diff options
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | acconfig.h | 7 | ||||
| -rw-r--r-- | auth.c | 51 | ||||
| -rw-r--r-- | configure.ac | 10 | ||||
| -rw-r--r-- | sshd.8 | 23 |
5 files changed, 84 insertions, 11 deletions
| @@ -6,6 +6,8 @@ | |||
| 6 | - (bal) redo how we handle 'mysignal()'. Move it to | 6 | - (bal) redo how we handle 'mysignal()'. Move it to |
| 7 | openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to | 7 | openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to |
| 8 | be our 'mysignal' by default. OK djm@ | 8 | be our 'mysignal' by default. OK djm@ |
| 9 | - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny | ||
| 10 | any access to locked accounts. ok djm@ | ||
| 9 | 11 | ||
| 10 | 20030822 | 12 | 20030822 |
| 11 | - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal | 13 | - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal |
| @@ -860,4 +862,4 @@ | |||
| 860 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 862 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
| 861 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 863 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
| 862 | 864 | ||
| 863 | $Id: ChangeLog,v 1.2901 2003/08/25 01:16:21 mouring Exp $ | 865 | $Id: ChangeLog,v 1.2902 2003/08/25 01:51:19 dtucker Exp $ |
diff --git a/acconfig.h b/acconfig.h index 24c07beed..0e04c65b2 100644 --- a/acconfig.h +++ b/acconfig.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */ | 1 | /* $Id: acconfig.h,v 1.161 2003/08/25 01:51:19 dtucker Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. | 4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. |
| @@ -398,6 +398,11 @@ | |||
| 398 | /* Define if cmsg_type is not passed correctly */ | 398 | /* Define if cmsg_type is not passed correctly */ |
| 399 | #undef BROKEN_CMSG_TYPE | 399 | #undef BROKEN_CMSG_TYPE |
| 400 | 400 | ||
| 401 | /* Strings used in /etc/passwd to denote locked account */ | ||
| 402 | #undef LOCKED_PASSWD_STRING | ||
| 403 | #undef LOCKED_PASSWD_PREFIX | ||
| 404 | #undef LOCKED_PASSWD_SUBSTR | ||
| 405 | |||
| 401 | /* Define if DNS support is to be activated */ | 406 | /* Define if DNS support is to be activated */ |
| 402 | #undef DNS | 407 | #undef DNS |
| 403 | 408 | ||
| @@ -73,23 +73,25 @@ int | |||
| 73 | allowed_user(struct passwd * pw) | 73 | allowed_user(struct passwd * pw) |
| 74 | { | 74 | { |
| 75 | struct stat st; | 75 | struct stat st; |
| 76 | const char *hostname = NULL, *ipaddr = NULL; | 76 | const char *hostname = NULL, *ipaddr = NULL, *passwd; |
| 77 | char *shell; | 77 | char *shell; |
| 78 | int i; | 78 | int i; |
| 79 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ | 79 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) |
| 80 | defined(HAS_SHADOW_EXPIRE) | 80 | struct spwd *spw = NULL; |
| 81 | struct spwd *spw; | ||
| 82 | time_t today; | ||
| 83 | #endif | 81 | #endif |
| 84 | 82 | ||
| 85 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 83 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
| 86 | if (!pw || !pw->pw_name) | 84 | if (!pw || !pw->pw_name) |
| 87 | return 0; | 85 | return 0; |
| 88 | 86 | ||
| 89 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ | 87 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) |
| 90 | defined(HAS_SHADOW_EXPIRE) | 88 | if (!options.use_pam) |
| 89 | spw = getspnam(pw->pw_name); | ||
| 90 | #ifdef HAS_SHADOW_EXPIRE | ||
| 91 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ | 91 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ |
| 92 | if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { | 92 | if (!options.use_pam && spw != NULL) { |
| 93 | time_t today; | ||
| 94 | |||
| 93 | today = time(NULL) / DAY; | 95 | today = time(NULL) / DAY; |
| 94 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" | 96 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" |
| 95 | " sp_max %d", (int)today, (int)spw->sp_expire, | 97 | " sp_max %d", (int)today, (int)spw->sp_expire, |
| @@ -117,8 +119,41 @@ allowed_user(struct passwd * pw) | |||
