[PATCH] for Re: OSF_SIA bug in 2.3.0p1
John P Speno
speno at isc.upenn.edu
Sat Mar 10 07:38:14 EST 2001
On Thu, Mar 01, 2001 at 11:33:11AM -0500, John P Speno wrote:
> The issue is that last login times and /etc/motd are printed from do_login
> in session.c, but session_setup_sia which checks for locked accounts is in
> do_child which runs after do_login. So, if you authenticate yourself but
> your account is locked, you will still see your last login time and
> /etc/motd. What's worse is that the login will be recorded in
> /var/adm/lastlog as if it were a normal successful login (which it really
> isn't, as the account is locked).
>
> When using SIA on Tru64 UNIX, perhaps it would be "best" if updating and
> printing the last login time was disabled because sia_ses_launch will
> already take care of it (and do it "better" in this case).
>
> By the same token, perhaps the printing of /etc/motd could be disabled in
> do_login when SIA support is enabled, and moved into session_setup_sia?

Chris (et al):

Could you test these patches on your Tru64 UNIX 4.x and 5.x systems? They
implement the above ideas. In short, do_login is skipped when HAVE_OSF_SIA
is enabled since the things do_login does are also done better in the
Tru64 SIA routines.

Also, session_setup_sia will now show /etc/motd if appropriate. I needed a place to
stick this, and session_setup_sia in auth-sia.c seemed ok at the time. I'm not sure of
that now. Consider this a first draft for changes:

--- session.c 2001/03/01 15:59:54
+++ session.c 2001/03/09 20:22:25
@@ -638,10 +638,11 @@
/* Close the extra descriptor for the pseudo tty. */
close(ttyfd);
+#ifndef HAVE_OSF_SIA
/* record login, etc. similar to login(1) */
if (!(options.use_login && command == NULL))
do_login(s, command);
-
+#endif
/* Do common processing for the child, such as execing the command. */
do_child(command, pw, s->term, s->display, s->auth_proto,
s->auth_data, s->tty);
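Review bot: The new #ifndef HAVE_OSF_SIA around the do_login call carries no comment saying why the call is compiled out, and it makes the skip unconditional for every SIA build, so recording the login now depends entirely on the SIA session code reached later through do_child. Suggest a one-line comment above the #ifndef stating that sia_ses_launch records the login and prints the last login time itself, and a commented "#endif /* !HAVE_OSF_SIA */" so the guard is easy to match. The hunk also deletes the blank line that separated this block from the do_child comment; keep it after the #endif.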
@@ -773,6 +774,7 @@
else
printf("Last login: %s from %s\r\n", time_string, hostname);
}
+
if (options.print_motd) {
#ifdef HAVE_LOGIN_CAP
f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
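Review bot: The only change in this hunk is an added blank line before "if (options.print_motd) {", which is unrelated to the SIA fix. Drop it so the diff to session.c contains only the functional changes.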
@@ -1042,7 +1044,7 @@
/* login(1) is only called if we execute the login shell */
if (options.use_login && command != NULL)
options.use_login = 0;
-
+#ifndef HAVE_OSF_SIA
#ifndef USE_PAM /* pam_nologin handles this */
if (!options.use_login) {
# ifdef HAVE_LOGIN_CAP
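Review bot: The #ifndef HAVE_OSF_SIA added above "#ifndef USE_PAM" compiles out a block that the cover text does not mention; the message only describes skipping do_login and moving the motd. The existing USE_PAM line names what replaces the check ("pam_nologin handles this"), and the new line should do the same for SIA, with that behaviour confirmed during the 4.x and 5.x testing. The blank line after "options.use_login = 0;" is replaced rather than kept; leave it in and put the #ifndef below it.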
@@ -1062,6 +1064,7 @@
}
}
#endif /* USE_PAM */
+#endif /* HAVE_OSF_SIA */
/* Set login name, uid, gid, and groups. */
/* Login(1) does this as well, and it needs uid 0 for the "-h"
@@ -1068,7 +1071,7 @@
switch, so we let login(1) to this for us. */
if (!options.use_login) {
#ifdef HAVE_OSF_SIA
- session_setup_sia(pw->pw_name, ttyname);
+ session_setup_sia(pw->pw_name, ttyname, command==NULL);
#else /* HAVE_OSF_SIA */
#ifdef HAVE_CYGWIN
if (is_winnt) {
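Review bot: In the changed call, "command==NULL" is written without spaces, while the unchanged lines of session.c in this patch use "command == NULL" and "command != NULL". Write it as session_setup_sia(pw->pw_name, ttyname, command == NULL); to match.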
--- auth-sia.h 2001/03/01 20:43:38
+++ auth-sia.h 2001/03/09 20:22:38
@@ -3,6 +3,6 @@
#ifdef HAVE_OSF_SIA
int auth_sia_password(char *user, char *pass);
-void session_setup_sia(char *user, char *tty);
+void session_setup_sia(char *user, char *tty, int showmotd);
#endif /* HAVE_OSF_SIA */
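Review bot: The new third parameter in the prototype is undocumented; showmotd is a boolean passed as int and the header gives no hint what the caller should pass. Add a short comment saying it is non-zero when no command was given and /etc/motd may be printed, which is what the call in session.c passes.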
--- auth-sia.c 2001/03/01 19:29:24
+++ auth-sia.c 2001/03/09 20:22:51
@@ -51,7 +51,7 @@
}
void
-session_setup_sia(char *user, char *tty)
+session_setup_sia(char *user, char *tty, int showmotd)
{
int ret;
struct passwd *pw;
@@ -88,6 +88,20 @@
sia_ses_release(&ent);
+ if (showmotd)
+ if (options.print_motd) {
+ char buf[256];
+ FILE *f = NULL;
+
+ f = fopen("/etc/motd", "r");
+
+ if (f) {
+ while (fgets(buf, sizeof(buf), f))
+ fputs(buf, stderr);
+ fclose(f);
+ }
+ }
+
if (setreuid(geteuid(), geteuid()) < 0)
fatal("setreuid failed: %s", strerror (errno));
}
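Review bot: The added motd block writes to stderr with fputs(buf, stderr), whereas the session.c code shown earlier in this patch prints the last login line with printf, that is to stdout; unless stderr is intended, use stdout so the banner goes to the same stream as the rest of the login output. The nested "if (showmotd)" followed by "if (options.print_motd) {" has no braces on the outer if and is fragile; write it as a single if (showmotd && options.print_motd) {. The block also relies on options being visible in auth-sia.c and no hunk adds a declaration, so check that one is already in scope. Note too that the path is hard-coded to /etc/motd here, while session.c obtains it through login_getcapstr under HAVE_LOGIN_CAP.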