command == NULL && aixloginmsg && *aixloginmsg &&
+ !quiet_login && !options.use_login) {
+ printf("%s\n", aixloginmsg);
+ }
+#endif
/* Do common processing for the child, such as execing the command. */
do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty);
/* NOTREACHED */