X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/b334badd4efe2860928e2438864976cd93502a3d..1836f69f0538fd8f9ecdad854e2fd6ed9990546f:/auth.c

diff --git a/auth.c b/auth.c
index a58bf9b7..62c184dd 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.34 2002/02/28 20:56:00 stevesk Exp $");
+RCSID("$OpenBSD: auth.c,v 1.38 2002/03/18 03:41:08 provos Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -65,6 +65,7 @@ int
 allowed_user(struct passwd * pw)
 {
 	struct stat st;
+	const char *hostname = NULL, *ipaddr = NULL;
 	char *shell;
 	int i;
 #ifdef WITH_AIXAUTHENTICATE
@@ -109,16 +110,22 @@ allowed_user(struct passwd * pw)
 		    pw->pw_name, shell);
 		return 0;
 	}
-	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {
+	if (S_ISREG(st.st_mode) == 0 ||
+	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
 		log("User %.100s not allowed because shell %.100s is not executable",
 		    pw->pw_name, shell);
 		return 0;
 	}
 
+	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
+		hostname = get_canonical_hostname(options.verify_reverse_mapping);
+		ipaddr = get_remote_ipaddr();
+	}
+
 	/* Return false if user is listed in DenyUsers */
 	if (options.num_deny_users > 0) {
 		for (i = 0; i < options.num_deny_users; i++)
-			if (match_user(pw->pw_name, options.verify_reverse_mapping,
+ 			if (match_user(pw->pw_name, hostname, ipaddr,
 			    options.deny_users[i])) {
  				log("User %.100s not allowed because listed in DenyUsers",
  				    pw->pw_name);
@@ -128,7 +135,7 @@ allowed_user(struct passwd * pw)
 	/* Return false if AllowUsers isn't empty and user isn't listed there */
 	if (options.num_allow_users > 0) {
 		for (i = 0; i < options.num_allow_users; i++)
-			if (match_user(pw->pw_name, options.verify_reverse_mapping,
+ 			if (match_user(pw->pw_name, hostname, ipaddr,
 			    options.allow_users[i]))
 				break;
 		/* i < options.num_allow_users iff we break for loop */
@@ -432,3 +439,35 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 	}
 	return 0;
 }
+
+struct passwd *
+getpwnamallow(const char *user)
+{
+#ifdef HAVE_LOGIN_CAP
+	extern login_cap_t *lc;
+#ifdef BSD_AUTH
+	auth_session_t *as;
+#endif
+#endif
+	struct passwd *pw;
+
+	pw = getpwnam(user);
+	if (pw == NULL || !allowed_user(pw))
+		return (NULL);
+#ifdef HAVE_LOGIN_CAP
+	if ((lc = login_getclass(pw->pw_class)) == NULL) {
+		debug("unable to get login class: %s", user);
+		return (NULL);
+	}
+#ifdef BSD_AUTH
+	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+	    auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+		debug("Approval failure for %s", user);
+		pw = NULL;
+	}
+	if (as != NULL)
+		auth_close(as);
+#endif
+#endif
+	return (pw);
+}