summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rw-r--r--auth-passwd.c28
-rw-r--r--auth.c37
-rw-r--r--openbsd-compat/port-aix.c22
-rw-r--r--openbsd-compat/port-aix.h1
-rw-r--r--session.c16
-rw-r--r--sshd.c6
7 files changed, 78 insertions, 38 deletions
diff --git a/ChangeLog b/ChangeLog
index 58b188eb..89adc126 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,9 @@
- (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
Include AIX headers for authentication functions and make calls match
prototypes. Test for and handle 3-args and 4-arg variants of loginfailed.
- - (dtucker) Check return value of setpcred().
+ - (dtucker) [session.c] Check return value of setpcred().
+ - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
+ Convert aixloginmsg into platform-independant Buffer loginmsg.
20030707
- (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
@@ -668,4 +670,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.2848 2003/07/08 11:01:04 dtucker Exp $
+$Id: ChangeLog,v 1.2849 2003/07/08 12:59:59 dtucker Exp $
diff --git a/auth-passwd.c b/auth-passwd.c
index ea65a012..f078eddd 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -42,6 +42,8 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
#include "log.h"
#include "servconf.h"
#include "auth.h"
+#include "buffer.h"
+#include "xmalloc.h"
#include "canohost.h"
#if !defined(HAVE_OSF_SIA)
@@ -79,9 +81,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
#endif /* !HAVE_OSF_SIA */
extern ServerOptions options;
-#ifdef WITH_AIXAUTHENTICATE
-extern char *aixloginmsg;
-#endif
+extern Buffer loginmsg;
/*
* Tries to authenticate the user using password. Returns true if
@@ -149,15 +149,29 @@ auth_password(Authctxt *authctxt, const char *password)
# endif
# ifdef WITH_AIXAUTHENTICATE
authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+ aix_remove_embedded_newlines(authmsg);
if (authsuccess) {
+ char *msg;
+ char *host = (char *)get_canonical_hostname(options.use_dns);
+
+ debug3("AIX/authenticate succeeded for user %s: %.100s",
+ pw->pw_name, authmsg);
+
/* We don't have a pty yet, so just label the line as "ssh" */
- if (loginsuccess(authctxt->user,
- get_canonical_hostname(options.use_dns),
- "ssh", &aixloginmsg) < 0) {
- aixloginmsg = NULL;
+ if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0){
+ if (msg != NULL) {
+ debug("%s: msg %s", __func__, msg);
+ buffer_append(&loginmsg, msg, strlen(msg));
+ xfree(msg);
+ }
}
+ } else {
+ debug3("AIX/authenticate failed for user %s: %.100s",
+ pw->pw_name, authmsg);
}
+ if (authmsg != NULL)
+ xfree(authmsg);
return (authsuccess);
# endif
diff --git a/auth.c b/auth.c
index 6b48addf..d4768a15 100644
--- a/auth.c
+++ b/auth.c
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
/* import */
extern ServerOptions options;
+extern Buffer loginmsg;
/* Debugging messages */
Buffer auth_debug;
@@ -75,9 +76,6 @@ allowed_user(struct passwd * pw)
const char *hostname = NULL, *ipaddr = NULL;
char *shell;
int i;
-#ifdef WITH_AIXAUTHENTICATE
- char *loginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
defined(HAS_SHADOW_EXPIRE)
struct spwd *spw;
@@ -206,26 +204,23 @@ allowed_user(struct passwd * pw)
* PermitRootLogin to control logins via ssh), or if running as
* non-root user (since loginrestrictions will always fail).
