diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 60 |
1 files changed, 25 insertions, 35 deletions
| @@ -33,7 +33,7 @@ | |||
| 33 | */ | 33 | */ |
| 34 | 34 | ||
| 35 | #include "includes.h" | 35 | #include "includes.h" |
| 36 | RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); | 36 | RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $"); |
| 37 | 37 | ||
| 38 | #include "xmalloc.h" | 38 | #include "xmalloc.h" |
| 39 | #include "rsa.h" | 39 | #include "rsa.h" |
| @@ -46,6 +46,7 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); | |||
| 46 | #include "compat.h" | 46 | #include "compat.h" |
| 47 | #include "channels.h" | 47 | #include "channels.h" |
| 48 | #include "match.h" | 48 | #include "match.h" |
| 49 | #include "groupaccess.h" | ||
| 49 | #ifdef HAVE_LOGIN_H | 50 | #ifdef HAVE_LOGIN_H |
| 50 | #include <login.h> | 51 | #include <login.h> |
| 51 | #endif | 52 | #endif |
| @@ -62,11 +63,11 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); | |||
| 62 | extern ServerOptions options; | 63 | extern ServerOptions options; |
| 63 | 64 | ||
| 64 | /* | 65 | /* |
| 65 | * Check if the user is allowed to log in via ssh. If user is listed in | 66 | * Check if the user is allowed to log in via ssh. If user is listed |
| 66 | * DenyUsers or user's primary group is listed in DenyGroups, false will | 67 | * in DenyUsers or one of user's groups is listed in DenyGroups, false |
| 67 | * be returned. If AllowUsers isn't empty and user isn't listed there, or | 68 | * will be returned. If AllowUsers isn't empty and user isn't listed |
| 68 | * if AllowGroups isn't empty and user isn't listed there, false will be | 69 | * there, or if AllowGroups isn't empty and one of user's groups isn't |
| 69 | * returned. | 70 | * listed there, false will be returned. |
| 70 | * If the user's shell is not executable, false will be returned. | 71 | * If the user's shell is not executable, false will be returned. |
| 71 | * Otherwise true is returned. | 72 | * Otherwise true is returned. |
| 72 | */ | 73 | */ |
| @@ -74,7 +75,6 @@ int | |||
| 74 | allowed_user(struct passwd * pw) | 75 | allowed_user(struct passwd * pw) |
| 75 | { | 76 | { |
| 76 | struct stat st; | 77 | struct stat st; |
| 77 | struct group *grp; | ||
| 78 | char *shell; | 78 | char *shell; |
| 79 | int i; | 79 | int i; |
| 80 | #ifdef WITH_AIXAUTHENTICATE | 80 | #ifdef WITH_AIXAUTHENTICATE |
| @@ -82,10 +82,10 @@ allowed_user(struct passwd * pw) | |||
| 82 | #endif /* WITH_AIXAUTHENTICATE */ | 82 | #endif /* WITH_AIXAUTHENTICATE */ |
| 83 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | 83 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ |
| 84 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | 84 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) |
| 85 | struct spwd *spw; | 85 | struct spwd *spw; |
| 86 | 86 | ||
| 87 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 87 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
| 88 | if (!pw) | 88 | if (!pw || !pw->pw_name) |
| 89 | return 0; | 89 | return 0; |
| 90 | 90 | ||
| 91 | spw = getspnam(pw->pw_name); | 91 | spw = getspnam(pw->pw_name); |
| @@ -103,7 +103,7 @@ allowed_user(struct passwd * pw) | |||
| 103 | } | 103 | } |
| 104 | #else | 104 | #else |
| 105 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 105 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
| 106 | if (!pw) | 106 | if (!pw || !pw->pw_name) |
| 107 | return 0; | 107 | return 0; |
