1 /*
2  *
3  * Copyright (c) 2001 Gert Doering.  All rights reserved.
4  * Copyright (c) 2003,2004,2005 Darren Tucker.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  *
26  */
27 #include "includes.h"
28 #include "auth.h"
29 #include "ssh.h"
30 #include "log.h"
31 #include "xmalloc.h"
32 #include "buffer.h"
33 
34 #ifdef _AIX
35 
36 #include <errno.h>
37 #if defined(HAVE_NETDB_H)
38 # include <netdb.h>
39 #endif
40 #include <uinfo.h>
41 #include <sys/socket.h>
42 #include "port-aix.h"
43 
44 # ifdef HAVE_SETAUTHDB
45 static char old_registry[REGISTRY_SIZE] = "";
46 # endif
47 
48 /*
49  * AIX has a "usrinfo" area where logname and other stuff is stored -
50  * a few applications actually use this and die if it's not set
51  *
52  * NOTE: TTY= should be set, but since no one uses it and it's hard to
53  * acquire due to privsep code.  We will just drop support.
54  */
55 void
56 aix_usrinfo(struct passwd *pw)
57 {
58 	u_int i;
59 	size_t len;
60 	char *cp;
61 
62 	len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
63 	cp = xmalloc(len);
64 
65 	i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
66 	    pw->pw_name, '\0');
67 	if (usrinfo(SETUINFO, cp, i) == -1)
68 		fatal("Couldn't set usrinfo: %s", strerror(errno));
69 	debug3("AIX/UsrInfo: set len %d", i);
70 
71 	xfree(cp);
72 }
73 
74 # ifdef WITH_AIXAUTHENTICATE
75 /*
76  * Remove embedded newlines in string (if any).
77  * Used before logging messages returned by AIX authentication functions
78  * so the message is logged on one line.
79  */
80 void
81 aix_remove_embedded_newlines(char *p)
82 {
83 	if (p == NULL)
84 		return;
85 
86 	for (; *p; p++) {
87 		if (*p == '\n')
88 			*p = ' ';
89 	}
90 	/* Remove trailing whitespace */
91 	if (*--p == ' ')
92 		*p = '\0';
93 }
94 
95 /*
96  * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
97  * anything other than NONE or SYSTEM, which indicates that the admin has
98  * configured the account for purely AUTH1-type authentication.
99  *
100  * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
101  * AUTH1 itself, in such a case authenticate() will allow access without
102  * authentation, which is almost certainly not what the admin intends.
103  *
104  * (The native tools, eg login, will process the AUTH1 list in addition to
105  * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
106  * have been deprecated since AIX 4.2.x and would be very difficult for sshd
107  * to support.
108  *
109  * Returns 0 if an unsupportable combination is found, 1 otherwise.
110  */
111 static int
112 aix_valid_authentications(const char *user)
113 {
114 	char *auth1, *sys, *p;
115 	int valid = 1;
116 
117 	if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
118 		logit("Can't retrieve attribute SYSTEM for %s: %.100s",
119 		    user, strerror(errno));
120 		return 0;
121 	}
122 
123 	debug3("AIX SYSTEM attribute %s", sys);
124 	if (strcmp(sys, "NONE") != 0)
125 		return 1;	/* not "NONE", so is OK */
126 
127 	if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
128 		logit("Can't retrieve attribute auth1 for %s: %.100s",
129 		    user, strerror(errno));
130 		return 0;
131 	}
132 
133 	p = auth1;
134 	/* A SEC_LIST is concatenated strings, ending with two NULs. */
135 	while (p[0] != '\0' && p[1] != '\0') {
136 		debug3("AIX auth1 attribute list member %s", p);
137 		if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
138 			logit("Account %s has unsupported auth1 value '%s'",
139 			    user, p);
140 			valid = 0;
141 		}
142 		p += strlen(p) + 1;
143 	}
144 
145 	return (valid);
146 }
147 
148 /*
149  * Do authentication via AIX's authenticate routine.  We loop until the
150  * reenter parameter is 0, but normally authenticate is called only once.
151  *
152  * Note: this function returns 1 on success, whereas AIX's authenticate()
153  * returns 0.
154  */
155 int
156 sys_auth_passwd(Authctxt *ctxt, const char *password)
157 {
158 	char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
159 	int authsuccess = 0, expired, reenter, result;
160 
161 	do {
162 		result = authenticate((char *)name, (char *)password, &reenter,
163 		    &authmsg);
164 		aix_remove_embedded_newlines(authmsg);
165 		debug3("AIX/authenticate result %d, authmsg %.100s", result,
166 		    authmsg);
167 	} while (reenter);
168 
169 	if (!aix_valid_authentications(name))
170 		result = -1;
171 
172 	if (result == 0) {
173 		authsuccess = 1;
174 
175 		/*
176 		 * Record successful login.  We don't have a pty yet, so just
177 		 * label the line as "ssh"
178 		 */
179 		aix_setauthdb(name);
180 
181 		/*
182 		 * Check if the user's password is expired.
183 		 */
184 		expired = passwdexpired(name, &msg);
185 		if (msg && *msg) {
186 			buffer_append(ctxt->loginmsg, msg, strlen(msg));
187 			aix_remove_embedded_newlines(msg);
188 		}
189 		debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
190 
191 		switch (expired) {
192 		case 0: /* password not expired */
193 			break;
194 		case 1: /* expired, password change required */
195 			ctxt->force_pwchange = 1;
196 			break;
197 		default: /* user can't change(2) or other error (-1) */
198 			logit("Password can't be changed for user %s: %.100s",
199 			    name, msg);
200 			if (msg)
201 				xfree(msg);
202 			authsuccess = 0;
203 		}
204 
205 		aix_restoreauthdb();
206 	}
207 
208 	if (authmsg != NULL)
209 		xfree(authmsg);
210 
211 	return authsuccess;
212 }
213 
214 /*
215  * Check if specified account is permitted to log in.
216  * Returns 1 if login is allowed, 0 if not allowed.
217  */
218 int
219 sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
220 {
221 	char *msg = NULL;
222 	int result, permitted = 0;
223 	struct stat st;
224 
225 	/*
226 	 * Don't perform checks for root account (PermitRootLogin controls
227 	 * logins via * ssh) or if running as non-root user (since
228 	 * loginrestrictions will always fail due to insufficient privilege).
229 	 */
230 	if (pw->pw_uid == 0 || geteuid() != 0) {
231 		debug3("%s: not checking", __func__);
232 		return 1;
233 	}
234 
235 	result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
236 	if (result == 0)
237 		permitted = 1;
238 	/*
239 	 * If restricted because /etc/nologin exists, the login will be denied
240 	 * in session.c after the nologin message is sent, so allow for now
241 	 * and do not append the returned message.
242 	 */
243 	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
244 		permitted = 1;
245 	else if (msg != NULL)
246 		buffer_append(loginmsg, msg, strlen(msg));
247 	if (msg == NULL)
248 		msg = xstrdup("(none)");
249 	aix_remove_embedded_newlines(msg);
250 	debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
251 
252 	if (!permitted)
253 		logit("Login restricted for %s: %.100s", pw->pw_name, msg);
254 	xfree(msg);
255 	return permitted;
256 }
257 
258 int
259 sys_auth_record_login(const char *user, const char *host, const char *ttynm,
260     Buffer *loginmsg)
261 {
262 	char *msg = NULL;
263 	int success = 0;
264 
265 	aix_setauthdb(user);
266 	if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
267 		success = 1;
268 		if (msg != NULL) {
269 			debug("AIX/loginsuccess: msg %s", msg);
270 			buffer_append(loginmsg, msg, strlen(msg));
271 			xfree(msg);
272 		}
273 	}
274 	aix_restoreauthdb();
275 	return (success);
276 }
277 
278 #  ifdef CUSTOM_FAILED_LOGIN
279 /*
280  * record_failed_login: generic "login failed" interface function
281  */
282 void
283 record_failed_login(const char *user, const char *hostname, const char *ttyname)
284 {
285 	if (geteuid() != 0)
286 		return;
287 
288 	aix_setauthdb(user);
289 #   ifdef AIX_LOGINFAILED_4ARG
290 	loginfailed((char *)user, (char *)hostname, (char *)ttyname,
291 	    AUDIT_FAIL_AUTH);
292 #   else
293 	loginfailed((char *)user, (char *)hostname, (char *)ttyname);
294 #   endif
295 	aix_restoreauthdb();
296 }
297 #  endif /* CUSTOM_FAILED_LOGIN */
298 
299 /*
300  * If we have setauthdb, retrieve the password registry for the user's
301  * account then feed it to setauthdb.  This will mean that subsequent AIX auth
302  * functions will only use the specified loadable module.  If we don't have
303  * setauthdb this is a no-op.
304  */
305 void
306 aix_setauthdb(const char *user)
307 {
308 #  ifdef HAVE_SETAUTHDB
309 	char *registry;
310 
311 	if (setuserdb(S_READ) == -1) {
312 		debug3("%s: Could not open userdb to read", __func__);
313 		return;
314 	}
315 
316 	if (getuserattr((char *)user, S_REGISTRY, &registry, SEC_CHAR) == 0) {
317 		if (setauthdb(registry, old_registry) == 0)
318 			debug3("AIX/setauthdb set registry '%s'", registry);
319 		else
320 			debug3("AIX/setauthdb set registry '%s' failed: %s",
321 			    registry, strerror(errno));
322 	} else
323 		debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
324 		    strerror(errno));
325 	enduserdb();
326 #  endif /* HAVE_SETAUTHDB */
327 }
328 
329 /*
330  * Restore the user's registry settings from old_registry.
331  * Note that if the first aix_setauthdb fails, setauthdb("") is still safe
332  * (it restores the system default behaviour).  If we don't have setauthdb,
333  * this is a no-op.
334  */
335 void
336 aix_restoreauthdb(void)
337 {
338 #  ifdef HAVE_SETAUTHDB
339 	if (setauthdb(old_registry, NULL) == 0)
340 		debug3("%s: restoring old registry '%s'", __func__,
341 		    old_registry);
342 	else
343 		debug3("%s: failed to restore old registry %s", __func__,
344 		    old_registry);
345 #  endif /* HAVE_SETAUTHDB */
346 }
347 
348 # endif /* WITH_AIXAUTHENTICATE */
349 
350 # if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO)
351 # undef getnameinfo
352 /*
353  * For some reason, AIX's getnameinfo will refuse to resolve the all-zeros
354  * IPv6 address into its textual representation ("::"), so we wrap it
355  * with a function that will.
356  */
357 int
358 sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
359     size_t hostlen, char *serv, size_t servlen, int flags)
360 {
361 	struct sockaddr_in6 *sa6;
362 	u_int32_t *a6;
363 
364 	if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) &&
365 	    sa->sa_family == AF_INET6) {
366 		sa6 = (struct sockaddr_in6 *)sa;
367 		a6 = sa6->sin6_addr.u6_addr.u6_addr32;
368 
369 		if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) {
370 			strlcpy(host, "::", hostlen);
371 			snprintf(serv, servlen, "%d", sa6->sin6_port);
372 			return 0;
373 		}
374 	}
375 	return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
376 }
377 # endif /* AIX_GETNAMEINFO_HACK */
378 
379 #endif /* _AIX */
380