3 files changed, 29 insertions, 18 deletions
diff --git a/ChangeLog b/ChangeLog
index e382cda76..e435d188d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,9 @@
     [auth-krb4.c]
     set client to NULL after xfree(), from Rolf Braun 
     <rbraun+ssh@andrew.cmu.edu>
+   - provos@cvs.openbsd.org 2002/03/18 03:41:08
+     [auth.c session.c]
+     move auth_approval into getpwnamallow with help from millert@
 20020317
 - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@@ -7887,4 +7890,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1936 2002/03/22 01:30:40 mouring Exp $
+$Id: ChangeLog,v 1.1937 2002/03/22 01:35:47 mouring Exp $
diff --git a/auth.c b/auth.c
index 19ef605f4..62c184ddf 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.37 2002/03/17 20:25:56 provos Exp $");
+RCSID("$OpenBSD: auth.c,v 1.38 2002/03/18 03:41:08 provos Exp $");
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -443,11 +443,31 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 struct passwd *
 getpwnamallow(const char *user)
 {
+#ifdef HAVE_LOGIN_CAP
+        extern login_cap_t *lc;
+#ifdef BSD_AUTH
+        auth_session_t *as;
+#endif
+#endif
        struct passwd *pw;
        pw = getpwnam(user);
-        if (pw != NULL && !allowed_user(pw))
+        if (pw == NULL || !allowed_user(pw))
+                return (NULL);
+#ifdef HAVE_LOGIN_CAP
+        if ((lc = login_getclass(pw->pw_class)) == NULL) {
+                debug("unable to get login class: %s", user);
+                return (NULL);
+        }
+#ifdef BSD_AUTH
+        if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+            auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+                debug("Approval failure for %s", user);
                pw = NULL;
+        }
+        if (as != NULL)
+                auth_close(as);
+#endif
+#endif
        return (pw);
 }
diff --git a/session.c b/session.c
index a31ff85d8..29467029d 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.128 2002/02/16 00:51:44 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.129 2002/03/18 03:41:08 provos Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -136,7 +136,7 @@ char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 #ifdef HAVE_LOGIN_CAP
-static login_cap_t *lc;
+login_cap_t *lc;
 #endif
 void
@@ -151,18 +151,6 @@ do_authenticated(Authctxt *authctxt)
                close(startup_pipe);
                startup_pipe = -1;
        }
-#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD)
-        if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
-                error("unable to get login class");
-                return;
-        }
-#ifdef BSD_AUTH
-        if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) {
-                packet_disconnect("Approval failure for %s",
-                    authctxt->pw->pw_name);
-        }
-#endif
-#endif
 #ifdef WITH_AIXAUTHENTICATE
        /* We don't have a pty yet, so just label the line as "ssh" */
        if (loginsuccess(authctxt->user,

diff --git a/ChangeLog b/ChangeLog index e382cda76..e435d188d 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -41,6 +41,9 @@
41	[auth-krb4.c]	41	[auth-krb4.c]
42	set client to NULL after xfree(), from Rolf Braun	42	set client to NULL after xfree(), from Rolf Braun
43	<rbraun+ssh@andrew.cmu.edu>	43	<rbraun+ssh@andrew.cmu.edu>
		44	- provos@cvs.openbsd.org 2002/03/18 03:41:08
		45	[auth.c session.c]
		46	move auth_approval into getpwnamallow with help from millert@
44		47
45	20020317	48	20020317
46	- (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,	49	- (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@@ -7887,4 +7890,4 @@
7887	- Wrote replacements for strlcpy and mkdtemp	7890	- Wrote replacements for strlcpy and mkdtemp
7888	- Released 1.0pre1	7891	- Released 1.0pre1
7889		7892
7890	$Id: ChangeLog,v 1.1936 2002/03/22 01:30:40 mouring Exp $	7893	$Id: ChangeLog,v 1.1937 2002/03/22 01:35:47 mouring Exp $