| 108 | #endif | 108 | #endif |
| 109 | 109 | ||
| @@ -121,16 +121,12 @@ allowed_user(struct passwd * pw) | |||
| 121 | 121 | ||
| 122 | /* Return false if user is listed in DenyUsers */ | 122 | /* Return false if user is listed in DenyUsers */ |
| 123 | if (options.num_deny_users > 0) { | 123 | if (options.num_deny_users > 0) { |
| 124 | if (!pw->pw_name) | ||
| 125 | return 0; | ||
| 126 | for (i = 0; i < options.num_deny_users; i++) | 124 | for (i = 0; i < options.num_deny_users; i++) |
| 127 | if (match_pattern(pw->pw_name, options.deny_users[i])) | 125 | if (match_pattern(pw->pw_name, options.deny_users[i])) |
| 128 | return 0; | 126 | return 0; |
| 129 | } | 127 | } |
| 130 | /* Return false if AllowUsers isn't empty and user isn't listed there */ | 128 | /* Return false if AllowUsers isn't empty and user isn't listed there */ |
| 131 | if (options.num_allow_users > 0) { | 129 | if (options.num_allow_users > 0) { |
| 132 | if (!pw->pw_name) | ||
| 133 | return 0; | ||
| 134 | for (i = 0; i < options.num_allow_users; i++) | 130 | for (i = 0; i < options.num_allow_users; i++) |
| 135 | if (match_pattern(pw->pw_name, options.allow_users[i])) | 131 | if (match_pattern(pw->pw_name, options.allow_users[i])) |
| 136 | break; | 132 | break; |
| @@ -138,35 +134,29 @@ allowed_user(struct passwd * pw) | |||
| 138 | if (i >= options.num_allow_users) | 134 | if (i >= options.num_allow_users) |
| 139 | return 0; | 135 | return 0; |
| 140 | } | 136 | } |
| 141 | /* Get the primary group name if we need it. Return false if it fails */ | ||
| 142 | if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { | 137 | if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { |
| 143 | grp = getgrgid(pw->pw_gid); | 138 | /* Get the user's group access list (primary and supplementary) */ |
| 144 | if (!grp) | 139 | if (ga_init(pw->pw_name, pw->pw_gid) == 0) |
| 145 | return 0; | 140 | return 0; |
| 146 | 141 | ||
| 147 | /* Return false if user's group is listed in DenyGroups */ | 142 | /* Return false if one of user's groups is listed in DenyGroups */ |
| 148 | if (options.num_deny_groups > 0) { | 143 | if (options.num_deny_groups > 0) |
| 149 | if (!grp->gr_name) | 144 | if (ga_match(options.deny_groups, |
| 145 | options.num_deny_groups)) { | ||
| 146 | ga_free(); | ||
| 150 | return 0; | 147 | return 0; |
| 151 | for (i = 0; i < options.num_deny_groups; i++) | 148 | } |
| 152 | if (match_pattern(grp->gr_name, options.deny_groups[i])) | ||
| 153 | return 0; | ||
| 154 | } | ||
| 155 | /* | 149 | /* |
| 156 | * Return false if AllowGroups isn't empty and user's group | 150 | * Return false if AllowGroups isn't empty and one of user's groups |
| 157 | * isn't listed there | 151 | * isn't listed there |
| 158 | */ | 152 | */ |
| 159 | if (options.num_allow_groups > 0) { | 153 | if (options.num_allow_groups > 0) |
| 160 | if (!grp->gr_name) | 154 | if (!ga_match(options.allow_groups, |
| 155 | options.num_allow_groups)) { | ||
| 156 | ga_free(); | ||
| 161 | return 0; | 157 | return 0; |
| 162 | for (i = 0; i < options.num_allow_groups; i++) | 158 | } |
| 163 | if (match_pattern(grp->gr_name, options.allow_groups[i])) | 159 | ga_free(); |
| 164 | break; | ||
| 165 | /* i < options.num_allow_groups iff we break for | ||
| 166 | loop */ | ||
| 167 | if (i >= options.num_allow_groups) | ||
| 168 | return 0; | ||
| 169 | } | ||
| 170 | } | 160 | } |
| 171 | 161 | ||
| 172 | #ifdef WITH_AIXAUTHENTICATE | 162 | #ifdef WITH_AIXAUTHENTICATE |