summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--auth.c31
2 files changed, 29 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index e0f4584e6..21c719332 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
30 - stevesk@cvs.openbsd.org 2002/02/28 20:46:10 30 - stevesk@cvs.openbsd.org 2002/02/28 20:46:10
31 [sshd.8] 31 [sshd.8]
32 -u0 DNS for user@host 32 -u0 DNS for user@host
33 - stevesk@cvs.openbsd.org 2002/02/28 20:56:00
34 [auth.c]
35 log user not allowed details, from dwd@bell-labs.com; ok markus@
33 36
3420020226 3720020226
35 - (tim) Bug 12 [configure.ac] add sys/bitypes.h to int64_t tests 38 - (tim) Bug 12 [configure.ac] add sys/bitypes.h to int64_t tests
@@ -7761,4 +7764,4 @@
7761 - Wrote replacements for strlcpy and mkdtemp 7764 - Wrote replacements for strlcpy and mkdtemp
7762 - Released 1.0pre1 7765 - Released 1.0pre1
7763 7766
7764$Id: ChangeLog,v 1.1899 2002/03/05 01:38:57 mouring Exp $ 7767$Id: ChangeLog,v 1.1900 2002/03/05 01:40:37 mouring Exp $
diff --git a/auth.c b/auth.c
index eae6a7bdf..a58bf9b74 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth.c,v 1.33 2002/02/28 19:36:28 stevesk Exp $"); 26RCSID("$OpenBSD: auth.c,v 1.34 2002/02/28 20:56:00 stevesk Exp $");
27 27
28#ifdef HAVE_LOGIN_H 28#ifdef HAVE_LOGIN_H
29#include <login.h> 29#include <login.h>
@@ -104,17 +104,26 @@ allowed_user(struct passwd * pw)
104 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; 104 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
105 105
106 /* deny if shell does not exists or is not executable */ 106 /* deny if shell does not exists or is not executable */
107 if (stat(shell, &st) != 0) 107 if (stat(shell, &st) != 0) {
108 log("User %.100s not allowed because shell %.100s does not exist",
109 pw->pw_name, shell);
108 return 0; 110 return 0;
109 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) 111 }
112 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {
113 log("User %.100s not allowed because shell %.100s is not executable",
114 pw->pw_name, shell);
110 return 0; 115 return 0;
116 }
111 117
112 /* Return false if user is listed in DenyUsers */ 118 /* Return false if user is listed in DenyUsers */
113 if (options.num_deny_users > 0) { 119 if (options.num_deny_users > 0) {
114 for (i = 0; i < options.num_deny_users; i++) 120 for (i = 0; i < options.num_deny_users; i++)
115 if (match_user(pw->pw_name, options.verify_reverse_mapping, 121 if (match_user(pw->pw_name, options.verify_reverse_mapping,
116 options.deny_users[i])) 122 options.deny_users[i])) {
123 log("User %.100s not allowed because listed in DenyUsers",
124 pw->pw_name);
117 return 0; 125 return 0;
126 }
118 } 127 }
119 /* Return false if AllowUsers isn't empty and user isn't listed there */ 128 /* Return false if AllowUsers isn't empty and user isn't listed there */
120 if (options.num_allow_users > 0) { 129 if (options.num_allow_users > 0) {
@@ -123,19 +132,27 @@ allowed_user(struct passwd * pw)
123 options.allow_users[i])) 132 options.allow_users[i]))
124 break; 133 break;
125 /* i < options.num_allow_users iff we break for loop */ 134 /* i < options.num_allow_users iff we break for loop */
126 if (i >= options.num_allow_users) 135 if (i >= options.num_allow_users) {
136 log("User %.100s not allowed because not listed in AllowUsers",
137 pw->pw_name);
127 return 0; 138 return 0;
139 }
128 } 140 }
129 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { 141 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
130 /* Get the user's group access list (primary and supplementary) */ 142 /* Get the user's group access list (primary and supplementary) */
131 if (ga_init(pw->pw_name, pw->pw_gid) == 0) 143 if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
144 log("User %.100s not allowed because not in any group",
145 pw->pw_name);
132 return 0; 146 return 0;
147 }
133 148
134 /* Return false if one of user's groups is listed in DenyGroups */ 149 /* Return false if one of user's groups is listed in DenyGroups */
135 if (options.num_deny_groups > 0) 150 if (options.num_deny_groups > 0)
136 if (ga_match(options.deny_groups, 151 if (ga_match(options.deny_groups,
137 options.num_deny_groups)) { 152 options.num_deny_groups)) {
138 ga_free(); 153 ga_free();
154 log("User %.100s not allowed because a group is listed in DenyGroups",
155 pw->pw_name);
139 return 0; 156 return 0;
140 } 157 }
141 /* 158 /*
@@ -146,6 +163,8 @@ allowed_user(struct passwd * pw)
146 if (!ga_match(options.allow_groups, 163 if (!ga_match(options.allow_groups,
147 options.num_allow_groups)) { 164 options.num_allow_groups)) {
148 ga_free(); 165 ga_free();
166 log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
167 pw->pw_name);
149 return 0; 168 return 0;
150 } 169 }
151 ga_free(); 170 ga_free();