[PATCH] for Re: OSF_SIA bug in 2.3.0p1

John P Speno speno at isc.upenn.edu
Sat Mar 10 07:38:14 EST 2001


On Thu, Mar 01, 2001 at 11:33:11AM -0500, John P Speno wrote:
> The issue is that last login times and /etc/motd are printed from do_login
> in session.c, but session_setup_sia which checks for locked accounts is in
> do_child which runs after do_login. So, if you authenticate yourself but
> your account is locked, you will still see your last login time and
> /etc/motd. What's worse is that the login will be recorded in
> /var/adm/lastlog as if it were a normal successful login (which it really
> isn't, as the account is locked).
> 
> When using SIA on Tru64 UNIX, perhaps it would be "best" if updating and
> printing the last login time was disabled because sia_ses_launch will
> already take care of it (and do it "better" in this case).
> 
> By the same token, perhaps the printing of /etc/motd could be disabled in
> do_login when SIA support is enabled, and moved into session_setup_sia?

Chris (et al):

Could you test these patches on your Tru64 UNIX 4.x and 5.x systems? They
implement the above ideas. In short, do_login is skipped when HAVE_OSF_SIA
is enabled since the things do_login does are also done better in the
Tru64 SIA routines.

Also, session_setup_sia will now show /etc/motd if appropriate. I needed a place to
stick this, and session_setup_sia in auth-sia.c seemed ok at the time. I'm not sure of
that now. Consider this a first draft for changes:

--- session.c	2001/03/01 15:59:54
+++ session.c	2001/03/09 20:22:25
@@ -638,10 +638,11 @@
 		/* Close the extra descriptor for the pseudo tty. */
 		close(ttyfd);
 
+#ifndef HAVE_OSF_SIA
 		/* record login, etc. similar to login(1) */
 		if (!(options.use_login && command == NULL))
 			do_login(s, command);
-
+#endif 
 		/* Do common processing for the child, such as execing the command. */
 		do_child(command, pw, s->term, s->display, s->auth_proto,
 		    s->auth_data, s->tty);
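
Review bot: the `#endif` closing the new `#ifndef HAVE_OSF_SIA` around the do_login call has trailing whitespace and no `/* HAVE_OSF_SIA */` tag, unlike the `#endif /* HAVE_OSF_SIA */` added later in this file; please make the two consistent and keep the blank line before the "Do common processing" comment. Since the guard compiles out the only call shown under the "record login, etc." comment, a short comment here saying that the SIA session routines take over login recording on these builds would keep the next reader from treating it as an omission.
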
@@ -773,6 +774,7 @@
 		else
 			printf("Last login: %s from %s\r\n", time_string, hostname);
 	}
+
 	if (options.print_motd) {
 #ifdef HAVE_LOGIN_CAP
 		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
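
Review bot: whitespace-only change. The blank line added before `if (options.print_motd)` is unrelated to the SIA fix and should be dropped so the patch touches only what it needs to.
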
@@ -1042,7 +1044,7 @@
 	/* login(1) is only called if we execute the login shell */
 	if (options.use_login && command != NULL)
 		options.use_login = 0;
-
+#ifndef HAVE_OSF_SIA
 #ifndef USE_PAM /* pam_nologin handles this */
 	if (!options.use_login) {
 # ifdef HAVE_LOGIN_CAP
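
Review bot: the new `#ifndef HAVE_OSF_SIA` placed directly above `#ifndef USE_PAM` disables the check in this block without saying what replaces it, whereas the PAM line documents its reason ("pam_nologin handles this"). Please add the equivalent comment naming the SIA call that performs this check, so it is clear the check is delegated and not lost. Folding both conditions into one `#if !defined(HAVE_OSF_SIA) && !defined(USE_PAM)` would also avoid a second nesting level and the extra `#endif` further down.
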
@@ -1062,6 +1064,7 @@
 		}
 	}
 #endif /* USE_PAM */
+#endif /* HAVE_OSF_SIA */
 
 	/* Set login name, uid, gid, and groups. */
 	/* Login(1) does this as well, and it needs uid 0 for the "-h"
@@ -1068,7 +1071,7 @@
 	   switch, so we let login(1) to this for us. */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		session_setup_sia(pw->pw_name, ttyname);
+		session_setup_sia(pw->pw_name, ttyname, command==NULL);
 #else /* HAVE_OSF_SIA */
 #ifdef HAVE_CYGWIN
 		if (is_winnt) {
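
Review bot: style point on the new third argument, `command==NULL`: the rest of session.c spaces its comparisons (`command == NULL`, `command != NULL`), so this should read `command == NULL`. The bare boolean is also opaque at the call site; a brief comment that it means "interactive login shell, so show the motd" would help.
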
--- auth-sia.h	2001/03/01 20:43:38
+++ auth-sia.h	2001/03/09 20:22:38
@@ -3,6 +3,6 @@
 #ifdef HAVE_OSF_SIA
 
 int	auth_sia_password(char *user, char *pass);
-void	session_setup_sia(char *user, char *tty);
+void	session_setup_sia(char *user, char *tty, int showmotd);
 
 #endif /* HAVE_OSF_SIA */
--- auth-sia.c 2001/03/01 19:29:24
+++ auth-sia.c 2001/03/09 20:22:51
@@ -51,7 +51,7 @@
 }
 
 void
-session_setup_sia(char *user, char *tty)
+session_setup_sia(char *user, char *tty, int showmotd)
 {
 	int ret;
 	struct passwd *pw;
@@ -88,6 +88,20 @@
 	
 	sia_ses_release(&ent);
 
+        if (showmotd)
+            if (options.print_motd) {
+                    char buf[256];
+                    FILE *f = NULL;
+
+                    f = fopen("/etc/motd", "r");
+
+                    if (f) {
+                            while (fgets(buf, sizeof(buf), f))
+                            fputs(buf, stderr);
+                            fclose(f);
+                    }
+            }
+
 	if (setreuid(geteuid(), geteuid()) < 0)
 		fatal("setreuid failed: %s", strerror (errno));
 }
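
Review bot: in the added motd block, `fputs(buf, stderr)` sends /etc/motd to stderr, while the last-login message in session.c is written with `printf`, i.e. to stdout; unless stderr is intended, use stdout so the output is ordered and redirected the same way as before. The block is also indented with spaces where the surrounding function uses tabs, the `fputs` line is not indented under its `while`, and the outer `if (showmotd)` has no braces around a multi-line body; `if (showmotd && options.print_motd) {` would be simpler. Please also confirm that auth-sia.c already has a declaration of `options` in scope, since no hunk here adds one, and note that the path is hard-coded where session.c goes through `login_getcapstr` under HAVE_LOGIN_CAP.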





More information about the openssh-unix-dev mailing list