diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | auth-options.c | 19 | ||||
| -rw-r--r-- | match.c | 27 | ||||
| -rw-r--r-- | match.h | 26 |
4 files changed, 40 insertions, 37 deletions
| @@ -92,6 +92,9 @@ | |||
| 92 | [sshconnect1.c] | 92 | [sshconnect1.c] |
| 93 | consistent with ssh2: skip key if empty passphrase is entered, | 93 | consistent with ssh2: skip key if empty passphrase is entered, |
| 94 | retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@ | 94 | retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@ |
| 95 | - markus@cvs.openbsd.org 2001/06/24 05:25:10 | ||
| 96 | [auth-options.c match.c match.h] | ||
| 97 | move ip+hostname check to match.c | ||
| 95 | 98 | ||
| 96 | 20010622 | 99 | 20010622 |
| 97 | - (stevesk) handle systems without pw_expire and pw_change. | 100 | - (stevesk) handle systems without pw_expire and pw_change. |
| @@ -5776,4 +5779,4 @@ | |||
| 5776 | - Wrote replacements for strlcpy and mkdtemp | 5779 | - Wrote replacements for strlcpy and mkdtemp |
| 5777 | - Released 1.0pre1 | 5780 | - Released 1.0pre1 |
| 5778 | 5781 | ||
| 5779 | $Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $ | 5782 | $Id: ChangeLog,v 1.1320 2001/06/25 05:17:53 mouring Exp $ |
diff --git a/auth-options.c b/auth-options.c index 210fbe7ea..83ef02c42 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include "includes.h" | 12 | #include "includes.h" |
| 13 | RCSID("$OpenBSD: auth-options.c,v 1.18 2001/05/31 10:30:12 markus Exp $"); | 13 | RCSID("$OpenBSD: auth-options.c,v 1.19 2001/06/24 05:25:09 markus Exp $"); |
| 14 | 14 | ||
| 15 | #include "packet.h" | 15 | #include "packet.h" |
| 16 | #include "xmalloc.h" | 16 | #include "xmalloc.h" |
| @@ -167,7 +167,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 167 | } | 167 | } |
| 168 | cp = "from=\""; | 168 | cp = "from=\""; |
| 169 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 169 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 170 | int mname, mip; | ||
| 171 | const char *remote_ip = get_remote_ipaddr(); | 170 | const char *remote_ip = get_remote_ipaddr(); |
| 172 | const char *remote_host = get_canonical_hostname( | 171 | const char *remote_host = get_canonical_hostname( |
| 173 | options.reverse_mapping_check); | 172 | options.reverse_mapping_check); |
| @@ -195,18 +194,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 195 | } | 194 | } |
| 196 | patterns[i] = 0; | 195 | patterns[i] = 0; |
| 197 | opts++; | 196 | opts++; |
| 198 | /* | 197 | if (match_host_and_ip(remote_host, remote_ip, |
| 199 | * Deny access if we get a negative | 198 | patterns) != 1) { |
| 200 | * match for the hostname or the ip | 199 | xfree(patterns); |
| 201 | * or if we get not match at all | ||
| 202 | */ | ||
| 203 | mname = match_hostname(remote_host, patterns, | ||
| 204 | strlen(patterns)); | ||
| 205 | mip = match_hostname(remote_ip, patterns, | ||
| 206 | strlen(patterns)); | ||
| 207 | xfree(patterns); | ||
| 208 | if (mname == -1 || mip == -1 || | ||
| 209 | (mname != 1 && mip != 1)) { | ||
| 210 | log("Authentication tried for %.100s with " | 200 | log("Authentication tried for %.100s with " |
| 211 | "correct key but not from a permitted " | 201 | "correct key but not from a permitted " |
| 212 | "host (host=%.200s, ip=%.200s).", | 202 | "host (host=%.200s, ip=%.200s).", |
| @@ -217,6 +207,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 217 | /* deny access */ | 207 | /* deny access */ |
| 218 | return 0; | 208 | return 0; |
| 219 | } | 209 | } |
| 210 | xfree(patterns); | ||
| 220 | /* Host name matches. */ | 211 | /* Host name matches. */ |
| 221 | goto next_option; | 212 | goto next_option; |
| 222 | } | 213 | } |
| @@ -35,7 +35,7 @@ | |||
| 35 | */ | 35 | */ |
| 36 | 36 | ||
| 37 | #include "includes.h" | 37 | #include "includes.h" |
