#endif
#include <userpw.h>
-/* ===================== AIX Authentication ===================== */
+/* ============= Low-Level AIX Authentication ===================== */
-/* CHECK_AUTH - Check a login and return a status code.
- * (This version for systems with a getuserpw() call.)
+/* CHECK_AUTH - Check a login against the system password file and return a
+ * status code. (This version for systems with a getuserpw() call.)
*/
int check_auth(char *login, char *passwd)
return(strcmp(cpass, upwd->upw_passwd) ? STATUS_INVALID : STATUS_OK);
}
#endif /* SHADOW_AIX */
+
+
+#ifdef AUTHENTICATE_AIX
+#ifdef NEED_UID
+#include <sys/types.h>
+#include <pwd.h>
+#endif
+#include <userpw.h>
+#include <usersec.h>
+
+/* ================ High-Level AIX Authentication ==================== */
+
+
+/* CHECK_AUTH - Check a login through the high-level AIX authentication
+ * interface and return a status code.
+ */
+
+int check_auth(char *login, char *passwd)
+{
+ char *cpass;
+ char *message;
+ int i= 0;
+ int stat = STATUS_INVALID;
+#ifdef NEED_UID
+ struct passwd *pwd;
+ if ((pwd= getpwnam(login)) == NULL) return(STATUS_UNKNOWN);
+ hisuid= pwd->pw_uid;
+ haveuid= 1;
+#endif
+#ifdef MIN_UNIX_UID
+ if (hisuid < MIN_UNIX_UID) return(STATUS_BLOCKED);
+#endif
+ if (authenticate(login, passwd, &i, &message) == 0)
+ { stat = STATUS_OK; }
+ free(&message);
+ return(stat);
+}
+#endif /* AUTHENICATE_AIX */
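Review bot: `free(&message);` in the new check_auth() passes the address of the local pointer variable instead of the buffer authenticate() filled in, so it frees a stack address (undefined behaviour) and leaks the real message; declare `char *message = NULL;` and call `free(message);`. The reenter flag `i` is never examined: as I understand the AIX interface, a zero return with a nonzero reenter value means authenticate() still expects another response, so the success test is safer as `if (authenticate(login, passwd, &i, &message) == 0 && i == 0)`. The MIN_UNIX_UID test reads `hisuid`, which this block assigns only under NEED_UID; unless the configuration forces NEED_UID whenever MIN_UNIX_UID is set (not visible here), the comparison uses whatever value the variable already held. `cpass` is declared but unused, and the closing comment spells the macro `AUTHENICATE_AIX`.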
* ain't Grex, you ain't got it.
*
* - SHADOW_AIX: This is the AIX shadow password system. It uses getuserpw()
- * to fetch passwords and (apparantly) crypt() to encrypt them. This has
- * not been tested. Shadow BSD is also likely to work with AIX.
+ * to fetch passwords and (apparantly) crypt() to encrypt them. This has
+ * not been tested. Shadow BSD is also likely to work with AIX. The
+ * AUTHENTICATE_AIX option is probably a better option for AIX users.
*
* - SHADOW_HPUX: This is the HP-UX shadow password system. It uses
* getprpwnam() to fetch passwords and either crypt() or bigcrypt() to
* - LOGIN_CONF_OPENBSD: Many BSD derived systems use a login.conf file to
* configure authentication instead of (or in addition to) PAM. We
* currently support authentication through this mechanism only for
- * OpenBSD. Of course, if you login.conf configuration is standard, you
+ * OpenBSD. Of course, if your login.conf configuration is standard, you
* can just use SHADOW_BSD, but if you want pwauth to respect settings
- * in login.conf this option can be used instead. The API used here, is
+ * in login.conf this option can be used instead. The API used here, is
* however, pretty much unique to OpenBSD and will not work on NetBSD or
* FreeBSD.
+ *
+ * - AUTHENTICATE_AIX: AIX has it's own system for configuring authentication
+ * via various files in the /etc/security directory. This can be used to
+ * configure special authenication parameters on a per-user basis including
+ * things like authenticating via kerberos and ldap and such like. We can
+ * tie into this interface via the authenticate() system call. The module
+ * to suppor this was contributed by a user and has not been tested by
+ * the author.
*/
+ /* LOW-LEVEL OPTIONS */
+
/* #define SHADOW_NONE /**/
/* #define SHADOW_BSD /* FreeBSD, NetBSD, OpenBSD, BSDI, OS X */
#define SHADOW_SUN /* Linux, Solaris, IRIX */
/* #define SHADOW_JFH /**/
/* #define SHADOW_MDW /**/
-/* #define SHADOW_AIX /* AIX */
+/* #define SHADOW_AIX /* AIX (see also AUTHENTICATE_AIX) */
/* #define SHADOW_HPUX /* HPUX ? */
+ /* HIGH-LEVEL OPTIONS */
+
/* #define PAM /* Linux PAM or OpenPAM */
/* #define PAM_OLD_OS_X /* PAM on OS X version 10.5 or older */
/* #define PAM_SOLARIS /* PAM on Solaris other than 2.6 */
/* #define PAM_SOLARIS_26 /* PAM on Solaris 2.6 */
/* #define LOGIN_CONF_OPENBSD /* login.conf on OpenBSD */
+/* #define AUTHENTICATE_AIX /* AIX authenticate() function */
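Review bot: The new AUTHENTICATE_AIX paragraph in the option description has spelling slips: `it's own` should be `its own`, `authenication` should be `authentication`, and `suppor` should be `support`. It also calls authenticate() a "system call" while the define's trailing comment calls it a function; using one term in both places would avoid confusion. Since the added check_auth() shares its name with the SHADOW_AIX version, the paragraph could also state that SHADOW_AIX and AUTHENTICATE_AIX must not both be defined.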
/* There is also limited support for two failure logging systems (the database
* Very few Unix systems seem to have faillog files installed, so most
* installations will not want this option.
*
- * No faillog option should be used with PAM. This kind of logging is handled
- * at a lower level with PAM.
+ * No faillog option should be used with PAM or AUTHENTICATE_AIX. This kind
+ * of logging is handled at a lower level within those systems.
*
* - FAILLOG_JFH: This is associated with the JFH shadow system. Some Linux
* systems may have this, but most don't seem to. Failures are logged in