version 1.21.2.4, 2002/03/09 00:20:43 |
version 1.21.2.5, 2002/06/02 22:56:09 |
|
|
#include "bufaux.h" |
#include "bufaux.h" |
#include "uidswap.h" |
#include "uidswap.h" |
#include "tildexpand.h" |
#include "tildexpand.h" |
|
#include "misc.h" |
|
#include "bufaux.h" |
|
#include "packet.h" |
|
|
/* import */ |
/* import */ |
extern ServerOptions options; |
extern ServerOptions options; |
|
|
|
/* Debugging messages */ |
|
Buffer auth_debug; |
|
int auth_debug_init; |
|
|
/* |
/* |
* Check if the user is allowed to log in via ssh. If user is listed |
* Check if the user is allowed to log in via ssh. If user is listed |
* in DenyUsers or one of user's groups is listed in DenyGroups, false |
* in DenyUsers or one of user's groups is listed in DenyGroups, false |
|
|
pw->pw_name, shell); |
pw->pw_name, shell); |
return 0; |
return 0; |
} |
} |
if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) { |
if (S_ISREG(st.st_mode) == 0 || |
|
(st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { |
log("User %.100s not allowed because shell %.100s is not executable", |
log("User %.100s not allowed because shell %.100s is not executable", |
pw->pw_name, shell); |
pw->pw_name, shell); |
return 0; |
return 0; |
|
|
/* Return false if user is listed in DenyUsers */ |
/* Return false if user is listed in DenyUsers */ |
if (options.num_deny_users > 0) { |
if (options.num_deny_users > 0) { |
for (i = 0; i < options.num_deny_users; i++) |
for (i = 0; i < options.num_deny_users; i++) |
if (match_user(pw->pw_name, hostname, ipaddr, |
if (match_user(pw->pw_name, hostname, ipaddr, |
options.deny_users[i])) { |
options.deny_users[i])) { |
log("User %.100s not allowed because listed in DenyUsers", |
log("User %.100s not allowed because listed in DenyUsers", |
pw->pw_name); |
pw->pw_name); |
return 0; |
return 0; |
} |
} |
} |
} |
/* Return false if AllowUsers isn't empty and user isn't listed there */ |
/* Return false if AllowUsers isn't empty and user isn't listed there */ |
if (options.num_allow_users > 0) { |
if (options.num_allow_users > 0) { |
for (i = 0; i < options.num_allow_users; i++) |
for (i = 0; i < options.num_allow_users; i++) |
if (match_user(pw->pw_name, hostname, ipaddr, |
if (match_user(pw->pw_name, hostname, ipaddr, |
options.allow_users[i])) |
options.allow_users[i])) |
break; |
break; |
/* i < options.num_allow_users iff we break for loop */ |
/* i < options.num_allow_users iff we break for loop */ |
|
|
break; |
break; |
} |
} |
return 0; |
return 0; |
|
} |
|
|
|
struct passwd * |
|
getpwnamallow(const char *user) |
|
{ |
|
#ifdef HAVE_LOGIN_CAP |
|
extern login_cap_t *lc; |
|
#ifdef BSD_AUTH |
|
auth_session_t *as; |
|
#endif |
|
#endif |
|
struct passwd *pw; |
|
|
|
pw = getpwnam(user); |
|
if (pw == NULL || !allowed_user(pw)) |
|
return (NULL); |
|
#ifdef HAVE_LOGIN_CAP |
|
if ((lc = login_getclass(pw->pw_class)) == NULL) { |
|
debug("unable to get login class: %s", user); |
|
return (NULL); |
|
} |
|
#ifdef BSD_AUTH |
|
if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || |
|
auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { |
|
debug("Approval failure for %s", user); |
|
pw = NULL; |
|
} |
|
if (as != NULL) |
|
auth_close(as); |
|
#endif |
|
#endif |
|
if (pw != NULL) |
|
return (pwcopy(pw)); |
|
return (NULL); |
|
} |
|
|
|
void |
|
auth_debug_add(const char *fmt,...) |
|
{ |
|
char buf[1024]; |
|
va_list args; |
|
|
|
if (!auth_debug_init) |
|
return; |
|
|
|
va_start(args, fmt); |
|
vsnprintf(buf, sizeof(buf), fmt, args); |
|
va_end(args); |
|
buffer_put_cstring(&auth_debug, buf); |
|
} |
|
|
|
void |
|
auth_debug_send(void) |
|
{ |
|
char *msg; |
|
|
|
if (!auth_debug_init) |
|
return; |
|
while (buffer_len(&auth_debug)) { |
|
msg = buffer_get_string(&auth_debug, NULL); |
|
packet_send_debug("%s", msg); |
|
xfree(msg); |
|
} |
|
} |
|
|
|
void |
|
auth_debug_reset(void) |
|
{ |
|
if (auth_debug_init) |
|
buffer_clear(&auth_debug); |
|
else { |
|
buffer_init(&auth_debug); |
|
auth_debug_init = 1; |
|
} |
} |
} |
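Review bot: The two debug() calls in getpwnamallow print the caller-supplied name with an unbounded `%s` (`debug("unable to get login class: %s", user)` and `debug("Approval failure for %s", user)`), while allowed_user earlier in the same file bounds the same value with `%.100s`; for consistency and log hygiene change them to `debug("unable to get login class: %.100s", user);` and `debug("Approval failure for %.100s", user);`. Both formats are literals, so this is a consistency point rather than a format-string defect. On the BSD_AUTH path, when auth_approval() fails the login class just stored in the global `lc` by login_getclass() is left open and only `as` is closed; whether a caller releases `lc` on that failure path is not visible here, so it is worth confirming there is no leak. This rendering carries no +/- markers, so I am reading the once-printed lines as the new side of the change.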