-rw-r--r--ChangeLog5
-rw-r--r--auth.c60
-rw-r--r--sshd.812
3 files changed, 36 insertions, 41 deletions
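--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,11 @@
  - add bsd-getgrouplist.h
  - new files groupaccess.[ch]
  - build but don't use yet (need to merge auth.c changes)
+ - (stevesk) complete:
+   - markus@cvs.openbsd.org 2001/01/13 11:56:48
+     [auth.c sshd.8]
+     support supplementary group in {Allow,Deny}Groups
+     from stevesk@pobox.com
 
 20010112
  - (bal) OpenBSD Sync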
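--- a/auth.c
+++ b/auth.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -46,6 +46,7 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");
 #include "compat.h"
 #include "channels.h"
 #include "match.h"
+#include "groupaccess.h"
 #ifdef HAVE_LOGIN_H
 #include <login.h>
 #endif
@@ -62,11 +63,11 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");
 extern ServerOptions options;
 
 /*
- * Check if the user is allowed to log in via ssh. If user is listed in
- * DenyUsers or user's primary group is listed in DenyGroups, false will
- * be returned. If AllowUsers isn't empty and user isn't listed there, or
- * if AllowGroups isn't empty and user isn't listed there, false will be
- * returned.
+ * Check if the user is allowed to log in via ssh. If user is listed
+ * in DenyUsers or one of user's groups is listed in DenyGroups, false
+ * will be returned. If AllowUsers isn't empty and user isn't listed
+ * there, or if AllowGroups isn't empty and one of user's groups isn't
+ * listed there, false will be returned.
  * If the user's shell is not executable, false will be returned.
  * Otherwise true is returned.
  */
@@ -74,7 +75,6 @@ int
 allowed_user(struct passwd * pw)
 {
 	struct stat st;
-	struct group *grp;
 	char *shell;
 	int i;
 #ifdef WITH_AIXAUTHENTICATE
@@ -82,10 +82,10 @@ allowed_user(struct passwd * pw)
 #endif /* WITH_AIXAUTHENTICATE */
 #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
 	!defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 	struct spwd *spw;
 
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
-	if (!pw)
+	if (!pw || !pw->pw_name)
 		return 0;
 
 	spw = getspnam(pw->pw_name);
@@ -103,7 +103,7 @@ allowed_user(struct passwd * pw)
 	}
 #else
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
-	if (!pw)
+	if (!pw || !pw->pw_name)
 		return 0;
 #endif
 
@@ -121,16 +121,12 @@ allowed_user(struct passwd * pw)
 
 	/* Return false if user is listed in DenyUsers */
 	if (options.num_deny_users > 0) {
-		if (!pw->pw_name)
-			return 0;
 		for (i = 0; i < options.num_deny_users; i++)
 			if (match_pattern(pw->pw_name, options.deny_users[i]))
 				return 0;
 	}
 	/* Return false if AllowUsers isn't empty and user isn't listed there */
 	if (options.num_allow_users > 0) {
-		if (!pw->pw_name)
-			return 0;
 		for (i = 0; i < options.num_allow_users; i++)
 			if (match_pattern(pw->pw_name, options.allow_users[i]))
 				break;
@@ -138,35 +134,29 @@ allowed_user(struct passwd * pw)
 		if (i >= options.num_allow_users)
 			return 0;
 	}
-	/* Get the primary group name if we need it. Return false if it fails */
 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
-		grp = getgrgid(pw->pw_gid);
-		if (!grp)
+		/* Get the user's group access list (primary and supplementary) */
+		if (ga_init(pw->pw_name, pw->pw_gid) == 0)
 			return 0;
 
-		/* Return false if user's group is listed in DenyGroups */
-		if (options.num_deny_groups > 0) {
-			if (!grp->gr_name)
+		/* Return false if one of user's groups is listed in DenyGroups */
+		if (options.num_deny_groups > 0)
+			if (ga_match(options.deny_groups,
+			    options.num_deny_groups)) {
+				ga_free();
 				return 0;
-			for (i = 0; i < options.num_deny_groups; i++)
-				if (match_pattern(grp->gr_name, options.deny_groups[i]))
-					return 0;
-		}
+			}
 		/*
-		 * Return false if AllowGroups isn't empty and user's group
+		 * Return false if AllowGroups isn't empty and one of user's groups
 		 * isn't listed there
 		 */
-		if (options.num_allow_groups > 0) {
-			if (!grp->gr_name)
+		if (options.num_allow_groups > 0)
+			if (!ga_match(options.allow_groups,
+			    options.num_allow_groups)) {
+				ga_free();
 				return 0;
-			for (i = 0; i < options.num_allow_groups; i++)
-				if (match_pattern(grp->gr_name, options.allow_groups[i]))
-					break;
-			/* i < options.num_allow_groups iff we break for
-			   loop */
-			if (i >= options.num_allow_groups)
-				return 0;
-		}
+			}
+		ga_free();
 	}
 
 #ifdef WITH_AIXAUTHENTICATE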
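Review bot: The fail-closed `return 0` after `if (ga_init(pw->pw_name, pw->pw_gid) == 0)` (new line 139) depends on ga_init's return contract, which this hunk does not show; presumably it returns the number of groups collected, so both a lookup failure and an empty group list deny the login, and the comment above it should say so, e.g. `/* ga_init() returns the group count; 0 (lookup failure or no groups) fails closed */`. The braceless nested `if` pairs at new lines 143-144 and 153-154 would be safer with braces on the outer `if`, since a later `else` or an added statement would silently bind to the wrong branch. Both the DenyGroups and AllowGroups exits call ga_free() before returning and the early return at line 140 precedes any list being built, so the group list is released on every path visible here. allowed_user starts in an earlier hunk and continues past the end of this one.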
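--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.80 2001/01/08 22:29:05 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.81 2001/01/13 18:56:48 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -303,14 +303,14 @@ Default is
 This keyword can be followed by a number of group names, separated
 by spaces.
 If specified, login is allowed only for users whose primary
-group matches one of the patterns.
+group or supplementary group list matches one of the patterns.
 .Ql \&*
 and
 .Ql ?
 can be used as
 wildcards in the patterns.
 Only group names are valid; a numerical group ID isn't recognized.
-By default login is allowed regardless of the primary group.
+By default login is allowed regardless of the group list.
 .Pp
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
@@ -354,15 +354,15 @@ The default is
 .It Cm DenyGroups
 This keyword can be followed by a number of group names, separated
 by spaces.
-Users whose primary group matches one of the patterns
-aren't allowed to log in.
+Users whose primary group or supplementary group list matches
+one of the patterns aren't allowed to log in.
 .Ql \&*
 and
 .Ql ?
 can be used as
 wildcards in the patterns.
 Only group names are valid; a numerical group ID isn't recognized.
-By default login is allowed regardless of the primary group.
+By default login is allowed regardless of the group list.
 .Pp
 .It Cm DenyUsers
 This keyword can be followed by a number of user names, separated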