===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.41
retrieving revision 1.41.2.5
diff -u -r1.41 -r1.41.2.5
--- src/usr.bin/ssh/auth.c	2002/03/19 15:31:47	1.41
+++ src/usr.bin/ssh/auth.c	2003/04/03 22:35:16	1.41.2.5
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.41 2002/03/19 15:31:47 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.41.2.5 2003/04/03 22:35:16 miod Exp $");
 
 #include <libgen.h>
 
@@ -40,10 +40,16 @@
 #include "uidswap.h"
 #include "tildexpand.h"
 #include "misc.h"
+#include "bufaux.h"
+#include "packet.h"
 
 /* import */
 extern ServerOptions options;
 
+/* Debugging messages */
+Buffer auth_debug;
+int auth_debug_init;
+
 /*
  * Check if the user is allowed to log in via ssh. If user is listed
  * in DenyUsers or one of user's groups is listed in DenyGroups, false
@@ -317,7 +323,7 @@
 
 /*
  * Check a given file for security. This is defined as all components
- * of the path to the file must either be owned by either the owner of
+ * of the path to the file must be owned by either the owner of
  * of the file or root and no directories must be group or world writable.
  *
  * XXX Should any specific check be done for sym links ?
@@ -334,6 +340,7 @@
 	uid_t uid = pw->pw_uid;
 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
 	char *cp;
+	int comparehome = 0;
 	struct stat st;
 
 	if (realpath(file, buf) == NULL) {
@@ -341,11 +348,8 @@
 		    strerror(errno));
 		return -1;
 	}
-	if (realpath(pw->pw_dir, homedir) == NULL) {
-		snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
-		    strerror(errno));
-		return -1;
-	}
+	if (realpath(pw->pw_dir, homedir) != NULL)
+		comparehome = 1;
 
 	/* check the open file to avoid races */
 	if (fstat(fileno(f), &st) < 0 ||
@@ -374,7 +378,7 @@
 		}
 
 		/* If are passed the homedir then we can stop */
-		if (strcmp(homedir, buf) == 0) {
+		if (comparehome && strcmp(homedir, buf) == 0) {
 			debug3("secure_filename: terminating check at '%s'",
 			    buf);
 			break;
@@ -401,8 +405,13 @@
 	struct passwd *pw;
 
 	pw = getpwnam(user);
-	if (pw == NULL || !allowed_user(pw))
+	if (pw == NULL) {
+		log("Illegal user %.100s from %.100s",
+		    user, get_remote_ipaddr());
 		return (NULL);
+	}
+	if (!allowed_user(pw))
+		return (NULL);
 #ifdef HAVE_LOGIN_CAP
 	if ((lc = login_getclass(pw->pw_class)) == NULL) {
 		debug("unable to get login class: %s", user);
@@ -410,7 +419,7 @@
 	}
 #ifdef BSD_AUTH
 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
-	    auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
 		debug("Approval failure for %s", user);
 		pw = NULL;
 	}
@@ -421,4 +430,44 @@
 	if (pw != NULL)
 		return (pwcopy(pw));
 	return (NULL);
+}
+
+void
+auth_debug_add(const char *fmt,...)
+{
+	char buf[1024];
+	va_list args;
+
+	if (!auth_debug_init)
+		return;
+
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+	buffer_put_cstring(&auth_debug, buf);
+}
+
+void
+auth_debug_send(void)
+{
+	char *msg;
+
+	if (!auth_debug_init)
+		return;
+	while (buffer_len(&auth_debug)) {
+		msg = buffer_get_string(&auth_debug, NULL);
+		packet_send_debug("%s", msg);
+		xfree(msg);
+	}
+}
+
+void
+auth_debug_reset(void)
+{
+	if (auth_debug_init)
+		buffer_clear(&auth_debug);
+	else {
+		buffer_init(&auth_debug);
+		auth_debug_init = 1;
+	}
 }