X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/20d0f77fa381d635706ce9f14f87567296f9635b..fe661d8f9f98e269ff5efb3a79918ed25cbe6ee7:/auth.c

diff --git a/auth.c b/auth.c
index 066b50d6..ee001283 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.43 2002/05/17 14:27:55 millert Exp $");
+RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -202,7 +202,13 @@ allowed_user(struct passwd * pw)
 	}
 
 #ifdef WITH_AIXAUTHENTICATE
-	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+	/*
+	 * Don't check loginrestrictions() for root account (use
+	 * PermitRootLogin to control logins via ssh), or if running as
+	 * non-root user (since loginrestrictions will always fail).
+	 */
+	if ( (pw->pw_uid != 0) && (geteuid() == 0) &&
+	    loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
 		if (loginmsg && *loginmsg) {
 			/* Remove embedded newlines (if any) */
 			char *p;
@@ -256,6 +262,14 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 	    get_remote_ipaddr(),
 	    get_remote_port(),
 	    info);
+
+#ifdef WITH_AIXAUTHENTICATE
+	if (authenticated == 0 && strcmp(method, "password") == 0)
+	    loginfailed(authctxt->user,
+		get_canonical_hostname(options.verify_reverse_mapping),
+		"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
+
 }
 
 /*
@@ -392,7 +406,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
 
 /*
  * Check a given file for security. This is defined as all components
- * of the path to the file must either be owned by either the owner of
+ * of the path to the file must be owned by either the owner of
  * of the file or root and no directories must be group or world writable.
  *
  * XXX Should any specific check be done for sym links ?
@@ -409,6 +423,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 	uid_t uid = pw->pw_uid;
 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
 	char *cp;
+	int comparehome = 0;
 	struct stat st;
 
 	if (realpath(file, buf) == NULL) {
@@ -416,11 +431,8 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 		    strerror(errno));
 		return -1;
 	}
-	if (realpath(pw->pw_dir, homedir) == NULL) {
-		snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
-		    strerror(errno));
-		return -1;
-	}
+	if (realpath(pw->pw_dir, homedir) != NULL)
+		comparehome = 1;
 
 	/* check the open file to avoid races */
 	if (fstat(fileno(f), &st) < 0 ||
@@ -449,7 +461,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 		}
 
 		/* If are passed the homedir then we can stop */
-		if (strcmp(homedir, buf) == 0) {
+		if (comparehome && strcmp(homedir, buf) == 0) {
 			debug3("secure_filename: terminating check at '%s'",
 			    buf);
 			break;
@@ -476,7 +488,17 @@ getpwnamallow(const char *user)
 	struct passwd *pw;
 
 	pw = getpwnam(user);
-	if (pw == NULL || !allowed_user(pw))
+	if (pw == NULL) {
+		log("Illegal user %.100s from %.100s",
+		    user, get_remote_ipaddr());
+#ifdef WITH_AIXAUTHENTICATE
+		loginfailed(user,
+		    get_canonical_hostname(options.verify_reverse_mapping),
+		    "ssh");
+#endif
+		return (NULL);
+	}
+	if (!allowed_user(pw))
 		return (NULL);
 #ifdef HAVE_LOGIN_CAP
 	if ((lc = login_getclass(pw->pw_class)) == NULL) {