Elwell, AD (Andrew)
2003-Jun-25 10:17 UTC
openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
Hi there,

I have just compiled up 3.6.1p2 both with and without Darren Tucker's passexpire patch.

However, with the patch applied /etc/nologin isn't displayed to users (on AIX 5.1 / PSSP)

The patched version seems to fail with "illegal user" - some parts of a debug 3 log...

debug1: userauth-request for user ade45 service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: monitor_read: checking request 6
debug3: mm_request_receive_expect entering: type 7
debug3: mm_answer_pwnamallow
debug3: mm_request_receive entering
Login restricted for ade45: this is a test
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
input_userauth_request: illegal user ade45
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try meth none

whereas the unpatched one goes...

debug1: userauth-request for user ade45 service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
Login restricted for ade45: testing in progress
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: input_userauth_request: setting up authctxt for ade45
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try meth none

We have a dodgy workaround for this (touch /etc/nologin and update the sshd banner if we're doing maintenance) but it would be nice to have.

A more pressing need is for us to be able to cope with changing the users' password on another box. (we use PSSP on a large cluster) hmm, some hacking of /bin/passwd might be called for...

Andrew

-- 
Andrew Elwell <A.D.Elwell at dl.ac.uk>
Room A20, Daresbury Laboratory, Keckwick Lane, Daresbury, WARRINGTON, WA4 4AD
Tel: +44 (0)1925 603966 Mob: +44 (0)7890 249969 Pager: 08700 555500 [883616]
Darren Tucker
2003-Jun-25 11:36 UTC
openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
"Elwell, AD (Andrew)" wrote:
> I have just compiled up 3.6.1p2 both with and without Darren Tucker's
> passexpire patch.
>
> However, with the patch applied /etc/nologin isn't displayed to users (on
> AIX 5.1 / PSSP)
>
> The patched version seems to fail with "illegal user" - some parts of a debug
> 3 log...
>
> debug1: userauth-request for user ade45 service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: monitor_read: checking request 6
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_answer_pwnamallow
> debug3: mm_request_receive entering
> Login restricted for ade45: this is a test
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
[snip]

I would have expected to see some more debugging here, something like:

debug3: lastupdate [foo] maxage [foo] wks maxexpired
debug3: AIX/passwdexpired returned [whatever]

Was that there and if so what does it say?

Looking at the code here, I can't see a reason for this. Did the patch apply cleanly?

> A more pressing need is for us to be able to cope with changing the users'
> password on another box. (we use PSSP on a large cluster) hmm, some hacking
> of /bin/passwd might be called for...

You can change PATH_PROGRAM_PATH in config.h to point to any program you like. Be aware that it'll get called as "/path/to/program" (as the user) if PrivSep is on and "/path/to/program [username]" (as root!) if PrivSep is off.

If it's a common requirement it might be worth adding a --with-passwd-program=/bin/foo option to configure.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker
2003-Jun-25 13:18 UTC
openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
"Elwell, AD (Andrew)" wrote:
> However, with the patch applied /etc/nologin isn't displayed to users (on
> AIX 5.1 / PSSP)
>
> The patched version seems to fail with "illegal user" - some parts of a debug
> 3 log...

It's a bug, and it's mine. I did not correctly relocate the saving of errno when I reshuffled the loginrestrictions call.

Try applying the following patch on top of -passexpire20 and recompiling.

-Daz.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

--- auth.c.orig 2003-06-25 23:14:16.000000000 +1000 +++ auth.c 2003-06-25 23:13:36.000000000 +1000 @@ -240,11 +240,12 @@ * non-root user (since loginrestrictions will always fail). */ if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { - int loginrestrict_errno = errno; char *msg; /* check for AIX account restrictions */ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { + int loginrestrict_errno = errno; + if (msg && *msg) { aix_remove_embedded_newlines(msg); log("Login restricted for %s: %.100s",
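Review bot: The move is correct: errno only carries the restriction reason once loginrestrictions() has returned non-zero, so the old `int loginrestrict_errno = errno;` at the top of the `if ( (pw->pw_uid != 0) && (geteuid() == 0) )` block captured whatever an earlier library call had left there, and any later test of loginrestrict_errno saw that stale value instead of the reason loginrestrictions() reported. Making the capture the first statement inside the failure branch also keeps it ahead of aix_remove_embedded_newlines() and log(), either of which can clobber errno. A one-line comment beside the new declaration, such as `/* save errno before log() can clobber it */`, would stop a future reshuffle reintroducing the same bug.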
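To show why the placement of the errno save matters, here is an added C example (not code from the thread or from OpenSSH): fake_loginrestrictions() is a constructed stub standing in for the AIX call, and the two functions copy errno at the old and the corrected points.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for AIX loginrestrictions(): it only mimics the
 * failure path (non-zero return, errno set, message handed back). */
static int fake_loginrestrictions(const char *user, char **msg)
{
    static char text[] = "this is a test";
    (void)user;
    *msg = text;
    errno = EPERM;
    return -1;
}

/* Placement from the original -passexpire20 patch: errno is copied before
 * the call, so it still holds whatever an earlier call left behind. */
int errno_saved_before_call(const char *user)
{
    int loginrestrict_errno = errno;      /* stale at this point */
    char *msg;
    if (fake_loginrestrictions(user, &msg) != 0) {
        printf("Login restricted for %s: %.100s\n", user, msg);
        return loginrestrict_errno;       /* not the value the call set */
    }
    return 0;
}

/* Placement from the follow-up patch: errno is copied only after the call
 * has reported failure and before anything else can clobber it. */
int errno_saved_after_call(const char *user)
{
    char *msg;
    if (fake_loginrestrictions(user, &msg) != 0) {
        int loginrestrict_errno = errno;  /* set by the failing call */
        printf("Login restricted for %s: %.100s\n", user, msg);
        return loginrestrict_errno;
    }
    return 0;
}

int main(void)
{
    errno = ENOENT;   /* leftover from some earlier failed call */
    printf("saved before call: %s\n", strerror(errno_saved_before_call("ade45")));
    errno = ENOENT;
    printf("saved after call:  %s\n", strerror(errno_saved_after_call("ade45")));
    return 0;
}
```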