*/
- if ((pw->pw_uid != 0) && (geteuid() == 0) &&
- loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
- int loginrestrict_errno = errno;
-
- if (loginmsg && *loginmsg) {
- /* Remove embedded newlines (if any) */
- char *p;
- for (p = loginmsg; *p; p++) {
- if (*p == '\n')
- *p = ' ';
+ if ((pw->pw_uid != 0) && (geteuid() == 0)) {
+ char *msg;
+
+ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
+ int loginrestrict_errno = errno;
+
+ if (msg && *msg) {
+ buffer_append(&loginmsg, msg, strlen(msg));
+ aix_remove_embedded_newlines(msg);
+ logit("Login restricted for %s: %.100s",
+ pw->pw_name, msg);
}
- /* Remove trailing newline */
- *--p = '\0';
- logit("Login restricted for %s: %.100s", pw->pw_name,
- loginmsg);
+ /* Don't fail if /etc/nologin set */
+ if (!(loginrestrict_errno == EPERM &&
+ stat(_PATH_NOLOGIN, &st) == 0))
+ return 0;
}
- /* Don't fail if /etc/nologin set */
- if (!(loginrestrict_errno == EPERM &&
- stat(_PATH_NOLOGIN, &st) == 0))
- return 0;
}
#endif /* WITH_AIXAUTHENTICATE */
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index c8d9517b..cc6190cb 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -61,6 +61,28 @@ aix_usrinfo(struct passwd *pw)
xfree(cp);
}
+#ifdef WITH_AIXAUTHENTICATE
+/*
+ * Remove embedded newlines in string (if any).
+ * Used before logging messages returned by AIX authentication functions
+ * so the message is logged on one line.
+ */
+void
+aix_remove_embedded_newlines(char *p)
+{
+ if (p == NULL)
+ return;
+
+ for (; *p; p++) {
+ if (*p == '\n')
+ *p = ' ';
+ }
+ /* Remove trailing whitespace */
+ if (*--p == ' ')
+ *p = '\0';
+}
+#endif /* WITH_AIXAUTHENTICATE */
+
# ifdef CUSTOM_FAILED_LOGIN
/*
* record_failed_login: generic "login failed" interface function
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 2787d919..4627a82f 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -51,4 +51,5 @@ void record_failed_login(const char *user, const char *ttyname);
#endif
void aix_usrinfo(struct passwd *pw);
+void aix_remove_embedded_newlines(char *);
#endif /* _AIX */
diff --git a/session.c b/session.c
index e9cf7e95..4b443831 100644
--- a/session.c
+++ b/session.c
@@ -95,6 +95,7 @@ extern int debug_flag;
extern u_int utmp_len;
extern int startup_pipe;
extern void destroy_sensitive_data(void);
+extern Buffer loginmsg;
/* original command from peer. */
const char *original_command = NULL;
@@ -103,10 +104,6 @@ const char *original_command = NULL;
#define MAX_SESSIONS 10
Session sessions[MAX_SESSIONS];
-#ifdef WITH_AIXAUTHENTICATE
-char *aixloginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
-
#ifdef HAVE_LOGIN_CAP
login_cap_t *lc;
#endif
@@ -770,10 +767,13 @@ do_login(Session *s, const char *command)
if (options.use_pam && !is_pam_password_change_required())
print_pam_messages();
#endif /* USE_PAM */
-#ifdef WITH_AIXAUTHENTICATE
- if (aixloginmsg && *aixloginmsg)
- printf("%s\n", aixloginmsg);
-#endif /* WITH_AIXAUTHENTICATE */
+
+ /* display post-login message */
+ if (buffer_len(&loginmsg) > 0) {
+ buffer_append(&loginmsg, "\0", 1);
+ printf("%s\n", (char *)buffer_ptr(&loginmsg));
+ }
+ buffer_free(&loginmsg);
#ifndef NO_SSH_LASTLOG
if (options.print_lastlog && s->last_login_time != 0) {
diff --git a/sshd.c b/sshd.c
index fafe0c66..14cd4a27 100644
--- a/sshd.c
+++ b/sshd.c
@@ -201,6 +201,9 @@ int startup_pipe; /* in child */
int use_privsep;
struct monitor *pmonitor;
+/* message to be displayed after login */
+Buffer loginmsg;
+
/* Prototypes for various functions defined later in this file. */
void destroy_sensitive_data(void);
void demote_sensitive_data(void);
@@ -1501,6 +1504,9 @@ main(int ac, char **av)
packet_set_nonblocking();
+ /* prepare buffers to collect authentication messages */
+ buffer_init(&loginmsg);
+
if (use_privsep)
if ((authctxt = privsep_preauth()) != NULL)
goto authenticated;