bugzilla-daemon at mindrot.org
2003-Apr-15 21:19 UTC
[Bug 543] sshd does not use AIX's setauthdb
http://bugzilla.mindrot.org/show_bug.cgi?id=543

           Summary: sshd does not use AIX's setauthdb
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: cawlfiel at us.ibm.com

On AIX, if an LDAP user authenticates through SSH, the user's registry info is not updated. For instance, if an LDAP user enters an incorrect password while logging in through SSH, the LDAP user's unsuccessful_login_count is not increased.

This is solved by adding calls to setuserdb(), getuserattr(), and setauthdb() in auth.c. I will be submitting a patch that adds these calls for 3.6p1. If anyone sees something in the patch that isn't kosher, let me know...

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Apr-15 21:26 UTC
[Bug 543] sshd does not use AIX's setauthdb
http://bugzilla.mindrot.org/show_bug.cgi?id=543

------- Additional Comments From cawlfiel at us.ibm.com 2003-04-16 07:26 -------
Created an attachment (id=269)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=269&action=view)
Add calls to AIX's setuserdb(), setauthdb() in auth.c
bugzilla-daemon at mindrot.org
2003-Apr-16 04:28 UTC
[Bug 543] sshd does not use AIX's setauthdb
http://bugzilla.mindrot.org/show_bug.cgi?id=543

------- Additional Comments From dtucker at zip.com.au 2003-04-16 14:28 -------
Created an attachment (id=270)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=270&action=view)
Untested patch containing discussed changes.

I can't find much documentation on setauthdb (no man pages, only a couple of references on Google) but from what I can gather it loads some authentication code at runtime somewhat like PAM.

A few things on the patch:

1) setauthdb is not on AIX 4.2 so your patch breaks there. You can add a test to configure.ac and put your additions inside "#ifdef HAVE_SETAUTHDB".

2) the indentation in the "if (authenticated.." block is misleading. You also have a whitespace-only change.

3) I'd move the variables you need inside the "if (authenticated.." block. That will remove one #ifdef.

4) Is 16 an absolute maximum for S_REGISTRY? You should probably use sizeof(registry) instead of a magic number in the strncpy. Do you even need the char *tmp and strncpy? Does setauthdb allocate oldauthdb for you (many of those functions do)?

5) Do you need to explicitly set "files" in the case where getuserattr fails? Would you be better off just skipping the setauthdb in that case (which is equivalent to the old behaviour)?

FWIW, I'd like to see all of this code moved out of the mainline and into a compatibility function (see http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104936325924401).
bugzilla-daemon at mindrot.org
2003-May-03 00:33 UTC
[Bug 543] sshd does not use AIX's setauthdb
http://bugzilla.mindrot.org/show_bug.cgi?id=543

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #270 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-05-03 10:33 -------
Created an attachment (id=280)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=280&action=view)
Update patch to use record_failed_login (largely untested)

Added AC_CHECK_FUNCS(setauthdb) to configure.ac.

Added (char **)"" to setpcred call to match prototype (including usersec.h defines the prototype so the build will fail with a mismatch).

Note: you will need to run "autoreconf" to rebuild configure if you use this patch.
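
A sketch of the compatibility-function shape raised in the review comments above (guarded by HAVE_SETAUTHDB, no forced "files" when the registry lookup fails), added here as an illustration; it is not the attached patch or OpenSSH's own code. The names compat_setauthdb, compat_restoreauthdb, old_registry and the off-AIX stand-in functions are hypothetical, and it assumes setauthdb() writes the previous database name into a caller-supplied 16-byte buffer.

```c
#include <stdio.h>
#include <string.h>
#ifdef HAVE_SETAUTHDB
# include <usersec.h>	/* AIX: real setuserdb/getuserattr/setauthdb */
#else
/* Constructed stand-ins so the sketch runs off AIX; not the AIX library. */
# define S_READ 1
# define S_REGISTRY "registry"
# define SEC_CHAR 0
static char cur_db[16] = "files";	/* pretend process-wide auth db */
static int setuserdb(int mode) { (void)mode; return 0; }
static int enduserdb(void) { return 0; }
static int getuserattr(char *user, char *attr, void *val, int type) {
	(void)attr; (void)type;
	if (strcmp(user, "ldapuser") != 0) return -1;	/* no registry attr */
	*(char **)val = "LDAP";
	return 0;
}
static int setauthdb(const char *new_db, char *old_db) {
	if (old_db != NULL) strcpy(old_db, cur_db);	/* assumed behaviour */
	snprintf(cur_db, sizeof(cur_db), "%s", new_db);
	return 0;
}
#endif

static char old_registry[16];	/* size assumed; the thread asks if 16 is the max */

/* Switch to the user's registry. Returns 1 if switched, 0 if left alone. */
int compat_setauthdb(const char *user)
{
	char *registry = NULL;
	int switched;
	if (setuserdb(S_READ) == -1)
		return 0;
	/* On lookup failure skip setauthdb instead of forcing "files". */
	switched = getuserattr((char *)user, S_REGISTRY, &registry, SEC_CHAR) == 0 &&
	    setauthdb(registry, old_registry) == 0;
	enduserdb();
	return switched;
}

/* Restore the database that was active before compat_setauthdb(). */
int compat_restoreauthdb(void)
{
	if (old_registry[0] == '\0' || setauthdb(old_registry, NULL) != 0)
		return 0;
	old_registry[0] = '\0';
	return 1;
}
```

Keeping both calls in one file means the mainline authentication path needs a single call before the password check and one after it, with no #ifdef at the call site.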