]> andersk Git - openssh.git/blobdiff - auth.c
andersk / openssh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[configure.ac] Make sure -lcrypto is before -lsocket for sco3. ok mouring@
[openssh.git] / auth.c
diff --git a/auth.c b/auth.c
index 10f7b2a1fc74b3a5cca671aed6710ce9ee62383a..c6e7c21c41d55bd4fb6c8384b1006ac1ff932447 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.51 2003/11/21 11:57:02 djm Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
 
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 /* Debugging messages */
 Buffer auth_debug;
@@ -72,26 +73,26 @@ int
 allowed_user(struct passwd * pw)
 {
        struct stat st;
-       const char *hostname = NULL, *ipaddr = NULL;
+       const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
        char *shell;
        int i;
-#ifdef WITH_AIXAUTHENTICATE
-       char *loginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-       struct spwd *spw;
-       time_t today;
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+       struct spwd *spw = NULL;
 #endif
 
        /* Shouldn't be called if pw is NULL, but better safe than sorry... */
        if (!pw || !pw->pw_name)
                return 0;
 
-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+       if (!options.use_pam)
+               spw = getspnam(pw->pw_name);
+#ifdef HAS_SHADOW_EXPIRE
 #define        DAY             (24L * 60 * 60) /* 1 day in seconds */
-       if ((spw = getspnam(pw->pw_name)) != NULL) {
+       if (!options.use_pam && spw != NULL) {
+               int disabled = 0;
+               time_t today;
+
                today = time(NULL) / DAY;
                debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
                    " sp_max %d", (int)today, (int)spw->sp_expire,
@@ -105,21 +106,41 @@ allowed_user(struct passwd * pw)
                        logit("Account %.100s has expired", pw->pw_name);
                        return 0;
                }
+       }
+#endif /* HAS_SHADOW_EXPIRE */
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
 
-               if (spw->sp_lstchg == 0) {
-                       logit("User %.100s password has expired (root forced)",
-                           pw->pw_name);
-                       return 0;
-               }
+       /* grab passwd field for locked account check */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+       if (spw != NULL)
+               passwd = spw->sp_pwdp;
+#else
+       passwd = pw->pw_passwd;
+#endif
 
-               if (spw->sp_max != -1 &&
-                   today > spw->sp_lstchg + spw->sp_max) {
-                       logit("User %.100s password has expired (password aged)",
+       /* check for locked account */
+       if (!options.use_pam && passwd && *passwd) {
+               int locked = 0;
+
+#ifdef LOCKED_PASSWD_STRING
+               if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
+                        locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_PREFIX
+               if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
+                   strlen(LOCKED_PASSWD_PREFIX)) == 0)
+                        locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_SUBSTR
+               if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
+                       locked = 1;
+#endif
+               if (locked) {
+                       logit("User %.100s not allowed because account is locked",
                            pw->pw_name);
                        return 0;
                }
        }
-#endif
 
        /*
         * Get the shell from the password data.  An empty shell field is
@@ -141,7 +162,7 @@ allowed_user(struct passwd * pw)
        }
 
        if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-               hostname = get_canonical_hostname(options.verify_reverse_mapping);
+               hostname = get_canonical_hostname(options.use_dns);
                ipaddr = get_remote_ipaddr();
        }
 
@@ -206,26 +227,23 @@ allowed_user(struct passwd * pw)
         * PermitRootLogin to control logins via ssh), or if running as
         * non-root user (since loginrestrictions will always fail).
         */
-       if ((pw->pw_uid != 0) && (geteuid() == 0) &&
-           loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
-               int loginrestrict_errno = errno;
-
-               if (loginmsg && *loginmsg) {
-                       /* Remove embedded newlines (if any) */
-                       char *p;
-                       for (p = loginmsg; *p; p++) {
-                               if (*p == '\n')
-                                       *p = ' ';
+       if ((pw->pw_uid != 0) && (geteuid() == 0)) {
+               char *msg;
+
+               if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
+                       int loginrestrict_errno = errno;
+
+                       if (msg && *msg) {
+                               buffer_append(&loginmsg, msg, strlen(msg));
+                               aix_remove_embedded_newlines(msg);
+                               logit("Login restricted for %s: %.100s",
+                                   pw->pw_name, msg);
                        }
-                       /* Remove trailing newline */
-                       *--p = '\0';
-                       logit("Login restricted for %s: %.100s", pw->pw_name, 
-                           loginmsg);
+                       /* Don't fail if /etc/nologin  set */
+                       if (!(loginrestrict_errno == EPERM &&
+                           stat(_PATH_NOLOGIN, &st) == 0))
+                               return 0;
                }
-               /* Don't fail if /etc/nologin  set */
-               if (!(loginrestrict_errno == EPERM && 
-                   stat(_PATH_NOLOGIN, &st) == 0))
-                       return 0;
        }
 #endif /* WITH_AIXAUTHENTICATE */
 
@@ -233,14 +251,6 @@ allowed_user(struct passwd * pw)
        return 1;
 }
 
-Authctxt *
-authctxt_new(void)
-{
-       Authctxt *authctxt = xmalloc(sizeof(*authctxt));
-       memset(authctxt, 0, sizeof(*authctxt));
-       return authctxt;
-}
-
 void
 auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 {
@@ -559,3 +569,24 @@ auth_debug_reset(void)
                auth_debug_init = 1;
        }
 }
+
+struct passwd *
+fakepw(void)
+{
+       static struct passwd fake;
+
+       memset(&fake, 0, sizeof(fake));
+       fake.pw_name = "NOUSER";
+       fake.pw_passwd =
+           "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
+       fake.pw_gecos = "NOUSER";
+       fake.pw_uid = -1;
+       fake.pw_gid = -1;
+#ifdef HAVE_PW_CLASS_IN_PASSWD
+       fake.pw_class = "";
+#endif
+       fake.pw_dir = "/nonexist";
+       fake.pw_shell = "/nonexist";
+
+       return (&fake);
+}
git-cvsimport mirror of OpenSSH
This page took 0.055172 seconds and 4 git commands to generate.