| 117 | return 0; | 119 | return 0; |
| 118 | } | 120 | } |
| 119 | } | 121 | } |
| 122 | #endif /* HAS_SHADOW_EXPIRE */ | ||
| 123 | #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ | ||
| 124 | |||
| 125 | /* grab passwd field for locked account check */ | ||
| 126 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
| 127 | if (spw != NULL) | ||
| 128 | passwd = spw->sp_pwdp; | ||
| 129 | #else | ||
| 130 | passwd = pw->pw_passwd; | ||
| 120 | #endif | 131 | #endif |
| 121 | 132 | ||
| 133 | /* check for locked account */ | ||
| 134 | if (passwd && *passwd) { | ||
| 135 | int locked = 0; | ||
| 136 | |||
| 137 | #ifdef LOCKED_PASSWD_STRING | ||
| 138 | if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) | ||
| 139 | locked = 1; | ||
| 140 | #endif | ||
| 141 | #ifdef LOCKED_PASSWD_PREFIX | ||
| 142 | if (strncmp(passwd, LOCKED_PASSWD_PREFIX, | ||
| 143 | strlen(LOCKED_PASSWD_PREFIX)) == 0) | ||
| 144 | locked = 1; | ||
| 145 | #endif | ||
| 146 | #ifdef LOCKED_PASSWD_SUBSTR | ||
| 147 | if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) | ||
| 148 | locked = 1; | ||
| 149 | #endif | ||
| 150 | if (locked) { | ||
| 151 | logit("User %.100s not allowed because account is locked", | ||
| 152 | pw->pw_name); | ||
| 153 | return 0; | ||
| 154 | } | ||
| 155 | } | ||
| 156 | |||
| 122 | /* | 157 | /* |
| 123 | * Get the shell from the password data. An empty shell field is | 158 | * Get the shell from the password data. An empty shell field is |
| 124 | * legal, and means /bin/sh. | 159 | * legal, and means /bin/sh. |
diff --git a/configure.ac b/configure.ac index 115b80a4c..89b59eaa4 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $Id: configure.ac,v 1.140 2003/08/21 07:58:29 dtucker Exp $ | 1 | # $Id: configure.ac,v 1.141 2003/08/25 01:51:19 dtucker Exp $ |
| 2 | 2 | ||
| 3 | AC_INIT | 3 | AC_INIT |
| 4 | AC_CONFIG_SRCDIR([ssh.c]) | 4 | AC_CONFIG_SRCDIR([ssh.c]) |
| @@ -141,6 +141,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
| 141 | AC_DEFINE(LOGIN_NEEDS_UTMPX) | 141 | AC_DEFINE(LOGIN_NEEDS_UTMPX) |
| 142 | AC_DEFINE(DISABLE_SHADOW) | 142 | AC_DEFINE(DISABLE_SHADOW) |
| 143 | AC_DEFINE(DISABLE_UTMP) | 143 | AC_DEFINE(DISABLE_UTMP) |
| 144 | AC_DEFINE(LOCKED_PASSWD_STRING, "*") | ||
| 144 | AC_DEFINE(SPT_TYPE,SPT_PSTAT) | 145 | AC_DEFINE(SPT_TYPE,SPT_PSTAT) |
| 145 | LIBS="$LIBS -lsec -lsecpw" | 146 | LIBS="$LIBS -lsec -lsecpw" |
| 146 | AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) | 147 | AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) |
| @@ -157,6 +158,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
| 157 | AC_DEFINE(LOGIN_NEEDS_UTMPX) | 158 | AC_DEFINE(LOGIN_NEEDS_UTMPX) |
| 158 | AC_DEFINE(DISABLE_SHADOW) | 159 | AC_DEFINE(DISABLE_SHADOW) |
| 159 | AC_DEFINE(DISABLE_UTMP) | 160 | AC_DEFINE(DISABLE_UTMP) |
| 161 | AC_DEFINE(LOCKED_PASSWD_STRING, "*") | ||
| 160 | AC_DEFINE(SPT_TYPE,SPT_PSTAT) | 162 | AC_DEFINE(SPT_TYPE,SPT_PSTAT) |
| 161 | LIBS="$LIBS -lsec" | 163 | LIBS="$LIBS -lsec" |
| 162 | AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) | 164 | AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) |
| @@ -170,6 +172,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
| 170 | AC_DEFINE(LOGIN_NEEDS_UTMPX) | 172 | AC_DEFINE(LOGIN_NEEDS_UTMPX) |
| 171 | AC_DEFINE(DISABLE_SHADOW) | 173 | AC_DEFINE(DISABLE_SHADOW) |
| 172 | AC_DEFINE(DISABLE_UTMP) | 174 | AC_DEFINE(DISABLE_UTMP) |
| 175 | AC_DEFINE(LOCKED_PASSWD_STRING, "*") | ||
| 173 | AC_DEFINE(SPT_TYPE,SPT_PSTAT) | 176 | AC_DEFINE(SPT_TYPE,SPT_PSTAT) |
| 174 | LIBS="$LIBS -lsec" | 177 | LIBS="$LIBS -lsec" |
| 175 | AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) | 178 | AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) |
| @@ -180,6 +183,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
| 180 | PATH="$PATH:/usr/etc" | 183 | PATH="$PATH:/usr/etc" |
| 181 | AC_DEFINE(BROKEN_INET_NTOA) | 184 | AC_DEFINE(BROKEN_INET_NTOA) |
| 182 | AC_DEFINE(WITH_ABBREV_NO_TTY) | 185 | AC_DEFINE(WITH_ABBREV_NO_TTY) |
| 186 | AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") | ||
