187 lines
5.0 KiB
C
187 lines
5.0 KiB
C
/*
|
|
*
|
|
* Copyright (c) 2001 Gert Doering. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
*/
|
|
#include "includes.h"
|
|
#include "ssh.h"
|
|
#include "log.h"
|
|
#include "servconf.h"
|
|
#include "canohost.h"
|
|
#include "xmalloc.h"
|
|
#include "buffer.h"
|
|
|
|
#ifdef _AIX
|
|
|
|
#include <uinfo.h>
|
|
#include "port-aix.h"
|
|
|
|
extern ServerOptions options;
|
|
extern Buffer loginmsg;
|
|
|
|
/*
|
|
* AIX has a "usrinfo" area where logname and other stuff is stored -
|
|
* a few applications actually use this and die if it's not set
|
|
*
|
|
* NOTE: TTY= should be set, but since no one uses it and it's hard to
|
|
* acquire due to privsep code. We will just drop support.
|
|
*/
|
|
void
|
|
aix_usrinfo(struct passwd *pw)
|
|
{
|
|
u_int i;
|
|
size_t len;
|
|
char *cp;
|
|
|
|
len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
|
|
cp = xmalloc(len);
|
|
|
|
i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
|
|
pw->pw_name, '\0');
|
|
if (usrinfo(SETUINFO, cp, i) == -1)
|
|
fatal("Couldn't set usrinfo: %s", strerror(errno));
|
|
debug3("AIX/UsrInfo: set len %d", i);
|
|
|
|
xfree(cp);
|
|
}
|
|
|
|
# ifdef WITH_AIXAUTHENTICATE
|
|
/*
|
|
* Remove embedded newlines in string (if any).
|
|
* Used before logging messages returned by AIX authentication functions
|
|
* so the message is logged on one line.
|
|
*/
|
|
void
|
|
aix_remove_embedded_newlines(char *p)
|
|
{
|
|
if (p == NULL)
|
|
return;
|
|
|
|
for (; *p; p++) {
|
|
if (*p == '\n')
|
|
*p = ' ';
|
|
}
|
|
/* Remove trailing whitespace */
|
|
if (*--p == ' ')
|
|
*p = '\0';
|
|
}
|
|
|
|
/*
|
|
* Do authentication via AIX's authenticate routine. We loop until the
|
|
* reenter parameter is 0, but normally authenticate is called only once.
|
|
*
|
|
* Note: this function returns 1 on success, whereas AIX's authenticate()
|
|
* returns 0.
|
|
*/
|
|
int
|
|
aix_authenticate(const char *name, const char *password, const char *host)
|
|
{
|
|
char *authmsg = NULL, *msg;
|
|
int authsuccess = 0, reenter, result;
|
|
|
|
do {
|
|
result = authenticate((char *)name, (char *)password, &reenter,
|
|
&authmsg);
|
|
aix_remove_embedded_newlines(authmsg);
|
|
debug3("AIX/authenticate result %d, msg %.100s", result,
|
|
authmsg);
|
|
} while (reenter);
|
|
|
|
if (result == 0) {
|
|
authsuccess = 1;
|
|
|
|
/* No pty yet, so just label the line as "ssh" */
|
|
aix_setauthdb(name);
|
|
if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
|
|
if (msg != NULL) {
|
|
debug("%s: msg %s", __func__, msg);
|
|
buffer_append(&loginmsg, msg, strlen(msg));
|
|
xfree(msg);
|
|
}
|
|
}
|
|
}
|
|
|
|
if (authmsg != NULL)
|
|
xfree(authmsg);
|
|
|
|
return authsuccess;
|
|
}
|
|
|
|
# ifdef CUSTOM_FAILED_LOGIN
|
|
/*
|
|
* record_failed_login: generic "login failed" interface function
|
|
*/
|
|
void
|
|
record_failed_login(const char *user, const char *ttyname)
|
|
{
|
|
char *hostname = (char *)get_canonical_hostname(options.use_dns);
|
|
|
|
if (geteuid() != 0)
|
|
return;
|
|
|
|
aix_setauthdb(user);
|
|
# ifdef AIX_LOGINFAILED_4ARG
|
|
loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH);
|
|
# else
|
|
loginfailed((char *)user, hostname, (char *)ttyname);
|
|
# endif
|
|
}
|
|
# endif /* CUSTOM_FAILED_LOGIN */
|
|
|
|
/*
|
|
* If we have setauthdb, retrieve the password registry for the user's
|
|
* account then feed it to setauthdb. This may load registry-specific method
|
|
* code. If we don't have setauthdb or have already called it this is a no-op.
|
|
*/
|
|
void
|
|
aix_setauthdb(const char *user)
|
|
{
|
|
# ifdef HAVE_SETAUTHDB
|
|
static char *registry = NULL;
|
|
|
|
if (registry != NULL) /* have already done setauthdb */
|
|
return;
|
|
|
|
if (setuserdb(S_READ) == -1) {
|
|
debug3("%s: Could not open userdb to read", __func__);
|
|
return;
|
|
}
|
|
|
|
if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) {
|
|
if (setauthdb(registry, NULL) == 0)
|
|
debug3("%s: AIX/setauthdb set registry %s", __func__,
|
|
registry);
|
|
else
|
|
debug3("%s: AIX/setauthdb set registry %s failed: %s",
|
|
__func__, registry, strerror(errno));
|
|
} else
|
|
debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
|
|
strerror(errno));
|
|
enduserdb();
|
|
# endif /* HAVE_SETAUTHDB */
|
|
}
|
|
|
|
# endif /* WITH_AIXAUTHENTICATE */
|
|
|
|
#endif /* _AIX */
|