diff options
| author | Colin Watson <cjwatson@debian.org> | 2016-12-20 00:22:52 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-12-20 00:22:52 +0000 |
| commit | 971a7653746a6972b907dfe0ce139c06e4a6f482 (patch) | |
| tree | 70fb964265d57ae4967be55b75dbb2a122e9b969 /auth.c | |
| parent | a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff) | |
| parent | 4a354fc231174901f2629437c2a6e924a2dd6772 (diff) | |
Import openssh_7.4p1.orig.tar.gz
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 33 |
1 files changed, 21 insertions, 12 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.115 2016/06/15 00:40:40 dtucker Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.119 2016/12/15 21:29:05 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -103,6 +103,7 @@ allowed_user(struct passwd * pw) | |||
| 103 | struct stat st; | 103 | struct stat st; |
| 104 | const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; | 104 | const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; |
| 105 | u_int i; | 105 | u_int i; |
| 106 | int r; | ||
| 106 | #ifdef USE_SHADOW | 107 | #ifdef USE_SHADOW |
| 107 | struct spwd *spw = NULL; | 108 | struct spwd *spw = NULL; |
| 108 | #endif | 109 | #endif |
| @@ -191,21 +192,31 @@ allowed_user(struct passwd * pw) | |||
| 191 | 192 | ||
| 192 | /* Return false if user is listed in DenyUsers */ | 193 | /* Return false if user is listed in DenyUsers */ |
| 193 | if (options.num_deny_users > 0) { | 194 | if (options.num_deny_users > 0) { |
| 194 | for (i = 0; i < options.num_deny_users; i++) | 195 | for (i = 0; i < options.num_deny_users; i++) { |
| 195 | if (match_user(pw->pw_name, hostname, ipaddr, | 196 | r = match_user(pw->pw_name, hostname, ipaddr, |
| 196 | options.deny_users[i])) { | 197 | options.deny_users[i]); |
| 198 | if (r < 0) { | ||
| 199 | fatal("Invalid DenyUsers pattern \"%.100s\"", | ||
| 200 | options.deny_users[i]); | ||
| 201 | } else if (r != 0) { | ||
| 197 | logit("User %.100s from %.100s not allowed " | 202 | logit("User %.100s from %.100s not allowed " |
| 198 | "because listed in DenyUsers", | 203 | "because listed in DenyUsers", |
| 199 | pw->pw_name, hostname); | 204 | pw->pw_name, hostname); |
| 200 | return 0; | 205 | return 0; |
| 201 | } | 206 | } |
| 207 | } | ||
| 202 | } | 208 | } |
| 203 | /* Return false if AllowUsers isn't empty and user isn't listed there */ | 209 | /* Return false if AllowUsers isn't empty and user isn't listed there */ |
| 204 | if (options.num_allow_users > 0) { | 210 | if (options.num_allow_users > 0) { |
| 205 | for (i = 0; i < options.num_allow_users; i++) | 211 | for (i = 0; i < options.num_allow_users; i++) { |
| 206 | if (match_user(pw->pw_name, hostname, ipaddr, | 212 | r = match_user(pw->pw_name, hostname, ipaddr, |
| 207 | options.allow_users[i])) | 213 | options.allow_users[i]); |
| 214 | if (r < 0) { | ||
| 215 | fatal("Invalid AllowUsers pattern \"%.100s\"", | ||
| 216 | options.allow_users[i]); | ||
| 217 | } else if (r == 1) | ||
| 208 | break; | 218 | break; |
| 219 | } | ||
| 209 | /* i < options.num_allow_users iff we break for loop */ | 220 | /* i < options.num_allow_users iff we break for loop */ |
| 210 | if (i >= options.num_allow_users) { | 221 | if (i >= options.num_allow_users) { |
| 211 | logit("User %.100s from %.100s not allowed because " | 222 | logit("User %.100s from %.100s not allowed because " |
| @@ -298,7 +309,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
| 298 | else | 309 | else |
| 299 | authmsg = authenticated ? "Accepted" : "Failed"; | 310 | authmsg = authenticated ? "Accepted" : "Failed"; |
| 300 | 311 | ||
| 301 | authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", | 312 | authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s", |
| 302 | authmsg, | 313 | authmsg, |
| 303 | method, | 314 | method, |
| 304 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, | 315 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, |
| @@ -306,7 +317,6 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
| 306 | authctxt->user, | 317 | authctxt->user, |
| 307 | ssh_remote_ipaddr(ssh), | 318 | ssh_remote_ipaddr(ssh), |
| 308 | ssh_remote_port(ssh), | 319 | ssh_remote_port(ssh), |
| 309 | compat20 ? "ssh2" : "ssh1", | ||
| 310 | authctxt->info != NULL ? ": " : "", | 320 | authctxt->info != NULL ? ": " : "", |
| 311 | authctxt->info != NULL ? authctxt->info : ""); | 321 | authctxt->info != NULL ? authctxt->info : ""); |
| 312 | free(authctxt->info); | 322 | free(authctxt->info); |
| @@ -339,12 +349,11 @@ auth_maxtries_exceeded(Authctxt *authctxt) | |||
| 339 | struct ssh *ssh = active_state; /* XXX */ | 349 | struct ssh *ssh = active_state; /* XXX */ |
| 340 | 350 | ||
| 341 | error("maximum authentication attempts exceeded for " | 351 | error("maximum authentication attempts exceeded for " |
| 342 | "%s%.100s from %.200s port %d %s", | 352 | "%s%.100s from %.200s port %d ssh2", |
| 343 | authctxt->valid ? "" : "invalid user ", | 353 | authctxt->valid ? "" : "invalid user ", |
| 344 | authctxt->user, | 354 | authctxt->user, |
| 345 | ssh_remote_ipaddr(ssh), | 355 | ssh_remote_ipaddr(ssh), |
| 346 | ssh_remote_port(ssh), | 356 | ssh_remote_port(ssh)); |
| 347 | compat20 ? "ssh2" : "ssh1"); | ||
| 348 | packet_disconnect("Too many authentication failures"); | 357 | packet_disconnect("Too many authentication failures"); |
| 349 | /* NOTREACHED */ | 358 | /* NOTREACHED */ |
| 350 | } | 359 | } |