From 6545dd0bc687a98c6bf9fac22d00bb463ee42151 Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 30 Aug 2006 12:33:09 +0000 Subject: [PATCH] - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call loginsuccess on AIX immediately after authentication to clear the failed login count. Previously this would only happen when an interactive session starts (ie when a pty is allocated) but this means that accounts that have primarily non-interactive sessions (eg scp's) may gradually accumulate enough failures to lock out an account. This change may have a side effect of creating two audit records, one with a tty of "ssh" corresponding to the authentication and one with the allocated pty per interactive session. --- ChangeLog | 9 +++++++++ auth.c | 5 +++++ openbsd-compat/port-aix.c | 4 +++- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 6eb0086b..8f18cdac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,15 @@ [version.h] crank to 4.4 - (djm) [openbsd-compat/xcrypt.c] needs unistd.h + - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call + loginsuccess on AIX immediately after authentication to clear the failed + login count. Previously this would only happen when an interactive + session starts (ie when a pty is allocated) but this means that accounts + that have primarily non-interactive sessions (eg scp's) may gradually + accumulate enough failures to lock out an account. This change may have + a side effect of creating two audit records, one with a tty of "ssh" + corresponding to the authentication and one with the allocated pty per + interactive session. 20060824 - (dtucker) [openbsd-compat/basename.c] Include errno.h. diff --git a/auth.c b/auth.c index 5a02a436..5da140b0 100644 --- a/auth.c +++ b/auth.c @@ -279,6 +279,11 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) strcmp(method, "challenge-response") == 0)) record_failed_login(authctxt->user, get_canonical_hostname(options.use_dns), "ssh"); +# ifdef WITH_AIXAUTHENTICATE + if (authenticated) + sys_auth_record_login(authctxt->user, + get_canonical_hostname(options.use_dns), "ssh", &loginmsg); +# endif #endif #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index a7ced57e..13a73e87 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -265,15 +265,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm, Buffer *loginmsg) { char *msg = NULL; + static int msg_done = 0; int success = 0; aix_setauthdb(user); if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; - if (msg != NULL) { + if (msg != NULL && loginmsg != NULL && !msg_done) { debug("AIX/loginsuccess: msg %s", msg); buffer_append(loginmsg, msg, strlen(msg)); xfree(msg); + msg_done = 1; } } aix_restoreauthdb(); -- 2.45.1