diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth.c | 14 | ||||
-rw-r--r-- | match.c | 26 | ||||
-rw-r--r-- | sshd.8 | 5 |
4 files changed, 44 insertions, 6 deletions
@@ -83,6 +83,9 @@ | |||
83 | - markus@cvs.openbsd.org 2001/06/27 02:12:54 | 83 | - markus@cvs.openbsd.org 2001/06/27 02:12:54 |
84 | [serverloop.c serverloop.h session.c session.h] | 84 | [serverloop.c serverloop.h session.c session.h] |
85 | quick hack to make ssh2 work again. | 85 | quick hack to make ssh2 work again. |
86 | - markus@cvs.openbsd.org 2001/06/27 04:48:53 | ||
87 | [auth.c match.c sshd.8] | ||
88 | tridge@samba.org | ||
86 | 89 | ||
87 | 20010629 | 90 | 20010629 |
88 | - (bal) Removed net_aton() since we don't use it any more | 91 | - (bal) Removed net_aton() since we don't use it any more |
@@ -5910,4 +5913,4 @@ | |||
5910 | - Wrote replacements for strlcpy and mkdtemp | 5913 | - Wrote replacements for strlcpy and mkdtemp |
5911 | - Released 1.0pre1 | 5914 | - Released 1.0pre1 |
5912 | 5915 | ||
5913 | $Id: ChangeLog,v 1.1362 2001/07/04 04:53:53 mouring Exp $ | 5916 | $Id: ChangeLog,v 1.1363 2001/07/04 04:56:44 mouring Exp $ |
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth.c,v 1.25 2001/06/25 17:54:48 provos Exp $"); | 26 | RCSID("$OpenBSD: auth.c,v 1.26 2001/06/27 04:48:52 markus Exp $"); |
27 | 27 | ||
28 | #ifdef HAVE_LOGIN_H | 28 | #ifdef HAVE_LOGIN_H |
29 | #include <login.h> | 29 | #include <login.h> |
@@ -65,6 +65,7 @@ int | |||
65 | allowed_user(struct passwd * pw) | 65 | allowed_user(struct passwd * pw) |
66 | { | 66 | { |
67 | struct stat st; | 67 | struct stat st; |
68 | const char *hostname = NULL, *ipaddr = NULL; | ||
68 | char *shell; | 69 | char *shell; |
69 | int i; | 70 | int i; |
70 | #ifdef WITH_AIXAUTHENTICATE | 71 | #ifdef WITH_AIXAUTHENTICATE |
@@ -109,16 +110,23 @@ allowed_user(struct passwd * pw) | |||
109 | if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) | 110 | if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) |
110 | return 0; | 111 | return 0; |
111 | 112 | ||
113 | if (options.num_deny_users > 0 || options.num_allow_users > 0) { | ||
114 | hostname = get_canonical_hostname(options.reverse_mapping_check); | ||
115 | ipaddr = get_remote_ipaddr(); | ||
116 | } | ||
117 | |||
112 | /* Return false if user is listed in DenyUsers */ | 118 | /* Return false if user is listed in DenyUsers */ |
113 | if (options.num_deny_users > 0) { | 119 | if (options.num_deny_users > 0) { |
114 | for (i = 0; i < options.num_deny_users; i++) | 120 | for (i = 0; i < options.num_deny_users; i++) |
115 | if (match_pattern(pw->pw_name, options.deny_users[i])) | 121 | if (match_user(pw->pw_name, hostname, ipaddr, |
122 | options.deny_users[i])) | ||
116 | return 0; | 123 | return 0; |
117 | } | 124 | } |
118 | /* Return false if AllowUsers isn't empty and user isn't listed there */ | 125 | /* Return false if AllowUsers isn't empty and user isn't listed there */ |
119 | if (options.num_allow_users > 0) { | 126 | if (options.num_allow_users > 0) { |
120 | for (i = 0; i < options.num_allow_users; i++) | 127 | for (i = 0; i < options.num_allow_users; i++) |
121 | if (match_pattern(pw->pw_name, options.allow_users[i])) | 128 | if (match_user(pw->pw_name, hostname, ipaddr, |
129 | options.allow_users[i])) | ||
122 | break; | 130 | break; |
123 | /* i < options.num_allow_users iff we break for loop */ | 131 | /* i < options.num_allow_users iff we break for loop */ |
124 | if (i >= options.num_allow_users) | 132 | if (i >= options.num_allow_users) |
@@ -35,7 +35,7 @@ | |||
35 | */ | 35 | */ |
36 | 36 | ||
37 | #include "includes.h" | 37 | #include "includes.h" |
38 | RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $"); | 38 | RCSID("$OpenBSD: match.c,v 1.14 2001/06/27 04:48:53 markus Exp $"); |
39 | 39 | ||
40 | #include "match.h" | 40 | #include "match.h" |
41 | #include "xmalloc.h" | 41 | #include "xmalloc.h" |
@@ -185,6 +185,30 @@ match_host_and_ip(const char *host, const char *ipaddr, | |||
185 | } | 185 | } |
186 | 186 | ||
187 | /* | 187 | /* |
188 | * match user, user@host_or_ip, user@host_or_ip_list against pattern | ||
189 | */ | ||
190 | int | ||
191 | match_user(const char *user, const char *host, const char *ipaddr, | ||
192 | const char *pattern) | ||
193 | { | ||
194 | char *p, *pat; | ||
195 | int ret; | ||
196 | |||
197 | if ((p = strchr(pattern,'@')) == NULL) | ||
198 | return match_pattern(user, pattern); | ||
199 | |||
200 | pat = xstrdup(pattern); | ||
201 | p = strchr(pat, '@'); | ||
202 | *p++ = '\0'; | ||
203 | |||
204 | if ((ret = match_pattern(user, pat)) == 1) | ||
205 | ret = match_host_and_ip(host, ipaddr, p); | ||
206 | xfree(pat); | ||
207 | |||
208 | return ret; | ||
209 | } | ||
210 | |||
211 | /* | ||
188 | * Returns first item from client-list that is also supported by server-list, | 212 | * Returns first item from client-list that is also supported by server-list, |
189 | * caller must xfree() returned string. | 213 | * caller must xfree() returned string. |
190 | */ | 214 | */ |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.134 2001/06/26 05:48:07 mpech Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.135 2001/06/27 04:48:53 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -329,6 +329,9 @@ can be used as | |||
329 | wildcards in the patterns. | 329 | wildcards in the patterns. |
330 | Only user names are valid; a numerical user ID isn't recognized. | 330 | Only user names are valid; a numerical user ID isn't recognized. |
331 | By default login is allowed regardless of the user name. | 331 | By default login is allowed regardless of the user name. |
332 | If the pattern takes the form USER@HOST then USER and HOST | ||
333 | are separately checked, allowing you to restrict logins to particular | ||
334 | users from particular hosts. | ||
332 | .Pp | 335 | .Pp |
333 | .It Cm AuthorizedKeysFile | 336 | .It Cm AuthorizedKeysFile |
334 | Specifies the file that contains the public RSA keys that can be used | 337 | Specifies the file that contains the public RSA keys that can be used |