liblogin (was: Re: AIX authenticate patches)

Andre Lucas andre.lucas at dial.pipex.com
Mon May 15 23:04:02 EST 2000


I've not had any feedback on liblogin for a long time, and I've not done
any work on it for a while either. The login.c code in openssh is
workable, does most of what's required, and is actively maintained.

Like any such project, liblogin is only worth doing if it's being used.
I never expected anyone to get excited about it - it is dull, all things
considered - but I heard nothing at all for three months. So, I consider
it an ex-project. It has ceased to be.

I'm sorry I haven't changed the webpage to reflect this, I will do so
tonight.

-Andre'

Tom Bertelson wrote:
> 
> Here are some patches to re-enable support for AIX's authenticate
> routines.  With them, ssh will honor locked & unlocked accounts, record
> successful and unsuccessful logins, and deny accounts that are
> prohibited to log in via the network.  Tested with AIX 4.3.
> 
> It also includes a fix for handling SIGCHLD that may be needed for
> other platforms (HP-UX 10.20, for example).
> 
> If I get the time I'll see about rolling these changes into liblogin,
> where I guess they really belong.
> 
> I didn't include the changes to configure; run "autoconf" to rebuild the
> configure script.
> 
> [Is this the correct method for submitting patches, posting them to the
> list?]
> --
> Tom Bertelson           "Any sufficiently advanced technology
> RHI Consulting           is indistinguishable from magic."
> tbert at abac.com             -- Arthur C. Clarke
> 
>   ------------------------------------------------------------------------
> --- acconfig.h.orig     Tue May  9 09:50:13 2000
> +++ acconfig.h  Tue May  9 09:50:19 2000
> @@ -9,7 +9,7 @@
>  /* Define if you want to disable PAM support */
>  #undef DISABLE_PAM
> 
> -/* Define if you want to disable AIX4's authenticate function */
> +/* Define if you want to enable AIX4's authenticate function */
>  #undef WITH_AIXAUTHENTICATE
> 
>  /* Define if you want to disable lastlog support */
> --- auth.c.orig Wed May 10 16:00:39 2000
> +++ auth.c      Thu May 11 13:11:23 2000
> @@ -19,6 +19,9 @@
>  #include "compat.h"
>  #include "channels.h"
>  #include "match.h"
> +#ifdef HAVE_LOGIN_H
> +#include <login.h>
> +#endif
> 
>  #include "bufaux.h"
>  #include "ssh2.h"
> @@ -111,8 +114,20 @@
>         }
> 
>  #ifdef WITH_AIXAUTHENTICATE
> -       if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
> +       if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) {
> +               if (loginmsg && *loginmsg) {
> +                       /* Remove embedded newlines (if any) */
> +                       char *p;
> +                       for (p = loginmsg; *p; p++)
> +                               if (*p == '\n')
> +                                       *p = ' ';
> +                       /* Remove trailing newline */
> +                       *--p = '\0';
> +                       log("Login restricted for %s: %.100s",
> +                                       pw->pw_name, loginmsg);
> +               }
>                 return 0;
> +       }
>  #endif /* WITH_AIXAUTHENTICATE */
> 
>         /* We found no reason not to let this user try to log on... */
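Review bot: `*--p = '\0';` at the end of the newline-stripping block in the `loginrestrictions` branch drops the last character unconditionally: when the loop finishes `p` is on the terminating NUL, and every '\n' — a trailing one included — has already been turned into ' ', so what is overwritten is whatever the final character was, and a message with no trailing newline loses its last character. Folding the trailing case into the loop removes the extra pointer step: `for (p = loginmsg; *p; p++) if (*p == '\n') *p = (p[1] == '\0') ? '\0' : ' ';` and delete the `*--p = '\0';` line. Whether loginrestrictions() hands back heap memory that should be freed after the log() call is not visible here; a one-line comment on ownership would settle it either way. The enclosing function starts and ends outside the hunk.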
> --- auth1.c.orig        Wed May 10 15:53:51 2000
> +++ auth1.c     Thu May 11 15:13:37 2000
> @@ -66,9 +66,7 @@
>             get_remote_port());
> 
>  #ifdef WITH_AIXAUTHENTICATE
> -               if (strncmp(get_authname(type),"password",
> -                   strlen(get_authname(type))) == 0)
> -                       loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
> +       loginfailed(user,get_canonical_hostname(),"ssh");
>  #endif /* WITH_AIXAUTHENTICATE */
> 
>         /* Indicate that authentication is needed. */
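Review bot: The new `loginfailed(user, ...)` call records the client-supplied name where the removed lines used `pw->pw_name`, so the string the client sent goes into the system's failed-login record as-is; the auth2.c hunk at @@ -164 does the same with its `user`. If the switch is deliberate — presumably because `pw` can be NULL for an unknown account — say so next to the call, e.g. `/* pw may be NULL for unknown users, so record the requested name */`; if not, `pw ? pw->pw_name : user` keeps the validated name when one exists. The removed code also recorded only password failures, while the new line records every failed method that reaches this path, so an account can accumulate failures from methods that never involved its password; worth confirming that is the intended lockout behaviour. The enclosing function starts and ends outside the hunk.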
> @@ -408,8 +406,12 @@
>                         client_user = NULL;
>                 }
> 
> -               if (attempt > AUTH_FAIL_MAX)
> +               if (attempt > AUTH_FAIL_MAX) {
> +#ifdef WITH_AIXAUTHENTICATE
> +                       loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
> +#endif /* WITH_AIXAUTHENTICATE */
>                         packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
> +               }
> 
>                 /* Send a message indicating that the authentication attempt failed. */
>                 packet_start(SSH_SMSG_FAILURE);
> @@ -430,7 +432,7 @@
>         unsigned int ulen;
>         char *user;
>  #ifdef WITH_AIXAUTHENTICATE
> -       char *loginmsg;
> +       extern char *aixloginmsg;
>  #endif /* WITH_AIXAUTHENTICATE */
> 
>         /* Get the name of the user that we wish to log in as. */
> @@ -501,7 +503,9 @@
> 
>         /* The user has been authenticated and accepted. */
>  #ifdef WITH_AIXAUTHENTICATE
> -       loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
> +       /* We don't have a pty yet, so just label the line as "ssh" */
> +       if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0)
> +               aixloginmsg = NULL;
>  #endif /* WITH_AIXAUTHENTICATE */
>         packet_start(SSH_SMSG_SUCCESS);
>         packet_send();
> --- auth2.c.orig        Thu May 11 14:31:01 2000
> +++ auth2.c     Thu May 11 15:16:21 2000
> @@ -154,9 +154,9 @@
>         int authenticated = 0;
>         char *raw, *user, *service, *method, *authmsg = NULL;
>         struct passwd *pw;
> -
> -       if (++attempt == AUTH_FAIL_MAX)
> -               packet_disconnect("too many failed userauth_requests");
> +#ifdef WITH_AIXAUTHENTICATE
> +       extern char *aixloginmsg;
> +#endif /* WITH_AIXAUTHENTICATE */
> 
>         raw = packet_get_raw(&rlen);
>         if (plen != rlen)
> @@ -164,6 +164,12 @@
>         user = packet_get_string(&len);
>         service = packet_get_string(&len);
>         method = packet_get_string(&len);
> +       if (++attempt == AUTH_FAIL_MAX) {
> +#ifdef WITH_AIXAUTHENTICATE
> +               loginfailed(user,get_canonical_hostname(),"ssh");
> +#endif /* WITH_AIXAUTHENTICATE */
> +               packet_disconnect("too many failed userauth_requests");
> +       }
>         debug("userauth-request for user %s service %s method %s", user, service, method);
> 
>         /* XXX we only allow the ssh-connection service */
> @@ -211,6 +217,12 @@
> 
>         /* XXX todo: check if multiple auth methods are needed */
>         if (authenticated == 1) {
> +#ifdef WITH_AIXAUTHENTICATE
> +               /* We don't have a pty yet, so just label the line as "ssh" */
> +               if (loginsuccess(user,get_canonical_hostname(),"ssh",
> +                               &aixloginmsg) < 0)
> +                       aixloginmsg = NULL;
> +#endif /* WITH_AIXAUTHENTICATE */
>                 /* turn off userauth */
>                 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
>                 packet_start(SSH2_MSG_USERAUTH_SUCCESS);
> --- config.h.in.orig    Tue May  9 03:00:57 2000
> +++ config.h.in Wed May 10 15:26:43 2000
> @@ -12,6 +12,9 @@
>  /* Define if you want to disable PAM support */
>  #undef DISABLE_PAM
> 
> +/* Define if you want to enable AIX4's authenticate function */
> +#undef WITH_AIXAUTHENTICATE
> +
>  /* Define if you want to disable lastlog support */
>  #undef DISABLE_LASTLOG
> 
> --- configure.in.orig   Tue May  9 09:53:53 2000
> +++ configure.in        Wed May 10 11:10:59 2000
> @@ -32,6 +32,7 @@
>         if test "$LD" != "gcc" -a -z "$blibpath"; then
>                 blibpath="/usr/lib:/lib:/usr/local/lib"
>         fi
> +       AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])
>         AC_DEFINE(BROKEN_GETADDRINFO)
>         ;;
>  *-*-hpux10*)
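Review bot: `AC_CHECK_FUNC(authenticate, ...)` probes a function the patched code never calls; the calls the patch adds are to `loginrestrictions`, `loginfailed` and `loginsuccess`, so a system that has `authenticate` but not those would pass configure and fail at link time — probing one of the functions actually used, or all three, is the safer test. There is also no `--with`/`--without` switch: WITH_AIXAUTHENTICATE is forced on whenever the probe succeeds, although the acconfig.h comment reads as if it were the user's choice; an AC_ARG_WITH guard around the check would make the comment true. Nothing in the posted hunk produces the `HAVE_LOGIN_H` that auth.c now tests; if the header check is not already elsewhere in configure.in, the new include is never compiled in.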
> --- login.c.orig        Tue May  9 13:11:36 2000
> +++ login.c     Tue May  9 13:10:40 2000
> @@ -53,6 +53,10 @@
>  get_last_login_time(uid_t uid, const char *logname,
>                     char *buf, unsigned int bufsize)
>  {
> +#if defined(WITH_AIXAUTHENTICATE)
> +       /* This is done in do_authentication */
> +       return (unsigned long) 0;
> +#else
>  #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
>         struct lastlog ll;
>         char *lastlog;
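Review bot: The comment `/* This is done in do_authentication */` above the early `return (unsigned long) 0;` is already incomplete within this patch: the SSH2 path records the login from auth2.c's userauth request handler, not from do_authentication. Suggest `/* AIX: recorded by loginsuccess() in auth1.c/auth2.c and shown from aixloginmsg in session.c */`, and the same wording for `/* AIX does this in do_authentication */` in the @@ -242 hunk. The early return also leaves `buf` untouched; whether callers read it on a zero return is not visible here, and if they do, `if (bufsize > 0) buf[0] = '\0';` before the return is cheap. The rest of get_last_login_time lies outside the hunk.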
> @@ -128,6 +132,7 @@
> 
>         return t;
>  #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
> +#endif /* defined(WITH_AIXAUTHENTICATE) */
>  }
> 
>  /*
> @@ -242,7 +247,8 @@
>         login(&u);
>  #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
> 
> -#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
> +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE)
> +       /* AIX does this in do_authentication */
>         lastlog = _PATH_LASTLOG;
> 
>         /* Update lastlog unless actually recording a logout. */
> @@ -272,7 +278,7 @@
>                         close(fd);
>                 }
>         }
> -#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
> +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */
>  }
> 
>  /* Records that the user has logged out. */
> --- serverloop.c.orig   Wed May 10 14:34:00 2000
> +++ serverloop.c        Thu May 11 08:17:17 2000
> @@ -85,7 +85,6 @@
>         int save_errno = errno;
>         debug("Received SIGCHLD.");
>         child_terminated = 1;
> -       signal(SIGCHLD, sigchld_handler2);
>         errno = save_errno;
>  }
> 
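Review bot: Moving `signal(SIGCHLD, sigchld_handler2)` out of the handler and into the main loop (the @@ -640 hunk) leaves a window: on platforms where delivery resets the disposition to SIG_DFL, a second SIGCHLD that arrives after the handler has run but before the loop reaches the re-arm gets the default action, so `child_terminated` is not set and that child is reaped only on some later pass. The cover note says this fixes SIGCHLD handling on HP-UX but not what went wrong with re-arming inside the handler; if the problem is reset-on-delivery semantics, installing the handler once with `sigaction()` and without `SA_RESETHAND` removes the re-arm entirely instead of relocating it. A comment on the moved line explaining why it lives in the loop would help the next reader either way. Both enclosing functions start or end outside the diff.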
> @@ -640,6 +639,7 @@
>                         while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
>                                 session_close_by_pid(pid, status);
>                         child_terminated = 0;
> +                       signal(SIGCHLD, sigchld_handler2);
>                 }
>                 channel_after_select(&readset, &writeset);
>                 process_input(&readset);
> --- session.c.orig      Wed May 10 10:23:59 2000
> +++ session.c   Wed May 10 16:16:06 2000
> @@ -27,6 +27,13 @@
>  #include "ssh2.h"
>  #include "auth.h"
> 
> +#ifndef WCOREFLG
> +#define WCOREFLG               0200
> +#endif
> +#ifndef WCOREDUMP
> +#define WCOREDUMP(stat)                ((stat)&WCOREFLG)
> +#endif
> +
>  /* types */
> 
>  #define TTYSZ 64
> @@ -83,6 +90,10 @@
>  /* data */
>  #define MAX_SESSIONS 10
>  Session        sessions[MAX_SESSIONS];
> +#ifdef WITH_AIXAUTHENTICATE
> +/* AIX's lastlogin message, set in auth1.c */
> +char *aixloginmsg;
> +#endif /* WITH_AIXAUTHENTICATE */
> 
>  /* Flags set in auth-rsa from authorized_keys flags.  These are set in auth-rsa.c. */
>  int no_port_forwarding_flag = 0;
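Review bot: The comment on the new definition, `/* AIX's lastlogin message, set in auth1.c */`, is already out of date within this patch, since auth2.c's userauth handler sets `aixloginmsg` as well. Suggest `/* AIX login message from loginsuccess(); set in auth1.c/auth2.c, printed to the user by the session child */`. The variable is then reached through separate function-scope `extern char *aixloginmsg;` declarations in auth1.c and auth2.c; one declaration in auth.h, which this file already includes, would let the compiler check all three uses against each other. Nothing frees the string; if loginsuccess() allocates it, that is a one-shot allocation in a process that execs, so a short comment saying it is deliberately kept for the child would save a future reviewer the same question.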
> @@ -631,6 +642,15 @@
>                                 fclose(f);
>                         }
>                 }
> +#if defined(WITH_AIXAUTHENTICATE)
> +               /*
> +                * AIX handles the lastlog info differently.  Display it here.
> +                */
> +               if (command == NULL && aixloginmsg && *aixloginmsg &&
> +                   !quiet_login && !options.use_login) {
> +                       printf("%s\n", aixloginmsg);
> +               }
> +#endif
>                 /* Do common processing for the child, such as execing the command. */
>                 do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty);
>                 /* NOTREACHED */
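Review bot: `printf("%s\n", aixloginmsg)` runs in the child immediately before `do_child()`, which execs and does not return (`/* NOTREACHED */`); if stdout is not line-buffered at that point, the buffered message is lost at exec unless do_child() flushes first. The motd code just above uses stdio in the same way, so the existing path may already depend on do_child() flushing — worth checking, and `fflush(stdout);` after the printf is cheap if it does not. A comment noting that the text comes from the system's login records rather than from the client would also help a reader who sees an unfiltered string written to the user's terminal. The enclosing function starts outside the hunk.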
>




