- AIX patch from Matt Richards <v2matt@btv.ibm.com> and David Rankin

<drankin@bohemians.lexington.ky.us>

CREDITS

@@ -15,7 +15,7 @@ Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
 Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
 Darren Hall <dhall@virage.org> - AIX patches
 David Agraz <dagraz@jahoopa.com> - Build fixes
-David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, NetBSD fixes
+David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
 Gary E. Miller <gem@rellim.com> - SCO support
 Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - KRB4/AFS config patch
 Jani Hakala <jahakala@cc.jyu.fi> - Patches
@@ -26,6 +26,7 @@ Juergen Keil <jk@tools.de> - scp bugfixing
 Kees Cook <cook@cpoint.net> - scp fixes
 Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
 Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
+Matt Richards <v2matt@btv.ibm.com> - AIX patches
 Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
 Niels Kristian Bech Jensen <nkbj@image.dk> - Assorted patches
 Peter Kocks <peter.kocks@baygate.com> - Makefile fixes

ChangeLog

@@ -2,6 +2,8 @@
  - OpenBSD CVS:
    - [packet.c]
      getsockname() requires initialized tolen; andy@guildsoftware.com
+ - AIX patch from Matt Richards <v2matt@btv.ibm.com> and David Rankin 
+   <drankin@bohemians.lexington.ky.us>
 
 20000122
  - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor

acconfig.h

@@ -12,6 +12,9 @@
 /* Define if you want to disable PAM support */
 #undef DISABLE_PAM
 
+/* Define if you want to disable AIX4's authenticate function */
+#undef WITH_AIXAUTHENTICATE
+
 /* Define if you want to disable lastlog support */
 #undef DISABLE_LASTLOG
 
@@ -30,6 +33,12 @@
 /* Define if using the Dante SOCKS library. */
 #undef HAVE_DANTE
 
+/* Define if using the Socks4 SOCKS library. */
+#undef HAVE_SOCKS4
+
+/* Define if using the Socks5 SOCKS library. */
+#undef HAVE_SOCKS5
+
 /* Define if you want to install preformatted manpages.*/
 #undef MANTYPE
 

auth-passwd.c

@@ -11,13 +11,17 @@
 
 #ifndef USE_PAM
 
-RCSID("$Id: auth-passwd.c,v 1.15 2000/01/06 01:03:13 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.16 2000/01/22 23:32:03 damien Exp $");
 
 #include "packet.h"
 #include "ssh.h"
 #include "servconf.h"
 #include "xmalloc.h"
 
+#ifdef WITH_AIXAUTHENTICATE
+#include <login.h>
+#endif
+
 #ifdef HAVE_SHADOW_H
 # include <shadow.h>
 #endif
@@ -39,6 +43,11 @@ auth_password(struct passwd * pw, const char *password)
 #ifdef HAVE_SHADOW_H
 	struct spwd *spw;
 #endif
+#ifdef WITH_AIXAUTHENTICATE
+	char *authmsg;
+	char *loginmsg;
+	int reenter = 1;
+#endif
 
 	/* deny if no user. */
 	if (pw == NULL)
@@ -56,6 +65,11 @@ auth_password(struct passwd * pw, const char *password)
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
+
+#ifdef WITH_AIXAUTHENTICATE
+	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+#endif
+
 #ifdef KRB4
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb4_password(pw, password);

bsd-misc.c

@@ -47,6 +47,9 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <fcntl.h>
+#ifdef HAVE_STDDEF_H
+#include <stddef.h>
+#endif
 
 #include "xmalloc.h"
 #include "ssh.h"

cipher.c

@@ -12,10 +12,11 @@
  */
 
 #include "includes.h"
-RCSID("$Id: cipher.c,v 1.11 1999/12/14 22:34:31 damien Exp $");
+RCSID("$Id: cipher.c,v 1.12 2000/01/22 23:32:03 damien Exp $");
 
 #include "ssh.h"
 #include "cipher.h"
+#include "config.h"
 
