- (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for

accounts with authentication configs that sshd can't support (ie
   SYSTEM=NONE and AUTH1=something).

ChangeLog

@@ -37,6 +37,9 @@
  - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
    too; patch from cmadams at hiwaay.net.
  - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
+ - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
+   accounts with authentication configs that sshd can't support (ie
+   SYSTEM=NONE and AUTH1=something).
 
 20040828
  - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
@@ -1704,4 +1707,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3535 2004/08/29 11:18:09 dtucker Exp $
+$Id: ChangeLog,v 1.3536 2004/08/29 11:43:33 dtucker Exp $

openbsd-compat/port-aix.c

@@ -1,6 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ * Copyright (c) 2003,2004 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -91,6 +92,59 @@ aix_remove_embedded_newlines(char *p)
 		*p = '\0';
 }
 
+/*
+ * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
+ * anything other than NONE or SYSTEM, which indicates that the admin has
+ * configured the account for purely AUTH1-type authentication.
+ *
+ * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
+ * AUTH1 itself, in such a case authenticate() will allow access without
+ * authentation, which is almost certainly not what the admin intends.
+ *
+ * (The native tools, eg login, will process the AUTH1 list in addition to
+ * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
+ * have been deprecated since AIX 4.2.x and would be very difficult for sshd
+ * to support.
+ *
+ * Returns 0 if an unsupportable combination is found, 1 otherwise.
+ */
+static int
+aix_valid_authentications(const char *user)
+{
+	char *auth1, *sys, *p;
+	int valid = 1;
+
+	if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
+		logit("Can't retrieve attribute SYSTEM for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	debug3("AIX SYSTEM attribute %s", sys);
+	if (strcmp(sys, "NONE") != 0)
+		return 1;	/* not "NONE", so is OK */
+
+	if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
+		logit("Can't retrieve attribute auth1 for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	p = auth1;
+	/* A SEC_LIST is concatenated strings, ending with two NULs. */
+	while (p[0] != '\0' && p[1] != '\0') {
+		debug3("AIX auth1 attribute list member %s", p);
+		if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
+			logit("Account %s has unsupported auth1 value '%s'",
+			    user, p);
+			valid = 0;
+		}
+		p += strlen(p) + 1;
+	}
+
+	return (valid);
+}
+
 /*
  * Do authentication via AIX's authenticate routine.  We loop until the
  * reenter parameter is 0, but normally authenticate is called only once.
@@ -112,6 +166,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 		    authmsg);
 	} while (reenter);
 
+	if (!aix_valid_authentications(name))
+		result = -1;
+
 	if (result == 0) {
 		authsuccess = 1;