summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/sshd.c
diff options
context:
space:
mode:
authormarkm <markm@FreeBSD.org>2000-03-09 14:52:31 +0000
committermarkm <markm@FreeBSD.org>2000-03-09 14:52:31 +0000
commitb0cba82a4f20bc5a6b45756ed7573301110d26f1 (patch)
treee3ed8f42e6559ae11806d261a59f9ac3217609b1 /crypto/openssh/sshd.c
parent48f6832d33ea06fc0dace0e3707d8dc45125eeb9 (diff)
downloadFreeBSD-src-b0cba82a4f20bc5a6b45756ed7573301110d26f1.zip
FreeBSD-src-b0cba82a4f20bc5a6b45756ed7573301110d26f1.tar.gz
Make LOGIN_CAP work properly.
Diffstat (limited to 'crypto/openssh/sshd.c')
-rw-r--r--crypto/openssh/sshd.c45
1 files changed, 27 insertions, 18 deletions
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index d67dd22..627d09c 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1292,10 +1292,13 @@ do_authentication()
char *user;
#ifdef LOGIN_CAP
login_cap_t *lc;
- char *hosts;
- const char *from_host, *from_ip;
- int denied;
#endif /* LOGIN_CAP */
+#if defined(LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname();
+ from_ip = get_remote_ipaddr();
+#endif /* LOGIN_CAP || LOGIN_ACCESS */
/* Get the name of the user that we wish to log in as. */
packet_read_expect(&plen, SSH_CMSG_USER);
@@ -1374,28 +1377,25 @@ do_authentication()
lc = login_getpwclass(pw);
if (lc == NULL)
lc = login_getclassbyname(NULL, pw);
- from_host = get_canonical_hostname();
- from_ip = get_remote_ipaddr();
-
- denied = 0;
- if ((hosts = login_getcapstr(lc, "host.deny", NULL, NULL)) != NULL) {
- denied = match_hostname(from_host, hosts, strlen(hosts));
- if (!denied)
- denied = match_hostname(from_ip, hosts, strlen(hosts));
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
}
- if (!denied &&
- (hosts = login_getcapstr(lc, "host.allow", NULL, NULL)) != NULL) {
- denied = !match_hostname(from_host, hosts, strlen(hosts));
- if (denied)
- denied = !match_hostname(from_ip, hosts, strlen(hosts));
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
}
login_close(lc);
- if (denied) {
+#endif /* LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (!login_access(pw->pw_name, from_host)) {
log("Denied connection for %.200s from %.200s [%.200s].",
pw->pw_name, from_host, from_ip);
packet_disconnect("Sorry, you are not allowed to connect.");
}
-#endif /* LOGIN_CAP */
+#endif /* LOGIN_ACCESS */
if (pw->pw_uid == 0)
log("ROOT LOGIN as '%.100s' from %.100s",
@@ -2340,6 +2340,15 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
ctime(&pw->pw_expire));
}
#endif /* __FreeBSD__ */
+#ifdef LOGIN_CAP
+ if (!auth_ttyok(lc, ttyname)) {
+ (void)printf("Permission denied.\n");
+ log(
+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+ pw->pw_name, hostname, ttyname);
+ exit(254);
+ }
+#endif /* LOGIN_CAP */
/*
* If the user has logged in before, display the time of last
OpenPOWER on IntegriCloud