diff options
author | kris <kris@FreeBSD.org> | 2000-05-15 04:37:24 +0000 |
---|---|---|
committer | kris <kris@FreeBSD.org> | 2000-05-15 04:37:24 +0000 |
commit | 4dc8aa85ced77e9e02dea6939edd4d3564b5086e (patch) | |
tree | 772b9de8852fb4c32957c00639a4fd5460f8a62b /crypto/openssh/auth.c | |
parent | b201b15ee1575ab28ed4f9b5a7d430e835a7c7ae (diff) | |
download | FreeBSD-src-4dc8aa85ced77e9e02dea6939edd4d3564b5086e.zip FreeBSD-src-4dc8aa85ced77e9e02dea6939edd4d3564b5086e.tar.gz |
Initial import of OpenSSH v2.1.
Diffstat (limited to 'crypto/openssh/auth.c')
-rw-r--r-- | crypto/openssh/auth.c | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c new file mode 100644 index 0000000..d3425a2 --- /dev/null +++ b/crypto/openssh/auth.c @@ -0,0 +1,111 @@ +/* + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland + * All rights reserved + * Copyright (c) 2000 Markus Friedl. All rights reserved. + */ + +#include "includes.h" +RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $"); + +#include "xmalloc.h" +#include "rsa.h" +#include "ssh.h" +#include "pty.h" +#include "packet.h" +#include "buffer.h" +#include "cipher.h" +#include "mpaux.h" +#include "servconf.h" +#include "compat.h" +#include "channels.h" +#include "match.h" + +#include "bufaux.h" +#include "ssh2.h" +#include "auth.h" +#include "session.h" +#include "dispatch.h" + + +/* import */ +extern ServerOptions options; +extern char *forced_command; + +/* + * Check if the user is allowed to log in via ssh. If user is listed in + * DenyUsers or user's primary group is listed in DenyGroups, false will + * be returned. If AllowUsers isn't empty and user isn't listed there, or + * if AllowGroups isn't empty and user isn't listed there, false will be + * returned. + * If the user's shell is not executable, false will be returned. + * Otherwise true is returned. + */ +int +allowed_user(struct passwd * pw) +{ + struct stat st; + struct group *grp; + int i; + + /* Shouldn't be called if pw is NULL, but better safe than sorry... */ + if (!pw) + return 0; + + /* deny if shell does not exists or is not executable */ + if (stat(pw->pw_shell, &st) != 0) + return 0; + if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) + return 0; + + /* Return false if user is listed in DenyUsers */ + if (options.num_deny_users > 0) { + if (!pw->pw_name) + return 0; + for (i = 0; i < options.num_deny_users; i++) + if (match_pattern(pw->pw_name, options.deny_users[i])) + return 0; + } + /* Return false if AllowUsers isn't empty and user isn't listed there */ + if (options.num_allow_users > 0) { + if (!pw->pw_name) + return 0; + for (i = 0; i < options.num_allow_users; i++) + if (match_pattern(pw->pw_name, options.allow_users[i])) + break; + /* i < options.num_allow_users iff we break for loop */ + if (i >= options.num_allow_users) + return 0; + } + /* Get the primary group name if we need it. Return false if it fails */ + if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { + grp = getgrgid(pw->pw_gid); + if (!grp) + return 0; + + /* Return false if user's group is listed in DenyGroups */ + if (options.num_deny_groups > 0) { + if (!grp->gr_name) + return 0; + for (i = 0; i < options.num_deny_groups; i++) + if (match_pattern(grp->gr_name, options.deny_groups[i])) + return 0; + } + /* + * Return false if AllowGroups isn't empty and user's group + * isn't listed there + */ + if (options.num_allow_groups > 0) { + if (!grp->gr_name) + return 0; + for (i = 0; i < options.num_allow_groups; i++) + if (match_pattern(grp->gr_name, options.allow_groups[i])) + break; + /* i < options.num_allow_groups iff we break for + loop */ + if (i >= options.num_allow_groups) + return 0; + } + } + /* We found no reason not to let this user try to log on... */ + return 1; +} |