===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.45
retrieving revision 1.45.2.2
diff -u -r1.45 -r1.45.2.2
--- src/usr.bin/ssh/auth.c	2002/09/20 18:41:29	1.45
+++ src/usr.bin/ssh/auth.c	2003/09/16 21:20:24	1.45.2.2
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $");
+RCSID("$OpenBSD: auth.c,v 1.45.2.2 2003/09/16 21:20:24 brad Exp $");
 
 #include <libgen.h>
 
@@ -79,19 +79,19 @@
 
 	/* deny if shell does not exists or is not executable */
 	if (stat(shell, &st) != 0) {
-		log("User %.100s not allowed because shell %.100s does not exist",
+		logit("User %.100s not allowed because shell %.100s does not exist",
 		    pw->pw_name, shell);
 		return 0;
 	}
 	if (S_ISREG(st.st_mode) == 0 ||
 	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
-		log("User %.100s not allowed because shell %.100s is not executable",
+		logit("User %.100s not allowed because shell %.100s is not executable",
 		    pw->pw_name, shell);
 		return 0;
 	}
 
 	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-		hostname = get_canonical_hostname(options.verify_reverse_mapping);
+		hostname = get_canonical_hostname(options.use_dns);
 		ipaddr = get_remote_ipaddr();
 	}
 
@@ -100,7 +100,7 @@
 		for (i = 0; i < options.num_deny_users; i++)
 			if (match_user(pw->pw_name, hostname, ipaddr,
 			    options.deny_users[i])) {
-				log("User %.100s not allowed because listed in DenyUsers",
+				logit("User %.100s not allowed because listed in DenyUsers",
 				    pw->pw_name);
 				return 0;
 			}
@@ -113,7 +113,7 @@
 				break;
 		/* i < options.num_allow_users iff we break for loop */
 		if (i >= options.num_allow_users) {
-			log("User %.100s not allowed because not listed in AllowUsers",
+			logit("User %.100s not allowed because not listed in AllowUsers",
 			    pw->pw_name);
 			return 0;
 		}
@@ -121,7 +121,7 @@
 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 		/* Get the user's group access list (primary and supplementary) */
 		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
-			log("User %.100s not allowed because not in any group",
+			logit("User %.100s not allowed because not in any group",
 			    pw->pw_name);
 			return 0;
 		}
@@ -131,7 +131,7 @@
 			if (ga_match(options.deny_groups,
 			    options.num_deny_groups)) {
 				ga_free();
-				log("User %.100s not allowed because a group is listed in DenyGroups",
+				logit("User %.100s not allowed because a group is listed in DenyGroups",
 				    pw->pw_name);
 				return 0;
 			}
@@ -143,7 +143,7 @@
 			if (!ga_match(options.allow_groups,
 			    options.num_allow_groups)) {
 				ga_free();
-				log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
+				logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
 				    pw->pw_name);
 				return 0;
 			}
@@ -172,7 +172,7 @@
 	    !authctxt->valid ||
 	    authctxt->failures >= AUTH_FAIL_LOG ||
 	    strcmp(method, "password") == 0)
-		authlog = log;
+		authlog = logit;
 
 	if (authctxt->postponed)
 		authmsg = "Postponed";
@@ -205,12 +205,12 @@
 		break;
 	case PERMIT_FORCED_ONLY:
 		if (forced_command) {
-			log("Root login accepted for forced command.");
+			logit("Root login accepted for forced command.");
 			return 1;
 		}
 		break;
 	}
-	log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
+	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
 	return 0;
 }
 
@@ -302,7 +302,7 @@
 		    (stat(user_hostfile, &st) == 0) &&
 		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 		    (st.st_mode & 022) != 0)) {
-			log("Authentication refused for %.100s: "
+			logit("Authentication refused for %.100s: "
 			    "bad owner or modes for %.200s",
 			    pw->pw_name, user_hostfile);
 		} else {
@@ -340,6 +340,7 @@
 	uid_t uid = pw->pw_uid;
 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
 	char *cp;
+	int comparehome = 0;
 	struct stat st;
 
 	if (realpath(file, buf) == NULL) {
@@ -347,11 +348,8 @@
 		    strerror(errno));
 		return -1;
 	}
-	if (realpath(pw->pw_dir, homedir) == NULL) {
-		snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
-		    strerror(errno));
-		return -1;
-	}
+	if (realpath(pw->pw_dir, homedir) != NULL)
+		comparehome = 1;
 
 	/* check the open file to avoid races */
 	if (fstat(fileno(f), &st) < 0 ||
@@ -380,7 +378,7 @@
 		}
 
 		/* If are passed the homedir then we can stop */
-		if (strcmp(homedir, buf) == 0) {
+		if (comparehome && strcmp(homedir, buf) == 0) {
 			debug3("secure_filename: terminating check at '%s'",
 			    buf);
 			break;
@@ -408,7 +406,7 @@
 
 	pw = getpwnam(user);
 	if (pw == NULL) {
-		log("Illegal user %.100s from %.100s",
+		logit("Illegal user %.100s from %.100s",
 		    user, get_remote_ipaddr());
 		return (NULL);
 	}
@@ -472,4 +470,23 @@
 		buffer_init(&auth_debug);
 		auth_debug_init = 1;
 	}
+}
+
+struct passwd *
+fakepw(void)
+{
+	static struct passwd fake;
+
+	memset(&fake, 0, sizeof(fake));
+	fake.pw_name = "NOUSER";
+	fake.pw_passwd =
+	    "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";	
+	fake.pw_gecos = "NOUSER";
+	fake.pw_uid = -1;
+	fake.pw_gid = -1;
+	fake.pw_class = "";
+	fake.pw_dir = "/nonexist";
+	fake.pw_shell = "/nonexist";
+
+	return (&fake);
 }