From: dtucker Date: Tue, 8 Jul 2003 12:59:59 +0000 (+0000) Subject: - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h] X-Git-Tag: PRE_KRB4_REMOVAL~20 X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/bc7dfc06770233b90b9b85b6f384072e8a300cf6 - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h] Convert aixloginmsg into platform-independant Buffer loginmsg. --- diff --git a/ChangeLog b/ChangeLog index 1b81b873..add37078 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,7 +2,9 @@ - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]] Include AIX headers for authentication functions and make calls match prototypes. Test for and handle 3-args and 4-arg variants of loginfailed. - - (dtucker) Check return value of setpcred(). + - (dtucker) [session.c] Check return value of setpcred(). + - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h] + Convert aixloginmsg into platform-independant Buffer loginmsg. 20030707 - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before diff --git a/auth-passwd.c b/auth-passwd.c index ea65a012..f078eddd 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -42,6 +42,8 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); #include "log.h" #include "servconf.h" #include "auth.h" +#include "buffer.h" +#include "xmalloc.h" #include "canohost.h" #if !defined(HAVE_OSF_SIA) @@ -79,9 +81,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); #endif /* !HAVE_OSF_SIA */ extern ServerOptions options; -#ifdef WITH_AIXAUTHENTICATE -extern char *aixloginmsg; -#endif +extern Buffer loginmsg; /* * Tries to authenticate the user using password. Returns true if 
@@ -149,15 +149,29 @@ auth_password(Authctxt *authctxt, const char *password)
 # endif
 # ifdef WITH_AIXAUTHENTICATE
 authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+ aix_remove_embedded_newlines(authmsg);
 if (authsuccess) {
+ char *msg;
+ char *host = (char *)get_canonical_hostname(options.use_dns);
+
+ debug3("AIX/authenticate succeeded for user %s: %.100s",
+ pw->pw_name, authmsg);
+
 /* We don't have a pty yet, so just label the line as "ssh" */
- if (loginsuccess(authctxt->user,
- get_canonical_hostname(options.use_dns),
- "ssh", &aixloginmsg) < 0) {
- aixloginmsg = NULL;
+ if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0){
+ if (msg != NULL) {
+ debug("%s: msg %s", __func__, msg);
+ buffer_append(&loginmsg, msg, strlen(msg));
+ xfree(msg);
+ }
 }
+ } else {
+ debug3("AIX/authenticate failed for user %s: %.100s",
+ pw->pw_name, authmsg);
 }
+ if (authmsg != NULL)
+ xfree(authmsg);
 return (authsuccess);
 # endif
diff --git a/auth.c b/auth.c
index 6b48addf..d4768a15 100644
--- a/auth.c
+++ b/auth.c
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 /* Debugging messages */
 Buffer auth_debug;
@@ -75,9 +76,6 @@ allowed_user(struct passwd * pw)
 const char *hostname = NULL, *ipaddr = NULL;
 char *shell;
 int i;
-#ifdef WITH_AIXAUTHENTICATE
- char *loginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
 defined(HAS_SHADOW_EXPIRE)
 struct spwd *spw;
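Review bot: In the auth_password hunk, `authmsg` is handed to both new `debug3()` calls as the `%.100s` argument, yet the hunk itself ends with `if (authmsg != NULL)`, so a NULL message from `authenticate()` would reach the formatter. Guard the argument, for example `authmsg ? authmsg : "(none)"`, or log the message only when it is non-NULL. `char *msg;` is also tested by `if (msg != NULL)` without an initialiser, which relies on `loginsuccess()` always storing to it when it returns 0; declaring `char *msg = NULL;` removes that dependency. auth_password's body starts and ends outside the hunk.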
@@ -206,26 +204,23 @@ allowed_user(struct passwd * pw)
 * PermitRootLogin to control logins via ssh), or if running as
 * non-root user (since loginrestrictions will always fail).
 */
- if ((pw->pw_uid != 0) && (geteuid() == 0) &&
- loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
- int loginrestrict_errno = errno;
-
- if (loginmsg && *loginmsg) {
- /* Remove embedded newlines (if any) */
- char *p;
- for (p = loginmsg; *p; p++) {
- if (*p == '\n')
- *p = ' ';
+ if ((pw->pw_uid != 0) && (geteuid() == 0)) {
+ char *msg;
+
+ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
+ int loginrestrict_errno = errno;
+
+ if (msg && *msg) {
+ buffer_append(&loginmsg, msg, strlen(msg));
+ aix_remove_embedded_newlines(msg);
+ logit("Login restricted for %s: %.100s",
+ pw->pw_name, msg);
 }
- /* Remove trailing newline */
- *--p = '\0';
- logit("Login restricted for %s: %.100s", pw->pw_name,
- loginmsg);
+ /* Don't fail if /etc/nologin set */
+ if (!(loginrestrict_errno == EPERM &&
+ stat(_PATH_NOLOGIN, &st) == 0))
+ return 0;
 }
- /* Don't fail if /etc/nologin set */
- if (!(loginrestrict_errno == EPERM &&
- stat(_PATH_NOLOGIN, &st) == 0))
- return 0;
 }
 #endif /* WITH_AIXAUTHENTICATE */
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index c8d9517b..cc6190cb 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -61,6 +61,28 @@ aix_usrinfo(struct passwd *pw)
 xfree(cp);
 }
+#ifdef WITH_AIXAUTHENTICATE
+/*
+ * Remove embedded newlines in string (if any).
+ * Used before logging messages returned by AIX authentication functions
+ * so the message is logged on one line.
+ */
+void
+aix_remove_embedded_newlines(char *p)
+{
+ if (p == NULL)
+ return;
+
+ for (; *p; p++) {
+ if (*p == '\n')
+ *p = ' ';
+ }
+ /* Remove trailing whitespace */
+ if (*--p == ' ')
+ *p = '\0';
+}
+#endif /* WITH_AIXAUTHENTICATE */
+
 # ifdef CUSTOM_FAILED_LOGIN
 /*
 * record_failed_login: generic "login failed" interface function
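Review bot: In the allowed_user hunk, the `msg` string returned through `loginrestrictions()` is appended to `loginmsg` and logged inside `if (msg && *msg)` but is never released, whereas the auth-passwd.c change in this same commit calls `xfree(msg)` on the string from `loginsuccess()`. If `loginrestrictions()` allocates its message the same way (worth confirming against the AIX documentation), add `xfree(msg);` after the `logit()` call. `char *msg;` is also tested without an initialiser, so the check depends on the callee always writing it; `char *msg = NULL;` makes the test well defined. allowed_user's body starts and ends outside the hunk.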
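Review bot: In `aix_remove_embedded_newlines()` in port-aix.c, an empty string skips the `for` loop entirely, so `if (*--p == ' ')` reads, and may then overwrite, the byte before the start of the buffer. The code removed from auth.c only ran under `loginmsg && *loginmsg`, but the new call in auth_password passes `authmsg` with no emptiness check, so the helper has to cover that case itself: `if (p == NULL || *p == '\0') return;`. The comment says "trailing whitespace" although only a single trailing space is dropped, and carriage returns or other control characters in the message still reach the log line; either narrow the comment or replace those characters too.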
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 2787d919..4627a82f 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -51,4 +51,5 @@ void record_failed_login(const char *user, const char *ttyname);
 #endif
 void aix_usrinfo(struct passwd *pw);
+void aix_remove_embedded_newlines(char *);
 #endif /* _AIX */
diff --git a/session.c b/session.c
index e9cf7e95..4b443831 100644
--- a/session.c
+++ b/session.c
@@ -95,6 +95,7 @@ extern int debug_flag;
 extern u_int utmp_len;
 extern int startup_pipe;
 extern void destroy_sensitive_data(void);
+extern Buffer loginmsg;
 /* original command from peer. */
 const char *original_command = NULL;
@@ -103,10 +104,6 @@ const char *original_command = NULL;
 #define MAX_SESSIONS 10
 Session sessions[MAX_SESSIONS];
-#ifdef WITH_AIXAUTHENTICATE
-char *aixloginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
-
 #ifdef HAVE_LOGIN_CAP
 login_cap_t *lc;
 #endif
@@ -770,10 +767,13 @@ do_login(Session *s, const char *command)
 if (options.use_pam && !is_pam_password_change_required())
 print_pam_messages();
 #endif /* USE_PAM */
-#ifdef WITH_AIXAUTHENTICATE
- if (aixloginmsg && *aixloginmsg)
- printf("%s\n", aixloginmsg);
-#endif /* WITH_AIXAUTHENTICATE */
+
+ /* display post-login message */
+ if (buffer_len(&loginmsg) > 0) {
+ buffer_append(&loginmsg, "\0", 1);
+ printf("%s\n", (char *)buffer_ptr(&loginmsg));
+ }
+ buffer_free(&loginmsg);
 #ifndef NO_SSH_LASTLOG
 if (options.print_lastlog && s->last_login_time != 0) {
diff --git a/sshd.c b/sshd.c
index fafe0c66..14cd4a27 100644
--- a/sshd.c
+++ b/sshd.c
@@ -201,6 +201,9 @@ int startup_pipe; /* in child */
 int use_privsep;
 struct monitor *pmonitor;
+/* message to be displayed after login */
+Buffer loginmsg;
+
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
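Review bot: In the do_login hunk of session.c, `buffer_free(&loginmsg)` releases a process-wide buffer that auth-passwd.c and auth.c append to, and nothing in the hunk re-initialises it afterwards. If do_login or any of those append paths can run again in the same process, the next `buffer_len()` or `buffer_append()` would operate on released storage; `buffer_clear(&loginmsg);` empties the buffer while keeping it usable. A short comment on the `buffer_append(&loginmsg, "\0", 1)` line, such as `/* NUL-terminate so the contents can be printed with %s */`, would explain the extra byte. do_login's body starts and ends outside the hunk.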
@@ -1501,6 +1504,9 @@ main(int ac, char **av)
 packet_set_nonblocking();
+ /* prepare buffers to collect authentication messages */
+ buffer_init(&loginmsg);
+
 if (use_privsep)
 if ((authctxt = privsep_preauth()) != NULL)
 goto authenticated;