- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
loginsuccess on AIX immediately after authentication to clear the failed login count. Previously this would only happen when an interactive session starts (ie when a pty is allocated) but this means that accounts that have primarily non-interactive sessions (eg scp's) may gradually accumulate enough failures to lock out an account. This change may have a side effect of creating two audit records, one with a tty of "ssh" corresponding to the authentication and one with the allocated pty per interactive session.
This commit is contained in:
parent
8ff1da81ec
commit
26d4e19caa
11
ChangeLog
11
ChangeLog
|
@ -27,6 +27,15 @@
|
|||
[version.h]
|
||||
crank to 4.4
|
||||
- (djm) [openbsd-compat/xcrypt.c] needs unistd.h
|
||||
- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
|
||||
loginsuccess on AIX immediately after authentication to clear the failed
|
||||
login count. Previously this would only happen when an interactive
|
||||
session starts (ie when a pty is allocated) but this means that accounts
|
||||
that have primarily non-interactive sessions (eg scp's) may gradually
|
||||
accumulate enough failures to lock out an account. This change may have
|
||||
a side effect of creating two audit records, one with a tty of "ssh"
|
||||
corresponding to the authentication and one with the allocated pty per
|
||||
interactive session.
|
||||
|
||||
20060824
|
||||
- (dtucker) [openbsd-compat/basename.c] Include errno.h.
|
||||
|
@ -5329,4 +5338,4 @@
|
|||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.4517 2006/08/30 07:52:03 djm Exp $
|
||||
$Id: ChangeLog,v 1.4518 2006/08/30 12:33:09 dtucker Exp $
|
||||
|
|
5
auth.c
5
auth.c
|
@ -279,6 +279,11 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
|||
strcmp(method, "challenge-response") == 0))
|
||||
record_failed_login(authctxt->user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
# ifdef WITH_AIXAUTHENTICATE
|
||||
if (authenticated)
|
||||
sys_auth_record_login(authctxt->user,
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
|
|
|
@ -265,15 +265,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
|
|||
Buffer *loginmsg)
|
||||
{
|
||||
char *msg = NULL;
|
||||
static int msg_done = 0;
|
||||
int success = 0;
|
||||
|
||||
aix_setauthdb(user);
|
||||
if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
|
||||
success = 1;
|
||||
if (msg != NULL) {
|
||||
if (msg != NULL && loginmsg != NULL && !msg_done) {
|
||||
debug("AIX/loginsuccess: msg %s", msg);
|
||||
buffer_append(loginmsg, msg, strlen(msg));
|
||||
xfree(msg);
|
||||
msg_done = 1;
|
||||
}
|
||||
}
|
||||
aix_restoreauthdb();
|
||||
|
|
Loading…
Reference in New Issue