- djm@cvs.openbsd.org 2008/07/02 02:24:18

[openssh.git] / auth.c

diff --git a/auth.c b/auth.c
index 6901c936a3ff6a43ec5a8b436b8d8b936fb987a3..f94c7d1d559e3f0de4a53c40b9a6983e4530902d 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.69 2006/07/10 16:37:36 stevesk Exp $ */
+/* $OpenBSD: auth.c,v 1.78 2007/09/21 08:15:29 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -27,7 +27,11 @@
 
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/param.h>
 
+#include <netinet/in.h>
+
+#include <errno.h>
 #ifdef HAVE_PATHS_H
 # include <paths.h>
 #endif
@@ -42,28 +46,34 @@
 #include <libgen.h>
 #endif
 #include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
 
 #include "xmalloc.h"
 #include "match.h"
 #include "groupaccess.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
 #include "canohost.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "uidswap.h"
 #include "misc.h"
-#include "bufaux.h"
 #include "packet.h"
 #include "loginrec.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
 extern int use_privsep;
 extern Buffer loginmsg;
+extern struct passwd *privsep_pw;
 
 /* Debugging messages */
 Buffer auth_debug;
@@ -105,11 +115,11 @@ allowed_user(struct passwd * pw)
        /* grab passwd field for locked account check */
 #ifdef USE_SHADOW
        if (spw != NULL)
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
                passwd = get_iaf_password(pw);
 #else
                passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
 #else
        passwd = pw->pw_passwd;
 #endif
@@ -131,9 +141,9 @@ allowed_user(struct passwd * pw)
                if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
                        locked = 1;
 #endif
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
                free(passwd);
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
                if (locked) {
                        logit("User %.100s not allowed because account is locked",
                            pw->pw_name);
@@ -270,6 +280,11 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
            strcmp(method, "challenge-response") == 0))
                record_failed_login(authctxt->user,
                    get_canonical_hostname(options.use_dns), "ssh");
+# ifdef WITH_AIXAUTHENTICATE
+       if (authenticated)
+               sys_auth_record_login(authctxt->user,
+                   get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+# endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
        if (authenticated == 0 && !authctxt->postponed)
@@ -466,6 +481,9 @@ getpwnamallow(const char *user)
 #endif
        struct passwd *pw;
 
+       parse_server_match_config(&options, user,
+           get_canonical_hostname(options.use_dns), get_remote_ipaddr());
+
        pw = getpwnam(user);
        if (pw == NULL) {
                logit("Invalid user %.100s from %.100s",
@@ -551,8 +569,8 @@ fakepw(void)
        fake.pw_passwd =
            "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
        fake.pw_gecos = "NOUSER";
-       fake.pw_uid = (uid_t)-1;
-       fake.pw_gid = (gid_t)-1;
+       fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
+       fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
 #ifdef HAVE_PW_CLASS_IN_PASSWD
        fake.pw_class = "";
 #endif