| 38 | RCSID("$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $"); | 38 | RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $"); |
| 39 | 39 | ||
| 40 | #include "match.h" | 40 | #include "match.h" |
| 41 | #include "xmalloc.h" | 41 | #include "xmalloc.h" |
| @@ -162,7 +162,32 @@ match_hostname(const char *host, const char *pattern, u_int len) | |||
| 162 | return got_positive; | 162 | return got_positive; |
| 163 | } | 163 | } |
| 164 | 164 | ||
| 165 | /* | ||
| 166 | * returns 0 if we get a negative match for the hostname or the ip | ||
| 167 | * or if we get no match at all. returns 1 otherwise. | ||
| 168 | */ | ||
| 169 | int | ||
| 170 | match_host_and_ip(const char *host, const char *ipaddr, | ||
| 171 | const char *patterns) | ||
| 172 | { | ||
| 173 | int mhost, mip; | ||
| 174 | |||
| 175 | /* negative ipaddr match */ | ||
| 176 | if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1) | ||
| 177 | return 0; | ||
| 178 | /* negative hostname match */ | ||
| 179 | if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1) | ||
| 180 | return 0; | ||
| 181 | /* no match at all */ | ||
| 182 | if (mhost == 0 && mip == 0) | ||
| 183 | return 0; | ||
| 184 | return 1; | ||
| 185 | } | ||
| 165 | 186 | ||
| 187 | /* | ||
| 188 | * Returns first item from client-list that is also supported by server-list, | ||
| 189 | * caller must xfree() returned string. | ||
| 190 | */ | ||
| 166 | #define MAX_PROP 20 | 191 | #define MAX_PROP 20 |
| 167 | #define SEP "," | 192 | #define SEP "," |
| 168 | char * | 193 | char * |
| @@ -1,11 +1,9 @@ | |||
| 1 | /* $OpenBSD: match.h,v 1.7 2001/03/10 17:51:04 markus Exp $ */ | 1 | /* $OpenBSD: match.h,v 1.8 2001/06/24 05:25:10 markus Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 5 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 5 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 6 | * All rights reserved | 6 | * All rights reserved |
| 7 | * This file contains various auxiliary functions related to multiple | ||
| 8 | * precision integers. | ||
| 9 | * | 7 | * |
| 10 | * As far as I am concerned, the code I have written for this software | 8 | * As far as I am concerned, the code I have written for this software |
| 11 | * can be used freely for any purpose. Any derived versions of this | 9 | * can be used freely for any purpose. Any derived versions of this |
| @@ -16,24 +14,10 @@ | |||
| 16 | #ifndef MATCH_H | 14 | #ifndef MATCH_H |
| 17 | #define MATCH_H | 15 | #define MATCH_H |
| 18 | 16 | ||
| 19 | /* | 17 | int match_pattern(const char *s, const char *pattern); |
| 20 | * Returns true if the given string matches the pattern (which may contain ? | 18 | int match_hostname(const char *host, const char *pattern, u_int len); |
| 21 | * and * as wildcards), and zero if it does not match. | 19 | int match_host_and_ip(const char *host, const char *ip, const char *p); |
| 22 | */ | 20 | int match_user(const char *u, const char *h, const char *i, const char *p); |
| 23 | int match_pattern(const char *s, const char *pattern); | ||
| 24 | |||
| 25 | /* | ||
| 26 | * Tries to match the host name (which must be in all lowercase) against the | ||
| 27 | * comma-separated sequence of subpatterns (each possibly preceded by ! to | ||
| 28 | * indicate negation). Returns -1 if negation matches, 1 if there is | ||
| 29 | * a positive match, 0 if there is no match at all. | ||
| 30 | */ | ||
| 31 | int match_hostname(const char *host, const char *pattern, u_int len); | ||
| 32 | |||
| 33 | /* | ||
| 34 | * Returns first item from client-list that is also supported by server-list, | ||
| 35 | * caller must xfree() returned string. | ||
| 36 | */ | ||
| 37 | char *match_list(const char *client, const char *server, u_int *next); | 21 | char *match_list(const char *client, const char *server, u_int *next); |
| 38 | 22 | ||
| 39 | #endif | 23 | #endif |