Hi All. First the questions: Is there anything objectionable in this patch? Is AUDIT_FAIL_AUTH appropriate for the "Reason" field? Now the details: attached is a patch that changes some of the #includes for AIX. It moves the AIX-specific includes to port-aix.h and adds includes that contain the prototypes for many of the authentication functions. The idea is to fix some warnings. Unfortunately this exposes a couple of problems: * setpcred call does not match prototype * loginfailed on AIX 5.2 takes an (optional?) extra argument: Reason The patch changes the setpcred call to: setpcred(pw->pw_name, (char **)NULL); It also adds configure magic to detect a 4-arg loginfailed and #defines to use the appropriate call (hidden in port-aix.c, fortunately): loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); There are still a couple of warnings left which I hope to address in other patches. -Daz. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: acconfig.h ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v retrieving revision 1.157 diff -u -r1.157 acconfig.h --- acconfig.h 11 Jun 2003 12:51:32 -0000 1.157 +++ acconfig.h 1 Jul 2003 12:22:40 -0000 
@@ -110,6 +110,9 @@ /* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE +/* Define if your AIX loginfailed() function takes 4 arguments */ +#undef AIX_LOGINFAILED_4ARG + /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ #undef WITH_IRIX_ARRAY Index: auth-passwd.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v retrieving revision 1.54 diff -u -r1.54 auth-passwd.c --- auth-passwd.c 3 Jun 2003 00:25:48 -0000 1.54 +++ auth-passwd.c 2 Jul 2003 04:57:12 -0000 @@ -42,15 +42,13 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "canohost.h" #if !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the SIA cases */ # ifdef HAVE_CRYPT_H # include <crypt.h> # endif -# ifdef WITH_AIXAUTHENTICATE -# include <login.h> -# endif # ifdef __hpux # include <hpsecurity.h> # include <prot.h> @@ -150,7 +148,7 @@ } # endif # ifdef WITH_AIXAUTHENTICATE - authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + authsuccess = (authenticate((char *)pw->pw_name,password,&reenter,&authmsg) == 0); if (authsuccess) { /* We don't have a pty yet, so just label the line as "ssh" */ Index: configure.ac ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.130 diff -u -r1.130 configure.ac --- configure.ac 30 Jun 2003 09:21:36 -0000 1.130 +++ configure.ac 2 Jul 2003 03:57:23 -0000 
@@ -75,12 +75,25 @@ AC_MSG_RESULT($blibflags) fi LDFLAGS="$saved_LDFLAGS" - AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)], + dnl Check for authenticate. Might be in libs.a on older AIXes + AC_CHECK_FUNC(authenticate, [with_aixauthenticate=1], [AC_CHECK_LIB(s,authenticate, - [ AC_DEFINE(WITH_AIXAUTHENTICATE) + [ with_aixaixauthenticate=1 LIBS="$LIBS -ls" ]) ]) + dnl Check if loginfailed takes 4 arguments + if (test "x$with_aixauthenticate" = "x1" ); then + AC_DEFINE(WITH_AIXAUTHENTICATE) + AC_MSG_CHECKING(if loginfailed takes 4 arguments) + AC_TRY_COMPILE( + [#include <usersec.h>], + [(void)loginfailed("user","host","tty",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(AIX_LOGINFAILED_4ARG)], + [AC_MSG_RESULT(no)] + ) + fi AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(BROKEN_REALPATH) dnl AIX handles lastlog as part of its login message @@ -456,8 +469,8 @@ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ - strings.h sys/strtio.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ - sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ + strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ + sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h) Index: session.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v retrieving revision 1.238 diff -u -r1.238 session.c --- session.c 3 Jun 2003 00:25:48 -0000 1.238 +++ session.c 2 Jul 2003 04:37:09 -0000 
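Review bot: In the configure.ac hunk at -75,12 +75,25, the AC_CHECK_LIB branch sets `with_aixaixauthenticate=1`, but the test that follows reads `$with_aixauthenticate`, so when authenticate() is found only in libs.a neither `AC_DEFINE(WITH_AIXAUTHENTICATE)` nor the loginfailed probe is reached. The removed lines defined WITH_AIXAUTHENTICATE directly in that branch, so this would quietly build sshd without the AIX authenticate() path on those hosts; the assignment should read `with_aixauthenticate=1`. Separately, the probe compiles the loginfailed call with only `<usersec.h>` included; if that header does not declare loginfailed on some release, the call may compile through an implicit declaration and report "yes" regardless of arity, which is worth confirming on a 3-argument system.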
@@ -1215,7 +1215,7 @@ { #ifdef HAVE_SETPCRED - setpcred(pw->pw_name); + setpcred(pw->pw_name, (char **)NULL); #endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP # ifdef __bsdi__ Index: openbsd-compat/port-aix.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.c,v retrieving revision 1.10 diff -u -r1.10 port-aix.c --- openbsd-compat/port-aix.c 3 Jun 2003 02:45:27 -0000 1.10 +++ openbsd-compat/port-aix.c 2 Jul 2003 05:01:34 -0000 @@ -68,9 +68,13 @@ void record_failed_login(const char *user, const char *ttyname) { - char *hostname = get_canonical_hostname(options.use_dns); + char *hostname = (char *)get_canonical_hostname(options.use_dns); - loginfailed(user, hostname, ttyname); +# ifdef AIX_LOGINFAILED_4ARG + loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); +# else + loginfailed((char *)user, hostname, (char *)ttyname); +# endif } # endif /* CUSTOM_FAILED_LOGIN */ #endif /* _AIX */ Index: openbsd-compat/port-aix.h ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.h,v retrieving revision 1.8 diff -u -r1.8 port-aix.h --- openbsd-compat/port-aix.h 2 May 2003 13:42:25 -0000 1.8 +++ openbsd-compat/port-aix.h 2 Jul 2003 01:17:06 -0000 @@ -26,6 +26,15 @@ #ifdef _AIX +#ifdef WITH_AIXAUTHENTICATE +# include <login.h> +# include <userpw.h> +# include <usersec.h> +# ifdef HAVE_SYS_AUDIT_H +# include <sys/audit.h> +# endif +#endif + /* AIX 4.2.x doesn't have nanosleep but does have nsleep which is equivalent */ #if !defined(HAVE_NANOSLEEP) && defined(HAVE_NSLEEP) # define nanosleep(a,b) nsleep(a,b)
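Review bot: In the session.c hunk, the result of `setpcred(pw->pw_name, (char **)NULL)` is still discarded, so a failure to set the process credentials would go unnoticed and the session would presumably continue with the credentials the process already holds. Since the line is being changed to match the prototype anyway, this is a good moment to check it, for example `if (setpcred(pw->pw_name, (char **)NULL) != 0) fatal("setpcred failed for %s: %s", pw->pw_name, strerror(errno));`. The enclosing function starts and ends outside the hunk, so whether a later call would catch the failure cannot be seen from here.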
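Review bot: In record_failed_login (openbsd-compat/port-aix.c hunk), both loginfailed() calls discard the result, so a failure to write the failed-login record is silent. As far as I know loginfailed returns non-zero on error, and a log line would make a missing record visible, e.g. `if (loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH) != 0) debug("loginfailed: %s", strerror(errno));`, and likewise in the 3-argument branch. The `(char *)` casts on `user`, `ttyname` and, apparently, on the result of get_canonical_hostname() discard const to satisfy the AIX prototypes; a short comment such as `/* AIX prototypes take char *; the arguments are assumed not to be modified */` would record that assumption.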
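Review bot: In the port-aix.h hunk, `<sys/audit.h>` is included only under HAVE_SYS_AUDIT_H, while port-aix.c uses AUDIT_FAIL_AUTH whenever AIX_LOGINFAILED_4ARG is defined, and the configure probe for the 4-argument form passes a literal 0 without depending on that header. On a system where the 4-argument loginfailed is detected but sys/audit.h was not found, the build would presumably fail on an undeclared AUDIT_FAIL_AUTH. Either have the probe include `<sys/audit.h>` and pass AUDIT_FAIL_AUTH, or document the dependency here with a comment such as `/* sys/audit.h provides AUDIT_FAIL_AUTH, needed when AIX_LOGINFAILED_4ARG is set */`.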