- (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for

accounts with authentication configs that sshd can't support (ie
   SYSTEM=NONE and AUTH1=something).
Darren Tucker 2004-08-29 21:43:33 +10:00
parent cf59d31761
commit 5a88d00349
2 changed files with 61 additions and 1 deletions


@ -37,6 +37,9 @@
- (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
too; patch from cmadams at hiwaay.net.
- (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
- (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
accounts with authentication configs that sshd can't support (ie
SYSTEM=NONE and AUTH1=something).
20040828
- (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
@ -1704,4 +1707,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3535 2004/08/29 11:18:09 dtucker Exp $
$Id: ChangeLog,v 1.3536 2004/08/29 11:43:33 dtucker Exp $


@ -1,6 +1,7 @@
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
* Copyright (c) 2003,2004 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -91,6 +92,59 @@ aix_remove_embedded_newlines(char *p)
*p = '\0';
}
/*
* Test specifically for the case where SYSTEM == NONE and AUTH1 contains
* anything other than NONE or SYSTEM, which indicates that the admin has
* configured the account for purely AUTH1-type authentication.
*
* Since authenticate() doesn't check AUTH1, and sshd can't sanely support
* AUTH1 itself, in such a case authenticate() will allow access without
* authentation, which is almost certainly not what the admin intends.
*
* (The native tools, eg login, will process the AUTH1 list in addition to
* the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
* have been deprecated since AIX 4.2.x and would be very difficult for sshd
* to support.
*
* Returns 0 if an unsupportable combination is found, 1 otherwise.
*/
static int
aix_valid_authentications(const char *user)
{
char *auth1, *sys, *p;
int valid = 1;
if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
logit("Can't retrieve attribute SYSTEM for %s: %.100s",
user, strerror(errno));
return 0;
}
debug3("AIX SYSTEM attribute %s", sys);
if (strcmp(sys, "NONE") != 0)
return 1; /* not "NONE", so is OK */
if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
logit("Can't retrieve attribute auth1 for %s: %.100s",
user, strerror(errno));
return 0;
}
p = auth1;
/* A SEC_LIST is concatenated strings, ending with two NULs. */
while (p[0] != '\0' && p[1] != '\0') {
debug3("AIX auth1 attribute list member %s", p);
if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
logit("Account %s has unsupported auth1 value '%s'",
user, p);
valid = 0;
}
p += strlen(p) + 1;
}
return (valid);
}
/*
* Do authentication via AIX's authenticate routine. We loop until the
* reenter parameter is 0, but normally authenticate is called only once.
@ -112,6 +166,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
authmsg);
} while (reenter);
if (!aix_valid_authentications(name))
result = -1;
if (result == 0) {
authsuccess = 1;
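Review bot: The loop condition in aix_valid_authentications, `while (p[0] != '\0' && p[1] != '\0')`, stops early on a one-character list member, because for an entry such as "x" followed by its own NUL p[1] is already '\0'; that member (and anything after it) is never compared, so a SYSTEM=NONE account whose AUTH1 list starts with a one-character value would be reported as valid and authenticate()'s result would stand. Since the comment above the loop documents the SEC_LIST as NUL-separated strings ending in two NULs, testing for the empty string alone is enough: `while (*p != '\0') {`. In the comparison on the next lines `strcmp(p, "SYSTEM")` is written without the `!= 0` its neighbour uses; `strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM") != 0` reads consistently. In the sys_auth_passwd hunk the new check runs only after the authenticate() loop has completed, which is fail-closed as written because result is forced to -1, but that function starts and ends outside the hunk, so whether an existing non-zero result should be preserved rather than overwritten cannot be confirmed from here.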