 #ifdef HAVE_OPENSSL
 #include <openssl/md5.h>

configure.in

@@ -518,13 +518,53 @@ dnl Compile with dante SOCKS library
 AC_ARG_WITH(dante,
 	[  --with-dante=DIR        Use Dante SOCKS lib (default is system library path)],
 	[
-		AC_DEFINE(HAVE_DANTE)
+		SAVELIBS="$LIBS"
+		SOCKSLIBS=""
+		SOCKSLIBPATH=""
 		if test "x$withval" != "xno" ; then
 			if test -n $withval ; then
 				LIBS="$LIBS -L$withval"
+				SOCKSLIBPATH="-L$withval"
 			fi
-			LIBS="$LIBS -lsocks"
+			AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_DANTE) SOCKSLIBS="$SOCKSLIBPATH -lsocks")
 		fi
+		LIBS="$SAVELIBS $SOCKSLIBS"
+	]
+)
+
+dnl Compile with SOCKS4 SOCKS library
+AC_ARG_WITH(socks4,
+	[  --with-socks4=DIR        Use Socks4 SOCKS lib (default is system library path)],
+	[
+		SAVELIBS="$LIBS"
+		SOCKSLIBS=""
+		SOCKSLIBPATH=""
+		if test "x$withval" != "xno" ; then
+			if test -n $withval ; then
+				LIBS="$LIBS -L$withval"
+				SOCKSLIBPATH="-L$withval"
+			fi
+			AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_SOCKS4) SOCKSLIBS="$SOCKSLIBPATH -lsocks")
+		fi
+		LIBS="$SAVELIBS $SOCKSLIBS"
+	]
+)
+
+dnl Compile with SOCKS5 SOCKS library
+AC_ARG_WITH(socks5,
+	[  --with-socks5=DIR        Use Socks5 SOCKS lib (default is system library path)],
+	[
+		SAVELIBS="$LIBS"
+		SOCKSLIBS=""
+		SOCKSLIBPATH=""
+		if test "x$withval" != "xno" ; then
+			if test -n $withval ; then
+				LIBS="$LIBS -L$withval"
+				SOCKSLIBPATH="-L$withval"
+			fi
+			AC_CHECK_LIB(socks5, SOCKSconnect, AC_DEFINE(HAVE_SOCKS5) SOCKSLIBS="$SOCKSLIBPATH -lsocks5")
+		fi
+		LIBS="$SAVELIBS $SOCKSLIBS"
 	]
 )
 AC_ARG_WITH(catman,

ssh.c

@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh.c,v 1.17 2000/01/19 03:36:49 damien Exp $");
+RCSID("$Id: ssh.c,v 1.18 2000/01/22 23:32:04 damien Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -217,6 +217,10 @@ main(int ac, char **av)
 	/* Save our own name. */
 	av0 = av[0];
 
+#ifdef SOCKS
+	SOCKSinit(av0);
+#endif /* SOCKS */
+
 	/* Initialize option structure to indicate that no values have been set. */
 	initialize_options(&options);
 

ssh.h

@@ -13,7 +13,7 @@
  * 
  */
 
-/* RCSID("$Id: ssh.h,v 1.24 2000/01/14 04:45:52 damien Exp $"); */
+/* RCSID("$Id: ssh.h,v 1.25 2000/01/22 23:32:04 damien Exp $"); */
 
 #ifndef SSH_H
 #define SSH_H
@@ -752,7 +752,7 @@ extern int IPv4or6;
 #include "auth-pam.h"
 #endif /* USE_PAM */
 
-#ifdef HAVE_DANTE
+#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4)
 /*
  * The following defines map the normal socket operations to SOCKSified
  * versions coming from the Dante SOCKS package.
@@ -795,6 +795,54 @@ ssize_t Rsendto (int, const void *,
             size_t, int, const struct sockaddr *, socklen_t);
 ssize_t Rwrite(int , const void *, size_t );
 ssize_t Rwritev(int , const struct iovec *, int );
-#endif /* HAVE_DANTE */
+#endif /* HAVE_DANTE || HAVE_SOCKS4 */
 
