[openssh-unix-dev] Re: AIX lastlog change?

[David Bronder]

In playing with this some, it seems like the right place for the AIX
loginsuccess() call would be with the rest of the lastlog stuff, but
it looked to me like it'd be ugly to make that happen.  So I'm looking
at two alternatives; but since I'm not that familiar with the intended
extent of purpose of the functions below, I'm not sure which is the
better choice.

1) Take the loginsuccess() out of do_authentication() in auth1.c and
   add it to do_authenticated() in session.c to provide for both
   protocol versions (as described below).

2) Take the loginsuccess() out of do_authentication() in auth1.c and
   add it to auth_log() in auth.c with appropriate conditional based
   on the "authenticated" argument.

I'm leaning toward the second one at the moment, in part because I'd
also like to move the loginfailed() call currently in do_authloop()
in auth1.c into auth_log() as well.  In the current location, it not
only doesn't cover protocol 2, but it never seems to get called since
the connection is closed before enough login failures occur.  If it's
in auth_log(), the right AIX call can be made regardless of what kind
of authentication or protocol is used.

Can anyone offer some insight for me?

Thanks,
=Dave

Damien Miller wrote:
> 
> On Thu, 27 Sep 2001, David Bronder wrote:
> 
> > Somewhere between 2.9p1 and 2.9.9p2 there was a change to auth2.c that
> > removed the userauth_reply() function.  There were a few lines of code
> > in that function, #ifdef'd with WITH_AIXAUTHENTICATE, that handled the
> > AIX method of lastlog type stuff (specifically, a loginsuccess() call).
> > There is a similar call in auth1.c, down in do_authentication(), which
> > is still there in 2.9.9p2.
> > 
> > So with 2.9.9p2, the lastlog stuff is handled properly if you connect
> > with protocol version 1, but not with protocol version 2.  Looking at
> > the code a little, maybe this can be moved into do_authenticated() in
> > session.c covering both the protocol versions.  There's already other
> > WITH_AIXAUTHENTICATE code in there, too.  Not being familiar with the
> > "proper" place for various steps, I don't know if this is the correct
> > place, though.
> > 
> > If that would be considered the right place for it, I can throw out a
> > quick patch, I guess.
> 
> Yes please :)
> 
> -d
> 
> -- 
> | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's 
> | http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
> 


-- 
Hello World.                                    David Bronder - Systems Admin
Segmentation Fault                                     ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu