-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth.c | 31 |
2 files changed, 29 insertions, 7 deletions
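--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
 - stevesk@cvs.openbsd.org 2002/02/28 20:46:10
 [sshd.8]
 -u0 DNS for user@host
+- stevesk@cvs.openbsd.org 2002/02/28 20:56:00
+[auth.c]
+log user not allowed details, from dwd@bell-labs.com; ok markus@
 
 20020226
 - (tim) Bug 12 [configure.ac] add sys/bitypes.h to int64_t tests
@@ -7761,4 +7764,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1899 2002/03/05 01:38:57 mouring Exp $
+$Id: ChangeLog,v 1.1900 2002/03/05 01:40:37 mouring Exp $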
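--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.33 2002/02/28 19:36:28 stevesk Exp $");
+RCSID("$OpenBSD: auth.c,v 1.34 2002/02/28 20:56:00 stevesk Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -104,17 +104,26 @@ allowed_user(struct passwd * pw)
 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
 
 /* deny if shell does not exists or is not executable */
-if (stat(shell, &st) != 0)
+if (stat(shell, &st) != 0) {
+log("User %.100s not allowed because shell %.100s does not exist",
+pw->pw_name, shell);
 return 0;
-if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
+}
+if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {
+log("User %.100s not allowed because shell %.100s is not executable",
+pw->pw_name, shell);
 return 0;
+}
 
 /* Return false if user is listed in DenyUsers */
 if (options.num_deny_users > 0) {
 for (i = 0; i < options.num_deny_users; i++)
 if (match_user(pw->pw_name, options.verify_reverse_mapping,
-options.deny_users[i]))
+options.deny_users[i])) {
+log("User %.100s not allowed because listed in DenyUsers",
+pw->pw_name);
 return 0;
+}
 }
 /* Return false if AllowUsers isn't empty and user isn't listed there */
 if (options.num_allow_users > 0) {
@@ -123,19 +132,27 @@ allowed_user(struct passwd * pw)
 options.allow_users[i]))
 break;
 /* i < options.num_allow_users iff we break for loop */
-if (i >= options.num_allow_users)
+if (i >= options.num_allow_users) {
+log("User %.100s not allowed because not listed in AllowUsers",
+pw->pw_name);
 return 0;
+}
 }
 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 /* Get the user's group access list (primary and supplementary) */
-if (ga_init(pw->pw_name, pw->pw_gid) == 0)
+if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+log("User %.100s not allowed because not in any group",
+pw->pw_name);
 return 0;
+}
 
 /* Return false if one of user's groups is listed in DenyGroups */
 if (options.num_deny_groups > 0)
 if (ga_match(options.deny_groups,
 options.num_deny_groups)) {
 ga_free();
+log("User %.100s not allowed because a group is listed in DenyGroups",
+pw->pw_name);
 return 0;
 }
 /*
@@ -146,6 +163,8 @@ allowed_user(struct passwd * pw)
 if (!ga_match(options.allow_groups,
 options.num_allow_groups)) {
 ga_free();
+log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
+pw->pw_name);
 return 0;
 }
 ga_free();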
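Review bot: The executable-shell test at new line 112, `if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {`, checks the S_IFREG bit rather than the file-type field; in the traditional mode encoding S_IFSOCK is S_IFREG with one extra bit set, so a socket carrying any execute bit satisfies this condition, and the line is rewritten here only to add the brace and log call. The portable form is `if (!(S_ISREG(st.st_mode) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {`, which also makes the new "is not executable" message accurate for non-regular files. The execute check itself accepts any of the three x bits without regard to the file's owner or group, which is worth a one-line comment on that branch if the coarse test is intentional. allowed_user's body begins before the hunk.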