Bugzilla – Attachment 239 Details for
Bug 442
sshd allows login via public-key when account locked
Fix PAM case and add configure defs for IRIX
openssh-pwlock7.patch (text/plain), 6.48 KB, created by
Darren Tucker
on 2003-02-24 19:23:05 AEDT
Description:
Fix PAM case and add configure defs for IRIX
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2003-02-24 19:23:05 AEDT
Size:
6.48 KB
patch
obsolete
>Index: acconfig.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v
>retrieving revision 1.148
>diff -u -r1.148 acconfig.h
>--- acconfig.h 28 Jan 2003 00:33:44 -0000 1.148
>+++ acconfig.h 23 Feb 2003 11:09:07 -0000
>@@ -374,6 +374,11 @@
> /* Some systems put this outside of libc */
> #undef HAVE_NANOSLEEP
> 
>+/* Strings used in /etc/passwd to denote locked account */
>+#undef LOCKED_PASSWD_STRING
>+#undef LOCKED_PASSWD_PREFIX
>+#undef LOCKED_PASSWD_SUBSTR
>+
> @BOTTOM@
> 
> /* ******************* Shouldn't need to edit below this line ************** */
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.67
>diff -u -r1.67 auth.c
>--- auth.c 18 Jan 2003 05:24:06 -0000 1.67
>+++ auth.c 24 Feb 2003 08:13:00 -0000
>@@ -72,26 +72,27 @@
> allowed_user(struct passwd * pw)
> {
> struct stat st;
>- const char *hostname = NULL, *ipaddr = NULL;
>+ const char *hostname = NULL, *ipaddr = NULL, *passwd;
> char *shell;
> int i;
> #ifdef WITH_AIXAUTHENTICATE
> char *loginmsg;
> #endif /* WITH_AIXAUTHENTICATE */
>-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
>- !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
> struct spwd *spw;
>- time_t today;
> #endif
> 
> /* Shouldn't be called if pw is NULL, but better safe than sorry... */
> if (!pw || !pw->pw_name)
> return 0;
> 
>-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
>- !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>+ spw = getspnam(pw->pw_name);
>+#if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE)
> #define DAY (24L * 60 * 60) /* 1 day in seconds */
>- if ((spw = getspnam(pw->pw_name)) != NULL) {
>+ if (spw != NULL) {
>+ time_t today;
>+
> today = time(NULL) / DAY;
> debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
> " sp_max %d", (int)today, (int)spw->sp_expire,
>@@ -119,7 +120,40 @@
> return 0;
> }
> }
>+#endif /* !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) */
>+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
>+
>+ /* grab passwd field for locked account check */
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>+ if (spw != NULL)
>+ passwd = spw->sp_pwdp;
>+#else
>+ passwd = pw->pw_passwd;
>+#endif
>+
>+ /* check for locked account */
>+ if (passwd && *passwd) {
>+ int locked = 0;
>+
>+#ifdef LOCKED_PASSWD_STRING
>+ if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
>+ locked = 1;
>+#endif
>+#ifdef LOCKED_PASSWD_PREFIX
>+ if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
>+ strlen(LOCKED_PASSWD_PREFIX)) == 0)
>+ locked = 1;
> #endif
>+#ifdef LOCKED_PASSWD_SUBSTR
>+ if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
>+ locked = 1;
>+#endif
>+ if (locked) {
>+ log("User %.100s not allowed because account is locked",
>+ pw->pw_name);
>+ return 0;
>+ }
>+ }
> 
> /*
> * Get the shell from the password data. An empty shell field is
>Index: configure.ac
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
>retrieving revision 1.109
>diff -u -r1.109 configure.ac
>--- configure.ac 24 Feb 2003 04:45:43 -0000 1.109
>+++ configure.ac 24 Feb 2003 08:18:08 -0000
>@@ -126,6 +126,7 @@
> AC_DEFINE(DISABLE_SHADOW)
> AC_DEFINE(DISABLE_UTMP)
> AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> LIBS="$LIBS -lsec -lsecpw"
> AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
> disable_ptmx_check=yes
>@@ -142,6 +143,7 @@
> AC_DEFINE(DISABLE_SHADOW)
> AC_DEFINE(DISABLE_UTMP)
> AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> LIBS="$LIBS -lsec"
> AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
> ;;
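Review bot: In the locked-account check added after the expiry block, `passwd` is read while indeterminate when shadow support is compiled in but `getspnam()` returned NULL: the `#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)` branch assigns `passwd` only inside `if (spw != NULL)`, and the `*passwd` declaration in the previous hunk carries no initializer. The following `if (passwd && *passwd)` then dereferences an uninitialized pointer, which is undefined behaviour and may either crash sshd or, depending on stack contents, let the lock check be skipped for exactly the accounts where the shadow lookup failed (an account with no shadow entry, or a lookup made without privilege to read the shadow database). Fall back to the passwd-file field so the check always has a string to examine: after `passwd = spw->sp_pwdp;` add `else` / `passwd = pw->pw_passwd;`, or initialise the declaration with `*passwd = NULL` as the other pointers on that line are. allowed_user() begins in the previous hunk and its body continues past this one.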
>@@ -155,6 +157,7 @@
> AC_DEFINE(DISABLE_SHADOW)
> AC_DEFINE(DISABLE_UTMP)
> AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> LIBS="$LIBS -lsec"
> AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
> ;;
>@@ -164,6 +167,7 @@
> PATH="$PATH:/usr/etc"
> AC_DEFINE(BROKEN_INET_NTOA)
> AC_DEFINE(WITH_ABBREV_NO_TTY)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
> ;;
> *-*-irix6*)
> CPPFLAGS="$CPPFLAGS -I/usr/local/include"
>@@ -175,6 +179,7 @@
> AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
> AC_DEFINE(BROKEN_INET_NTOA)
> AC_DEFINE(WITH_ABBREV_NO_TTY)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
> ;;
> *-*-linux*)
> no_dev_ptmx=1
>@@ -183,6 +188,7 @@
> AC_DEFINE(PAM_TTY_KLUDGE)
> AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
> AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
>+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
> inet6_default_4in6=yes
> ;;
> mips-sony-bsd|mips-sony-newsos4)
>@@ -216,6 +222,7 @@
> AC_DEFINE(LOGIN_NEEDS_UTMPX)
> AC_DEFINE(LOGIN_NEEDS_TERM)
> AC_DEFINE(PAM_TTY_KLUDGE)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
> # hardwire lastlog location (can't detect it on some versions)
> conf_lastlog_location="/var/adm/lastlog"
> AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
>@@ -336,6 +343,7 @@
> fi
> fi
> AC_DEFINE(DISABLE_FD_PASSING)
>+ AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
> ;;
> 
> *-*-nto-qnx)
>Index: sshd.8
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.8,v
>retrieving revision 1.151
>diff -u -r1.151 sshd.8
>--- sshd.8 24 Feb 2003 00:52:27 -0000 1.151
>+++ sshd.8 24 Feb 2003 03:35:59 -0000
>@@ -114,6 +114,29 @@
> authentication, RSA challenge-response authentication, or password
> based authentication.
> .Pp
>+Regardless of the authentication type, the account is checked to
>+ensure that it is accessible. An account is not accessible if it is
>+locked, listed in
>+.Cm DenyUsers
>+or its group is listed in
>+.Cm DenyGroups
>+\&. The definition of a locked account is system dependant. Some platforms
>+have their own account database (eg AIX) and some modify the passwd field (
>+.Ql \&*LK\&*
>+on Solaris,
>+.Ql \&*
>+on HP-UX, containing
>+.Ql Nologin
>+on Tru64 and a leading
>+.Ql \&!!
>+on Linux). If there is a requirement to disable password authentication
>+for the account while allowing still public-key, then the passwd field
>+should be set to something other than these values (eg
>+.Ql NP
>+or
>+.Ql \&*NP\&*
>+).
>+.Pp
> Rhosts authentication is normally disabled
> because it is fundamentally insecure, but can be enabled in the server
> configuration file if desired.