openssh 4.6p1 bug / IRIX
Darren Tucker
dtucker at zip.com.au
Sat Mar 24 21:04:27 EST 2007
On Sat, Mar 24, 2007 at 09:19:43AM +0100, g.fischer at ah-online.com wrote:
>
> thanks for the hints.
> i got it done by hardcoding the solution you mentioned. not nice but worked.
>
> maybe the check for the libiaf should be refined.
This diff ought to do it (you will need to run "autoreconf" to rebuild
configure if you try this). It also prevents libiaf from being linked
to anything other than sshd, and then only if it's used.
Hopefully this still works on the platforms that have libiaf (according
to the survey data, this includes UnixWare 2, 6 and 7). Tim?
Index: auth.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/auth.c,v
retrieving revision 1.124
diff -u -p -r1.124 auth.c
--- auth.c 4 Dec 2006 22:08:55 -0000 1.124
+++ auth.c 24 Mar 2007 09:36:16 -0000
@@ -115,11 +115,11 @@ allowed_user(struct passwd * pw)
/* grab passwd field for locked account check */
#ifdef USE_SHADOW
if (spw != NULL)
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
#else
passwd = pw->pw_passwd;
#endif
@@ -141,9 +141,9 @@ allowed_user(struct passwd * pw)
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
free(passwd);
-#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
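Review bot: The `free(passwd)` in this hunk is guarded only by `USE_LIBIAF`, while the first auth.c hunk assigns `get_iaf_password(pw)` only inside `#ifdef USE_SHADOW` and only when `spw != NULL`. On any other path `passwd` would point at `pw->pw_passwd` (the `#else` branch shown there) or at whatever it held before, and freeing that is undefined behaviour in the pre-authentication account check. Whether a libiaf build without `USE_SHADOW`, or a NULL `spw`, can actually occur is not visible here, so this may be latent. Tying the release to the allocation removes the question: guard it with `#if defined(USE_LIBIAF) && defined(USE_SHADOW)` and write `if (spw != NULL) free(passwd);`. allowed_user() starts and ends outside both hunks, so the initial value of `passwd` should be checked against the full function.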
Index: configure.ac
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/configure.ac,v
retrieving revision 1.373
diff -u -p -r1.373 configure.ac
--- configure.ac 21 Mar 2007 10:39:57 -0000 1.373
+++ configure.ac 24 Mar 2007 09:58:23 -0000
@@ -1978,7 +1978,11 @@ fi
# Search for SHA256 support in libc and/or OpenSSL
AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
-AC_CHECK_LIB(iaf, ia_openinfo)
+saved_LIBS="$LIBS"
+AC_CHECK_LIB(iaf, ia_openinfo, [
+ AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf"])
+])
+LIBS="$saved_LIBS"
### Configure cryptographic random number support
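Review bot: Giving `AC_CHECK_LIB(iaf, ia_openinfo, [...])` an action-if-found replaces the macro's default action, so on a libiaf platform `-liaf` is no longer added to `LIBS` and `HAVE_LIBIAF` is no longer defined. The nested `AC_CHECK_FUNCS(set_id, ...)` then links without `-liaf` and fails if `set_id` lives only in that library; even if it succeeds, the new test in defines.h still requires `HAVE_LIBIAF`, so `USE_LIBIAF` would stay undefined. The result would be an sshd that silently drops the `set_id()` call and the IAF locked-account lookup on the platforms that need them. Adding `-liaf` to `LIBS` for the duration of the check and defining `HAVE_LIBIAF` explicitly in the found branch keeps both conditions true; the AC_DEFINE description below is only a suggested wording.
```m4
dnl … unchanged: saved_LIBS="$LIBS" before the check …
AC_CHECK_LIB(iaf, ia_openinfo, [
	LIBS="$LIBS -liaf"
	AC_CHECK_FUNCS(set_id, [
		SSHDLIBS="$SSHDLIBS -liaf"
		AC_DEFINE(HAVE_LIBIAF, 1,
		    [Define if system has libiaf that supports set_id])
	])
])
dnl … unchanged: LIBS="$saved_LIBS" after the check …
```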
Index: defines.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/defines.h,v
retrieving revision 1.138
diff -u -p -r1.138 defines.h
--- defines.h 21 Sep 2006 13:13:30 -0000 1.138
+++ defines.h 24 Mar 2007 09:33:59 -0000
@@ -696,7 +696,8 @@ struct winsize {
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
-#ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(BROKEN_LIBIAF)
+# define USE_LIBIAF
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
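Review bot: `USE_LIBIAF` is defined without a value while the neighbouring `CUSTOM_SYS_AUTH_PASSWD` is defined as 1, and nothing records what the three conditions mean. Writing `# define USE_LIBIAF 1` keeps the two consistent and lets `#if USE_LIBIAF` work as well as `#ifdef`. A one-line comment above the block, such as `/* libiaf is used only when it exists, provides set_id() and is not marked broken */`, would tell a porter which configure results select the IAF code paths in auth.c and session.c.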
Index: session.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v
retrieving revision 1.350
diff -u -p -r1.350 session.c
--- session.c 19 Feb 2007 11:10:25 -0000 1.350
+++ session.c 24 Mar 2007 09:35:07 -0000
@@ -1361,11 +1361,11 @@ do_setusercontext(struct passwd *pw)
# ifdef _AIX
aix_usrinfo(pw);
# endif /* _AIX */
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
if (set_id(pw->pw_name) != 0) {
exit(1);
}
-#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
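Review bot: The `set_id(pw->pw_name)` failure path in this hunk ends in a bare `exit(1)`, so a session that dies here leaves no record of why. Failing closed is the right outcome before `permanently_set_uid(pw)`, but an operator investigating refused logins has nothing to search for. A log line ahead of the exit, for example `logit("set_id(%.100s) failed", pw->pw_name);` in the style auth.c already uses, would make the failure visible. Whether logging is still available at this point in do_setusercontext(), which starts and ends outside the hunk, needs confirming.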
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.