
Displaying 20 results from an estimated 30 matches for "loginrestrict".

2004 Jun 16
0
Move AIX loginrestrictions test to port-aix.c
Hi All. This patch moves the AIX-specific loginrestrictions() test and associated code to port-aix.c and replaces it with a generic hook (in case any other platforms need this kind of functionality). Comments? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes wit...
2000 Jul 09
0
OpenSSH 2.1.1p2: /etc/nologin handling and related stuff
...wing annoyances: * On AIX there is a signal called SIGDANGER which is sent to all processes when the machine runs low on virtual memory. This patch makes sure that this signal is ignored, because the default on older AIX releases is to kill the running process (which is pretty bad). * On AIX loginrestrictions() is called to decide whether the user is allowed to log in. Since OpenSSH has the PermitRootLogin configuration option you don't want loginrestrictions() pertain to root (since you generally disable remote root logins and only enable root logins with 'PermitRootLogin without-pa...
2002 Oct 13
1
[PATCH] AIX password expiration
Hi All. With one eye on the do_pam_chauthtok() stuff I've merged contributions by Pablo Sor and Mark Pitt into a patch against -current. I'm interested in testers and suggestions for improvements. The patch extends the loginrestrictions test to include expired accounts (but unlike Mark's patch, doesn't log accounts with expired passwords unless they're locked) and adds PAM-like password expiry and forced change (based on Pablo's patch). Tested on AIX 4.3.3 with and without privsep, including regression tests....
2002 Sep 29
0
[PATCH] Only call loginrestiction on AIX if running as root
Hi All, I have found that the regression tests on AIX failed as a non-root user. This is due to a call to loginrestrictions() failing. The man page for loginrestrictions says: "Access Control:The calling process must have access to the account information in the user database and the port information in the port database." These files are: /etc/security/user, /etc/security/login.cfg and /...
2002 Oct 12
9
AIX remote root logins
I am in the process of introducing OpenSSH into our corporate environment. This environment includes Solaris / HP-UX / AIX and Linux. We have had audit tell us we need to disable root logins through telnet... we can do this through the use of OpenSSH on all platforms except AIX apparently bug # 383 was supposed to take care of this and I have downloaded -current snapshot and tested but remote
2002 Aug 22
7
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383 ------- Additional Comments From markus at openbsd.org 2002-08-23 07:46 ------- what does "rlogin set to false" mean? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2001 Nov 05
2
Security - ssh allows unintended access on AIX
...ACCESS IS NOT ALLOWED Beauty of maxage with expires is, that no manual intervention is required to block inactive users. With maxage=5 and expires=1 an inactive user will be locked out after 6 weeks, even if he knows the password, also you can avoid "smoking joes" or inactive accounts. loginrestrictions in auth.c checks everything EXCEPT this. Security problem is, this allows access when access should be denied. Default for expires is -1, which means a password will expire as in maxage, but the user can change his password at anytime, however once set, access should be denied. Being a simple...
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...- today)); + buffer_append(&expire_message, msg, strlen(msg)); } } -#else - /* Shouldn't be called if pw is NULL, but better safe than sorry... */ - if (!pw || !pw->pw_name) - return 0; #endif /* @@ -203,25 +218,46 @@ #ifdef WITH_AIXAUTHENTICATE /* - * Don't check loginrestrictions() for root account (use + * Don't check loginrestrictions or expiry for root account (use * PermitRootLogin to control logins via ssh), or if running as * non-root user (since loginrestrictions will always fail). */ - if ( (pw->pw_uid != 0) && (geteuid() == 0) &&amp...
2002 Mar 21
0
[Bug 178] New: Content of /etc/nologin isn't shown to users, fix triggers probably AIX bug
...Version: 3.1p1 Platform: PPC OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Ralf.Wenk at fh-karlsruhe.de If /etc/nologin is given, the loginrestrictions() function in auth.c will decline any non-root login. So the users will get some kind of wrong password message and do not see any content of /etc/nologin at all. The below fix will correct this behavior. Unfortunately it triggers another - possible AIX 4.3.3 only - bug which will cause the ser...
2003 Jul 05
0
[PATCH] Replace AIX loginmsg with generic Buffer loginmsg
...e: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.73 diff -u -r1.73 auth.c --- auth.c 3 Jun 2003 00:25:48 -0000 1.73 +++ auth.c 5 Jul 2003 01:30:52 -0000 @@ -206,26 +206,23 @@ * PermitRootLogin to control logins via ssh), or if running as * non-root user (since loginrestrictions will always fail). */ - if ((pw->pw_uid != 0) && (geteuid() == 0) && - loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - int loginrestrict_errno = errno; + if ((pw->pw_uid != 0) && (geteuid() == 0)) { + char *msg; - if (loginmsg...
2000 Jan 19
3
AIX openssh patches
...matter whether it is AFS, DFS, SecureID, local. 2) loginsuccess - this function will log to /etc/security/lastlog as well as clear the failed logins. 3) loginfailed - this function will increase the number of failed logins and update /etc/security/lastlog and /etc/security/failedlogins. 4) loginrestrictions - this function will determine if a user is allowed to login (ie too many failed logins, account disabled, etc). This function is used in conjunction with authenticate. 5) SOCKS5 and SOCKS4 support. 6) Support for the system random function instead of egd or /dev/urandom. There is one...
2007 Feb 13
0
[Bug 1284] allow sftp when rlogin=false
...ompat/port-aix.c Sun May 14 05:19:43 2006 @@ -231,231 +231,234 @@ debug3("%s: not checking", __func__); return 1; } + if (getuserattr(pw->pw_name, S_RLOGINCHK, &rlogin, SEC_BOOL) == -1) + rlogin=1; - result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg); + result = loginrestrictions(pw->pw_name, 0, NULL, &msg); if (result == 0) permitted = 1; /* --- openssh-4.3p2/session.c Tue Feb 7 17:18:55 2006 +++ 52/session.c Sun May 14 05:19:16 2006 @@ -660,...
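Review bot: the added fallback `rlogin=1` when `getuserattr(pw->pw_name, S_RLOGINCHK, &rlogin, SEC_BOOL)` returns -1 treats a failed attribute lookup as "remote login allowed". The same hunk stops passing `S_RLOGIN` to `loginrestrictions()`, so that call no longer covers the rlogin attribute, and a lookup error then silently fails open. I would default to 0 on error, or at least log the failure with `debug3` as the surrounding code does, and add a comment explaining why mode 0 is passed.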
2001 Jan 03
0
AIX loginsuccess and aixloginmsg ?
...ICATE - if (aixloginmsg && *aixloginmsg) + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + free(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ if (last_login_time != 0) { Also what about the loginrestrictions call ? Should openssh free the loginmsg from loginrestrictions call ? The aix docs are not clear about this. -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland...
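Review bot: after the added `free(aixloginmsg);` the pointer keeps its old value, so any later test of `aixloginmsg && *aixloginmsg` would read freed memory; set `aixloginmsg = NULL;` right after the free. The free itself should only go in once ownership of the buffer is confirmed, which the message says the AIX documentation leaves unclear, and a short comment recording that decision would help.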
2003 Jun 25
2
openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
...the trick Patch enclosed below (apply after the p20) I'm guessing he'll either update p20 or issue p21 soon. Many thanks Andrew --- auth.c.orig 2003-06-25 23:14:16.000000000 +1000 +++ auth.c 2003-06-25 23:13:36.000000000 +1000 @@ -240,11 +240,12 @@ * non-root user (since loginrestrictions will always fail). */ if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { - int loginrestrict_errno = errno; char *msg; /* check for AIX account restrictions */ if (loginrestrictions(pw->pw_name, S_RLOGIN,...
2001 Apr 25
0
Functionality bug (possibly) in openssh on AIX 4.3
...FC 3808 E141 CDCD 74AE 01C5 5731 8496 -------------- next part -------------- *** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { !...
2000 May 15
1
AIX authenticate patches
...:23 2000 @@ -19,6 +19,9 @@ #include "compat.h" #include "channels.h" #include "match.h" +#ifdef HAVE_LOGIN_H +#include <login.h> +#endif #include "bufaux.h" #include "ssh2.h" @@ -111,8 +114,20 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) { + if (loginmsg && *loginmsg) { + /* Remove embedded newlines (if any) */ + char *p; + for (p = loginmsg; *p; p++) + if (*p == '\n') + *p = &...
2001 Apr 26
2
Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
...), I can then do bad things like rsh, telnet, etc. into the box as root. [...] *** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { !...
2001 Feb 17
2
Small aix patch to configure.in
The following aix patch to configure.in forces /usr/include to be searched before /usr/local/include on AIX systems only. This allows the normal include rules to untangle <login.h> from "login.h" on AIX when using the AIX cc compiler or gcc. Please see that it gets applied to the current cvs source tree. It fixes the only compile time error the current cvs tree has on aix with
2003 Jun 25
2
openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
Hi there, I have just compiled up 3.6.1p2 both with and without Darren Tucker's passexpire patch. However, with the patch applied /etc/nologin isn't displayed to users (on AIX 5.1 / PSSP) The patched version seems to fail with "illegal user" - some parts of a debug 3 log... debug1: userauth-request for user ade45 service ssh-connection method none debug1: attempt 0 failures 0
2001 Dec 26
3
auth*.c
Folks, During testing, we found a couple of issues with openssh3.0.2p1: 1. In userauth_finish() in auth2.c (as well as in do_authloop in auth1.c), the foll. check: if (authctxt->failures++ > AUTH_FAIL_MAX) is never satisfied and thus packet_disconnect() never gets called. I suspect the code just drops out of the dispatch_run function list instead. This should be an == instead of >.