When a user connects to 3.4p1 on AIX with privilege separation on, no last login message is displayed. It seems that the message is retrieved by a call to loginsuccess() as root; the output of the message is done in the nonprivileged child.
It looks like the call to loginsuccess() fails because it's done as a non-privileged user. This is bad because in addition to generating the message it also clears the failed login counter that leads to account lockout. The following patch fixes it for me but I'm not sure this is the right approach. I still don't properly understand privsep... Would someone who does please sanity-check this?
Created attachment 140: Move loginsuccess call into auth.c so it works with privsep on
*** Bug 385 has been marked as a duplicate of this bug. ***
Ignore previous patch, it's plain wrong. It clears the counter whether or not the login was successful.
Created attachment 141: Move loginsuccess to auth-passwd.c
Relocated loginsuccess call as per comments in bugid 385. Removed unused loginmsg variable.
Created attachment 142: Enables tracking of unsuccessful logins on AIX
I've included a patch that adds one line to the end of the previous auth-passwd.c patch, #141. Before, AIX unsuccessful logins would go unnoticed. In the enclosed patch, if the AIX authenticate is unsuccessful, the loginfailed subroutine is run, which logs the unsuccessful login to /etc/security/failedlogin as well as updates the user's attributes in /etc/security/lastlog.
While that's true of 3.4p1, the loginfailed() bug has been fixed in -current for a while (see bug #145).
Darren's patch applied. Thanks.
Mass change of RESOLVED bugs to CLOSED