Annotation of src/usr.bin/ssh/auth.c, Revision 1.6.2.2
1.1 markus 1: /*
2: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3: * All rights reserved
1.2 markus 4: * Copyright (c) 2000 Markus Friedl. All rights reserved.
1.1 markus 5: */
6:
7: #include "includes.h"
1.6.2.2 ! jason 8: RCSID("$OpenBSD: auth.c,v 1.8 2000/08/04 20:30:07 markus Exp $");
1.1 markus 9:
10: #include "xmalloc.h"
11: #include "rsa.h"
12: #include "ssh.h"
13: #include "pty.h"
14: #include "packet.h"
15: #include "buffer.h"
16: #include "cipher.h"
17: #include "mpaux.h"
18: #include "servconf.h"
1.2 markus 19: #include "compat.h"
1.1 markus 20: #include "channels.h"
21: #include "match.h"
1.6 markus 22:
1.2 markus 23: #include "bufaux.h"
24: #include "ssh2.h"
25: #include "auth.h"
1.1 markus 26: #include "session.h"
1.2 markus 27:
1.1 markus 28: /* import */
29: extern ServerOptions options;
30: extern char *forced_command;
31:
32: /*
33: * Check if the user is allowed to log in via ssh. If user is listed in
34: * DenyUsers or user's primary group is listed in DenyGroups, false will
35: * be returned. If AllowUsers isn't empty and user isn't listed there, or
 36: * if AllowGroups isn't empty and the user's primary group (pw_gid) isn't
1.4 markus 37: * listed there, false will be returned. Supplementary groups are not consulted.
1.1 markus 38: * If the user's shell is not executable, false will be returned.
1.4 markus 39: * Otherwise true is returned.
1.1 markus 40: */
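int
allowed_user(struct passwd * pw)
{
	struct stat st;
	struct group *grp;
	char *shell;
	int i;

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (!pw)
		return 0;

	/*
	 * Get the shell from the password data. An empty shell field is
	 * legal, and means /bin/sh. A NULL pw_shell is treated the same
	 * way rather than dereferenced.
	 */
	shell = (pw->pw_shell == NULL || pw->pw_shell[0] == '\0') ?
	    _PATH_BSHELL : pw->pw_shell;

	/* deny if shell does not exist or is not executable */
	if (stat(shell, &st) != 0)
		return 0;
	/*
	 * S_IFREG is a value within the S_IFMT field, not a lone flag bit,
	 * so "st_mode & S_IFREG" is also non-zero for a socket under the
	 * usual encoding (S_IFSOCK has the S_IFREG bit set). Use S_ISREG()
	 * so only a real regular file is accepted. The execute bits are
	 * checked for presence only; whether *this* user may actually run
	 * the shell is decided when it is exec'd at login.
	 */
	if (!S_ISREG(st.st_mode) ||
	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0)
		return 0;

	/* Return false if user is listed in DenyUsers */
	if (options.num_deny_users > 0) {
		if (!pw->pw_name)
			return 0;
		for (i = 0; i < options.num_deny_users; i++)
			if (match_pattern(pw->pw_name, options.deny_users[i]))
				return 0;
	}
	/* Return false if AllowUsers isn't empty and user isn't listed there */
	if (options.num_allow_users > 0) {
		if (!pw->pw_name)
			return 0;
		for (i = 0; i < options.num_allow_users; i++)
			if (match_pattern(pw->pw_name, options.allow_users[i]))
				break;
		/* i < options.num_allow_users iff we break for loop */
		if (i >= options.num_allow_users)
			return 0;
	}
	/*
	 * Get the primary group name if we need it. Return false if it
	 * fails. Note that only the primary group (pw_gid) is consulted
	 * here; supplementary group memberships play no part in the
	 * DenyGroups/AllowGroups decision.
	 */
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		grp = getgrgid(pw->pw_gid);
		if (!grp)
			return 0;

		/* Return false if user's group is listed in DenyGroups */
		if (options.num_deny_groups > 0) {
			if (!grp->gr_name)
				return 0;
			for (i = 0; i < options.num_deny_groups; i++)
				if (match_pattern(grp->gr_name, options.deny_groups[i]))
					return 0;
		}
		/*
		 * Return false if AllowGroups isn't empty and user's group
		 * isn't listed there
		 */
		if (options.num_allow_groups > 0) {
			if (!grp->gr_name)
				return 0;
			for (i = 0; i < options.num_allow_groups; i++)
				if (match_pattern(grp->gr_name, options.allow_groups[i]))
					break;
			/* i < options.num_allow_groups iff we break for loop */
			if (i >= options.num_allow_groups)
				return 0;
		}
	}
	/* We found no reason not to let this user try to log on... */
	return 1;
}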