X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/c6a69271324b45f667ce6da1588f4cc84101069b..54b974dcab3a3e8486caf6181ad0555efd181154:/auth.c diff --git a/auth.c b/auth.c index 59c95fe4..3e31a448 100644 --- a/auth.c +++ b/auth.c @@ -1,15 +1,5 @@ /* - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland - * All rights reserved - * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". - * - * - * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2000 Markus Friedl. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -33,20 +23,8 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.19 2001/03/02 18:54:31 deraadt Exp $"); -#include "xmalloc.h" -#include "rsa.h" -#include "ssh.h" -#include "pty.h" -#include "packet.h" -#include "buffer.h" -#include "mpaux.h" -#include "servconf.h" -#include "compat.h" -#include "channels.h" -#include "match.h" -#include "groupaccess.h" #ifdef HAVE_LOGIN_H #include #endif @@ -54,10 +32,14 @@ RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $"); #include #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ -#include "bufaux.h" -#include "ssh2.h" +#include "xmalloc.h" +#include "match.h" +#include "groupaccess.h" +#include "log.h" +#include "servconf.h" #include "auth.h" -#include "session.h" +#include "auth-options.h" +#include "canohost.h" /* import */ extern ServerOptions options; @@ -97,7 +79,7 @@ allowed_user(struct passwd * pw) return 0; /* Check password expiry */ - if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && + if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && (days > (spw->sp_lstchg + spw->sp_max))) return 0; } @@ -179,3 +161,64 @@ allowed_user(struct passwd * pw) /* We found no reason not to let this user try to log on... */ return 1; } + +Authctxt * +authctxt_new(void) +{ + Authctxt *authctxt = xmalloc(sizeof(*authctxt)); + memset(authctxt, 0, sizeof(*authctxt)); + return authctxt; +} + +void +auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) +{ + void (*authlog) (const char *fmt,...) = verbose; + char *authmsg; + + /* Raise logging level */ + if (authenticated == 1 || + !authctxt->valid || + authctxt->failures >= AUTH_FAIL_LOG || + strcmp(method, "password") == 0) + authlog = log; + + if (authctxt->postponed) + authmsg = "Postponed"; + else + authmsg = authenticated ? "Accepted" : "Failed"; + + authlog("%s %s for %s%.100s from %.200s port %d%s", + authmsg, + method, + authctxt->valid ? "" : "illegal user ", + authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user, + get_remote_ipaddr(), + get_remote_port(), + info); +} + +/* + * Check whether root logins are disallowed. + */ +int +auth_root_allowed(char *method) +{ + switch (options.permit_root_login) { + case PERMIT_YES: + return 1; + break; + case PERMIT_NO_PASSWD: + if (strcmp(method, "password") != 0) + return 1; + break; + case PERMIT_FORCED_ONLY: + if (forced_command) { + log("Root login accepted for forced command."); + return 1; + } + break; + } + log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); + return 0; +}