From 1fa154bb1e06bfb4f8d6b95f09a6352d38577c57 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 23 Jan 2000 10:32:03 +1100 Subject: [PATCH] - AIX patch from Matt Richards and David Rankin --- CREDITS | 3 ++- ChangeLog | 2 ++ acconfig.h | 9 +++++++++ auth-passwd.c | 16 ++++++++++++++- bsd-misc.c | 3 +++ cipher.c | 3 ++- configure.in | 44 +++++++++++++++++++++++++++++++++++++++-- ssh.c | 6 +++++- ssh.h | 54 ++++++++++++++++++++++++++++++++++++++++++++++++--- sshd.c | 38 ++++++++++++++++++++++++++++++++++-- 10 files changed, 167 insertions(+), 11 deletions(-) diff --git a/CREDITS b/CREDITS index 03910b301..45775a3ef 100644 --- a/CREDITS +++ b/CREDITS @@ -15,7 +15,7 @@ Chun-Chung Chen - RPM fixes Dan Brosemer - Autoconf support, build fixes Darren Hall - AIX patches David Agraz - Build fixes -David Rankin - libwrap, NetBSD fixes +David Rankin - libwrap, AIX, NetBSD fixes Gary E. Miller - SCO support Holger Trapp - KRB4/AFS config patch Jani Hakala - Patches @@ -26,6 +26,7 @@ Juergen Keil - scp bugfixing Kees Cook - scp fixes Kiyokazu SUTO - Bugfixes Marc G. Fournier - Solaris patches +Matt Richards - AIX patches Nalin Dahyabhai - PAM environment patch Niels Kristian Bech Jensen - Assorted patches Peter Kocks - Makefile fixes diff --git a/ChangeLog b/ChangeLog index afc51024a..74b20e8d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - OpenBSD CVS: - [packet.c] getsockname() requires initialized tolen; andy@guildsoftware.com + - AIX patch from Matt Richards and David Rankin + 20000122 - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor diff --git a/acconfig.h b/acconfig.h index c5e6d3ee7..e96b195dc 100644 --- a/acconfig.h +++ b/acconfig.h @@ -12,6 +12,9 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM +/* Define if you want to disable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG 
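Review bot: The comment added above `#undef WITH_AIXAUTHENTICATE` in acconfig.h says the macro disables AIX4's authenticate function, but the rest of the patch compiles the authenticate(), loginrestrictions(), loginsuccess() and loginfailed() calls in only when it is defined. Because this switch selects the password-checking backend, the description should state the real polarity, for example `/* Define if you want to use AIX4's authenticate function */`. The only configure.in hunk in this patch deals with the SOCKS libraries and does not define the macro, so the comment should also say how it is expected to be set.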
@@ -30,6 +33,12 @@ /* Define if using the Dante SOCKS library. */ #undef HAVE_DANTE +/* Define if using the Socks4 SOCKS library. */ +#undef HAVE_SOCKS4 + +/* Define if using the Socks5 SOCKS library. */ +#undef HAVE_SOCKS5 + /* Define if you want to install preformatted manpages.*/ #undef MANTYPE diff --git a/auth-passwd.c b/auth-passwd.c index a8a52ce9a..278212aa5 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -11,13 +11,17 @@ #ifndef USE_PAM -RCSID("$Id: auth-passwd.c,v 1.15 2000/01/06 01:03:13 damien Exp $"); +RCSID("$Id: auth-passwd.c,v 1.16 2000/01/22 23:32:03 damien Exp $"); #include "packet.h" #include "ssh.h" #include "servconf.h" #include "xmalloc.h" +#ifdef WITH_AIXAUTHENTICATE +#include +#endif + #ifdef HAVE_SHADOW_H # include #endif @@ -39,6 +43,11 @@ auth_password(struct passwd * pw, const char *password) #ifdef HAVE_SHADOW_H struct spwd *spw; #endif +#ifdef WITH_AIXAUTHENTICATE + char *authmsg; + char *loginmsg; + int reenter = 1; +#endif /* deny if no user. */ if (pw == NULL) @@ -56,6 +65,11 @@ auth_password(struct passwd * pw, const char *password) /* Fall back to ordinary passwd authentication. */ } #endif + +#ifdef WITH_AIXAUTHENTICATE + return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); +#endif + #ifdef KRB4 if (options.kerberos_authentication == 1) { int ret = auth_krb4_password(pw, password); diff --git a/bsd-misc.c b/bsd-misc.c index 2328e5739..b2c70c680 100644 --- a/bsd-misc.c +++ b/bsd-misc.c @@ -47,6 +47,9 @@ #include #include #include +#ifdef HAVE_STDDEF_H +#include +#endif #include "xmalloc.h" #include "ssh.h" diff --git a/cipher.c b/cipher.c index 64c407e62..5589c24fa 100644 --- a/cipher.c +++ b/cipher.c @@ -12,10 +12,11 @@ */ #include "includes.h" -RCSID("$Id: cipher.c,v 1.11 1999/12/14 22:34:31 damien Exp $"); +RCSID("$Id: cipher.c,v 1.12 2000/01/22 23:32:03 damien Exp $"); #include "ssh.h" #include "cipher.h" +#include "config.h" #ifdef HAVE_OPENSSL #include 
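Review bot: The added `return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);` in auth_password() takes a single call as the final verdict and never reads `reenter` afterwards, so a zero return while the routine still asks to be called again (which is what that out-parameter appears to signal; confirm against the AIX documentation) would be accepted as a successful login. Keep the result in a variable declared with the other locals and finish with `return (rc == 0 && reenter == 0);`, or loop until `reenter` is clear. The text returned through `authmsg` is neither logged nor released, and the `loginmsg` declared in the @@ -39,6 +43,11 hunk is never used. The unconditional return also makes the KRB4 block and everything after it unreachable when WITH_AIXAUTHENTICATE is defined, which deserves a comment if it is intended. auth_password() starts and continues outside these hunks.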
diff --git a/configure.in b/configure.in index 4d414573f..6f5cdafc7 100644 --- a/configure.in +++ b/configure.in @@ -518,13 +518,53 @@ dnl Compile with dante SOCKS library AC_ARG_WITH(dante, [ --with-dante=DIR Use Dante SOCKS lib (default is system library path)], [ - AC_DEFINE(HAVE_DANTE) + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" if test "x$withval" != "xno" ; then if test -n $withval ; then LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" fi - LIBS="$LIBS -lsocks" + AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_DANTE) SOCKSLIBS="$SOCKSLIBPATH -lsocks") fi + LIBS="$SAVELIBS $SOCKSLIBS" + ] +) + +dnl Compile with SOCKS4 SOCKS library +AC_ARG_WITH(socks4, + [ --with-socks4=DIR Use Socks4 SOCKS lib (default is system library path)], + [ + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" + if test "x$withval" != "xno" ; then + if test -n $withval ; then + LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" + fi + AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_SOCKS4) SOCKSLIBS="$SOCKSLIBPATH -lsocks") + fi + LIBS="$SAVELIBS $SOCKSLIBS" + ] +) + +dnl Compile with SOCKS5 SOCKS library +AC_ARG_WITH(socks5, + [ --with-socks5=DIR Use Socks5 SOCKS lib (default is system library path)], + [ + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" + if test "x$withval" != "xno" ; then + if test -n $withval ; then + LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" + fi + AC_CHECK_LIB(socks5, SOCKSconnect, AC_DEFINE(HAVE_SOCKS5) SOCKSLIBS="$SOCKSLIBPATH -lsocks5") + fi + LIBS="$SAVELIBS $SOCKSLIBS" ] ) AC_ARG_WITH(catman, diff --git a/ssh.c b/ssh.c index 2a2fb2d35..bf0ac6bd8 100644 --- a/ssh.c +++ b/ssh.c @@ -11,7 +11,7 @@ */ #include "includes.h" -RCSID("$Id: ssh.c,v 1.17 2000/01/19 03:36:49 damien Exp $"); +RCSID("$Id: ssh.c,v 1.18 2000/01/22 23:32:04 damien Exp $"); #include "xmalloc.h" #include "ssh.h" 
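Review bot: The new --with-socks4 and --with-socks5 blocks copy the unquoted `if test -n $withval` from the dante block, so a bare `--with-socks4` (where autoconf sets withval to `yes`) adds `-Lyes` to the link line, and an empty value makes the test true as well. A relative `-L` entry means the SOCKS library is looked up in whatever directory of that name exists under the build directory, which is not a path the builder chose. Quote the variable and skip the `yes` case in all three blocks: `if test -n "$withval" && test "x$withval" != "xyes" ; then`. Nothing in the hunk stops --with-dante and --with-socks5 from being given together, in which case the two `#if` blocks in ssh.h would apparently both remap the same socket calls.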
@@ -217,6 +217,10 @@ main(int ac, char **av) /* Save our own name. */ av0 = av[0]; +#ifdef SOCKS + SOCKSinit(av0); +#endif /* SOCKS */ + /* Initialize option structure to indicate that no values have been set. */ initialize_options(&options); diff --git a/ssh.h b/ssh.h index 0f3302a69..390f463e5 100644 --- a/ssh.h +++ b/ssh.h @@ -13,7 +13,7 @@ * */ -/* RCSID("$Id: ssh.h,v 1.24 2000/01/14 04:45:52 damien Exp $"); */ +/* RCSID("$Id: ssh.h,v 1.25 2000/01/22 23:32:04 damien Exp $"); */ #ifndef SSH_H #define SSH_H @@ -752,7 +752,7 @@ extern int IPv4or6; #include "auth-pam.h" #endif /* USE_PAM */ -#ifdef HAVE_DANTE +#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4) /* * The following defines map the normal socket operations to SOCKSified * versions coming from the Dante SOCKS package. 
@@ -795,6 +795,54 @@ ssize_t Rsendto (int, const void *, size_t, int, const struct sockaddr *, socklen_t); ssize_t Rwrite(int , const void *, size_t ); ssize_t Rwritev(int , const struct iovec *, int ); -#endif /* HAVE_DANTE */ +#endif /* HAVE_DANTE || HAVE_SOCKS4 */ +#if defined(HAVE_SOCKS5) +/* + * The following defines map the normal socket operations to SOCKSified + * versions coming from the SOCKS package. + */ +#define accept SOCKSaccept +#define bind SOCKSbind +#define bindresvport SOCKSbindresvport +#define connect SOCKSconnect +#define gethostbyname SOCKSgethostbyname +#define gethostbyname2 SOCKSgethostbyname2 +#define getpeername SOCKSgetpeername +#define getsockname SOCKSgetsockname +#define read SOCKSread +#define readv SOCKSreadv +#define recv SOCKSrecv +#define recvmsg SOCKSrecvmsg +#define recvfrom SOCKSrecvfrom +#define rresvport SOCKSrresvport +#define send SOCKSsend +#define sendmsg SOCKSsendmsg +#define sendto SOCKSsendto +#define write SOCKSwrite +#define writev SOCKSwritev +int SOCKSaccept (int, struct sockaddr *, socklen_t *); +int SOCKSbind (int, const struct sockaddr *, socklen_t); +int SOCKSbindresvport(int , struct sockaddr_in *); +int SOCKSconnect (int, const struct sockaddr *, socklen_t); +struct hostent *SOCKSgethostbyname(const char *); +struct hostent *SOCKSgethostbyname2(const char *, int); +int SOCKSgetpeername (int, struct sockaddr *, socklen_t *); +int SOCKSgetsockname (int, struct sockaddr *, socklen_t *); +ssize_t SOCKSread(int , void *, size_t ); +ssize_t SOCKSreadv(int d, const struct iovec *iov, int iovcnt); +ssize_t SOCKSrecv (int, void *, size_t, int); +ssize_t SOCKSrecvfrom (int, void *, size_t, int, struct sockaddr *, + socklen_t *); +ssize_t SOCKSsend (int, const void *, size_t, int); +ssize_t SOCKSsendmsg (int, const struct msghdr *, int); +ssize_t SOCKSsendto (int, const void *, + size_t, int, const struct sockaddr *, socklen_t); +ssize_t SOCKSwrite(int , const void *, size_t ); +ssize_t SOCKSwritev(int , const struct 
iovec *, int ); +#endif /* SOCKS5 */ + +#if defined(DANTE) || defined(SOCKS4) || defined(SOCKS5) +#define SOCKS +#endif /* defined(DANTE) || defined(SOCKS4) || defined(SOCKS5) */ #endif /* SSH_H */ diff --git a/sshd.c b/sshd.c index 7f761bb14..a5cbbfc43 100644 --- a/sshd.c +++ b/sshd.c @@ -1099,6 +1099,9 @@ allowed_user(struct passwd * pw) { struct group *grp; int i; +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) @@ -1155,6 +1158,12 @@ allowed_user(struct passwd * pw) return 0; } } + +#ifdef WITH_AIXAUTHENTICATE + if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + return 0; +#endif /* WITH_AIXAUTHENTICATE */ + /* We found no reason not to let this user try to log on... */ return 1; } @@ -1179,6 +1188,10 @@ do_authentication() setproctitle("%s", user); +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { @@ -1244,6 +1257,9 @@ do_authentication() get_canonical_hostname()); } /* The user has been authenticated and accepted. */ +#ifdef WITH_AIXAUTHENTICATE + loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); +#endif /* WITH_AIXAUTHENTICATE */ packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); @@ -1498,8 +1514,7 @@ do_authloop(struct passwd * pw) if (authenticated) { #ifdef USE_PAM - if (!do_pam_account(pw->pw_name, client_user)) - { + if (!do_pam_account(pw->pw_name, client_user)) { if (client_user != NULL) xfree(client_user); @@ -1582,6 +1597,11 @@ do_fake_authloop(char *user) packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); +#ifdef WITH_AIXAUTHENTICATE + if (strncmp(get_authname(type),"password", + strlen(get_authname(type))) == 0) + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ } /* NOTREACHED */ abort(); 
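Review bot: The `SOCKS` macro added at the end of ssh.h is keyed on `DANTE`, `SOCKS4` and `SOCKS5`, while configure.in and acconfig.h in this same patch define `HAVE_DANTE`, `HAVE_SOCKS4` and `HAVE_SOCKS5`, so a configured build never defines `SOCKS` and the `SOCKSinit(av0);` call added to main() in ssh.c is compiled out. The socket calls are still remapped to the library wrappers by the blocks above, so the client would use them without the library's initialisation step. The guard should read `#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4) || defined(HAVE_SOCKS5)`, after checking that each of the three libraries really provides SOCKSinit. The closing `#endif /* SOCKS5 */` should also name `HAVE_SOCKS5` to match its `#if`.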
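Review bot: In allowed_user() a non-zero `loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg)` returns 0 without logging the reason placed in `loginmsg`, so a refusal by the AIX login policy leaves no audit trail; log the message before returning and release it if the AIX interface hands ownership to the caller. The same pointer is discarded in do_authentication() (@@ -1244,6 +1257,9), where the return value of `loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);` is also ignored. In the @@ -1179,6 +1188,10 hunk `char *loginmsg;` is declared after the `setproctitle("%s", user);` statement, which compilers enforcing C89 block rules reject; move it up with the function's other locals as the allowed_user() hunk does. Both functions start and end outside these hunks.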
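Review bot: The block added to do_fake_authloop(char *user) passes `pw->pw_name` to `loginfailed()`, but this function receives only `user` and, judging by its name, runs for accounts that failed lookup, so `pw` is presumably either not in scope or NULL here; it should be `loginfailed(user,get_canonical_hostname(),"ssh");`. The `strncmp()` is bounded by `strlen(get_authname(type))`, so any returned name that is a prefix of "password", including an empty one, compares equal; `strcmp(get_authname(type),"password") == 0` states what is meant. No matching `loginfailed()` call is added to do_authloop() in this patch, so as far as the diff shows wrong passwords against real accounts are not reported to the AIX failed-login accounting that lockout policy relies on. The function body starts outside the hunk.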
@@ -2423,6 +2443,18 @@ do_child(const char *command, struct passwd * pw, const char *term, if (display) child_set_env(&env, &envsize, "DISPLAY", display); +#ifdef _AIX + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } +#endif + #ifdef KRB4 { extern char *ticket; @@ -2444,6 +2476,8 @@ do_child(const char *command, struct passwd * pw, const char *term, child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, auth_get_socket_name()); + read_environment_file(&env,&envsize,"/etc/environment"); + /* read $HOME/.ssh/environment. */ if (!options.use_login) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir);
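Review bot: `read_environment_file(&env,&envsize,"/etc/environment");` in the @@ -2444,6 +2476,8 hunk sits outside the `#ifdef _AIX` block introduced in the previous hunk, so every platform now imports that file into each session's environment, and it does so before the `if (!options.use_login)` test, that is, for login-based sessions as well. It runs after the variables the daemon has already placed in `env`, so entries in the file may replace them, depending on how child_set_env() treats duplicates, which the hunk does not show. If the call is meant for AIX only, wrap it in `#ifdef _AIX` ... `#endif` and add a comment stating the intended precedence relative to the daemon-set variables and $HOME/.ssh/environment. do_child() starts and continues outside the hunk.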