diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 68 |
1 files changed, 26 insertions, 42 deletions
| @@ -23,7 +23,7 @@ | |||
| 23 | */ | 23 | */ |
| 24 | 24 | ||
| 25 | #include "includes.h" | 25 | #include "includes.h" |
| 26 | RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $"); | 26 | RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $"); |
| 27 | 27 | ||
| 28 | #ifdef HAVE_LOGIN_H | 28 | #ifdef HAVE_LOGIN_H |
| 29 | #include <login.h> | 29 | #include <login.h> |
| @@ -76,7 +76,7 @@ allowed_user(struct passwd * pw) | |||
| 76 | struct stat st; | 76 | struct stat st; |
| 77 | const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; | 77 | const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; |
| 78 | char *shell; | 78 | char *shell; |
| 79 | int i; | 79 | u_int i; |
| 80 | #ifdef USE_SHADOW | 80 | #ifdef USE_SHADOW |
| 81 | struct spwd *spw = NULL; | 81 | struct spwd *spw = NULL; |
| 82 | #endif | 82 | #endif |
| @@ -97,7 +97,11 @@ allowed_user(struct passwd * pw) | |||
| 97 | /* grab passwd field for locked account check */ | 97 | /* grab passwd field for locked account check */ |
| 98 | #ifdef USE_SHADOW | 98 | #ifdef USE_SHADOW |
| 99 | if (spw != NULL) | 99 | if (spw != NULL) |
| 100 | #if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) | ||
| 101 | passwd = get_iaf_password(pw); | ||
| 102 | #else | ||
| 100 | passwd = spw->sp_pwdp; | 103 | passwd = spw->sp_pwdp; |
| 104 | #endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ | ||
| 101 | #else | 105 | #else |
| 102 | passwd = pw->pw_passwd; | 106 | passwd = pw->pw_passwd; |
| 103 | #endif | 107 | #endif |
| @@ -119,6 +123,9 @@ allowed_user(struct passwd * pw) | |||
| 119 | if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) | 123 | if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) |
| 120 | locked = 1; | 124 | locked = 1; |
| 121 | #endif | 125 | #endif |
| 126 | #if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) | ||
| 127 | free(passwd); | ||
| 128 | #endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ | ||
| 122 | if (locked) { | 129 | if (locked) { |
| 123 | logit("User %.100s not allowed because account is locked", | 130 | logit("User %.100s not allowed because account is locked", |
| 124 | pw->pw_name); | 131 | pw->pw_name); |
| @@ -326,64 +333,41 @@ auth_root_allowed(char *method) | |||
| 326 | * | 333 | * |
| 327 | * This returns a buffer allocated by xmalloc. | 334 | * This returns a buffer allocated by xmalloc. |
| 328 | */ | 335 | */ |
| 329 | char * | 336 | static char * |
| 330 | expand_filename(const char *filename, struct passwd *pw) | 337 | expand_authorized_keys(const char *filename, struct passwd *pw) |
| 331 | { | 338 | { |
| 332 | Buffer buffer; | 339 | char *file, *ret; |
| 333 | char *file; | ||
| 334 | const char *cp; | ||
| 335 | 340 | ||
| 336 | /* | 341 | file = percent_expand(filename, "h", pw->pw_dir, |
| 337 | * Build the filename string in the buffer by making the appropriate | 342 | "u", pw->pw_name, (char *)NULL); |
| 338 | * substitutions to the given file name. | ||
| 339 | */ | ||
| 340 | buffer_init(&buffer); | ||
| 341 | for (cp = filename; *cp; cp++) { | ||
| 342 | if (cp[0] == '%' && cp[1] == '%') { | ||
| 343 | buffer_append(&buffer, "%", 1); | ||
| 344 | cp++; | ||
| 345 | continue; | ||
| 346 | } | ||
| 347 | if (cp[0] == '%' && cp[1] == 'h') { | ||
| 348 | buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir)); | ||
| 349 | cp++; | ||
| 350 | continue; | ||
| 351 | } | ||
| 352 | if (cp[0] == '%' && cp[1] == 'u') { | ||
| 353 | buffer_append(&buffer, pw->pw_name, | ||
| 354 | strlen(pw->pw_name)); | ||
| 355 | cp++; | ||
| 356 | continue; | ||
| 357 | } | ||
| 358 | buffer_append(&buffer, cp, 1); | ||
| 359 | } | ||
| 360 | buffer_append(&buffer, "\0", 1); | ||
| 361 | 343 | ||
| 362 | /* | 344 | /* |
| 363 | * Ensure that filename starts anchored. If not, be backward | 345 | * Ensure that filename starts anchored. If not, be backward |
| 364 | * compatible and prepend the '%h/' | 346 | * compatible and prepend the '%h/' |
| 365 | */ | 347 | */ |
| 366 | file = xmalloc(MAXPATHLEN); | 348 | if (*file == '/') |
| 367 | cp = buffer_ptr(&buffer); | 349 | return (file); |
| 368 | if (*cp != '/') | 350 | |
| 369 | snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp); | 351 | ret = xmalloc(MAXPATHLEN); |
| 370 | else | 352 | if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN || |
| 371 | strlcpy(file, cp, MAXPATHLEN); | 353 | strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN || |
| 354 | strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN) | ||
| 355 | fatal("expand_authorized_keys: path too long"); | ||
| 372 | 356 | ||
| 373 | buffer_free(&buffer); | 357 | xfree(file); |
| 374 | return file; | 358 | return (ret); |
| 375 | } | 359 | } |
| 376 | 360 | ||
| 377 | char * | 361 | char * |
| 378 | authorized_keys_file(struct passwd *pw) | 362 | authorized_keys_file(struct passwd *pw) |
| 379 | { | 363 | { |
| 380 | return expand_filename(options.authorized_keys_file, pw); | 364 | return expand_authorized_keys(options.authorized_keys_file, pw); |
| 381 | } | 365 | } |
| 382 | 366 | ||
| 383 | char * | 367 | char * |
| 384 | authorized_keys_file2(struct passwd *pw) | 368 | authorized_keys_file2(struct passwd *pw) |
| 385 | { | 369 | { |
| 386 | return expand_filename(options.authorized_keys_file2, pw); | 370 | return expand_authorized_keys(options.authorized_keys_file2, pw); |
| 387 | } | 371 | } |
| 388 | 372 | ||
| 389 | /* return ok if key exists in sysfile or userfile */ | 373 | /* return ok if key exists in sysfile or userfile */ |