version 1.56, 2004/07/28 09:40:29 |
version 1.56.2.3, 2005/09/02 03:44:59 |
|
|
struct stat st; |
struct stat st; |
const char *hostname = NULL, *ipaddr = NULL; |
const char *hostname = NULL, *ipaddr = NULL; |
char *shell; |
char *shell; |
int i; |
u_int i; |
|
|
/* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
/* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
if (!pw || !pw->pw_name) |
if (!pw || !pw->pw_name) |
|
|
return 0; |
return 0; |
} |
} |
|
|
if (options.num_deny_users > 0 || options.num_allow_users > 0) { |
if (options.num_deny_users > 0 || options.num_allow_users > 0 || |
|
options.num_deny_groups > 0 || options.num_allow_groups > 0) { |
hostname = get_canonical_hostname(options.use_dns); |
hostname = get_canonical_hostname(options.use_dns); |
ipaddr = get_remote_ipaddr(); |
ipaddr = get_remote_ipaddr(); |
} |
} |
|
|
for (i = 0; i < options.num_deny_users; i++) |
for (i = 0; i < options.num_deny_users; i++) |
if (match_user(pw->pw_name, hostname, ipaddr, |
if (match_user(pw->pw_name, hostname, ipaddr, |
options.deny_users[i])) { |
options.deny_users[i])) { |
logit("User %.100s not allowed because listed in DenyUsers", |
logit("User %.100s from %.100s not allowed " |
pw->pw_name); |
"because listed in DenyUsers", |
|
pw->pw_name, hostname); |
return 0; |
return 0; |
} |
} |
} |
} |
|
|
break; |
break; |
/* i < options.num_allow_users iff we break for loop */ |
/* i < options.num_allow_users iff we break for loop */ |
if (i >= options.num_allow_users) { |
if (i >= options.num_allow_users) { |
logit("User %.100s not allowed because not listed in AllowUsers", |
logit("User %.100s from %.100s not allowed because " |
pw->pw_name); |
"not listed in AllowUsers", pw->pw_name, hostname); |
return 0; |
return 0; |
} |
} |
} |
} |
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { |
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { |
/* Get the user's group access list (primary and supplementary) */ |
/* Get the user's group access list (primary and supplementary) */ |
if (ga_init(pw->pw_name, pw->pw_gid) == 0) { |
if (ga_init(pw->pw_name, pw->pw_gid) == 0) { |
logit("User %.100s not allowed because not in any group", |
logit("User %.100s from %.100s not allowed because " |
pw->pw_name); |
"not in any group", pw->pw_name, hostname); |
return 0; |
return 0; |
} |
} |
|
|
|
|
if (ga_match(options.deny_groups, |
if (ga_match(options.deny_groups, |
options.num_deny_groups)) { |
options.num_deny_groups)) { |
ga_free(); |
ga_free(); |
logit("User %.100s not allowed because a group is listed in DenyGroups", |
logit("User %.100s from %.100s not allowed " |
pw->pw_name); |
"because a group is listed in DenyGroups", |
|
pw->pw_name, hostname); |
return 0; |
return 0; |
} |
} |
/* |
/* |
|
|
if (!ga_match(options.allow_groups, |
if (!ga_match(options.allow_groups, |
options.num_allow_groups)) { |
options.num_allow_groups)) { |
ga_free(); |
ga_free(); |
logit("User %.100s not allowed because none of user's groups are listed in AllowGroups", |
logit("User %.100s from %.100s not allowed " |
pw->pw_name); |
"because none of user's groups are listed " |
|
"in AllowGroups", pw->pw_name, hostname); |
return 0; |
return 0; |
} |
} |
ga_free(); |
ga_free(); |
|
|
* |
* |
* This returns a buffer allocated by xmalloc. |
* This returns a buffer allocated by xmalloc. |
*/ |
*/ |
char * |
static char * |
expand_filename(const char *filename, struct passwd *pw) |
expand_authorized_keys(const char *filename, struct passwd *pw) |
{ |
{ |
Buffer buffer; |
char *file, *ret; |
char *file; |
|
const char *cp; |
|
|
|
/* |
file = percent_expand(filename, "h", pw->pw_dir, |
* Build the filename string in the buffer by making the appropriate |
"u", pw->pw_name, (char *)NULL); |
* substitutions to the given file name. |
|
*/ |
|
buffer_init(&buffer); |
|
for (cp = filename; *cp; cp++) { |
|
if (cp[0] == '%' && cp[1] == '%') { |
|
buffer_append(&buffer, "%", 1); |
|
cp++; |
|
continue; |
|
} |
|
if (cp[0] == '%' && cp[1] == 'h') { |
|
buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir)); |
|
cp++; |
|
continue; |
|
} |
|
if (cp[0] == '%' && cp[1] == 'u') { |
|
buffer_append(&buffer, pw->pw_name, |
|
strlen(pw->pw_name)); |
|
cp++; |
|
continue; |
|
} |
|
buffer_append(&buffer, cp, 1); |
|
} |
|
buffer_append(&buffer, "\0", 1); |
|
|
|
/* |
/* |
* Ensure that filename starts anchored. If not, be backward |
* Ensure that filename starts anchored. If not, be backward |
* compatible and prepend the '%h/' |
* compatible and prepend the '%h/' |
*/ |
*/ |
file = xmalloc(MAXPATHLEN); |
if (*file == '/') |
cp = buffer_ptr(&buffer); |
return (file); |
if (*cp != '/') |
|
snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp); |
|
else |
|
strlcpy(file, cp, MAXPATHLEN); |
|
|
|
buffer_free(&buffer); |
ret = xmalloc(MAXPATHLEN); |
return file; |
if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN || |
|
strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN || |
|
strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN) |
|
fatal("expand_authorized_keys: path too long"); |
|
|
|
xfree(file); |
|
return (ret); |
} |
} |
|
|
char * |
char * |
authorized_keys_file(struct passwd *pw) |
authorized_keys_file(struct passwd *pw) |
{ |
{ |
return expand_filename(options.authorized_keys_file, pw); |
return expand_authorized_keys(options.authorized_keys_file, pw); |
} |
} |
|
|
char * |
char * |
authorized_keys_file2(struct passwd *pw) |
authorized_keys_file2(struct passwd *pw) |
{ |
{ |
return expand_filename(options.authorized_keys_file2, pw); |
return expand_authorized_keys(options.authorized_keys_file2, pw); |
} |
} |
|
|
/* return ok if key exists in sysfile or userfile */ |
/* return ok if key exists in sysfile or userfile */ |