AIX openssh patches
David Rankin
drankin at bohemians.lexington.ky.us
Thu Jan 20 21:51:57 EST 2000
On Thu, Jan 20, 2000 at 09:53:10AM +0200, Jarno Huuskonen wrote:
> > > 1) authenticate support - this function allows the system to determine
> > > authentication. Whatever the system allows for login, authenticate
> > > will too. It doesn't matter whether it is AFS, DFS, SecureID, local.
> > > 2) loginsuccess - this function will log to /etc/security/lastlog as
> > > well as clear the failed logins.
> > > 3) loginfailed - this function will increase the number of failed logins
> > > and update /etc/security/lastlog and /etc/security/failedlogins.
> > > 4) loginrestrictions - this function will determine if a user is allowed
> > > to login (i.e. too many failed logins, account disabled, etc). This
> > > function is used in conjunction with authenticate.
> Would it be better to call the loginrestrictions (and maybe passwdexpired)
> from allowed_user, because I think now if the user is authenticated with
> e.g. RSA then no loginrestrictions check is done?
This is a good idea, but instead of moving the loginrestrictions() call,
I just added it to allowed_user. Matt, can you test this and see how well
it works?
David
Index: sshd.c
===================================================================
RCS file: /usr/local/cvs/openssh/sshd.c,v
retrieving revision 1.18
diff -u -r1.18 sshd.c
--- sshd.c 2000/01/17 19:24:22 1.18
+++ sshd.c 2000/01/20 10:38:17
@@ -32,6 +32,10 @@
int deny_severity = LOG_WARNING;
#endif /* LIBWRAP */
+#ifdef WITH_AIXAUTHENTICATE
+#include <login.h>
+#endif /* WITH_AIXAUTHENTICATE */
+
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
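Review bot: The new #include <login.h> block is the only header added for the AIX path, so please confirm that it supplies both the S_LOGIN constant and a prototype for loginrestrictions(), which the second hunk calls with four arguments. If the prototype lives in a different header, that call compiles against an implicit declaration and the &loginmsg argument goes unchecked; in that case add the header inside the same WITH_AIXAUTHENTICATE guard.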
@@ -1102,11 +1106,21 @@
{
struct group *grp;
int i;
+#ifdef WITH_AIXAUTHENTICATE
+ char *loginmsg;
+#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
- if (!pw)
+ if (pw == NULL)
return 0;
+#ifdef WITH_AIXAUTHENTICATE
+ /* On AIX, loginrestrictions() tells us whether the person has been
+ * locked out at the OS level or not. */
+ if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+ return 0;
+#endif /* WITH_AIXAUTHENTICATE
+
/* XXX Should check for valid login shell */
/* Return false if user is listed in DenyUsers */
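Review bot: The last line of the new block, "#endif /* WITH_AIXAUTHENTICATE", never terminates its comment, so the comment runs on until the */ that ends the XXX line below it; add the missing */. In the same block, loginmsg is handed to loginrestrictions() but never read afterwards, so the reason for the refusal is dropped silently at the return 0: log it before returning, and if the call allocates that buffer, release it on both the success and failure paths. The first #endif in this hunk (after the loginmsg declaration) also lacks the trailing guard comment that the other two carry.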