2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
8 RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $");
31 extern ServerOptions options;
32 extern char *forced_command;
35 * Check if the user is allowed to log in via ssh. If user is listed in
36 * DenyUsers or user's primary group is listed in DenyGroups, false will
37 * be returned. If AllowUsers isn't empty and user isn't listed there, or
38 * if AllowGroups isn't empty and user isn't listed there, false will be
40 * If the user's shell does not exist or is not an executable regular file, false will be returned.
41 * Otherwise true is returned.
44 allowed_user(struct passwd * pw)
49 #ifdef WITH_AIXAUTHENTICATE
51 #endif /* WITH_AIXAUTHENTICATE */
53 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
57 /* deny if shell does not exist or is not executable */
58 if (stat(pw->pw_shell, &st) != 0)
60 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
63 /* Return false if user is listed in DenyUsers */
64 if (options.num_deny_users > 0) {
67 for (i = 0; i < options.num_deny_users; i++)
68 if (match_pattern(pw->pw_name, options.deny_users[i]))
71 /* Return false if AllowUsers isn't empty and user isn't listed there */
72 if (options.num_allow_users > 0) {
75 for (i = 0; i < options.num_allow_users; i++)
76 if (match_pattern(pw->pw_name, options.allow_users[i]))
78 /* i < options.num_allow_users iff we break for loop */
79 if (i >= options.num_allow_users)
82 /* Get the primary group name if we need it. Return false if it fails */
83 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
84 grp = getgrgid(pw->pw_gid);
88 /* Return false if user's group is listed in DenyGroups */
89 if (options.num_deny_groups > 0) {
92 for (i = 0; i < options.num_deny_groups; i++)
93 if (match_pattern(grp->gr_name, options.deny_groups[i]))
97 * Return false if AllowGroups isn't empty and user's group
100 if (options.num_allow_groups > 0) {
103 for (i = 0; i < options.num_allow_groups; i++)
104 if (match_pattern(grp->gr_name, options.allow_groups[i]))
106 /* i < options.num_allow_groups iff we break for
108 if (i >= options.num_allow_groups)
113 #ifdef WITH_AIXAUTHENTICATE
114 if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
116 #endif /* WITH_AIXAUTHENTICATE */
118 /* We found no reason not to let this user try to log on... */