===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.28.2.2
retrieving revision 1.28.2.3
diff -u -r1.28.2.2 -r1.28.2.3
--- src/usr.bin/ssh/auth.c	2002/03/07 17:37:46	1.28.2.2
+++ src/usr.bin/ssh/auth.c	2002/05/17 00:03:23	1.28.2.3
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.28.2.2 2002/03/07 17:37:46 jason Exp $");
+RCSID("$OpenBSD: auth.c,v 1.28.2.3 2002/05/17 00:03:23 miod Exp $");
 
 #include <libgen.h>
 
@@ -39,10 +39,17 @@
 #include "bufaux.h"
 #include "uidswap.h"
 #include "tildexpand.h"
+#include "misc.h"
+#include "bufaux.h"
+#include "packet.h"
 
 /* import */
 extern ServerOptions options;
 
+/* Debugging messages */
+Buffer auth_debug;
+int auth_debug_init;
+
 /*
  * Check if the user is allowed to log in via ssh. If user is listed
  * in DenyUsers or one of user's groups is listed in DenyGroups, false
@@ -76,7 +83,8 @@
 		    pw->pw_name, shell);
 		return 0;
 	}
-	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {
+	if (S_ISREG(st.st_mode) == 0 ||
+	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
 		log("User %.100s not allowed because shell %.100s is not executable",
 		    pw->pw_name, shell);
 		return 0;
@@ -90,17 +98,17 @@
 	/* Return false if user is listed in DenyUsers */
 	if (options.num_deny_users > 0) {
 		for (i = 0; i < options.num_deny_users; i++)
- 			if (match_user(pw->pw_name, hostname, ipaddr,
+			if (match_user(pw->pw_name, hostname, ipaddr,
 			    options.deny_users[i])) {
- 				log("User %.100s not allowed because listed in DenyUsers",
- 				    pw->pw_name);
+				log("User %.100s not allowed because listed in DenyUsers",
+				    pw->pw_name);
 				return 0;
 			}
 	}
 	/* Return false if AllowUsers isn't empty and user isn't listed there */
 	if (options.num_allow_users > 0) {
 		for (i = 0; i < options.num_allow_users; i++)
- 			if (match_user(pw->pw_name, hostname, ipaddr,
+			if (match_user(pw->pw_name, hostname, ipaddr,
 			    options.allow_users[i]))
 				break;
 		/* i < options.num_allow_users iff we break for loop */
@@ -385,4 +393,78 @@
 			break;
 	}
 	return 0;
+}
+
+struct passwd *
+getpwnamallow(const char *user)
+{
+#ifdef HAVE_LOGIN_CAP
+	extern login_cap_t *lc;
+#ifdef BSD_AUTH
+	auth_session_t *as;
+#endif
+#endif
+	struct passwd *pw;
+
+	pw = getpwnam(user);
+	if (pw == NULL || !allowed_user(pw))
+		return (NULL);
+#ifdef HAVE_LOGIN_CAP
+	if ((lc = login_getclass(pw->pw_class)) == NULL) {
+		debug("unable to get login class: %s", user);
+		return (NULL);
+	}
+#ifdef BSD_AUTH
+	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+	    auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+		debug("Approval failure for %s", user);
+		pw = NULL;
+	}
+	if (as != NULL)
+		auth_close(as);
+#endif
+#endif
+	if (pw != NULL)
+		return (pwcopy(pw));
+	return (NULL);
+}
+
+void
+auth_debug_add(const char *fmt,...)
+{
+	char buf[1024];
+	va_list args;
+
+	if (!auth_debug_init)
+		return;
+
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+	buffer_put_cstring(&auth_debug, buf);
+}
+
+void
+auth_debug_send(void)
+{
+	char *msg;
+
+	if (!auth_debug_init)
+		return;
+	while (buffer_len(&auth_debug)) {
+		msg = buffer_get_string(&auth_debug, NULL);
+		packet_send_debug("%s", msg);
+		xfree(msg);
+	}
+}
+
+void
+auth_debug_reset(void)
+{
+	if (auth_debug_init)
+		buffer_clear(&auth_debug);
+	else {
+		buffer_init(&auth_debug);
+		auth_debug_init = 1;
+	}
 }