summaryrefslogtreecommitdiff
path: root/openbsd-compat/port-aix.c
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2004-08-29 21:43:33 +1000
committerDarren Tucker <dtucker@zip.com.au>2004-08-29 21:43:33 +1000
commit5a88d003499744a374ec39279f4c6ec3971b5dab (patch)
tree3610057c95e337697df8d6cdd42088d3c27b2e67 /openbsd-compat/port-aix.c
parentcf59d31761cdc1fdd78f6563d0f9eadc8b4c2f71 (diff)
- (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
accounts with authentication configs that sshd can't support (ie SYSTEM=NONE and AUTH1=something).
Diffstat (limited to 'openbsd-compat/port-aix.c')
-rw-r--r--openbsd-compat/port-aix.c57
1 files changed, 57 insertions, 0 deletions
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 78f4faea..e7eb179e 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,6 +1,7 @@
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
+ * Copyright (c) 2003,2004 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -92,6 +93,59 @@ aix_remove_embedded_newlines(char *p)
}
/*
+ * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
+ * anything other than NONE or SYSTEM, which indicates that the admin has
+ * configured the account for purely AUTH1-type authentication.
+ *
+ * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
+ * AUTH1 itself, in such a case authenticate() will allow access without
+ * authentation, which is almost certainly not what the admin intends.
+ *
+ * (The native tools, eg login, will process the AUTH1 list in addition to
+ * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
+ * have been deprecated since AIX 4.2.x and would be very difficult for sshd
+ * to support.
+ *
+ * Returns 0 if an unsupportable combination is found, 1 otherwise.
+ */
+static int
+aix_valid_authentications(const char *user)
+{
+ char *auth1, *sys, *p;
+ int valid = 1;
+
+ if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
+ logit("Can't retrieve attribute SYSTEM for %s: %.100s",
+ user, strerror(errno));
+ return 0;
+ }
+
+ debug3("AIX SYSTEM attribute %s", sys);
+ if (strcmp(sys, "NONE") != 0)
+ return 1; /* not "NONE", so is OK */
+
+ if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
+ logit("Can't retrieve attribute auth1 for %s: %.100s",
+ user, strerror(errno));
+ return 0;
+ }
+
+ p = auth1;
+ /* A SEC_LIST is concatenated strings, ending with two NULs. */
+ while (p[0] != '\0' && p[1] != '\0') {
+ debug3("AIX auth1 attribute list member %s", p);
+ if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
+ logit("Account %s has unsupported auth1 value '%s'",
+ user, p);
+ valid = 0;
+ }
+ p += strlen(p) + 1;
+ }
+
+ return (valid);
+}
+
+/*
* Do authentication via AIX's authenticate routine. We loop until the
* reenter parameter is 0, but normally authenticate is called only once.
*
@@ -112,6 +166,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
authmsg);
} while (reenter);
+ if (!aix_valid_authentications(name))
+ result = -1;
+
if (result == 0) {
authsuccess = 1;