- Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix

ChangeLog

@@ -9,6 +9,7 @@
 	 after select()
   - 'fixprogs' perl script to eliminate non-working entropy commands, and
 	 optionally run 'ent' to measure command entropy
+ - Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
 
 20000513
  - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz 

acconfig.h

@@ -9,7 +9,7 @@
 /* Define if you want to disable PAM support */
 #undef DISABLE_PAM
 
-/* Define if you want to disable AIX4's authenticate function */
+/* Define if you want to enable AIX4's authenticate function */
 #undef WITH_AIXAUTHENTICATE
 
 /* Define if you want to disable lastlog support */

auth.c

@@ -19,6 +19,9 @@ RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $");
 #include "compat.h"
 #include "channels.h"
 #include "match.h"
+#ifdef HAVE_LOGIN_H
+#include <login.h>
+#endif
 
 #include "bufaux.h"
 #include "ssh2.h"
@@ -111,8 +114,20 @@ allowed_user(struct passwd * pw)
 	}
 
 #ifdef WITH_AIXAUTHENTICATE
-	if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+	if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) {
+		if (loginmsg && *loginmsg) {
+			/* Remove embedded newlines (if any) */
+			char *p;
+			for (p = loginmsg; *p; p++)
+				if (*p == '\n')
+					*p = ' ';
+			/* Remove trailing newline */
+			*--p = '\0';
+			log("Login restricted for %s: %.100s",
+					pw->pw_name, loginmsg);
+		}
 		return 0;
+	}
 #endif /* WITH_AIXAUTHENTICATE */
 
 	/* We found no reason not to let this user try to log on... */

auth1.c

@@ -66,9 +66,7 @@ do_fake_authloop1(char *user)
 	    get_remote_port());
 
 #ifdef WITH_AIXAUTHENTICATE 
-		if (strncmp(get_authname(type),"password",
+	loginfailed(user,get_canonical_hostname(),"ssh");
-		    strlen(get_authname(type))) == 0)
-			loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
 #endif /* WITH_AIXAUTHENTICATE */
 
 	/* Indicate that authentication is needed. */
@@ -408,8 +406,12 @@ do_authloop(struct passwd * pw)
 			client_user = NULL;
 		}
 
-		if (attempt > AUTH_FAIL_MAX)
+		if (attempt > AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE 
+			loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
 			packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
+		}
 
 		/* Send a message indicating that the authentication attempt failed. */
 		packet_start(SSH_SMSG_FAILURE);
@@ -430,7 +432,7 @@ do_authentication()
 	unsigned int ulen;
 	char *user;
 #ifdef WITH_AIXAUTHENTICATE
-	char *loginmsg;
+	extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 
 	/* Get the name of the user that we wish to log in as. */
@@ -501,7 +503,9 @@ do_authentication()
 
 	/* The user has been authenticated and accepted. */
 #ifdef WITH_AIXAUTHENTICATE
-	loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+	/* We don't have a pty yet, so just label the line as "ssh" */
+	if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0)
+		aixloginmsg = NULL;
 #endif /* WITH_AIXAUTHENTICATE */
 	packet_start(SSH_SMSG_SUCCESS);
 	packet_send();

auth2.c

@@ -154,9 +154,9 @@ input_userauth_request(int type, int plen)
 	int authenticated = 0;
 	char *raw, *user, *service, *method, *authmsg = NULL;
 	struct passwd *pw;
-
+#ifdef WITH_AIXAUTHENTICATE
-	if (++attempt == AUTH_FAIL_MAX)
+	extern char *aixloginmsg;
-		packet_disconnect("too many failed userauth_requests");
+#endif /* WITH_AIXAUTHENTICATE */
 
 	raw = packet_get_raw(&rlen);
 	if (plen != rlen)
@@ -164,6 +164,12 @@ input_userauth_request(int type, int plen)
 	user = packet_get_string(&len);
 	service = packet_get_string(&len);
 	method = packet_get_string(&len);
+	if (++attempt == AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE 
+		loginfailed(user,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
+		packet_disconnect("too many failed userauth_requests");
+	}
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 
 	/* XXX we only allow the ssh-connection service */
@@ -211,6 +217,12 @@ input_userauth_request(int type, int plen)
 
 	/* XXX todo: check if multiple auth methods are needed */
 	if (authenticated == 1) {
+#ifdef WITH_AIXAUTHENTICATE
+		/* We don't have a pty yet, so just label the line as "ssh" */
+		if (loginsuccess(user,get_canonical_hostname(),"ssh",
+				&aixloginmsg) < 0)
+			aixloginmsg = NULL;
+#endif /* WITH_AIXAUTHENTICATE */
 		/* turn off userauth */
 		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
 		packet_start(SSH2_MSG_USERAUTH_SUCCESS);

configure.in

@@ -34,6 +34,7 @@ case "$host" in
 	if test "$LD" != "gcc" -a -z "$blibpath"; then
 		blibpath="/usr/lib:/lib:/usr/local/lib"
 	fi
+	AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])
 	AC_DEFINE(BROKEN_GETADDRINFO)
 	;;
 *-*-hpux10*)

login.c

@@ -18,7 +18,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: login.c,v 1.26 2000/05/17 11:34:08 damien Exp $");
+RCSID("$Id: login.c,v 1.27 2000/05/17 12:00:03 damien Exp $");
 
 #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
 # include <utmpx.h>
@@ -53,6 +53,10 @@ unsigned long
 get_last_login_time(uid_t uid, const char *logname,
 		    char *buf, unsigned int bufsize)
 {
+#if defined(WITH_AIXAUTHENTICATE)
+	/* This is done in do_authentication */
+	return (unsigned long) 0;
+#else
 #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
 	struct lastlog ll;
 	char *lastlog;
@@ -132,6 +136,7 @@ get_last_login_time(uid_t uid, const char *logname,
 	return 0;
 # endif /* HAVE_TYPE_IN_UTMP */
 #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(WITH_AIXAUTHENTICATE) */
 }
 
 /*
@@ -246,7 +251,8 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
 	login(&u);
 #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 
-#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
+#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE)
+	/* AIX does this in do_authentication */
 	lastlog = _PATH_LASTLOG;
 
 	/* Update lastlog unless actually recording a logout. */
@@ -276,7 +282,7 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
 			close(fd);
 		}
 	}
-#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
+#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */
 }
 
 /* Records that the user has logged out. */

session.c

@@ -83,6 +83,10 @@ static char *xauthfile;
 /* data */
 #define MAX_SESSIONS 10
 Session	sessions[MAX_SESSIONS];
+#ifdef WITH_AIXAUTHENTICATE
+/* AIX's lastlogin message, set in auth1.c */
+char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
 
 /* Flags set in auth-rsa from authorized_keys flags.  These are set in auth-rsa.c. */
 int no_port_forwarding_flag = 0;
@@ -631,6 +635,15 @@ do_exec_pty(Session *s, const char *command, struct passwd * pw)
 				fclose(f);
 			}
 		}
+#if defined(WITH_AIXAUTHENTICATE)
+		/*
+		 * AIX handles the lastlog info differently.  Display it here.
+		 */
+		if (command == NULL && aixloginmsg && *aixloginmsg &&
+		    !quiet_login && !options.use_login) {
+			printf("%s\n", aixloginmsg);
+		}
+#endif
 		/* Do common processing for the child, such as execing the command. */
 		do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty);
 		/* NOTREACHED */