Bug 543 - sshd does not use AIX's setauthdb
Summary: sshd does not use AIX's setauthdb
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: PPC AIX
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2003-04-16 07:19 AEST by Kevin Cawlfield
Modified: 2004-04-14 12:24 AEST
Attachments
Add calls to AIX's setuserdb(), setauthdb() in auth.c (1.85 KB, patch), 2003-04-16 07:26 AEST, Kevin Cawlfield
Untested patch containing discussed changes. (985 bytes, patch), 2003-04-16 14:28 AEST, Darren Tucker
Update patch to use record_failed_login (largely untested) (2.31 KB, patch), 2003-05-03 10:33 AEST, Darren Tucker
Put setauthdb in its own function. (2.95 KB, patch), 2003-07-13 23:36 AEST, Darren Tucker

Description Kevin Cawlfield 2003-04-16 07:19:11 AEST
On AIX, if an LDAP user authenticates through SSH, the user's registry info is
not updated.  For instance, if an LDAP user enters an incorrect password while
logging in through SSH, the LDAP user's unsuccessful_login_count is not
increased.

This is solved by adding calls to setuserdb(), getuserattr(), and setauthdb()
in auth.c.

I will be submitting a patch that adds these calls for 3.6p1.  If anyone sees
something in the patch that isn't kosher, let me know...
Comment 1 Kevin Cawlfield 2003-04-16 07:26:27 AEST
Created attachment 269
Add calls to AIX's setuserdb(), setauthdb() in auth.c
Comment 2 Darren Tucker 2003-04-16 14:28:52 AEST
Created attachment 270
Untested patch containing discussed changes.

I can't find much documentation on setauthdb (no man pages, only a couple of
references on Google) but from what I can gather it loads some authentication
code at runtime somewhat like PAM.

A few things on the patch:

1) setauthdb is not on AIX 4.2 so your patch breaks there.  You can add a test
to configure.ac and put your additions inside "#ifdef HAVE_SETAUTHDB".

2) the indentation in the "if (authenticated.." block is misleading.  You also
have a whitespace-only change.

3) I'd move the variables you need inside the "if (authenticated.." block.
That will remove one #ifdef.

4) Is 16 an absolute maximum for S_REGISTRY?  You should probably use
sizeof(registry) instead of a magic number in the strncpy.  Do you even need
the char *tmp and strncpy?  Does setauthdb allocate oldauthdb for you (many of
those functions do)?

5) Do you need to explicitly set "files" in the case where getuserattr fails?
Would you be better off just skipping the setauthdb in that case (which is
equivalent to the old behaviour)?

FWIW, I'd like to see all of this code moved out of the mainline and into a
compatibility function (see
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104936325924401).
Comment 3 Darren Tucker 2003-05-03 10:33:39 AEST
Created attachment 280
Update patch to use record_failed_login (largely untested)

Added AC_CHECK_FUNCS(setauthdb) to configure.ac.
Added (char **)"" to setpcred call to match prototype (including usersec.h
defines the prototype so the build will fail with a mismatch).

Note: you will need to run "autoreconf" to rebuild configure if you use this
patch
Comment 4 Darren Tucker 2003-07-13 23:36:18 AEST
Created attachment 356
Put setauthdb in its own function.

Updated patch against -current.
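The shape the thread converges on (comment 4: setauthdb in its own compatibility function, built only under HAVE_SETAUTHDB, with sizeof() instead of a magic 16 and no setauthdb call when the registry lookup fails, as raised in comment 2), written out as an added example; this is not the attached OpenSSH patch. The AIX calls follow the usersec.h prototypes as documented by IBM, the 16-byte buffer is the size questioned in the thread, and the status codes are an assumption for illustration (the real function returns nothing).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef HAVE_SETAUTHDB
#include <usersec.h>    /* AIX: setuserdb, getuserattr, setauthdb, enduserdb */
#endif
/* Outcome codes, assumed for this example (OpenSSH's own function is void):
 * UNSUPPORTED = built without HAVE_SETAUTHDB (old behaviour), SKIPPED = user
 * has no S_REGISTRY so the current db is kept, SET = registry switched. */
enum authdb_status { AUTHDB_UNSUPPORTED = 0, AUTHDB_SKIPPED, AUTHDB_SET,
    AUTHDB_ERROR };
/* AIX wants a caller-owned OldAuthDB buffer of at least 16 bytes (the number
 * questioned in comment 2); the code below only ever uses sizeof(). */
#define OLD_REGISTRY_SIZE 16
static char old_registry[OLD_REGISTRY_SIZE] = "";

/* Point the AIX authentication database at the registry (e.g. LDAP) that owns
 * `user`, so later lookups and failed-login accounting update that registry. */
enum authdb_status aix_setauthdb(const char *user)
{
#ifdef HAVE_SETAUTHDB
	char *registry = NULL;   /* getuserattr() hands back its own string */
	enum authdb_status rc;
	if (setuserdb(S_READ) == -1)
		return AUTHDB_SKIPPED;
	/* No registry attribute: skip setauthdb, which is the pre-patch behaviour. */
	if (getuserattr((char *)user, S_REGISTRY, &registry, SEC_CHAR) != 0 ||
	    registry == NULL)
		rc = AUTHDB_SKIPPED;
	else if (setauthdb(registry, old_registry) == 0)
		rc = AUTHDB_SET;
	else {
		fprintf(stderr, "setauthdb(%s): %s\n", registry, strerror(errno));
		rc = AUTHDB_ERROR;
	}
	enduserdb();
	return rc;
#else
	(void)user;              /* no setauthdb on this platform (e.g. AIX 4.2) */
	return AUTHDB_UNSUPPORTED;
#endif
}

/* Undo aix_setauthdb(): put the previously active database back. */
void aix_restoreauthdb(void)
{
#ifdef HAVE_SETAUTHDB
	if (old_registry[0] != '\0')
		(void)setauthdb(old_registry, NULL);
#endif
	memset(old_registry, 0, sizeof(old_registry));
}
```

On a build without HAVE_SETAUTHDB both functions compile to the old behaviour, which is the point of the configure.ac check.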
Comment 5 Darren Tucker 2003-07-14 16:46:10 AEST
Patch applied, thanks.
Comment 6 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED