search for: loginsuccess

On AIX 4.3.3 and AIX 5.1, the last successful and unsuccessful logins are no longer printer prior to the motd with either the stock openssh-3.7.1p2 or Darren's openssh-3.7.1p2-pwexp24.patch. In both cases it appears that the loginsuccess() call (auth-passwd.c stock or auth.c Darren's patch) is returning -1 and msg is not appended to loginmsg. /etc/security/lastlog is updated despite the negative return code from loginsuccess(). I am not using privilege separation. The last successful and unsuccessful logins are printed u...

http://cvs-mirror.mozilla.org/webtools/bugzilla/show_bug.cgi?id=385 Summary: loginsuccess on AIX fails Product: Portable OpenSSH Version: -current Platform: PPC OS/Version: AIX Status: NEW Severity: minor Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: ge...

Hi, I noticed that the AIX specific loginsuccess call uses char *aixloginmsg to retrieve login information. Later this message is printed in session.c (around line 753). Loginsuccess mallocs space for this message and according to the aix docs it's the responsibility of the calling program to free this message. I didn't notice any code...

http://bugzilla.mindrot.org/show_bug.cgi?id=385 ------- Additional Comments From mouring at eviladmin.org 2002-08-21 05:12 ------- Just skimming the code it seems to only affect AIX. So as it sounds like a plan. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...Platform: PPC OS/Version: AIX Status: NEW Severity: major Priority: P1 Component: scp AssignedTo: bitbucket at mindrot.org ReportedBy: johntmills at yahoo.com On AIX 5.2 unsuccessful_login_count is incremented by scp because loginsuccess is not run. ssh will run the loginsuccess but scp does not. Since lastlog is not reset users can lock themselves out of the system via our max failure checks. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...rom dtucker at zip.com.au 2003-02-22 16:01 ------- Created an attachment (id=235) --> (http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view) Generate login message as part of login recording. This patch moves the generation of the generic last login message to sshlogin.c, the AIX loginsuccess call to loginrec.c and provides a monitor call to get the login message. (The AIX problem was that loginsuccess did not get called for non-password auth). The reason the monitor call is necessary is that on AIX, the last login message is generated as a side-effect of calling loginsuccess(). This...

http://bugzilla.mindrot.org/show_bug.cgi?id=355 ------- Additional Comments From dtucker at zip.com.au 2002-08-25 18:10 ------- It looks like the call to loginsuccess() fails because it's done as a non-privileged user. This is bad because in addition to generating the message it also clears the failed login counter that leads to account lockout. The following patch fixes it for me but I'm not sure this is the right approach. I still don't proper...

...003 --- openssh-3.7.1p2.patched/auth-passwd.c Mon Sep 22 12:24:15 2003 *************** *** 110,116 **** --- 110,118 ---- pw->pw_name, authmsg); /* No pty yet, so just label the line as "ssh" */ + #if 0 aix_setauthdb(authctxt->user); + #endif if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0) { if (msg != NULL) { *** openssh-3.7.1p2/configure Tue Sep 23 05:55:43 2003 --- openssh-3.7.1p2.patched/configure Tue Oct 28 08:24:57 2003 *************** *** 3100,3105 **** --- 3100,3106 ---- # Check for some target-specif...

...script sets the DISABLE_LASTLOG define. A small code snippet from getlast_entry in loginrec.c shows this #if defined(DISABLE_LASTLOG) /* On some systems we shouldn't even try to obtain last login * time, e.g. AIX */ return (0); On the other hand, when issuing the AIX loginsuccess() call (which writes a new login record), the last login record can be retrieved by that very same call. If we look at port-aix.c, we can see the following: if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; if (msg != NULL && loginmsg !...

...ulen; char *user; #ifdef WITH_AIXAUTHENTICATE - char *loginmsg; + extern char *aixloginmsg; #endif /* WITH_AIXAUTHENTICATE */ /* Get the name of the user that we wish to log in as. */ @@ -501,7 +503,9 @@ /* The user has been authenticated and accepted. */ #ifdef WITH_AIXAUTHENTICATE - loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) + aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ packet_...

