*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.47 2003/04/08 20:21:28 itojun Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
allowed_user(struct passwd * pw)
{
struct stat st;
- const char *hostname = NULL, *ipaddr = NULL, *passwd;
+ const char *hostname = NULL, *ipaddr = NULL;
char *shell;
int i;
#ifdef WITH_AIXAUTHENTICATE
#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
!defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
struct spwd *spw;
+ time_t today;
#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
!defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#define DAY (24L * 60 * 60) /* 1 day in seconds */
- spw = getspnam(pw->pw_name);
- if (spw != NULL) {
- time_t today = time(NULL) / DAY;
+ if ((spw = getspnam(pw->pw_name)) != NULL) {
+ today = time(NULL) / DAY;
debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
" sp_max %d", (int)today, (int)spw->sp_expire,
(int)spw->sp_lstchg, (int)spw->sp_max);
* day after the day specified.
*/
if (spw->sp_expire != -1 && today > spw->sp_expire) {
- log("Account %.100s has expired", pw->pw_name);
+ logit("Account %.100s has expired", pw->pw_name);
return 0;
}
if (spw->sp_lstchg == 0) {
- log("User %.100s password has expired (root forced)",
+ logit("User %.100s password has expired (root forced)",
pw->pw_name);
return 0;
}
if (spw->sp_max != -1 &&
today > spw->sp_lstchg + spw->sp_max) {
- log("User %.100s password has expired (password aged)",
+ logit("User %.100s password has expired (password aged)",
pw->pw_name);
return 0;
}
}
- passwd = spw->sp_pwdp;
-#else
- passwd = pw->pw_passwd;
#endif
- /* check for locked account */
- if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
- log("User %.100s not allowed because account is locked",
- pw->pw_name);
- return 0;
- }
-
/*
* Get the shell from the password data. An empty shell field is
* legal, and means /bin/sh.
/* deny if shell does not exists or is not executable */
if (stat(shell, &st) != 0) {
- log("User %.100s not allowed because shell %.100s does not exist",
+ logit("User %.100s not allowed because shell %.100s does not exist",
pw->pw_name, shell);
return 0;
}
if (S_ISREG(st.st_mode) == 0 ||
(st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
- log("User %.100s not allowed because shell %.100s is not executable",
+ logit("User %.100s not allowed because shell %.100s is not executable",
pw->pw_name, shell);
return 0;
}
for (i = 0; i < options.num_deny_users; i++)
if (match_user(pw->pw_name, hostname, ipaddr,
options.deny_users[i])) {
- log("User %.100s not allowed because listed in DenyUsers",
+ logit("User %.100s not allowed because listed in DenyUsers",
pw->pw_name);
return 0;
}
break;
/* i < options.num_allow_users iff we break for loop */
if (i >= options.num_allow_users) {
- log("User %.100s not allowed because not listed in AllowUsers",
+ logit("User %.100s not allowed because not listed in AllowUsers",
pw->pw_name);
return 0;
}
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
/* Get the user's group access list (primary and supplementary) */
if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
- log("User %.100s not allowed because not in any group",
+ logit("User %.100s not allowed because not in any group",
pw->pw_name);
return 0;
}
if (ga_match(options.deny_groups,
options.num_deny_groups)) {
ga_free();
- log("User %.100s not allowed because a group is listed in DenyGroups",
+ logit("User %.100s not allowed because a group is listed in DenyGroups",
pw->pw_name);
return 0;
}
if (!ga_match(options.allow_groups,
options.num_allow_groups)) {
ga_free();
- log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
+ logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
pw->pw_name);
return 0;
}
* PermitRootLogin to control logins via ssh), or if running as
* non-root user (since loginrestrictions will always fail).
*/
- if ( (pw->pw_uid != 0) && (geteuid() == 0) &&
+ if ((pw->pw_uid != 0) && (geteuid() == 0) &&
loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
int loginrestrict_errno = errno;
}
/* Remove trailing newline */
*--p = '\0';
- log("Login restricted for %s: %.100s", pw->pw_name,
+ logit("Login restricted for %s: %.100s", pw->pw_name,
loginmsg);
}
/* Don't fail if /etc/nologin set */
!authctxt->valid ||
authctxt->failures >= AUTH_FAIL_LOG ||
strcmp(method, "password") == 0)
- authlog = log;
+ authlog = logit;
if (authctxt->postponed)
authmsg = "Postponed";
get_remote_port(),
info);
-#ifdef WITH_AIXAUTHENTICATE
+#ifdef CUSTOM_FAILED_LOGIN
if (authenticated == 0 && strcmp(method, "password") == 0)
- loginfailed(authctxt->user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-
+ record_failed_login(authctxt->user, "ssh");
+#endif
}
/*
break;
case PERMIT_FORCED_ONLY:
if (forced_command) {
- log("Root login accepted for forced command.");
+ logit("Root login accepted for forced command.");
return 1;
}
break;
}
- log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
+ logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
return 0;
}
(stat(user_hostfile, &st) == 0) &&
((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) {
- log("Authentication refused for %.100s: "
+ logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
pw->pw_name, user_hostfile);
} else {
pw = getpwnam(user);
if (pw == NULL) {
- log("Illegal user %.100s from %.100s",
+ logit("Illegal user %.100s from %.100s",
user, get_remote_ipaddr());
-#ifdef WITH_AIXAUTHENTICATE
- loginfailed(user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh");
+#ifdef CUSTOM_FAILED_LOGIN
+ record_failed_login(user, "ssh");
#endif
return (NULL);
}
andersk / openssh.git / blobdiff