diff --git a/auth.c b/auth.c index 19ef605f4..62c184ddf 100644 --- a/auth.c +++ b/auth.c
@@ -23,7 +23,7 @@
23	*/	23	*/
24		24
25	#include "includes.h"	25	#include "includes.h"
26	RCSID("$OpenBSD: auth.c,v 1.37 2002/03/17 20:25:56 provos Exp $");	26	RCSID("$OpenBSD: auth.c,v 1.38 2002/03/18 03:41:08 provos Exp $");
27		27
28	#ifdef HAVE_LOGIN_H	28	#ifdef HAVE_LOGIN_H
29	#include <login.h>	29	#include <login.h>
@@ -443,11 +443,31 @@ secure_filename(FILE f, const char file, struct passwd *pw,
443	struct passwd *	443	struct passwd *
444	getpwnamallow(const char *user)	444	getpwnamallow(const char *user)
445	{	445	{
		446	#ifdef HAVE_LOGIN_CAP
		447	extern login_cap_t *lc;
		448	#ifdef BSD_AUTH
		449	auth_session_t *as;
		450	#endif
		451	#endif
446	struct passwd *pw;	452	struct passwd *pw;
447		453
448	pw = getpwnam(user);	454	pw = getpwnam(user);
449	if (pw != NULL && !allowed_user(pw))	455	if (pw == NULL \|\| !allowed_user(pw))
		456	return (NULL);
		457	#ifdef HAVE_LOGIN_CAP
		458	if ((lc = login_getclass(pw->pw_class)) == NULL) {
		459	debug("unable to get login class: %s", user);
		460	return (NULL);
		461	}
		462	#ifdef BSD_AUTH
		463	if ((as = auth_open()) == NULL \|\| auth_setpwd(as, pw) != 0 \|\|
		464	auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
		465	debug("Approval failure for %s", user);
450	pw = NULL;	466	pw = NULL;
451		467	}
		468	if (as != NULL)
		469	auth_close(as);
		470	#endif
		471	#endif
452	return (pw);	472	return (pw);
453	}	473	}


diff --git a/session.c b/session.c index a31ff85d8..29467029d 100644 --- a/session.c +++ b/session.c
@@ -33,7 +33,7 @@
33	*/	33	*/
34		34
35	#include "includes.h"	35	#include "includes.h"
36	RCSID("$OpenBSD: session.c,v 1.128 2002/02/16 00:51:44 markus Exp $");	36	RCSID("$OpenBSD: session.c,v 1.129 2002/03/18 03:41:08 provos Exp $");
37		37
38	#include "ssh.h"	38	#include "ssh.h"
39	#include "ssh1.h"	39	#include "ssh1.h"
@@ -136,7 +136,7 @@ char *aixloginmsg;
136	#endif /* WITH_AIXAUTHENTICATE */	136	#endif /* WITH_AIXAUTHENTICATE */
137		137
138	#ifdef HAVE_LOGIN_CAP	138	#ifdef HAVE_LOGIN_CAP
139	static login_cap_t *lc;	139	login_cap_t *lc;
140	#endif	140	#endif
141		141
142	void	142	void
@@ -151,18 +151,6 @@ do_authenticated(Authctxt *authctxt)
151	close(startup_pipe);	151	close(startup_pipe);
152	startup_pipe = -1;	152	startup_pipe = -1;
153	}	153	}
154	#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD)
155	if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
156	error("unable to get login class");
157	return;
158	}
159	#ifdef BSD_AUTH
160	if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) {
161	packet_disconnect("Approval failure for %s",
162	authctxt->pw->pw_name);
163	}
164	#endif
165	#endif
166	#ifdef WITH_AIXAUTHENTICATE	154	#ifdef WITH_AIXAUTHENTICATE
167	/* We don't have a pty yet, so just label the line as "ssh" */	155	/* We don't have a pty yet, so just label the line as "ssh" */
168	if (loginsuccess(authctxt->user,	156	if (loginsuccess(authctxt->user,