2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
8 RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
34 extern ServerOptions options;
35 extern char *forced_command;
38 * Check if the user is allowed to log in via ssh. If user is listed in
39 * DenyUsers or user's primary group is listed in DenyGroups, false will
40 * be returned. If AllowUsers isn't empty and user isn't listed there, or
41 * if AllowGroups isn't empty and the user's primary group isn't listed there, false will be
43 * If the user's shell does not exist or is not executable, false will be returned.
44 * Otherwise true is returned.
47 allowed_user(struct passwd * pw)
53 #ifdef WITH_AIXAUTHENTICATE
55 #endif /* WITH_AIXAUTHENTICATE */
57 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
62 * Get the shell from the password data. An empty shell field is
63 * legal, and means /bin/sh.
65 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
67 /* deny if shell does not exists or is not executable */
68 if (stat(shell, &st) != 0)
70 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
73 /* Return false if user is listed in DenyUsers */
74 if (options.num_deny_users > 0) {
77 for (i = 0; i < options.num_deny_users; i++)
78 if (match_pattern(pw->pw_name, options.deny_users[i]))
81 /* Return false if AllowUsers isn't empty and user isn't listed there */
82 if (options.num_allow_users > 0) {
85 for (i = 0; i < options.num_allow_users; i++)
86 if (match_pattern(pw->pw_name, options.allow_users[i]))
88 /* i < options.num_allow_users iff we break for loop */
89 if (i >= options.num_allow_users)
92 /* Get the primary group name if we need it. Return false if it fails */
93 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
94 grp = getgrgid(pw->pw_gid);
98 /* Return false if user's group is listed in DenyGroups */
99 if (options.num_deny_groups > 0) {
102 for (i = 0; i < options.num_deny_groups; i++)
103 if (match_pattern(grp->gr_name, options.deny_groups[i]))
107 * Return false if AllowGroups isn't empty and user's group
110 if (options.num_allow_groups > 0) {
113 for (i = 0; i < options.num_allow_groups; i++)
114 if (match_pattern(grp->gr_name, options.allow_groups[i]))
116 /* i < options.num_allow_groups iff we break for
118 if (i >= options.num_allow_groups)
123 #ifdef WITH_AIXAUTHENTICATE
124 if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
125 if (loginmsg && *loginmsg) {
126 /* Remove embedded newlines (if any) */
128 for (p = loginmsg; *p; p++) {
132 /* Remove trailing newline */
134 log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
138 #endif /* WITH_AIXAUTHENTICATE */
140 /* We found no reason not to let this user try to log on... */