summaryrefslogtreecommitdiff
path: root/auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c50
1 files changed, 32 insertions, 18 deletions
diff --git a/auth.c b/auth.c
index 48720da8f..1268accb1 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $"); 26RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
27 27
28#ifdef HAVE_LOGIN_H 28#ifdef HAVE_LOGIN_H
29#include <login.h> 29#include <login.h>
@@ -79,17 +79,20 @@ allowed_user(struct passwd * pw)
79 char *loginmsg; 79 char *loginmsg;
80#endif /* WITH_AIXAUTHENTICATE */ 80#endif /* WITH_AIXAUTHENTICATE */
81#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ 81#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
82 !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) 82 !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
83 struct spwd *spw; 83 struct spwd *spw;
84 time_t today;
85#endif
84 86
85 /* Shouldn't be called if pw is NULL, but better safe than sorry... */ 87 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
86 if (!pw || !pw->pw_name) 88 if (!pw || !pw->pw_name)
87 return 0; 89 return 0;
88 90
91#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
92 !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
89#define DAY (24L * 60 * 60) /* 1 day in seconds */ 93#define DAY (24L * 60 * 60) /* 1 day in seconds */
90 spw = getspnam(pw->pw_name); 94 if ((spw = getspnam(pw->pw_name)) != NULL) {
91 if (spw != NULL) { 95 today = time(NULL) / DAY;
92 time_t today = time(NULL) / DAY;
93 debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" 96 debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
94 " sp_max %d", (int)today, (int)spw->sp_expire, 97 " sp_max %d", (int)today, (int)spw->sp_expire,
95 (int)spw->sp_lstchg, (int)spw->sp_max); 98 (int)spw->sp_lstchg, (int)spw->sp_max);
@@ -116,10 +119,6 @@ allowed_user(struct passwd * pw)
116 return 0; 119 return 0;
117 } 120 }
118 } 121 }
119#else
120 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
121 if (!pw || !pw->pw_name)
122 return 0;
123#endif 122#endif
124 123
125 /* 124 /*
@@ -202,7 +201,15 @@ allowed_user(struct passwd * pw)
202 } 201 }
203 202
204#ifdef WITH_AIXAUTHENTICATE 203#ifdef WITH_AIXAUTHENTICATE
205 if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { 204 /*
205 * Don't check loginrestrictions() for root account (use
206 * PermitRootLogin to control logins via ssh), or if running as
207 * non-root user (since loginrestrictions will always fail).
208 */
209 if ((pw->pw_uid != 0) && (geteuid() == 0) &&
210 loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
211 int loginrestrict_errno = errno;
212
206 if (loginmsg && *loginmsg) { 213 if (loginmsg && *loginmsg) {
207 /* Remove embedded newlines (if any) */ 214 /* Remove embedded newlines (if any) */
208 char *p; 215 char *p;
@@ -212,9 +219,13 @@ allowed_user(struct passwd * pw)
212 } 219 }
213 /* Remove trailing newline */ 220 /* Remove trailing newline */
214 *--p = '\0'; 221 *--p = '\0';
215 log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); 222 log("Login restricted for %s: %.100s", pw->pw_name,
223 loginmsg);
216 } 224 }
217 return 0; 225 /* Don't fail if /etc/nologin set */
226 if (!(loginrestrict_errno == EPERM &&
227 stat(_PATH_NOLOGIN, &st) == 0))
228 return 0;
218 } 229 }
219#endif /* WITH_AIXAUTHENTICATE */ 230#endif /* WITH_AIXAUTHENTICATE */
220 231
@@ -417,6 +428,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
417 uid_t uid = pw->pw_uid; 428 uid_t uid = pw->pw_uid;
418 char buf[MAXPATHLEN], homedir[MAXPATHLEN]; 429 char buf[MAXPATHLEN], homedir[MAXPATHLEN];
419 char *cp; 430 char *cp;
431 int comparehome = 0;
420 struct stat st; 432 struct stat st;
421 433
422 if (realpath(file, buf) == NULL) { 434 if (realpath(file, buf) == NULL) {
@@ -424,11 +436,8 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
424 strerror(errno)); 436 strerror(errno));
425 return -1; 437 return -1;
426 } 438 }
427 if (realpath(pw->pw_dir, homedir) == NULL) { 439 if (realpath(pw->pw_dir, homedir) != NULL)
428 snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir, 440 comparehome = 1;
429 strerror(errno));
430 return -1;
431 }
432 441
433 /* check the open file to avoid races */ 442 /* check the open file to avoid races */
434 if (fstat(fileno(f), &st) < 0 || 443 if (fstat(fileno(f), &st) < 0 ||
@@ -457,7 +466,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
457 } 466 }
458 467
459 /* If are passed the homedir then we can stop */ 468 /* If are passed the homedir then we can stop */
460 if (strcmp(homedir, buf) == 0) { 469 if (comparehome && strcmp(homedir, buf) == 0) {
461 debug3("secure_filename: terminating check at '%s'", 470 debug3("secure_filename: terminating check at '%s'",
462 buf); 471 buf);
463 break; 472 break;
@@ -487,6 +496,11 @@ getpwnamallow(const char *user)
487 if (pw == NULL) { 496 if (pw == NULL) {
488 log("Illegal user %.100s from %.100s", 497 log("Illegal user %.100s from %.100s",
489 user, get_remote_ipaddr()); 498 user, get_remote_ipaddr());
499#ifdef WITH_AIXAUTHENTICATE
500 loginfailed(user,
501 get_canonical_hostname(options.verify_reverse_mapping),
502 "ssh");
503#endif
490 return (NULL); 504 return (NULL);
491 } 505 }
492 if (!allowed_user(pw)) 506 if (!allowed_user(pw))
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-09 13:01:17 +0000