diff options
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | servconf.c | 56 | ||||
| -rw-r--r-- | servconf.h | 3 | ||||
| -rw-r--r-- | sshd_config.5 | 3 |
4 files changed, 64 insertions, 4 deletions
| @@ -14,6 +14,10 @@ | |||
| 14 | Revert previous include file ordering change, for ssh to compile under | 14 | Revert previous include file ordering change, for ssh to compile under |
| 15 | gcc2 (or until openssl include files are cleaned of parameter names | 15 | gcc2 (or until openssl include files are cleaned of parameter names |
| 16 | in function prototypes) | 16 | in function prototypes) |
| 17 | - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 | ||
| 18 | [servconf.c servconf.h sshd_config.5] | ||
| 19 | Add ability to match groups to Match keyword in sshd_config. Feedback | ||
| 20 | djm@, stevesk@, ok stevesk@. | ||
| 17 | 21 | ||
| 18 | 20060817 | 22 | 20060817 |
| 19 | - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] | 23 | - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] |
| @@ -5235,4 +5239,4 @@ | |||
| 5235 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 5239 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 5236 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 5240 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 5237 | 5241 | ||
| 5238 | $Id: ChangeLog,v 1.4488 2006/08/18 14:22:40 djm Exp $ | 5242 | $Id: ChangeLog,v 1.4489 2006/08/18 14:23:15 djm Exp $ |
diff --git a/servconf.c b/servconf.c index 5884b95be..1f80de22d 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -16,6 +16,7 @@ | |||
| 16 | #include <sys/socket.h> | 16 | #include <sys/socket.h> |
| 17 | 17 | ||
| 18 | #include <netdb.h> | 18 | #include <netdb.h> |
| 19 | #include <pwd.h> | ||
| 19 | #include <stdio.h> | 20 | #include <stdio.h> |
| 20 | #include <stdlib.h> | 21 | #include <stdlib.h> |
| 21 | #include <string.h> | 22 | #include <string.h> |
| @@ -37,6 +38,7 @@ | |||
| 37 | #include "mac.h" | 38 | #include "mac.h" |
| 38 | #include "match.h" | 39 | #include "match.h" |
| 39 | #include "channels.h" | 40 | #include "channels.h" |
| 41 | #include "groupaccess.h" | ||
| 40 | 42 | ||
| 41 | static void add_listen_addr(ServerOptions *, char *, u_short); | 43 | static void add_listen_addr(ServerOptions *, char *, u_short); |
| 42 | static void add_one_listen_addr(ServerOptions *, char *, u_short); | 44 | static void add_one_listen_addr(ServerOptions *, char *, u_short); |
| @@ -497,6 +499,51 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port) | |||
| 497 | */ | 499 | */ |
| 498 | 500 | ||
| 499 | static int | 501 | static int |
| 502 | match_cfg_line_group(const char *grps, int line, const char *user) | ||
| 503 | { | ||
| 504 | int result = 0; | ||
| 505 | u_int ngrps = 0; | ||
| 506 | char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS]; | ||
| 507 | struct passwd *pw; | ||
| 508 | |||
| 509 | /* | ||
| 510 | * Even if we do not have a user yet, we still need to check for | ||
| 511 | * valid syntax. | ||
| 512 | */ | ||
| 513 | arg = cp = xstrdup(grps); | ||
| 514 | while ((p = strsep(&cp, ",")) != NULL && *p != '\0') { | ||
| 515 | if (ngrps >= MAX_MATCH_GROUPS) { | ||
| 516 | error("line %d: too many groups in Match Group", line); | ||
| 517 | result = -1; | ||
| 518 | goto out; | ||
| 519 | } | ||
| 520 | grplist[ngrps++] = p; | ||
| 521 | } | ||
| 522 | |||
| 523 | if (user == NULL) | ||
| 524 | goto out; | ||
| 525 | |||
| 526 | if ((pw = getpwnam(user)) == NULL) { | ||
| 527 | debug("Can't match group at line %d because user %.100s does " | ||
| 528 | "not exist", line, user); | ||
| 529 | } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { | ||
| 530 | debug("Can't Match group because user %.100s not in any group " | ||
| 531 | "at line %d", user, line); | ||
| 532 | } else if (ga_match(grplist, ngrps) != 1) { | ||
| 533 | debug("user %.100s does not match group %.100s at line %d", | ||
| 534 | user, arg, line); | ||
| 535 | } else { | ||
| 536 | debug("user %.100s matched group %.100s at line %d", user, | ||
| 537 | arg, line); | ||
| 538 | result = 1; | ||
| 539 | } | ||
| 540 | out: | ||
| 541 | ga_free(); | ||
| 542 | xfree(arg); | ||
| 543 | return result; | ||
| 544 | } | ||
| 545 | |||
| 546 | static int | ||
| 500 | match_cfg_line(char **condition, int line, const char *user, const char *host, | 547 | match_cfg_line(char **condition, int line, const char *user, const char *host, |
| 501 | const char *address) | 548 | const char *address) |
| 502 | { | 549 | { |
| @@ -527,6 +574,13 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, | |||
| 527 | else | 574 | else |
| 528 | debug("user %.100s matched 'User %.100s' at " | 575 | debug("user %.100s matched 'User %.100s' at " |
| 529 | "line %d", user, arg, line); | 576 | "line %d", user, arg, line); |
| 577 | } else if (strcasecmp(attrib, "group") == 0) { | ||
| 578 | switch (match_cfg_line_group(arg, line, user)) { | ||
| 579 | case -1: | ||
| 580 | return -1; | ||
| 581 | case 0: | ||
| 582 | result = 0; | ||
| 583 | } | ||
| 530 | } else if (strcasecmp(attrib, "host") == 0) { | 584 | } else if (strcasecmp(attrib, "host") == 0) { |
| 531 | if (!host) { | 585 | if (!host) { |
| 532 | result = 0; | 586 | result = 0; |
diff --git a/servconf.h b/servconf.h index 2593b1cd1..ad496f64b 100644 --- a/servconf.h +++ b/servconf.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: servconf.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -25,6 +25,7 @@ | |||
| 25 | #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ | 25 | #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ |
| 26 | #define MAX_HOSTKEYS 256 /* Max # hostkeys. */ | 26 | #define MAX_HOSTKEYS 256 /* Max # hostkeys. */ |
| 27 | #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ | 27 | #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ |
| 28 | #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ | ||
| 28 | 29 | ||
| 29 | /* permit_root_login */ | 30 | /* permit_root_login */ |
| 30 | #define PERMIT_NOT_SET -1 | 31 | #define PERMIT_NOT_SET -1 |
diff --git a/sshd_config.5 b/sshd_config.5 index ff5457dff..3c20c1faa 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -34,7 +34,7 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.69 2006/08/14 12:40:25 dtucker Exp $ |
| 38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
| 39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
| 40 | .Os | 40 | .Os |
| @@ -488,6 +488,7 @@ The arguments to | |||
| 488 | are one or more criteria-pattern pairs. | 488 | are one or more criteria-pattern pairs. |
| 489 | The available criteria are | 489 | The available criteria are |
| 490 | .Cm User , | 490 | .Cm User , |
| 491 | .Cm Group , | ||
| 491 | .Cm Host , | 492 | .Cm Host , |
| 492 | and | 493 | and |
| 493 | .Cm Address . | 494 | .Cm Address . |