

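--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,6 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ * Copyright (c) 2003,2004 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -92,6 +93,59 @@ aix_remove_embedded_newlines(char *p)
 }
 
 /*
+ * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
+ * anything other than NONE or SYSTEM, which indicates that the admin has
+ * configured the account for purely AUTH1-type authentication.
+ *
+ * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
+ * AUTH1 itself, in such a case authenticate() will allow access without
+ * authentation, which is almost certainly not what the admin intends.
+ *
+ * (The native tools, eg login, will process the AUTH1 list in addition to
+ * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
+ * have been deprecated since AIX 4.2.x and would be very difficult for sshd
+ * to support.
+ *
+ * Returns 0 if an unsupportable combination is found, 1 otherwise.
+ */
+static int
+aix_valid_authentications(const char *user)
+{
+	char *auth1, *sys, *p;
+	int valid = 1;
+
+	if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
+		logit("Can't retrieve attribute SYSTEM for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	debug3("AIX SYSTEM attribute %s", sys);
+	if (strcmp(sys, "NONE") != 0)
+		return 1;	/* not "NONE", so is OK */
+
+	if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
+		logit("Can't retrieve attribute auth1 for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	p = auth1;
+	/* A SEC_LIST is concatenated strings, ending with two NULs. */
+	while (p[0] != '\0' && p[1] != '\0') {
+		debug3("AIX auth1 attribute list member %s", p);
+		if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
+			logit("Account %s has unsupported auth1 value '%s'",
+			    user, p);
+			valid = 0;
+		}
+		p += strlen(p) + 1;
+	}
+
+	return (valid);
+}
+
+/*
  * Do authentication via AIX's authenticate routine.  We loop until the
  * reenter parameter is 0, but normally authenticate is called only once.
  *
@@ -111,6 +165,9 @@ sys_auth_passwd(Authctxt *ctxt, const ch
 		debug3("AIX/authenticate result %d, msg %.100s", result,
 		    authmsg);
 	} while (reenter);
+
+	if (!aix_valid_authentications(name))
+		result = -1;
 
 	if (result == 0) {
 		authsuccess = 1;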
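Review bot: The list walk in aix_valid_authentications, `while (p[0] != '\0' && p[1] != '\0')`, tests the second byte of the current member rather than the byte after its terminator, so a one-character auth1 value would end the loop before being examined and the account would be reported as valid; given the double-NUL terminator the comment describes and non-empty members, `while (*p != '\0')` covers every member without that gap. The two comparisons on the next line are written inconsistently, `strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")`; spelling the second as `strcmp(p, "SYSTEM") != 0` reads more clearly. The header comment has a typo, `authentation`, for `authentication`. The new check in sys_auth_passwd is placed after the authenticate() loop and forces `result = -1` on failure, which fails closed; `name` is declared outside the hunk, so I am inferring it is the login name passed to authenticate().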