| 183 | ;; | 187 | ;; |
| 184 | *-*-irix6*) | 188 | *-*-irix6*) |
| 185 | CPPFLAGS="$CPPFLAGS -I/usr/local/include" | 189 | CPPFLAGS="$CPPFLAGS -I/usr/local/include" |
| @@ -191,6 +195,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
| 191 | AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) | 195 | AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) |
| 192 | AC_DEFINE(BROKEN_INET_NTOA) | 196 | AC_DEFINE(BROKEN_INET_NTOA) |
| 193 | AC_DEFINE(WITH_ABBREV_NO_TTY) | 197 | AC_DEFINE(WITH_ABBREV_NO_TTY) |
| 198 | AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") | ||
| 194 | ;; | 199 | ;; |
| 195 | *-*-linux*) | 200 | *-*-linux*) |
| 196 | no_dev_ptmx=1 | 201 | no_dev_ptmx=1 |
| @@ -198,6 +203,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
| 198 | check_for_openpty_ctty_bug=1 | 203 | check_for_openpty_ctty_bug=1 |
| 199 | AC_DEFINE(DONT_TRY_OTHER_AF) | 204 | AC_DEFINE(DONT_TRY_OTHER_AF) |
| 200 | AC_DEFINE(PAM_TTY_KLUDGE) | 205 | AC_DEFINE(PAM_TTY_KLUDGE) |
| 206 | AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!") | ||
| 201 | AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) | 207 | AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) |
| 202 | inet6_default_4in6=yes | 208 | inet6_default_4in6=yes |
| 203 | case `uname -r` in | 209 | case `uname -r` in |
| @@ -237,6 +243,7 @@ mips-sony-bsd|mips-sony-newsos4) | |||
| 237 | AC_DEFINE(LOGIN_NEEDS_UTMPX) | 243 | AC_DEFINE(LOGIN_NEEDS_UTMPX) |
| 238 | AC_DEFINE(LOGIN_NEEDS_TERM) | 244 | AC_DEFINE(LOGIN_NEEDS_TERM) |
| 239 | AC_DEFINE(PAM_TTY_KLUDGE) | 245 | AC_DEFINE(PAM_TTY_KLUDGE) |
| 246 | AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") | ||
| 240 | # Pushing STREAMS modules will cause sshd to acquire a controlling tty. | 247 | # Pushing STREAMS modules will cause sshd to acquire a controlling tty. |
| 241 | AC_DEFINE(SSHD_ACQUIRES_CTTY) | 248 | AC_DEFINE(SSHD_ACQUIRES_CTTY) |
| 242 | # hardwire lastlog location (can't detect it on some versions) | 249 | # hardwire lastlog location (can't detect it on some versions) |
| @@ -362,6 +369,7 @@ mips-sony-bsd|mips-sony-newsos4) | |||
| 362 | fi | 369 | fi |
| 363 | fi | 370 | fi |
| 364 | AC_DEFINE(DISABLE_FD_PASSING) | 371 | AC_DEFINE(DISABLE_FD_PASSING) |
| 372 | AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") | ||
| 365 | ;; | 373 | ;; |
| 366 | 374 | ||
| 367 | *-*-nto-qnx) | 375 | *-*-nto-qnx) |
| @@ -114,6 +114,29 @@ authentication combined with RSA host | |||
| 114 | authentication, RSA challenge-response authentication, or password | 114 | authentication, RSA challenge-response authentication, or password |
| 115 | based authentication. | 115 | based authentication. |
| 116 | .Pp | 116 | .Pp |
| 117 | Regardless of the authentication type, the account is checked to | ||
| 118 | ensure that it is accessible. An account is not accessible if it is | ||
| 119 | locked, listed in | ||
| 120 | .Cm DenyUsers | ||
| 121 | or its group is listed in | ||
| 122 | .Cm DenyGroups | ||
| 123 | \&. The definition of a locked account is system dependant. Some platforms | ||
| 124 | have their own account database (eg AIX) and some modify the passwd field ( | ||
| 125 | .Ql \&*LK\&* | ||
| 126 | on Solaris, | ||
| 127 | .Ql \&* | ||
| 128 | on HP-UX, containing | ||
| 129 | .Ql Nologin | ||
| 130 | on Tru64 and a leading | ||
| 131 | .Ql \&!! | ||
| 132 | on Linux). If there is a requirement to disable password authentication | ||
| 133 | for the account while allowing still public-key, then the passwd field | ||
| 134 | should be set to something other than these values (eg | ||
| 135 | .Ql NP | ||
| 136 | or | ||
| 137 | .Ql \&*NP\&* | ||
| 138 | ). | ||
| 139 | .Pp | ||
| 117 | Rhosts authentication is normally disabled | 140 | Rhosts authentication is normally disabled |
| 118 | because it is fundamentally insecure, but can be enabled in the server | 141 | because it is fundamentally insecure, but can be enabled in the server |
| 119 | configuration file if desired. | 142 | configuration file if desired. |