[openssh.git] / auth.c

/*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 */

#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $");

#include "xmalloc.h"
#include "rsa.h"
#include "ssh.h"
#include "pty.h"
#include "packet.h"
#include "buffer.h"
#include "cipher.h"
#include "mpaux.h"
#include "servconf.h"
#include "compat.h"
#include "channels.h"
#include "match.h"

#include "bufaux.h"
#include "ssh2.h"
#include "auth.h"
#include "session.h"
#include "dispatch.h"


/* import */
extern ServerOptions options;
extern char *forced_command;

/*
 * Check if the user is allowed to log in via ssh. If user is listed in
 * DenyUsers or user's primary group is listed in DenyGroups, false will
 * be returned. If AllowUsers isn't empty and user isn't listed there, or
 * if AllowGroups isn't empty and user isn't listed there, false will be
 * returned.
 * If the user's shell is not executable, false will be returned.
 * Otherwise true is returned.
 */
int
allowed_user(struct passwd * pw)
{
	struct stat st;
	struct group *grp;
	int i;
#ifdef WITH_AIXAUTHENTICATE
	char *loginmsg;
#endif /* WITH_AIXAUTHENTICATE */

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (!pw)
		return 0;

	/* deny if shell does not exists or is not executable */
	if (stat(pw->pw_shell, &st) != 0)
		return 0;
	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
		return 0;

	/* Return false if user is listed in DenyUsers */
	if (options.num_deny_users > 0) {
		if (!pw->pw_name)
			return 0;
		for (i = 0; i < options.num_deny_users; i++)
			if (match_pattern(pw->pw_name, options.deny_users[i]))
				return 0;
	}
	/* Return false if AllowUsers isn't empty and user isn't listed there */
	if (options.num_allow_users > 0) {
		if (!pw->pw_name)
			return 0;
		for (i = 0; i < options.num_allow_users; i++)
			if (match_pattern(pw->pw_name, options.allow_users[i]))
				break;
		/* i < options.num_allow_users iff we break for loop */
		if (i >= options.num_allow_users)
			return 0;
	}
	/* Get the primary group name if we need it. Return false if it fails */
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		grp = getgrgid(pw->pw_gid);
		if (!grp)
			return 0;

		/* Return false if user's group is listed in DenyGroups */
		if (options.num_deny_groups > 0) {
			if (!grp->gr_name)
				return 0;
			for (i = 0; i < options.num_deny_groups; i++)
				if (match_pattern(grp->gr_name, options.deny_groups[i]))
					return 0;
		}
		/*
		 * Return false if AllowGroups isn't empty and user's group
		 * isn't listed there
		 */
		if (options.num_allow_groups > 0) {
			if (!grp->gr_name)
				return 0;
			for (i = 0; i < options.num_allow_groups; i++)
				if (match_pattern(grp->gr_name, options.allow_groups[i]))
					break;
			/* i < options.num_allow_groups iff we break for
			   loop */
			if (i >= options.num_allow_groups)
				return 0;
		}
	}

#ifdef WITH_AIXAUTHENTICATE
	if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
		return 0;
#endif /* WITH_AIXAUTHENTICATE */

	/* We found no reason not to let this user try to log on... */
	return 1;
}
Commit	Line	Data
7368a6c8	1	/*
	2	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	3	* All rights reserved
e78a59f5	4	* Copyright (c) 2000 Markus Friedl. All rights reserved.
7368a6c8	5	*/
	6
	7	#include "includes.h"
a306f2dd	8	RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $");
7368a6c8	9
	10	#include "xmalloc.h"
	11	#include "rsa.h"
	12	#include "ssh.h"
	13	#include "pty.h"
	14	#include "packet.h"
	15	#include "buffer.h"
	16	#include "cipher.h"
	17	#include "mpaux.h"
	18	#include "servconf.h"
e78a59f5	19	#include "compat.h"
7368a6c8	20	#include "channels.h"
	21	#include "match.h"
	22
e78a59f5	23	#include "bufaux.h"
	24	#include "ssh2.h"
	25	#include "auth.h"
7368a6c8	26	#include "session.h"
	27	#include "dispatch.h"
	28
e78a59f5	29
7368a6c8	30	/* import */
	31	extern ServerOptions options;
	32	extern char *forced_command;
	33
	34	/*
	35	* Check if the user is allowed to log in via ssh. If user is listed in
	36	* DenyUsers or user's primary group is listed in DenyGroups, false will
	37	* be returned. If AllowUsers isn't empty and user isn't listed there, or
	38	* if AllowGroups isn't empty and user isn't listed there, false will be
6ae2364d	39	* returned.
7368a6c8	40	* If the user's shell is not executable, false will be returned.
6ae2364d	41	* Otherwise true is returned.
7368a6c8	42	*/
a306f2dd	43	int
7368a6c8	44	allowed_user(struct passwd * pw)
	45	{
	46	struct stat st;
	47	struct group *grp;
	48	int i;
	49	#ifdef WITH_AIXAUTHENTICATE
	50	char *loginmsg;
	51	#endif /* WITH_AIXAUTHENTICATE */
	52
	53	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	54	if (!pw)
	55	return 0;
	56
	57	/* deny if shell does not exists or is not executable */
	58	if (stat(pw->pw_shell, &st) != 0)
	59	return 0;
	60	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH\|S_IXUSR\|S_IXGRP))))
	61	return 0;
	62
	63	/* Return false if user is listed in DenyUsers */
	64	if (options.num_deny_users > 0) {
	65	if (!pw->pw_name)
	66	return 0;
	67	for (i = 0; i < options.num_deny_users; i++)
	68	if (match_pattern(pw->pw_name, options.deny_users[i]))
	69	return 0;
	70	}
	71	/* Return false if AllowUsers isn't empty and user isn't listed there */
	72	if (options.num_allow_users > 0) {
	73	if (!pw->pw_name)
	74	return 0;
	75	for (i = 0; i < options.num_allow_users; i++)
	76	if (match_pattern(pw->pw_name, options.allow_users[i]))
	77	break;
	78	/* i < options.num_allow_users iff we break for loop */
	79	if (i >= options.num_allow_users)
	80	return 0;
	81	}
	82	/* Get the primary group name if we need it. Return false if it fails */
	83	if (options.num_deny_groups > 0 \|\| options.num_allow_groups > 0) {
	84	grp = getgrgid(pw->pw_gid);
	85	if (!grp)
	86	return 0;
	87
	88	/* Return false if user's group is listed in DenyGroups */
	89	if (options.num_deny_groups > 0) {
	90	if (!grp->gr_name)
	91	return 0;
	92	for (i = 0; i < options.num_deny_groups; i++)
	93	if (match_pattern(grp->gr_name, options.deny_groups[i]))
	94	return 0;
	95	}
	96	/*
	97	* Return false if AllowGroups isn't empty and user's group
	98	* isn't listed there
	99	*/
	100	if (options.num_allow_groups > 0) {
	101	if (!grp->gr_name)
	102	return 0;
	103	for (i = 0; i < options.num_allow_groups; i++)
	104	if (match_pattern(grp->gr_name, options.allow_groups[i]))
	105	break;
	106	/* i < options.num_allow_groups iff we break for
	107	loop */
108	if (i >= options.num_allow_groups)
109	return 0;
110	}
111	}
112
113	#ifdef WITH_AIXAUTHENTICATE
114	if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
115	return 0;
116	#endif /* WITH_AIXAUTHENTICATE */
117
118	/* We found no reason not to let this user try to log on... */
119	return 1;
120	}