authorgreen <green@FreeBSD.org>2000-11-14 04:35:03 +0000
committergreen <green@FreeBSD.org>2000-11-14 04:35:03 +0000
commit0bc5843790af30eda24f862c34d78495bf8fec50 (patch)
tree5f5ca11747d1ab5b50ce737dced91c134d4c62d4 /crypto
parentfb253173aee65108d2c6148fcc989c44792b8689 (diff)
Add login_cap and login_access support. Previously, these FreeBSD-local
checks were only made when using the 1.x protocol.
Diffstat (limited to 'crypto')
-rw-r--r--crypto/openssh/auth2.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index a834e14..de61221 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -53,6 +53,10 @@ RCSID("$FreeBSD$");
#include "uidswap.h"
#include "auth-options.h"
+#ifdef HAVE_LOGIN_CAP
+#include <login_cap.h>
+#endif /* HAVE_LOGIN_CAP */
+
/* import */
extern ServerOptions options;
extern unsigned char *session_id2;
@@ -152,6 +156,15 @@ input_userauth_request(int type, int plen)
int authenticated = 0;
char *user, *service, *method, *authmsg = NULL;
struct passwd *pw;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+#endif /* HAVE_LOGIN_CAP */
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname();
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
if (++attempt == AUTH_FAIL_MAX)
packet_disconnect("too many failed userauth_requests");
@@ -178,6 +191,30 @@ input_userauth_request(int type, int plen)
get_canonical_hostname());
}
+#ifdef HAVE_LOGIN_CAP
+ lc = login_getpwclass(pw);
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
+ login_close(lc);
+#endif /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (!login_access(pw->pw_name, from_host)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+#endif /* LOGIN_ACCESS */
+
/* Raise logging level */
if (authenticated == 1 ||
attempt == AUTH_FAIL_LOG ||
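Review bot: `pw` is dereferenced in the new block without a NULL check — at the `pw->pw_name` arguments of the two "Denied connection" log calls and the "REFUSED (TIME)" log, and unconditionally in `login_access(pw->pw_name, from_host)` under LOGIN_ACCESS. The context just above the insertion (`get_canonical_hostname());` closing a log call) looks like the tail of the branch that handles a user name that does not resolve to a passwd entry; if that branch leaves `pw` NULL, a userauth request naming a non-existent account takes the per-connection sshd down with a NULL dereference instead of failing cleanly, and whether `login_getpwclass(NULL)` tolerates a NULL argument should be confirmed against the libutil version in use. The simplest fix is to guard the whole added section with `if (pw != NULL) {` … `}` (or, equivalently, only run the host/time/access checks once the user has been resolved and authenticated, as the 1.x path does), so the existing "illegal user" handling stays the only outcome for unknown names. `input_userauth_request` starts before this hunk and its body continues after it.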