C program to authenticate user on AIX?

[Litening]

Hi

Can someone please supply me with a program (perhaps the C source)
that authenticates a user on AIX (against the password/shadow/security
file(s))?

So far I have the following from IBM, but I don't know how to
implement it (I'm not really a programmer):

_______________________
<CUT>
authenticate Subroutine

Purpose
Verifies a user's name and password.

Library
Security Library (libc.a)

Syntax
#include <usersec.h>

int authenticate (UserName, Response, Reenter, Message)
char *UserName;
char *Response;
int *Reenter;
char **Message;

</CUT>
______________________
Taken from the following link (which has more info):
[url]http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/genprogc/ls_sec_audit_subrs.htm#lwurf19cjef[/url]
______________________

Thanks,
Litening

[Darren Tucker]

In article <d3d692b9.0307301518.4de7e749@posting.google.com >,
Litening <google@zxmoon.com> wrote:

>Can someone please supply me with a program (perhaps the C source)
>that authenticates a user on AIX (against the password/shadow/security
>file(s))?

Take a look at OpenSSH's auth-passwd.c. There's not a lot to it, it's
basically:

char *authmsg, *user, *password;
int reenter, result;

/* get username and password from user */
[...]

result = authenticate(user, password, &reenter, &authmsg);

/* check result, 0 = succeeded */
[...]

By rights you should loop until reenter == 0 but OpenSSH doesn't
(currently).

If you're using a *really* old AIX, you'll need to link with libs.a
(cc [options] -ls).

Hey, does anyone actually use a multi-step authentication process,
or secondary authentication methods? Can anyone point me to an example?
I've tried Google and read the "Elements of Security" Redbook.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Michael W Ryder]

Darren Tucker wrote:

> In article <d3d692b9.0307301518.4de7e749@posting.google.com >,
> Litening <google@zxmoon.com> wrote:
>

>>Can someone please supply me with a program (perhaps the C source)
>>that authenticates a user on AIX (against the password/shadow/security
>>file(s))?

>
>
> Take a look at OpenSSH's auth-passwd.c. There's not a lot to it, it's
> basically:
>
> char *authmsg, *user, *password;
> int reenter, result;
>
> /* get username and password from user */
> [...]
>
> result = authenticate(user, password, &reenter, &authmsg);
>
> /* check result, 0 = succeeded */
> [...]
>
> By rights you should loop until reenter == 0 but OpenSSH doesn't
> (currently).
>
> If you're using a *really* old AIX, you'll need to link with libs.a
> (cc [options] -ls).
>
> Hey, does anyone actually use a multi-step authentication process,
> or secondary authentication methods? Can anyone point me to an example?
> I've tried Google and read the "Elements of Security" Redbook.
>

Not sure if this is what you are looking for but I created my own
secondary authentication for our system. Once a user logs into our AIX
system I run a program that asks for their password. This is checked
not only for being valid but also if they are allowed "normal" access to
the TTY or telnet address they are loggin into. If they aren't it asks
for an "override" code. If this code is entered correctly the program
continues otherwise it locks up the session until a supervisor clears
it. The user's password that they entered in my program is also used to
control what programs they can run. It is also logged into a log that
is printed monthly.
The above was instituted because people were misusing passwords and in
one case set our company up for a lawsuit. Once their attorney was told
we had proof that their client's nephew had set us up the lawsuit was
quickly dropped. I then instituted the controls on requiring override
codes for supervisors.

[Darren Tucker]

In article <dm3Wa.416$jp.213@newsread4.news.pas.earthlink.net >,
Michael W Ryder <mwryder@_earthlink_.net> wrote:

>Darren Tucker wrote:

>> Hey, does anyone actually use a multi-step authentication process,
>> or secondary authentication methods? Can anyone point me to an example?
>> I've tried Google and read the "Elements of Security" Redbook.
>>

>Not sure if this is what you are looking for but I created my own
>secondary authentication for our system.

[snip description]

I'm specifically interested in any implementation using AIX's
PRIMARY or SECONDARY authentication methods (ie something other than
"SYSTEM" for "authentication method" under SMIT/user). I'd like to test
OpenSSH's behaviour in those configurations.

If your system uses those, is the code available?

(followup-to set)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Nicholas Dronen]

In comp.unix.aix Darren Tucker <dtucker@dodgy.net.au> wrote:
DT> In article <dm3Wa.416$jp.213@newsread4.news.pas.earthlink.net >,
DT> Michael W Ryder <mwryder@_earthlink_.net> wrote:

>>Darren Tucker wrote:

>>> Hey, does anyone actually use a multi-step authentication process,
>>> or secondary authentication methods? Can anyone point me to an example?
>>> I've tried Google and read the "Elements of Security" Redbook.
>>>

>>Not sure if this is what you are looking for but I created my own
>>secondary authentication for our system.

