search for: loginmsg

Hi All. I've decided to try to merge the -Portable parts of the password expiry patch (see bug #14) that do not depend on the OpenBSD change in bug #463. The attached patch is the first step in this process. It removes the AIX-specific "char *aixloginmsg" and replaces it with a platform-neutral "Buffer loginmsg". I think this is worth having in -Portable even if it does not make it to OpenBSD. Does anyone see any problems with or have any objections to this patch? -Daz. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69...

Cf. http://seclists.org/fulldisclosure/2008/Jul/0090.html This Mrdkaaa character claims to have exploited this, but does not say how. The issue is that if do_pam_account() fails, do_authloop() will call packet_disconnect() with loginmsg as the format string (classic printf(foo) instead of printf("%s", foo) bug). The stuff that do_authloop() appends to loginmsg is harmless (the user name is safe, since at this point we know the account exists). The question is, what does loginmsg contain before do_authloop()? Can login...

...ext part -------------- *** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') !...

...the box as root. [...] *** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') !...

...word_change_required; +#endif + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false @@ -202,19 +208,39 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to contro...

..." #include "channels.h" #include "match.h" +#ifdef HAVE_LOGIN_H +#include <login.h> +#endif #include "bufaux.h" #include "ssh2.h" @@ -111,8 +114,20 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) { + if (loginmsg && *loginmsg) { + /* Remove embedded newlines (if any) */ + char *p; + for (p = loginmsg; *p; p++) + if (*p == '\n') + *p = ' '; + /* Remove trailing newline */...

..., access should be denied. Being a simple soul, I have added a routine passwdexpires ( AIX Lib ) directly after loginrestrictions with the same code. I think this should be urgently added to the code - hope this helps. auth.c /* mpi change expiresmsg */ #ifdef WITH_AIXAUTHENTICATE char *loginmsg; char *expiresmsg; int passexpcode; #endif /* WITH_AIXAUTHENTICATE */ #ifdef WITH_AIXAUTHENTICATE auth.c /* mpi change passwdexpires hinein */ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { if (loginmsg && *loginms...

http://bugzilla.mindrot.org/show_bug.cgi?id=1087 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Group|Portable OpenSSH | ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...2p1.old/monitor.c Sun Jul 17 03:53:31 2005 +++ openssh-4.2p1.new/monitor.c Tue Dec 20 09:10:04 2005 @@ -1716,6 +1716,11 @@ child_state.input = buffer_get_string(&m, &child_state.ilen); child_state.output = buffer_get_string(&m, &child_state.olen); + /* Let's not forget our loginmsg, now, eh? */ + p = buffer_get_string (&m, &plen); + if (plen) buffer_append (&loginmsg, p, plen); + xfree (p); + buffer_free(&m); } diff -Naur openssh-4.2p1.old/monitor_wrap.c openssh-4.2p1.new/monitor_wrap.c --- openssh-4.2p1.old/monitor_wrap.c Sun Jul 17 03:53:31 2005 +++ ope...

...file: /usr/local/.cvs/auth/openssh/auth.c,v retrieving revision 1.1.1.5 diff -c -r1.1.1.5 auth.c *** auth.c 2002/03/08 07:55:38 1.1.1.5 --- auth.c 2002/03/15 12:54:01 *************** *** 177,183 **** } #ifdef WITH_AIXAUTHENTICATE ! if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p; --- 177,190 ---- } #ifdef WITH_AIXAUTHENTICATE ! /* ! * To let the user read a possible message in /etc/nologin we have to ! * accept him here. Otherwise the message will just b...

http://bugzilla.mindrot.org/show_bug.cgi?id=383 ------- Additional Comments From markus at openbsd.org 2002-08-23 07:46 ------- what does "rlogin set to false" mean? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=463 ------- Additional Comments From dtucker at zip.com.au 2003-05-10 12:59 ------- I've had a look at the OpenBSD source and I don't think OpenBSD *needs* a "Buffer loginmsg" right now. PrintLastLog can be easily fixed by updating s->last_login_time before the privsep split. So, is there another reason OpenBSD needs (or wants) a "Buffer loginmsg"? Or should it be -portable only? Have I overlooked something? And what's the feeling on the mo...

...======================= RCS file: /cvs/openssh/auth.c,v retrieving revision 1.58 diff -u -r1.58 auth.c --- auth.c 21 Sep 2002 15:26:53 -0000 1.58 +++ auth.c 29 Sep 2002 05:53:43 -0000 @@ -202,7 +202,7 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + if ((geteuid()==0) && loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p;

...success() call (which writes a new login record), the last login record can be retrieved by that very same call. If we look at port-aix.c, we can see the following: if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; if (msg != NULL && loginmsg != NULL && !msg_done) { debug("AIX/loginsuccess: msg %s", msg); buffer_append(loginmsg, msg, strlen(msg)); xfree(msg); msg_done = 1; } } The pointer "msg" points to the new...

Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is because the authentication is postponed and the messages will be collected after the post-auth privsep split. Comments? OK? -- Darren Tucker (dtucker at zip.com.au) GPG key 8F...

...;servconf.h" #include "auth.h" +#include "auth-options.h" +#include "misc.h" +#include "buffer.h" #include "openbsd-compat/xcrypt.h" #ifdef WITH_AIXAUTHENTICATE # include "buffer.h" # include "canohost.h" -extern Buffer loginmsg; #endif extern ServerOptions options; +extern Buffer loginmsg; +int password_change_required = 0; /* * Tries to authenticate the user using password. Returns true if @@ -168,4 +172,81 @@ } # endif #endif /* !HAVE_OSF_SIA */ +} + +/* + * Perform generic password change via tty. Like d...

...ned(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ @@ -81,8 +83,10 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; +extern Buffer login_message; +extern int password_change_required; #ifdef WITH_AIXAUTHENTICATE -extern char *aixloginmsg; +void aix_remove_embedded_newlines(char *); #endif /* @@ -149,13 +153,23 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); - if (authsuccess) + if (authsuccess) { + char *m...

...in the compilation of "auth.c". *** openssh_cvs/auth.c- Sun Mar 18 12:52:30 2001 --- openssh_cvs/auth.c Sun Mar 18 13:32:20 2001 *************** *** 57,63 **** allowed_user(struct passwd * pw) { struct stat st; ! char *shell, *cp; int i; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; --- 57,63 ---- allowed_user(struct passwd * pw) { struct stat st; ! char *shell, *cp, *getusershell(); int i; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; -- ayamura

...ginsuccess() call (which writes a new login record), the last login record can be retrieved by that very same call. If we look at port-aix.c, we can see the following: if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; if (msg != NULL && loginmsg != NULL && !msg_done) { debug("AIX/loginsuccess: msg %s", msg); buffer_append(loginmsg, msg, strlen(msg)); xfree(msg); msg_done = 1; } } The pointer "msg" points to the new...

...fer.h" #include "xmalloc.h" #include "canohost.h" +#include "misc.h" +#include "auth-options.h" #if !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the SIA cases */ @@ -82,6 +84,7 @@ extern ServerOptions options; extern Buffer loginmsg; +int password_change_required = 0; /* * Tries to authenticate the user using password. Returns true if @@ -248,4 +251,81 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !HAVE_OSF_SIA */ +} + +...