+#if defined(HAVE_SOCKS5) 
+/*
+ * The following defines map the normal socket operations to SOCKSified
+ * versions coming from the SOCKS package.
+ */
+#define accept SOCKSaccept
+#define bind SOCKSbind
+#define bindresvport SOCKSbindresvport
+#define connect SOCKSconnect
+#define gethostbyname SOCKSgethostbyname
+#define gethostbyname2 SOCKSgethostbyname2
+#define getpeername SOCKSgetpeername
+#define getsockname SOCKSgetsockname
+#define read SOCKSread
+#define readv SOCKSreadv
+#define recv SOCKSrecv
+#define recvmsg SOCKSrecvmsg
+#define recvfrom SOCKSrecvfrom
+#define rresvport SOCKSrresvport
+#define send SOCKSsend
+#define sendmsg SOCKSsendmsg
+#define sendto SOCKSsendto
+#define write SOCKSwrite
+#define writev SOCKSwritev
+int     SOCKSaccept (int, struct sockaddr *, socklen_t *);
+int     SOCKSbind (int, const struct sockaddr *, socklen_t);
+int	SOCKSbindresvport(int , struct sockaddr_in *);
+int     SOCKSconnect (int, const struct sockaddr *, socklen_t);
+struct hostent *SOCKSgethostbyname(const char *);
+struct hostent *SOCKSgethostbyname2(const char *, int);
+int     SOCKSgetpeername (int, struct sockaddr *, socklen_t *);
+int     SOCKSgetsockname (int, struct sockaddr *, socklen_t *);
+ssize_t SOCKSread(int , void *, size_t );
+ssize_t SOCKSreadv(int d, const struct iovec *iov, int iovcnt);
+ssize_t SOCKSrecv (int, void *, size_t, int);
+ssize_t SOCKSrecvfrom (int, void *, size_t, int, struct sockaddr *,
+            socklen_t *);
+ssize_t SOCKSsend (int, const void *, size_t, int);
+ssize_t SOCKSsendmsg (int, const struct msghdr *, int);
+ssize_t SOCKSsendto (int, const void *,
+            size_t, int, const struct sockaddr *, socklen_t);
+ssize_t SOCKSwrite(int , const void *, size_t );
+ssize_t SOCKSwritev(int , const struct iovec *, int );
+#endif /* SOCKS5 */
+
+#if defined(DANTE) || defined(SOCKS4) || defined(SOCKS5)
+#define SOCKS
+#endif /* defined(DANTE) || defined(SOCKS4) || defined(SOCKS5) */
 #endif				/* SSH_H */

sshd.c

@@ -1099,6 +1099,9 @@ allowed_user(struct passwd * pw)
 {
 	struct group *grp;
 	int i;
+#ifdef WITH_AIXAUTHENTICATE
+	char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
 
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
 	if (!pw)
@@ -1155,6 +1158,12 @@ allowed_user(struct passwd * pw)
 				return 0;
 		}
 	}
+
+#ifdef WITH_AIXAUTHENTICATE
+	if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+		return 0;
+#endif /* WITH_AIXAUTHENTICATE */
+
 	/* We found no reason not to let this user try to log on... */
 	return 1;
 }
@@ -1179,6 +1188,10 @@ do_authentication()
 
 	setproctitle("%s", user);
 
+#ifdef WITH_AIXAUTHENTICATE
+	char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
+
 #ifdef AFS
 	/* If machine has AFS, set process authentication group. */
 	if (k_hasafs()) {
@@ -1244,6 +1257,9 @@ do_authentication()
 					  get_canonical_hostname());
 	}
 	/* The user has been authenticated and accepted. */
+#ifdef WITH_AIXAUTHENTICATE
+	loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+#endif /* WITH_AIXAUTHENTICATE */
 	packet_start(SSH_SMSG_SUCCESS);
 	packet_send();
 	packet_write_wait();
@@ -1498,8 +1514,7 @@ do_authloop(struct passwd * pw)
 
 		if (authenticated) {
 #ifdef USE_PAM
-			if (!do_pam_account(pw->pw_name, client_user))
-			{
+			if (!do_pam_account(pw->pw_name, client_user)) {
 				if (client_user != NULL)
 					xfree(client_user);
 
@@ -1582,6 +1597,11 @@ do_fake_authloop(char *user)
 		packet_start(SSH_SMSG_FAILURE);
 		packet_send();
 		packet_write_wait();
+#ifdef WITH_AIXAUTHENTICATE 
+		if (strncmp(get_authname(type),"password",
+		    strlen(get_authname(type))) == 0)
+			loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
 	}
 	/* NOTREACHED */
 	abort();
@@ -2423,6 +2443,18 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	if (display)
 		child_set_env(&env, &envsize, "DISPLAY", display);
 
+#ifdef _AIX
+	{
+           char *authstate,*krb5cc;
+
+	   if ((authstate = getenv("AUTHSTATE")) != NULL)
+		 child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+
+	   if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+		 child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+	}
+#endif
+
 #ifdef KRB4
 	{
 		extern char *ticket;
@@ -2444,6 +2476,8 @@ do_child(const char *command, struct passwd * pw, const char *term,
 		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
 			      auth_get_socket_name());
 
+	read_environment_file(&env,&envsize,"/etc/environment");
+
 	/* read $HOME/.ssh/environment. */
 	if (!options.use_login) {
 		snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir);