1 /*
2  *
3  * Copyright (c) 2001 Gert Doering.  All rights reserved.
4  * Copyright (c) 2003,2004,2005 Darren Tucker.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  *
26  */
27 #include "includes.h"
28 
29 #include "xmalloc.h"
30 #include "buffer.h"
31 #include "key.h"
32 #include "hostfile.h"
33 #include "auth.h"
34 #include "ssh.h"
35 #include "log.h"
36 
37 #ifdef _AIX
38 
39 #include <errno.h>
40 #if defined(HAVE_NETDB_H)
41 # include <netdb.h>
42 #endif
43 #include <uinfo.h>
44 #include <stdarg.h>
45 #include <string.h>
46 #include <unistd.h>
47 #include <sys/socket.h>
48 
49 #ifdef WITH_AIXAUTHENTICATE
50 # include <login.h>
51 # include <userpw.h>
52 # if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG)
53 #  include <sys/audit.h>
54 # endif
55 # include <usersec.h>
56 #endif
57 
58 #include "port-aix.h"
59 
60 # ifdef HAVE_SETAUTHDB
61 static char old_registry[REGISTRY_SIZE] = "";
62 # endif
63 
64 /*
65  * AIX has a "usrinfo" area where logname and other stuff is stored -
66  * a few applications actually use this and die if it's not set
67  *
68  * NOTE: TTY= should be set, but since no one uses it and it's hard to
69  * acquire due to privsep code.  We will just drop support.
70  */
71 void
72 aix_usrinfo(struct passwd *pw)
73 {
74 	u_int i;
75 	size_t len;
76 	char *cp;
77 
78 	len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
79 	cp = xmalloc(len);
80 
81 	i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
82 	    pw->pw_name, '\0');
83 	if (usrinfo(SETUINFO, cp, i) == -1)
84 		fatal("Couldn't set usrinfo: %s", strerror(errno));
85 	debug3("AIX/UsrInfo: set len %d", i);
86 
87 	xfree(cp);
88 }
89 
90 # ifdef WITH_AIXAUTHENTICATE
91 /*
92  * Remove embedded newlines in string (if any).
93  * Used before logging messages returned by AIX authentication functions
94  * so the message is logged on one line.
95  */
96 void
97 aix_remove_embedded_newlines(char *p)
98 {
99 	if (p == NULL)
100 		return;
101 
102 	for (; *p; p++) {
103 		if (*p == '\n')
104 			*p = ' ';
105 	}
106 	/* Remove trailing whitespace */
107 	if (*--p == ' ')
108 		*p = '\0';
109 }
110 
111 /*
112  * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
113  * anything other than NONE or SYSTEM, which indicates that the admin has
114  * configured the account for purely AUTH1-type authentication.
115  *
116  * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
117  * AUTH1 itself, in such a case authenticate() will allow access without
118  * authentation, which is almost certainly not what the admin intends.
119  *
120  * (The native tools, eg login, will process the AUTH1 list in addition to
121  * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
122  * have been deprecated since AIX 4.2.x and would be very difficult for sshd
123  * to support.
124  *
125  * Returns 0 if an unsupportable combination is found, 1 otherwise.
126  */
127 static int
128 aix_valid_authentications(const char *user)
129 {
130 	char *auth1, *sys, *p;
131 	int valid = 1;
132 
133 	if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
134 		logit("Can't retrieve attribute SYSTEM for %s: %.100s",
135 		    user, strerror(errno));
136 		return 0;
137 	}
138 
139 	debug3("AIX SYSTEM attribute %s", sys);
140 	if (strcmp(sys, "NONE") != 0)
141 		return 1;	/* not "NONE", so is OK */
142 
143 	if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
144 		logit("Can't retrieve attribute auth1 for %s: %.100s",
145 		    user, strerror(errno));
146 		return 0;
147 	}
148 
149 	p = auth1;
150 	/* A SEC_LIST is concatenated strings, ending with two NULs. */
151 	while (p[0] != '\0' && p[1] != '\0') {
152 		debug3("AIX auth1 attribute list member %s", p);
153 		if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
154 			logit("Account %s has unsupported auth1 value '%s'",
155 			    user, p);
156 			valid = 0;
157 		}
158 		p += strlen(p) + 1;
159 	}
160 
161 	return (valid);
162 }
163 
164 /*
165  * Do authentication via AIX's authenticate routine.  We loop until the
166  * reenter parameter is 0, but normally authenticate is called only once.
167  *
168  * Note: this function returns 1 on success, whereas AIX's authenticate()
169  * returns 0.
170  */
171 int
172 sys_auth_passwd(Authctxt *ctxt, const char *password)
173 {
174 	char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
175 	int authsuccess = 0, expired, reenter, result;
176 
177 	do {
178 		result = authenticate((char *)name, (char *)password, &reenter,
179 		    &authmsg);
180 		aix_remove_embedded_newlines(authmsg);
181 		debug3("AIX/authenticate result %d, authmsg %.100s", result,
182 		    authmsg);
183 	} while (reenter);
184 
185 	if (!aix_valid_authentications(name))
186 		result = -1;
187 
188 	if (result == 0) {
189 		authsuccess = 1;
190 
191 		/*
192 		 * Record successful login.  We don't have a pty yet, so just
193 		 * label the line as "ssh"
194 		 */
195 		aix_setauthdb(name);
196 
197 		/*
198 		 * Check if the user's password is expired.
199 		 */
200 		expired = passwdexpired(name, &msg);
201 		if (msg && *msg) {
202 			buffer_append(ctxt->loginmsg, msg, strlen(msg));
203 			aix_remove_embedded_newlines(msg);
204 		}
205 		debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
206 
207 		switch (expired) {
208 		case 0: /* password not expired */
209 			break;
210 		case 1: /* expired, password change required */
211 			ctxt->force_pwchange = 1;
212 			break;
213 		default: /* user can't change(2) or other error (-1) */
214 			logit("Password can't be changed for user %s: %.100s",
215 			    name, msg);
216 			if (msg)
217 				xfree(msg);
218 			authsuccess = 0;
219 		}
220 
221 		aix_restoreauthdb();
222 	}
223 
224 	if (authmsg != NULL)
225 		xfree(authmsg);
226 
227 	return authsuccess;
228 }
229 
230 /*
231  * Check if specified account is permitted to log in.
232  * Returns 1 if login is allowed, 0 if not allowed.
233  */
234 int
235 sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
236 {
237 	char *msg = NULL;
238 	int result, permitted = 0;
239 	struct stat st;
240 
241 	/*
242 	 * Don't perform checks for root account (PermitRootLogin controls
243 	 * logins via ssh) or if running as non-root user (since
244 	 * loginrestrictions will always fail due to insufficient privilege).
245 	 */
246 	if (pw->pw_uid == 0 || geteuid() != 0) {
247 		debug3("%s: not checking", __func__);
248 		return 1;
249 	}
250 
251 	result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
252 	if (result == 0)
253 		permitted = 1;
254 	/*
255 	 * If restricted because /etc/nologin exists, the login will be denied
256 	 * in session.c after the nologin message is sent, so allow for now
257 	 * and do not append the returned message.
258 	 */
259 	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
260 		permitted = 1;
261 	else if (msg != NULL)
262 		buffer_append(loginmsg, msg, strlen(msg));
263 	if (msg == NULL)
264 		msg = xstrdup("(none)");
265 	aix_remove_embedded_newlines(msg);
266 	debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
267 
268 	if (!permitted)
269 		logit("Login restricted for %s: %.100s", pw->pw_name, msg);
270 	xfree(msg);
271 	return permitted;
272 }
273 
274 int
275 sys_auth_record_login(const char *user, const char *host, const char *ttynm,
276     Buffer *loginmsg)
277 {
278 	char *msg = NULL;
279 	static int msg_done = 0;
280 	int success = 0;
281 
282 	aix_setauthdb(user);
283 	if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
284 		success = 1;
285 		if (msg != NULL && loginmsg != NULL && !msg_done) {
286 			debug("AIX/loginsuccess: msg %s", msg);
287 			buffer_append(loginmsg, msg, strlen(msg));
288 			xfree(msg);
289 			msg_done = 1;
290 		}
291 	}
292 	aix_restoreauthdb();
293 	return (success);
294 }
295 
296 #  ifdef CUSTOM_FAILED_LOGIN
297 /*
298  * record_failed_login: generic "login failed" interface function
299  */
300 void
301 record_failed_login(const char *user, const char *hostname, const char *ttyname)
302 {
303 	if (geteuid() != 0)
304 		return;
305 
306 	aix_setauthdb(user);
307 #   ifdef AIX_LOGINFAILED_4ARG
308 	loginfailed((char *)user, (char *)hostname, (char *)ttyname,
309 	    AUDIT_FAIL_AUTH);
310 #   else
311 	loginfailed((char *)user, (char *)hostname, (char *)ttyname);
312 #   endif
313 	aix_restoreauthdb();
314 }
315 #  endif /* CUSTOM_FAILED_LOGIN */
316 
317 /*
318  * If we have setauthdb, retrieve the password registry for the user's
319  * account then feed it to setauthdb.  This will mean that subsequent AIX auth
320  * functions will only use the specified loadable module.  If we don't have
321  * setauthdb this is a no-op.
322  */
323 void
324 aix_setauthdb(const char *user)
325 {
326 #  ifdef HAVE_SETAUTHDB
327 	char *registry;
328 
329 	if (setuserdb(S_READ) == -1) {
330 		debug3("%s: Could not open userdb to read", __func__);
331 		return;
332 	}
333 
334 	if (getuserattr((char *)user, S_REGISTRY, &registry, SEC_CHAR) == 0) {
335 		if (setauthdb(registry, old_registry) == 0)
336 			debug3("AIX/setauthdb set registry '%s'", registry);
337 		else
338 			debug3("AIX/setauthdb set registry '%s' failed: %s",
339 			    registry, strerror(errno));
340 	} else
341 		debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
342 		    strerror(errno));
343 	enduserdb();
344 #  endif /* HAVE_SETAUTHDB */
345 }
346 
347 /*
348  * Restore the user's registry settings from old_registry.
349  * Note that if the first aix_setauthdb fails, setauthdb("") is still safe
350  * (it restores the system default behaviour).  If we don't have setauthdb,
351  * this is a no-op.
352  */
353 void
354 aix_restoreauthdb(void)
355 {
356 #  ifdef HAVE_SETAUTHDB
357 	if (setauthdb(old_registry, NULL) == 0)
358 		debug3("%s: restoring old registry '%s'", __func__,
359 		    old_registry);
360 	else
361 		debug3("%s: failed to restore old registry %s", __func__,
362 		    old_registry);
363 #  endif /* HAVE_SETAUTHDB */
364 }
365 
366 # endif /* WITH_AIXAUTHENTICATE */
367 
368 # if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO)
369 # undef getnameinfo
370 /*
371  * For some reason, AIX's getnameinfo will refuse to resolve the all-zeros
372  * IPv6 address into its textual representation ("::"), so we wrap it
373  * with a function that will.
374  */
375 int
376 sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
377     size_t hostlen, char *serv, size_t servlen, int flags)
378 {
379 	struct sockaddr_in6 *sa6;
380 	u_int32_t *a6;
381 
382 	if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) &&
383 	    sa->sa_family == AF_INET6) {
384 		sa6 = (struct sockaddr_in6 *)sa;
385 		a6 = sa6->sin6_addr.u6_addr.u6_addr32;
386 
387 		if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) {
388 			strlcpy(host, "::", hostlen);
389 			snprintf(serv, servlen, "%d", sa6->sin6_port);
390 			return 0;
391 		}
392 	}
393 	return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
394 }
395 # endif /* AIX_GETNAMEINFO_HACK */
396 
397 #endif /* _AIX */
398