- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
   loginsuccess on AIX immediately after authentication to clear the failed
   login count.  Previously this would only happen when an interactive
   session starts (ie when a pty is allocated) but this means that accounts
   that have primarily non-interactive sessions (eg scp's) may gradually
   accumulate enough failures to lock out an account.  This change may have
   a side effect of creating two audit records, one with a tty of "ssh"
   corresponding to the authentication and one with the allocated pty per
   interactive session.
This commit is contained in:
Darren Tucker 2006-08-30 22:33:09 +10:00
parent 8ff1da81ec
commit 26d4e19caa
3 changed files with 18 additions and 2 deletions


@ -27,6 +27,15 @@
[version.h] [version.h]
crank to 4.4 crank to 4.4
- (djm) [openbsd-compat/xcrypt.c] needs unistd.h - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
loginsuccess on AIX immediately after authentication to clear the failed
login count. Previously this would only happen when an interactive
session starts (ie when a pty is allocated) but this means that accounts
that have primarily non-interactive sessions (eg scp's) may gradually
accumulate enough failures to lock out an account. This change may have
a side effect of creating two audit records, one with a tty of "ssh"
corresponding to the authentication and one with the allocated pty per
interactive session.
20060824 20060824
- (dtucker) [openbsd-compat/basename.c] Include errno.h. - (dtucker) [openbsd-compat/basename.c] Include errno.h.
@ -5329,4 +5338,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.4517 2006/08/30 07:52:03 djm Exp $ $Id: ChangeLog,v 1.4518 2006/08/30 12:33:09 dtucker Exp $

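--- a/auth.c
+++ b/auth.c
@@ -279,6 +279,11 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 strcmp(method, "challenge-response") == 0))
 record_failed_login(authctxt->user,
 get_canonical_hostname(options.use_dns), "ssh");
+# ifdef WITH_AIXAUTHENTICATE
+if (authenticated)
+sys_auth_record_login(authctxt->user,
+get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+# endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
 if (authenticated == 0 && !authctxt->postponed)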
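Review bot: The new WITH_AIXAUTHENTICATE block has no comment saying why loginsuccess() is now called from auth_log with a tty of "ssh" rather than only when a pty is allocated, so a later reader will take it for a duplicate of the session-time call; I would put `/* Clear the AIX failed-login count as soon as authentication succeeds, so accounts used only non-interactively (e.g. scp) cannot accumulate failures and lock out; the pty path records a second login later (bug #1207). */` directly above `# ifdef WITH_AIXAUTHENTICATE`. Because sys_auth_record_login switches the AIX auth database with aix_setauthdb() before calling loginsuccess(), it presumably needs the privileged side under privilege separation; the hunk does not show which process reaches auth_log, so that is worth confirming rather than assumed. get_canonical_hostname(options.use_dns) is now evaluated twice within a few lines, once for the failure path and once here; hoisting it into a local would keep the two records guaranteed to carry the same host string. auth_log's body starts before and continues past this hunk.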


@ -265,15 +265,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
Buffer *loginmsg) Buffer *loginmsg)
{ {
char *msg = NULL; char *msg = NULL;
static int msg_done = 0;
int success = 0; int success = 0;
aix_setauthdb(user); aix_setauthdb(user);
if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
success = 1; success = 1;
if (msg != NULL) { if (msg != NULL && loginmsg != NULL && !msg_done) {
debug("AIX/loginsuccess: msg %s", msg); debug("AIX/loginsuccess: msg %s", msg);
buffer_append(loginmsg, msg, strlen(msg)); buffer_append(loginmsg, msg, strlen(msg));
xfree(msg); xfree(msg);
msg_done = 1;
} }
} }
aix_restoreauthdb(); aix_restoreauthdb();