openssh bugs - May 2009 - [Bug 1595] New: Server option PrintLastLog does not work on AIX

https://bugzilla.mindrot.org/show_bug.cgi?id=1595

           Summary: Server option PrintLastLog does not work on AIX
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: miguel.sanders at arcelormittal.com
                CC: miguel.sanders at arcelormittal.com


Created an attachment (id=1631)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1631)
auth.c patch

Hi

Apparently, the server option "PrintLastLog" does not work on AIX.
The last login time is always displayed, disregarding the option.
When browsing the code, I found out there are several functions in
loginrec.c which solely handle the processing of the last login info
(login_get_lastlog, getlast_entry).
Since AIX does not provide such a function natively, the configure
script sets the DISABLE_LASTLOG define. 
A small code snippet from getlast_entry in loginrec.c shows this

#if defined(DISABLE_LASTLOG)
        /* On some systems we shouldn't even try to obtain last login
         * time, e.g. AIX */
        return (0);

On the other hand, when issuing the AIX loginsuccess() call (which
writes a new login record), the last login record can be retrieved by
that very same call.
If we look at port-aix.c, we can see the following:

if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0)
{
    success = 1;
            if (msg != NULL && loginmsg != NULL && !msg_done) {
                     debug("AIX/loginsuccess: msg %s", msg);
                     buffer_append(loginmsg, msg, strlen(msg));
                     xfree(msg);
                     msg_done = 1;
            }
 }


The pointer "msg" points to the new last login info for the user and
it
always appended to the loginmsg buffer. 
The buffer_append call should only be called if options.print_lastlog
is set.

Proposed solution:

At first I thought it would be sufficient to embed the buffer_append
call 
if (options.print_lastlog)
    buffer_append(loginmsg, msg, strlen(msg));

And to add the following to port-aix.c
#include "servconf.h"
extern ServerOptions options;

But then compiling other modules (f.e. ssh-keyscan) will fail because
of the missing "options" in the openbsd-compat library .
        cc -qlanglvl=extc89 -o ssh-keyscan ssh-keyscan.o -L.
-Lopenbsd-compat/ -L/usr/lib -L/usr/lib -q64 -L/usr/lib
-blibpath:/usr/lib:/lib:/usr/lib -lssh -lopenbsd-compat -lssh -lcrypto
-lz -lksvc -lgssapi_krb5 -lkrb5
ld: 0711-224 WARNING: Duplicate symbol: .bcopy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
information.
ld: 0711-317 ERROR: Undefined symbol: options

The only solution I currently see for this is to add an additional
parameter (value of options.print_lastlog) to the sys_auth_record_login
function in port-aix.c, port-aix.h and auth.c.
auth.c
# ifdef WITH_AIXAUTHENTICATE
        if (authenticated)
                sys_auth_record_login(authctxt->user,
                    get_canonical_hostname(options.use_dns), "ssh",
&loginmsg, options.print_lastlog);
# endif

port-aix.c
int
sys_auth_record_login(const char *user, const char *host, const char
*ttynm,
    Buffer *loginmsg, int print_lastlog)
{
...
    if(print_lastlog == 1)
        buffer_append(loginmsg, msg, strlen(msg));
    xfree(msg);
    msg_done = 1;
...
}

I uploaded some patches.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595





--- Comment #1 from Miguel Sanders <miguel.sanders at arcelormittal.com> 
2009-05-04 02:11:05 ---
Created an attachment (id=1632)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1632)
port-aix.c patch

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595





--- Comment #2 from Miguel Sanders <miguel.sanders at arcelormittal.com> 
2009-05-04 02:17:05 ---
Created an attachment (id=1633)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1633)
port-aix.h patch

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595





--- Comment #3 from Darren Tucker <dtucker at zip.com.au>  2009-05-04
13:06:26 ---
Created an attachment (id=1634)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1634)
Updated patch: loginrec.c plus minor style nits

This looks mostly reasonable.  There's a call in loginrec.c that you
didn't patch (I suspect you just didn't attach it, it would cause a
compile error) and a few minor style nits (line length, spacing,
nothing major).

I did consider having a function in port-aix.c return the login message
instead and using the !print_lastlog logic in store_lastlog_message()
but that's shared code.

BTW these are easier to read if you append related diffs together and
attach them as a unit.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1634|0                           |1
        is obsolete|                            |




--- Comment #4 from Darren Tucker <dtucker at zip.com.au>  2009-05-04
13:13:37 ---
Created an attachment (id=1635)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1635)
add missing argument in port-aix.c

oops, left off the argument in port-aix.c while I was playing with the
diff.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1631|0                           |1
        is obsolete|                            |
   Attachment #1632|0                           |1
        is obsolete|                            |
   Attachment #1633|0                           |1
        is obsolete|                            |




--- Comment #5 from Darren Tucker <dtucker at zip.com.au>  2009-05-04
13:55:28 ---
Created an attachment (id=1636)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1636)
option 2: leave print_lastlog logic all in sshlogin.c

This is an implementation of the other option which has less layering
violations but more code.  I'm not sure which I prefer.  djm?

Note: both patches are currently untested (my AIX box is currently
offline).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595





--- Comment #6 from Miguel Sanders <miguel.sanders at arcelormittal.com> 
2009-05-04 15:59:54 ---
Strangely enough, the login_write call from loginrec.c never gets
called. That's also the reason why I didn't have to alter it.
The way I see it:
auth_log (auth.c) calls sys_auth_record_login (port-aix.c) directly
without using the generic login recording functions of loginrec.c. As a
result I only had to modify auth.c,port-aix.h and port-aix.c (tested it
and works well).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1560




--- Comment #7 from Damien Miller <djm at mindrot.org>  2009-07-31
12:12:55 ---
I prefer option 2

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au


--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2009-08-17
09:40:59 EST ---
option 2 applied, it will be in the 5.3p1 release.  Thanks for the
report.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1595

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #9 from Damien Miller <djm at mindrot.org> 2009-10-06 15:02:46
EST ---
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.