Bugzilla – Attachment 534 Details for
Bug 712
ssh does not properly utilize OS specified authentication methods on AIX
[patch] Check AIX accounts for SYSTEM=NONE
openssh-aix-systemauth2.patch (text/plain), 2.48 KB, created by Darren Tucker on 2004-01-22 23:56:37 AEDT
Description: Check AIX accounts for SYSTEM=NONE
Filename: openssh-aix-systemauth2.patch
MIME Type: text/plain
Creator: Darren Tucker
Created: 2004-01-22 23:56:37 AEDT
Size: 2.48 KB
patch, obsolete
>Index: openbsd-compat/port-aix.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.c,v >retrieving revision 1.16 >diff -u -r1.16 port-aix.c >--- openbsd-compat/port-aix.c 22 Nov 2003 03:16:57 -0000 1.16 >+++ openbsd-compat/port-aix.c 23 Jan 2004 06:42:12 -0000 >@@ -99,6 +99,9 @@ > char *authmsg = NULL, *msg; > int authsuccess = 0, reenter, result; > >+ if (!aix_valid_authentications(name)) >+ return 0; >+ > do { > result = authenticate((char *)name, (char *)password, &reenter, > &authmsg); 
>@@ -181,6 +184,51 @@ > # endif /* HAVE_SETAUTHDB */ > } > >+/* XXX: rewrite comment >+ * Since we can't sanely support accounts using non=SYSTEM authentication >+ * settings (ie auth1 != "SYSTEM") then deny the login. Otherwise, you may >+ * get a nasty surprise if you set an account to SYSTEM=NONE and >+ * auth1=[something] as only SYSTEM is checked. >+ * >+ * Returns 0 if non-SYSTEM auth found, 1 otherwise. >+ */ >+int >+aix_valid_authentications(const char *user) >+{ >+ char *auth1, *sys, *p; >+ int valid = 1; >+ >+ if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) { >+ logit("Can't retrieve attribute SYSTEM for %s: %.100s", >+ user, strerror(errno)); >+ return 0; >+ } >+ >+ debug3("AIX SYSTEM attribute %s", sys); >+ if (strcmp(sys, "NONE") != 0) >+ return 1; >+ >+ if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) { >+ logit("Can't retrieve attribute auth1 for %s: %.100s", >+ user, strerror(errno)); >+ return 0; >+ } >+ >+ p = auth1; >+ /* A SEC_LIST is concatenated strings, ending with two NULs. */ >+ while (p[0] != '\0' && p[1] != '\0') { >+ debug3("AIX auth1 attribute list member %s", p); >+ if (strcmp(p, "NONE") != 0) { >+ logit("Account %s has unsupported auth1 value '%s'", >+ user, p); >+ valid = 0; >+ } >+ p += strlen(p) + 1; >+ } >+ >+ return (valid); >+} >+ > # endif /* WITH_AIXAUTHENTICATE */ > > #endif /* _AIX */ >Index: openbsd-compat/port-aix.h >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.h,v >retrieving revision 1.16 >diff -u -r1.16 port-aix.h >--- openbsd-compat/port-aix.h 22 Nov 2003 03:16:57 -0000 1.16 >+++ openbsd-compat/port-aix.h 23 Jan 2004 04:37:55 -0000 >@@ -61,4 +61,5 @@ > int aix_authenticate(const char *, const char *, const char *); > void aix_setauthdb(const char *); > void aix_remove_embedded_newlines(char *); >+int aix_valid_authentications(const char *); > #endif /* _AIX */
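Review bot: the SEC_LIST walk in aix_valid_authentications() (second port-aix.c hunk) can stop before the terminating double NUL: the condition `while (p[0] != '\0' && p[1] != '\0')` also exits on a one-character member, because p[1] is then that member's own terminating NUL, so any member after it is never inspected and `valid` stays 1, meaning an unsupported auth1 value later in the list would pass the check. Looping on `while (*p != '\0')` and advancing with the existing `p += strlen(p) + 1` is sufficient, since the list ends with an empty string. Two smaller points in the same hunk: the `/* XXX: rewrite comment` marker and the "non=SYSTEM" typo should be resolved before this is committed, and the comment describes the rejected case as auth1 != "SYSTEM" while the code passes any account with SYSTEM != NONE and, for SYSTEM=NONE, rejects only auth1 members other than "NONE"; the comment should state that actual logic so the next reader does not have to infer it.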