- provos@cvs.openbsd.org 2002/03/18 03:41:08

     [auth.c session.c]
     move auth_approval into getpwnamallow with help from millert@

diff --git a/ChangeLog b/ChangeLog
index 3ff072b01462e24041444d96dda72258c7bdbf07..060f33b9d4acfb0e50015c9c3c146a693cc22ae4 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,9 @@
      [auth-krb4.c]
      set client to NULL after xfree(), from Rolf Braun 
      <rbraun+ssh@andrew.cmu.edu>
+   - provos@cvs.openbsd.org 2002/03/18 03:41:08
+     [auth.c session.c]
+     move auth_approval into getpwnamallow with help from millert@
 
 20020317
  - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,

diff --git a/auth.c b/auth.c
index 19ef605f430208af623e952db02fc2839e9a5720..62c184ddf5aad608fb22f9b2c67c2d509e977cdf 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.37 2002/03/17 20:25:56 provos Exp $");
+RCSID("$OpenBSD: auth.c,v 1.38 2002/03/18 03:41:08 provos Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -443,11 +443,31 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 struct passwd *
 getpwnamallow(const char *user)
 {
+#ifdef HAVE_LOGIN_CAP
+       extern login_cap_t *lc;
+#ifdef BSD_AUTH
+       auth_session_t *as;
+#endif
+#endif
        struct passwd *pw;
 
        pw = getpwnam(user);
-       if (pw != NULL && !allowed_user(pw))
+       if (pw == NULL || !allowed_user(pw))
+               return (NULL);
+#ifdef HAVE_LOGIN_CAP
+       if ((lc = login_getclass(pw->pw_class)) == NULL) {
+               debug("unable to get login class: %s", user);
+               return (NULL);
+       }
+#ifdef BSD_AUTH
+       if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+           auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+               debug("Approval failure for %s", user);
                pw = NULL;
-
+       }
+       if (as != NULL)
+               auth_close(as);
+#endif
+#endif
        return (pw);
 }

diff --git a/session.c b/session.c
index a31ff85d84929e984a906202318af106a5816220..29467029dc3059d42d7bc3a6c570bdeb866ed9d6 100644 (file)
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.128 2002/02/16 00:51:44 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.129 2002/03/18 03:41:08 provos Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -136,7 +136,7 @@ char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 
 #ifdef HAVE_LOGIN_CAP
-static login_cap_t *lc;
+login_cap_t *lc;
 #endif
 
 void
@@ -151,18 +151,6 @@ do_authenticated(Authctxt *authctxt)
                close(startup_pipe);
                startup_pipe = -1;
        }
-#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD)
-       if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
-               error("unable to get login class");
-               return;
-       }
-#ifdef BSD_AUTH
-       if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) {
-               packet_disconnect("Approval failure for %s",
-                   authctxt->pw->pw_name);
-       }
-#endif
-#endif
 #ifdef WITH_AIXAUTHENTICATE
        /* We don't have a pty yet, so just label the line as "ssh" */
        if (loginsuccess(authctxt->user,