]> andersk Git - openssh.git/blobdiff - auth.c
andersk / openssh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
- provos@cvs.openbsd.org 2002/03/18 03:41:08
[openssh.git] / auth.c
diff --git a/auth.c b/auth.c
index a58bf9b7405b33282019109478b325718d0cb542..62c184ddf5aad608fb22f9b2c67c2d509e977cdf 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.34 2002/02/28 20:56:00 stevesk Exp $");
+RCSID("$OpenBSD: auth.c,v 1.38 2002/03/18 03:41:08 provos Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -65,6 +65,7 @@ int
 allowed_user(struct passwd * pw)
 {
        struct stat st;
+       const char *hostname = NULL, *ipaddr = NULL;
        char *shell;
        int i;
 #ifdef WITH_AIXAUTHENTICATE
@@ -109,16 +110,22 @@ allowed_user(struct passwd * pw)
                    pw->pw_name, shell);
                return 0;
        }
-       if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {
+       if (S_ISREG(st.st_mode) == 0 ||
+           (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
                log("User %.100s not allowed because shell %.100s is not executable",
                    pw->pw_name, shell);
                return 0;
        }
 
+       if (options.num_deny_users > 0 || options.num_allow_users > 0) {
+               hostname = get_canonical_hostname(options.verify_reverse_mapping);
+               ipaddr = get_remote_ipaddr();
+       }
+
        /* Return false if user is listed in DenyUsers */
        if (options.num_deny_users > 0) {
                for (i = 0; i < options.num_deny_users; i++)
-                       if (match_user(pw->pw_name, options.verify_reverse_mapping,
+                       if (match_user(pw->pw_name, hostname, ipaddr,
                            options.deny_users[i])) {
                                log("User %.100s not allowed because listed in DenyUsers",
                                    pw->pw_name);
@@ -128,7 +135,7 @@ allowed_user(struct passwd * pw)
        /* Return false if AllowUsers isn't empty and user isn't listed there */
        if (options.num_allow_users > 0) {
                for (i = 0; i < options.num_allow_users; i++)
-                       if (match_user(pw->pw_name, options.verify_reverse_mapping,
+                       if (match_user(pw->pw_name, hostname, ipaddr,
                            options.allow_users[i]))
                                break;
                /* i < options.num_allow_users iff we break for loop */
@@ -432,3 +439,35 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
        }
        return 0;
 }
+
+struct passwd *
+getpwnamallow(const char *user)
+{
+#ifdef HAVE_LOGIN_CAP
+       extern login_cap_t *lc;
+#ifdef BSD_AUTH
+       auth_session_t *as;
+#endif
+#endif
+       struct passwd *pw;
+
+       pw = getpwnam(user);
+       if (pw == NULL || !allowed_user(pw))
+               return (NULL);
+#ifdef HAVE_LOGIN_CAP
+       if ((lc = login_getclass(pw->pw_class)) == NULL) {
+               debug("unable to get login class: %s", user);
+               return (NULL);
+       }
+#ifdef BSD_AUTH
+       if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+           auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+               debug("Approval failure for %s", user);
+               pw = NULL;
+       }
+       if (as != NULL)
+               auth_close(as);
+#endif
+#endif
+       return (pw);
+}
git-cvsimport mirror of OpenSSH
This page took 0.068399 seconds and 4 git commands to generate.