From fc3454ee6752333ce7af349b71be12aa9cbe4fcc Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 14 Jul 2003 16:41:55 +1000 Subject: [PATCH] - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h] Call setauthdb() before loginfailed(), which may load password registry- specific functions. Based on patch by cawlfiel@us.ibm.com. --- CREDITS | 3 ++- ChangeLog | 5 ++++- configure.ac | 3 ++- openbsd-compat/port-aix.c | 38 ++++++++++++++++++++++++++++++++++++++ openbsd-compat/port-aix.h | 1 + 5 files changed, 47 insertions(+), 3 deletions(-) diff --git a/CREDITS b/CREDITS index 6434e5d35..d52c7cbcb 100644 --- a/CREDITS +++ b/CREDITS @@ -49,6 +49,7 @@ Juergen Keil - scp bugfixing KAMAHARA Junzo - Configure fixes Kees Cook - scp fixes Kenji Miyake - Configure fixes +Kevin Cawlfield - AIX fixes. Kevin O'Connor - RSAless operation Kevin Steves - HP support, bugfixes, improvements Kiyokazu SUTO - Bugfixes @@ -92,5 +93,5 @@ Apologies to anyone I have missed. Damien Miller -$Id: CREDITS,v 1.69 2003/06/28 04:27:29 dtucker Exp $ +$Id: CREDITS,v 1.70 2003/07/14 06:41:55 dtucker Exp $ diff --git a/ChangeLog b/ChangeLog index 884dd6360..28003b960 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ loginfailed at all, so assume 3-arg loginfailed if not declared. - (dtucker) [port-aix.h] Work around name collision on AIX for r_type by undef'ing it. + - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h] + Call setauthdb() before loginfailed(), which may load password registry- + specific functions. Based on patch by cawlfiel@us.ibm.com. 20030708 - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]] @@ -676,4 +679,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2851 2003/07/14 06:26:51 dtucker Exp $ +$Id: ChangeLog,v 1.2852 2003/07/14 06:41:55 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 8a23469ad..516a24437 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.133 2003/07/14 06:21:44 dtucker Exp $ +# $Id: configure.ac,v 1.134 2003/07/14 06:41:55 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -95,6 +95,7 @@ case "$host" in [], [#include ] ) + AC_CHECK_FUNCS(setauthdb) AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(BROKEN_REALPATH) dnl AIX handles lastlog as part of its login message diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 562923720..7a981634b 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -32,6 +32,7 @@ #include #include <../xmalloc.h> +#include "port-aix.h" extern ServerOptions options; @@ -92,12 +93,49 @@ record_failed_login(const char *user, const char *ttyname) { char *hostname = get_canonical_hostname(options.use_dns); + if (geteuid() != 0) + return; + + aix_setauthdb(user); # ifdef AIX_LOGINFAILED_4ARG loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); # else loginfailed((char *)user, hostname, (char *)ttyname); # endif } + +/* + * If we have setauthdb, retrieve the password registry for the user's + * account then feed it to setauthdb. This may load registry-specific method + * code. If we don't have setauthdb or have already called it this is a no-op. + */ +void +aix_setauthdb(const char *user) +{ +# ifdef HAVE_SETAUTHDB + static char *registry = NULL; + + if (registry != NULL) /* have already done setauthdb */ + return; + + if (setuserdb(S_READ) == -1) { + debug3("%s: Could not open userdb to read", __func__); + return; + } + + if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) { + if (setauthdb(registry, NULL) == 0) + debug3("%s: AIX/setauthdb set registry %s", __func__, + registry); + else + debug3("%s: AIX/setauthdb set registry %s failed: %s", + __func__, registry, strerror(errno)); + } else + debug3("%s: Could not read S_REGISTRY for user: %s", __func__, + strerror(errno)); + enduserdb(); +# endif +} # endif /* CUSTOM_FAILED_LOGIN */ #endif /* _AIX */ diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 2e5def54e..25ceb5b19 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -53,6 +53,7 @@ #ifdef WITH_AIXAUTHENTICATE # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *user, const char *ttyname); +void aix_setauthdb(const char *); #endif void aix_usrinfo(struct passwd *pw);