
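--- a/auth.c
+++ b/auth.c
@@ -209,7 +209,7 @@ allowed_user(struct passwd * pw)
 	}
 
 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
-	if (!sys_auth_allowed_user(pw))
+	if (!sys_auth_allowed_user(pw, &loginmsg))
 		return 0;
 #endif
 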
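--- a/configure.ac
+++ b/configure.ac
@@ -135,7 +135,7 @@ case "$host" in
 		[#include <usersec.h>]
 	)
 	AC_CHECK_FUNCS(setauthdb)
-	AC_DEFINE(BROKEN_GETADDRINFO)
+	check_for_aix_broken_getaddrinfo=1
 	AC_DEFINE(BROKEN_REALPATH)
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
 	AC_DEFINE(BROKEN_SETREUID)
@@ -1147,6 +1147,64 @@ main(void)
 	)
 fi
 
+if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then
+	AC_MSG_CHECKING(if getaddrinfo seems to work)
+	AC_TRY_RUN(
+		[
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <errno.h>
+#include <netinet/in.h>
+
+#define TEST_PORT "2222"
+
+int
+main(void)
+{
+	int err, sock;
+	struct addrinfo *gai_ai, *ai, hints;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE;
+
+	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+	if (err != 0) {
+		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+		exit(1);
+	}
+
+	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+			continue;
+
+		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
+		    sizeof(ntop), strport, sizeof(strport),
+		    NI_NUMERICHOST|NI_NUMERICSERV);
+
+		if (ai->ai_family == AF_INET && err != 0) {
+			perror("getnameinfo");
+			exit(2);
+		}
+	}
+	exit(0);
+}
+		],
+		[
+			AC_MSG_RESULT(yes)
+			AC_DEFINE(AIX_GETNAMEINFO_HACK, [],
+[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address])
+		],
+		[
+			AC_MSG_RESULT(no)
+			AC_DEFINE(BROKEN_GETADDRINFO)
+		]
+	)
+fi
+
 if test "x$check_for_conflicting_getspnam" = "x1"; then
 	AC_MSG_CHECKING(for conflicting getspnam in shadow.h)
 	AC_COMPILE_IFELSE(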
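Review bot: The test program handed to AC_TRY_RUN calls memset() and exit() without including `<string.h>` or `<stdlib.h>`, so a compiler that rejects implicit declarations fails the probe at compile time and configure takes the "no" branch, defining BROKEN_GETADDRINFO for a reason unrelated to getaddrinfo. Adding `#include <string.h>` and `#include <stdlib.h>` to the include list keeps the result tied to the runtime behaviour being probed. AC_TRY_RUN is also called without a cross-compiling action, and `sock` is declared but never used. The description string on AIX_GETNAMEINFO_HACK names getaddrinfo, while the wrapper this define enables is for getnameinfo; the wording should match.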
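--- a/loginrec.c
+++ b/loginrec.c
@@ -192,6 +192,8 @@ int lastlog_get_entry(struct logininfo *
 int wtmp_get_entry(struct logininfo *li);
 int wtmpx_get_entry(struct logininfo *li);
 
+extern Buffer loginmsg;
+
 /* pick the shortest string */
 #define MIN_SIZEOF(s1,s2) (sizeof(s1) < sizeof(s2) ? sizeof(s1) : sizeof(s2))
 
@@ -441,7 +443,7 @@ login_write(struct logininfo *li)
 #endif
 #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
 	if (li->type == LTYPE_LOGIN && 
-	   !sys_auth_record_login(li->username,li->hostname,li->line))
+	   !sys_auth_record_login(li->username,li->hostname,li->line, &loginmsg))
 		logit("Writing login record failed for %s", li->username);
 #endif
 #ifdef SSH_AUDIT_EVENTS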
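Review bot: The added `extern Buffer loginmsg;` near the top of loginrec.c declares the global by hand in a .c file, so the compiler cannot check it against the definition if its type ever changes. Declaring it once in a header that both the defining file and loginrec.c include would give that check; the page does not show where loginmsg is defined, so which header is for the author to decide. On the sys_auth_record_login call in login_write, a short comment such as `/* platform login messages are appended to loginmsg */` would explain the new argument. login_write's body starts and ends outside the hunk.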
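--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -34,14 +34,13 @@
 #ifdef _AIX
 
 #include <uinfo.h>
+#include <sys/socket.h>
 #include "port-aix.h"
 
 /* These should be in the system headers but are not. */
 int usrinfo(int, char *, int);
 int setauthdb(const char *, char *);
 
-extern Buffer loginmsg;
-
 # ifdef HAVE_SETAUTHDB
 static char old_registry[REGISTRY_SIZE] = "";
 # endif
@@ -74,6 +73,35 @@ aix_usrinfo(struct passwd *pw)
 	xfree(cp);
 }
 
+# if defined(HAVE_GETNAMEINFO) && defined(AIX_GETNAMEINFO_HACK)
+# undef getnameinfo
+/*
+ * For some reason, AIX's getnameinfo will refuse to resolve the all-zeros
+ * IPv6 address into its textual representation ("::"), so we wrap it
+ * with a function that will.
+ */
+int
+sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
+    size_t hostlen, char *serv, size_t servlen, int flags)
+{
+	struct sockaddr_in6 *sa6;
+	u_int32_t *a6;
+
+	if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) &&
+	    sa->sa_family == AF_INET6) {
+		sa6 = (struct sockaddr_in6 *)sa;
+		a6 = sa6->sin6_addr.u6_addr.u6_addr32;
+
+		if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) {
+			strlcpy(host, "::", hostlen);
+			snprintf(serv, servlen, "%d", sa6->sin6_port);
+			return 0;
+		}
+	}
+	return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
+}
+# endif /* AIX_GETNAMEINFO_HACK */
+
 # ifdef WITH_AIXAUTHENTICATE
 /*
  * Remove embedded newlines in string (if any).
@@ -156,7 +184,7 @@ aix_valid_authentications(const char *us
  * returns 0.
  */
 int
-sys_auth_passwd(Authctxt *ctxt, const char *password)
+sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
 {
 	char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
 	int authsuccess = 0, expired, reenter, result;
@@ -186,7 +214,7 @@ sys_auth_passwd(Authctxt *ctxt, const ch
 		 */
 		expired = passwdexpired(name, &msg);
 		if (msg && *msg) {
-			buffer_append(&loginmsg, msg, strlen(msg));
+			buffer_append(loginmsg, msg, strlen(msg));
 			aix_remove_embedded_newlines(msg);
 		}
 		debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
@@ -219,7 +247,7 @@ sys_auth_passwd(Authctxt *ctxt, const ch
  * Returns 1 if login is allowed, 0 if not allowed.
  */
 int
-sys_auth_allowed_user(struct passwd *pw)
+sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
 {
 	char *msg = NULL;
 	int result, permitted = 0;
@@ -246,7 +274,7 @@ sys_auth_allowed_user(struct passwd *pw)
 	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
 		permitted = 1;
 	else if (msg != NULL)
-		buffer_append(&loginmsg, msg, strlen(msg));
+		buffer_append(loginmsg, msg, strlen(msg));
 	if (msg == NULL)
 		msg = xstrdup("(none)");
 	aix_remove_embedded_newlines(msg);
@@ -259,7 +287,8 @@ sys_auth_allowed_user(struct passwd *pw)
 }
 
 int
-sys_auth_record_login(const char *user, const char *host, const char *ttynm)
+sys_auth_record_login(const char *user, const char *host, const char *ttynm,
+    Buffer *loginmsg)
 {
 	char *msg;
 	int success = 0;
@@ -269,7 +298,7 @@ sys_auth_record_login(const char *user,
 		success = 1;
 		if (msg != NULL) {
 			debug("AIX/loginsuccess: msg %s", msg);
-			buffer_append(&loginmsg, msg, strlen(msg));
+			buffer_append(loginmsg, msg, strlen(msg));
 			xfree(msg);
 		}
 	}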
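Review bot: In the added sshaix_getnameinfo wrapper, `sa` is cast to struct sockaddr_in6 and its address words are read without first checking that `salen` covers that structure, so a caller that passes a shorter buffer with sa_family set to AF_INET6 causes a read past it. The short-circuit path also formats `sin6_port` without ntohs(), which is only correct where host and network byte order coincide, and it returns 0 even when "::" or the port did not fit in `hostlen`/`servlen`. I would add the length check to the condition, convert the port, skip NULL output buffers and return an EAI_ error on truncation, as sketched below. Separately, the flag test is true when either NI_NUMERICHOST or NI_NUMERICSERV is set, so a caller asking for only one numeric form still gets both; worth confirming that is intended.

```c
	if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) &&
	    sa->sa_family == AF_INET6 && salen >= sizeof(*sa6)) {
		/* … unchanged: sa6 and a6 assignments … */
		if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) {
			if (host != NULL &&
			    strlcpy(host, "::", hostlen) >= hostlen)
				return EAI_MEMORY;
			if (serv != NULL && (size_t)snprintf(serv, servlen,
			    "%u", (unsigned int)ntohs(sa6->sin6_port)) >= servlen)
				return EAI_MEMORY;
			return 0;
		}
	}
```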
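--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -27,6 +27,10 @@
 
 #ifdef _AIX
 
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+
 #ifdef WITH_AIXAUTHENTICATE
 # include <login.h>
 # include <userpw.h>
@@ -36,6 +40,8 @@
 # include <usersec.h>
 #endif
 
+#include "buffer.h"
+
 /* Some versions define r_type in the above headers, which causes a conflict */
 #ifdef r_type
 # undef r_type
@@ -64,13 +70,23 @@ void aix_usrinfo(struct passwd *);
 #ifdef WITH_AIXAUTHENTICATE
 # define CUSTOM_SYS_AUTH_PASSWD 1
 # define CUSTOM_SYS_AUTH_ALLOWED_USER 1
-int sys_auth_allowed_user(struct passwd *);
+int sys_auth_allowed_user(struct passwd *, Buffer *);
 # define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
-int sys_auth_record_login(const char *, const char *, const char *);
+int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
 # define CUSTOM_FAILED_LOGIN 1
 #endif
 
 void aix_setauthdb(const char *);
 void aix_restoreauthdb(void);
 void aix_remove_embedded_newlines(char *);
+
+#if defined(HAVE_GETNAMEINFO) && defined(AIX_GETNAMEINFO_HACK)
+# ifdef getnameinfo
+#  undef getnameinfo
+# endif
+int sshaix_getnameinfo(const struct sockaddr *, size_t, char *, size_t,
+    char *, size_t, int);
+# define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g))
+#endif
+
 #endif /* _AIX */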
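Review bot: The function-like macro `# define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g))` added at the end of the header rewrites every later use of the name, which would include the system prototype if `<netdb.h>` is ever included after port-aix.h. The header pulls in `<sys/socket.h>` but not `<netdb.h>`, so it depends on an include order that is not visible here; adding `# include <netdb.h>` next to the socket include would make it self-contained. A one-line comment above the macro, for example `/* port-aix.c #undefs this to reach the system getnameinfo */`, would also tell the next reader why the wrapper's own file undoes it.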
