- (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]

Move loginrestrictions test to port-aix.c, replace with a generic hook.

ChangeLog

@@ -16,6 +16,8 @@
      Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@
  - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match
    -Wshadow change.
+ - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
+   Move loginrestrictions test to port-aix.c, replace with a generic hook.
 
 20040622
  - (bal) [auth-passwd.c auth1.c] Clean up unused variables.
@@ -1388,4 +1390,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3438 2004/06/23 03:21:54 mouring Exp $
+$Id: ChangeLog,v 1.3439 2004/06/23 03:45:24 dtucker Exp $

auth.c

@@ -203,31 +203,10 @@ allowed_user(struct passwd * pw)
 		ga_free();
 	}
 
-#ifdef WITH_AIXAUTHENTICATE
-	/*
-	 * Don't check loginrestrictions() for root account (use
-	 * PermitRootLogin to control logins via ssh), or if running as
-	 * non-root user (since loginrestrictions will always fail).
-	 */
-	if ((pw->pw_uid != 0) && (geteuid() == 0)) {
-		char *msg;
-
-		if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
-			int loginrestrict_errno = errno;
-
-			if (msg && *msg) {
-				buffer_append(&loginmsg, msg, strlen(msg));
-				aix_remove_embedded_newlines(msg);
-				logit("Login restricted for %s: %.100s",
-				    pw->pw_name, msg);
-			}
-			/* Don't fail if /etc/nologin  set */
-			if (!(loginrestrict_errno == EPERM &&
-			    stat(_PATH_NOLOGIN, &st) == 0))
-				return 0;
-		}
-	}
-#endif /* WITH_AIXAUTHENTICATE */
+#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
+	if (!sys_auth_allowed_user(pw))
+		return 0;
+#endif
 
 	/* We found no reason not to let this user try to log on... */
 	return 1;

openbsd-compat/port-aix.c

@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 
 	return authsuccess;
 }
-  
+
+/*
+ * Check if specified account is permitted to log in.
+ * Returns 1 if login is allowed, 0 if not allowed.
+ */
+int
+sys_auth_allowed_user(struct passwd *pw)
+{
+	char *msg = NULL;
+	int result, permitted = 0;
+	struct stat st;
+
+	/*
+	 * Don't perform checks for root account (PermitRootLogin controls
+	 * logins via * ssh) or if running as non-root user (since
+	 * loginrestrictions will always fail due to insufficient privilege).
+	 */
+	if (pw->pw_uid == 0 || geteuid() != 0) {
+		debug3("%s: not checking");
+		return 1;
+	}
+
+	result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+	if (result == 0)
+		permitted = 1;
+	/*
+	 * If restricted because /etc/nologin exists, the login will be denied
+	 * in session.c after the nologin message is sent, so allow for now
+	 * and do not append the returned message.
+	 */
+	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
+		permitted = 1;
+	else if (msg != NULL)
+		buffer_append(&loginmsg, msg, strlen(msg));
+	if (msg == NULL)
+		msg = xstrdup("(none)");
+	aix_remove_embedded_newlines(msg);
+	debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
+
+	if (!permitted)
+		logit("Login restricted for %s: %.100s", pw->pw_name, msg);
+	xfree(msg);
+	return permitted;
+}
+
 #  ifdef CUSTOM_FAILED_LOGIN
 /*
  * record_failed_login: generic "login failed" interface function

openbsd-compat/port-aix.h

@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */
 
 /*
  *
@@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *);
 
 #ifdef WITH_AIXAUTHENTICATE
 # define CUSTOM_SYS_AUTH_PASSWD 1
+# define CUSTOM_SYS_AUTH_ALLOWED_USER 1
+int sys_auth_allowed_user(struct passwd *);
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
 #endif