Somewhere between 2.9p1 and 2.9.9p2 there was a change to auth2.c that removed the userauth_reply() function. There were a few lines of code in that function, #ifdef'd with WITH_AIXAUTHENTICATE, that handled the AIX method of lastlog type stuff (specifically, a loginsuccess() call). There is a similar call in auth1.c, down in do_authentication(), which is still there in 2.9.9p2. So with 2.9.9p2, the lastlog stuff is handled properly if you connect with protocol version 1, but not with protocol version 2. Looking at the code a little, maybe this can be moved into do_...

...eter list /usr/include/usersec.h:657: warning: `struct aud_rec' declared inside parameter list auth.c: In function `allowed_user': auth.c:283: warning: long unsigned int format, unsigned int arg (arg 3) auth.c: In function `generate_login_message': auth.c:341: warning: passing arg 1 of `loginsuccess' discards qualifiers from pointer target type auth.c:341: warning: passing arg 2 of `loginsuccess' discards qualifiers from pointer target type auth.c: In function `auth_log': auth.c:403: warning: passing arg 2 of `loginfailed' discards qualifiers from pointer target type auth.c:403...

...script sets the DISABLE_LASTLOG define. A small code snippet from getlast_entry in loginrec.c shows this #if defined(DISABLE_LASTLOG) /* On some systems we shouldn't even try to obtain last login * time, e.g. AIX */ return (0); On the other hand, when issuing the AIX loginsuccess() call (which writes a new login record), the last login record can be retrieved by that very same call. If we look at port-aix.c, we can see the following: if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { success = 1; if (msg != NULL && loginms...

http://bugzilla.mindrot.org/show_bug.cgi?id=463 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #235 is|0 |1 obsolete| | Attachment #288 is|0 |1 obsolete|

http://bugzilla.mindrot.org/show_bug.cgi?id=1207 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|unsuccessful_login_count |sshd does not clear |gets incremented by scp |unsuccessful login count on |

Hi David, I'm sure loginfailed(..) should be called immediately after authenticate(..) returned an error. It is directly related to an invalid password try. (Please see my attached mail from May 2001 to the list). I'm not so sure when loginsuccess(..) should be called (setting the loginfailed counter to zero): Either 1) when somebody logs in successfully using all kinds of valid openssh-login mechanisms or 2) when somebody logs in successfully WITH the correct password ONLY Probably 2) would be correct, but we could live with 1) also as...

....9p2/auth2.c Tue Oct 2 17:54:56 2001 *************** *** 275,280 **** --- 275,287 ---- /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { + #ifdef WITH_AIXAUTHENTICATE + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(authctxt->user?authctxt->user:"NOUSER", + get_canonical_hostname(options.reverse_mapping_check), + "ssh", &aixloginmsg) < 0) + aixloginmsg = NULL; + #endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_RE...

...riority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Heinrich.Mislik at univie.ac.at When a user connects to 3.4p1 on AIX with privilege separation on, no last login message is displayed. It seems, that the message is retrieved by a call to loginsuccess() as root, the output of the message is done in the nonprivileged child. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=463 ------- Additional Comments From dtucker at zip.com.au 2003-01-07 23:43 ------- Generate the message earlier in the login process and store for display after session startup? Rather than another variable for this (eg aixloginmsg, maybe __pam_msg), what about using a single Buffer for storing all of the messages to be displayed after login?

...en using my expiry patches, you should be aware that there are some differences in behaviour between them and -current: 1) password expiry is only checked for password authentication 2) after a change (successful or otherwise), the session is terminated and the user must log in again 3) AIX's loginsuccess() is not called for non-password authentications 4) There is no warning of pending account or password expirations for shadow passwords. 5) Last login times won't be displayed when lastlog is readable only be root. Most of the other authentication-related fixes have been merged into -curre...