AIX lastlog change

K.Wolkersdorfer at fz-juelich.de
Sat Nov 10 03:02:56 EST 2001


Hi David,

I'm sure loginfailed(..) should be called immediately after
authenticate(..) returns an error. It is directly related
to an invalid password try. (Please see my attached mail from May 2001
to the list.)
I'm not so sure when loginsuccess(..) should be called
(setting the loginfailed counter to zero):
Either
1) when somebody logs in successfully using all kinds
   of valid openssh-login mechanisms
or
2) when somebody logs in successfully WITH the correct password ONLY

Probably 2) would be correct, but we could live with 1) also
as it works now.

Best regards from Germany

Klaus
---------------------------------------------------------------------------
From: K.Wolkersdorfer at fz-juelich.de
Date: Mon, 21 May 2001 14:08:00 +0000
Reply-To: K.Wolkersdorfer at fz-juelich.de
To: openssh-unix-dev at mindrot.org
Subject: openssh-2.9p1 bug: loginfailed() with AIX 4.3.3

Hi,

First, let me thank you for all the excellent work with openssh!

Bug-Description (for AIX - current release 4.3.3 - only):

  During password-authentication if a user enters a wrong
  password, the failed attempt is not at all recorded in
  /etc/security/lastlog, although the loginfailed()
  subroutine in auth1.c is supposed to do that.

Suggestion:

  In AIX the loginfailed() subroutine should be called
  if and only if
  the user enters a wrong password:
  From man loginfailed:
  ..."A login failure audit record is cut to indicate that
   an unsuccessful login attempt occurred. A utmp entry
   is appended to /etc/security/failedlogin file,
   which tracks all failed login attempts." ...

  So it seems that in auth1.c the loginfailed() subroutine
  is in the wrong place. It should be immediately after
  the password authentication.

Bug-Fix:

  The following fix works for us:
------------------------------------------------------------------------
  diff auth-passwd.c.orig auth-passwd.c
151c151,160
<       return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
---
>         { int iau;
>       iau = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
>         debug("auth-passwd (FZJ-authenticate): rc: %d msg: %s", iau,
authmsg);
>         if (iau)
>            return 1;
>         loginfailed(authctxt->user,
>                     get_canonical_hostname(options.reverse_mapping_check),
>                     "ssh");
>         return 0;
>         }
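Review bot: the debug() call in this hunk hands authmsg to a %s conversion unconditionally, but the message pointer filled in by AIX authenticate() may be NULL (including on the success path, which this code still logs before its early `return 1`), and the string it does allocate is never freed; print it as `authmsg ? authmsg : "(none)"` and free(authmsg) before each return. Two smaller points: the `iau = (authenticate(...) == 0);` line is indented inconsistently with the rest of the inserted block, and the success branch returns without a matching loginsuccess() call, so the failed-login count that this patch starts recording in /etc/security/failedlogin is never reset by a correct password, which is exactly the open question raised in the covering mail.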
-------------------------------------------------------------------------



-- 
Klaus Wolkersdorfer                     (K.Wolkersdorfer at fz-juelich.de)
Zentralinstitut fuer Angewandte Mathematik (ZAM)  Tel: +49-2461-61-6579
John von Neumann - Institute for Computing (NIC)  Fax:            -6656
Forschungszentrum Juelich GmbH, D-52425 Juelich,  Germany
