- (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]

Convert aixloginmsg into platform-independant Buffer loginmsg.

ChangeLog

@@ -2,7 +2,9 @@
  - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
    Include AIX headers for authentication functions and make calls match
    prototypes.  Test for and handle 3-args and 4-arg variants of loginfailed.
- - (dtucker) Check return value of setpcred().
+ - (dtucker) [session.c] Check return value of setpcred().
+ - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
+   Convert aixloginmsg into platform-independant Buffer loginmsg.
 
 20030707
  - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
@@ -668,4 +670,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2848 2003/07/08 11:01:04 dtucker Exp $
+$Id: ChangeLog,v 1.2849 2003/07/08 12:59:59 dtucker Exp $

auth-passwd.c

@@ -42,6 +42,8 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
+#include "buffer.h"
+#include "xmalloc.h"
 #include "canohost.h"
 
 #if !defined(HAVE_OSF_SIA)
@@ -79,9 +81,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
 #endif /* !HAVE_OSF_SIA */
 
 extern ServerOptions options;
-#ifdef WITH_AIXAUTHENTICATE
+extern Buffer loginmsg;
-extern char *aixloginmsg;
-#endif
 
 /*
  * Tries to authenticate the user using password.  Returns true if
@@ -149,15 +149,29 @@ auth_password(Authctxt *authctxt, const char *password)
 # endif
 # ifdef WITH_AIXAUTHENTICATE
 	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+	aix_remove_embedded_newlines(authmsg);	
 
 	if (authsuccess) {
+		char *msg;
+		char *host = (char *)get_canonical_hostname(options.use_dns);
+
+		debug3("AIX/authenticate succeeded for user %s: %.100s",
+			pw->pw_name, authmsg);
+
 	        /* We don't have a pty yet, so just label the line as "ssh" */
-	        if (loginsuccess(authctxt->user,
+	        if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0){
-		    get_canonical_hostname(options.use_dns),
+			if (msg != NULL) {
-		    "ssh", &aixloginmsg) < 0) {
+				debug("%s: msg %s", __func__, msg);
-			aixloginmsg = NULL;
+				buffer_append(&loginmsg, msg, strlen(msg));
+				xfree(msg);
+			}
 		}
+	} else {
+		debug3("AIX/authenticate failed for user %s: %.100s",
+		    pw->pw_name, authmsg);
 	}
+	if (authmsg != NULL)
+		xfree(authmsg);
 
 	return (authsuccess);
 # endif

auth.c

@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
 
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 /* Debugging messages */
 Buffer auth_debug;
@@ -75,9 +76,6 @@ allowed_user(struct passwd * pw)
 	const char *hostname = NULL, *ipaddr = NULL;
 	char *shell;
 	int i;
-#ifdef WITH_AIXAUTHENTICATE
-	char *loginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
     defined(HAS_SHADOW_EXPIRE)
 	struct spwd *spw;
@@ -206,26 +204,23 @@ allowed_user(struct passwd * pw)
 	 * PermitRootLogin to control logins via ssh), or if running as
 	 * non-root user (since loginrestrictions will always fail).
 	 */
-	if ((pw->pw_uid != 0) && (geteuid() == 0) &&
+	if ((pw->pw_uid != 0) && (geteuid() == 0)) {
-	    loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+		char *msg;
-		int loginrestrict_errno = errno;
 
-		if (loginmsg && *loginmsg) {
+	   	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
-			/* Remove embedded newlines (if any) */
+			int loginrestrict_errno = errno;
-			char *p;
+
-			for (p = loginmsg; *p; p++) {
+			if (msg && *msg) {
-				if (*p == '\n')
+				buffer_append(&loginmsg, msg, strlen(msg));
-					*p = ' ';
+				aix_remove_embedded_newlines(msg);
+				logit("Login restricted for %s: %.100s",
+				    pw->pw_name, msg);
 			}
-			/* Remove trailing newline */
+			/* Don't fail if /etc/nologin  set */
-			*--p = '\0';
+		    	if (!(loginrestrict_errno == EPERM && 
-			logit("Login restricted for %s: %.100s", pw->pw_name, 
+			    stat(_PATH_NOLOGIN, &st) == 0))
-			    loginmsg);
+				return 0;
 		}
-		/* Don't fail if /etc/nologin  set */
-	    	if (!(loginrestrict_errno == EPERM && 
-		    stat(_PATH_NOLOGIN, &st) == 0))
-			return 0;
 	}
 #endif /* WITH_AIXAUTHENTICATE */
 

openbsd-compat/port-aix.c

@@ -61,6 +61,28 @@ aix_usrinfo(struct passwd *pw)
 	xfree(cp);
 }
 
+#ifdef WITH_AIXAUTHENTICATE
+/*
+ * Remove embedded newlines in string (if any).
+ * Used before logging messages returned by AIX authentication functions
+ * so the message is logged on one line.
+ */
+void
+aix_remove_embedded_newlines(char *p)
+{
+	if (p == NULL)
+		return;
+
+	for (; *p; p++) {
+		if (*p == '\n')
+			*p = ' ';
+	}
+	/* Remove trailing whitespace */
+	if (*--p == ' ')
+		*p = '\0';
+}
+#endif /* WITH_AIXAUTHENTICATE */
+  
 # ifdef CUSTOM_FAILED_LOGIN
 /*
  * record_failed_login: generic "login failed" interface function

openbsd-compat/port-aix.h

@@ -51,4 +51,5 @@ void record_failed_login(const char *user, const char *ttyname);
 #endif
 
 void aix_usrinfo(struct passwd *pw);
+void aix_remove_embedded_newlines(char *);
 #endif /* _AIX */

session.c

@@ -95,6 +95,7 @@ extern int debug_flag;
 extern u_int utmp_len;
 extern int startup_pipe;
 extern void destroy_sensitive_data(void);
+extern Buffer loginmsg;
 
 /* original command from peer. */
 const char *original_command = NULL;
@@ -103,10 +104,6 @@ const char *original_command = NULL;
 #define MAX_SESSIONS 10
 Session	sessions[MAX_SESSIONS];
 
-#ifdef WITH_AIXAUTHENTICATE
-char *aixloginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
-
 #ifdef HAVE_LOGIN_CAP
 login_cap_t *lc;
 #endif
@@ -770,10 +767,13 @@ do_login(Session *s, const char *command)
 	if (options.use_pam && !is_pam_password_change_required())
 		print_pam_messages();
 #endif /* USE_PAM */
-#ifdef WITH_AIXAUTHENTICATE
+
-	if (aixloginmsg && *aixloginmsg)
+	/* display post-login message */
-		printf("%s\n", aixloginmsg);
+	if (buffer_len(&loginmsg) > 0) {
-#endif /* WITH_AIXAUTHENTICATE */
+		buffer_append(&loginmsg, "\0", 1);
+		printf("%s\n", (char *)buffer_ptr(&loginmsg));
+	}
+	buffer_free(&loginmsg);
 
 #ifndef NO_SSH_LASTLOG
 	if (options.print_lastlog && s->last_login_time != 0) {

sshd.c

@@ -201,6 +201,9 @@ int startup_pipe;		/* in child */
 int use_privsep;
 struct monitor *pmonitor;
 
+/* message to be displayed after login */
+Buffer loginmsg;
+
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
@@ -1501,6 +1504,9 @@ main(int ac, char **av)
 
 	packet_set_nonblocking();
 
+        /* prepare buffers to collect authentication messages */
+	buffer_init(&loginmsg);
+
 	if (use_privsep)
 		if ((authctxt = privsep_preauth()) != NULL)
 			goto authenticated;