DT> [snip description]

DT> I'm specifically interested in any implementation using AIX's
DT> PRIMARY or SECONDARY authentication methods (ie something other than
DT> "SYSTEM" for "authentication method" under SMIT/user). I'd like to test
DT> OpenSSH's behaviour in those configurations.

DT> If your system uses those, is the code available?

I think in AIX 5.1 PRIMARY and SECONDARY went away. Loadable
authentication modules are the new regime. They're PAM-ish.

Regards,

Nicholas

--
"Why shouldn't I top-post?" [url]http://www.aglami.com/tpfaq.html[/url]
"Meanings are another story." [url]http://www.ifas.org/wa/glossolalia.html[/url]

[Darren Tucker]

In article <3f295a70$0$190$75868355@news.frii.net>,
Nicholas Dronen <ndronen@io.frii.com> wrote:

>In comp.unix.aix Darren Tucker <dtucker@dodgy.net.au> wrote:
>DT> I'm specifically interested in any implementation using AIX's
>DT> PRIMARY or SECONDARY authentication methods (ie something other than
>DT> "SYSTEM" for "authentication method" under SMIT/user). I'd like to test
>DT> OpenSSH's behaviour in those configurations.
>
>I think in AIX 5.1 PRIMARY and SECONDARY went away. Loadable
>authentication modules are the new regime. They're PAM-ish.

Primary and Secondary authentication methods are still there in 5.2,
as is the authenticate() call, so I think it will need to be supported
for the forseeable future.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Nicholas Dronen]

Darren Tucker <dtucker@dodgy.net.au> wrote:
DT> In article <3f295a70$0$190$75868355@news.frii.net>,
DT> Nicholas Dronen <ndronen@io.frii.com> wrote:

>>In comp.unix.aix Darren Tucker <dtucker@dodgy.net.au> wrote:
>>DT> I'm specifically interested in any implementation using AIX's
>>DT> PRIMARY or SECONDARY authentication methods (ie something other than
>>DT> "SYSTEM" for "authentication method" under SMIT/user). I'd like to test
>>DT> OpenSSH's behaviour in those configurations.
>>
>>I think in AIX 5.1 PRIMARY and SECONDARY went away. Loadable
>>authentication modules are the new regime. They're PAM-ish.

DT> Primary and Secondary authentication methods are still there in 5.2,
DT> as is the authenticate() call, so I think it will need to be supported
DT> for the forseeable future.

What do you mean by "still there"?

IIRC, my shop had a secondary authentication method that stopped
working at 5.1. I had to rewrite it as a loadable authentication
module (which is partly just a user-implemented version of
authenticate()).

Regards,

Nicholas

--
"Why shouldn't I top-post?" [url]http://www.aglami.com/tpfaq.html[/url]
"Meanings are another story." [url]http://www.ifas.org/wa/glossolalia.html[/url]

[Darren Tucker]

In article <3f2aa6c9$0$200$75868355@news.frii.net>,
Nicholas Dronen <ndronen@io.frii.com> wrote:
[Primary and Secondary Authentication methods]

>What do you mean by "still there"?

The options to set them are still present in SMIT/users.

>IIRC, my shop had a secondary authentication method that stopped
>working at 5.1. I had to rewrite it as a loadable authentication
>module (which is partly just a user-implemented version of
>authenticate()).

I don't know if they work or not, I started this thread looking for an
example I could play with.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Nicholas Dronen]

Darren Tucker <dtucker@dodgy.net.au> wrote:
DT> In article <3f2aa6c9$0$200$75868355@news.frii.net>,
DT> Nicholas Dronen <ndronen@io.frii.com> wrote:
DT> [Primary and Secondary Authentication methods]

>>What do you mean by "still there"?

DT> The options to set them are still present in SMIT/users.

I doubt they work. Could be wrong.

>>IIRC, my shop had a secondary authentication method that stopped
>>working at 5.1. I had to rewrite it as a loadable authentication
>>module (which is partly just a user-implemented version of
>>authenticate()).

DT> I don't know if they work or not, I started this thread looking for an
DT> example I could play with.

I had to use the a loadable module with a method_authenticate function:

[url]http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm[/url]

Regards,

Nicholas

--
"Why shouldn't I top-post?" [url]http://www.aglami.com/tpfaq.html[/url]
"Meanings are another story." [url]http://www.ifas.org/wa/glossolalia.html[/url]