diff options
| author | des <des@FreeBSD.org> | 2002-06-29 10:57:13 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 2002-06-29 10:57:13 +0000 |
| commit | c6ba2ba489be65498933b63cda1dfd392d041303 (patch) | |
| tree | c603492a1eb4ad539d5ca8eac68663d88628b00d /crypto | |
| parent | 3003a57dbbcf38476f27752cd854e24da3938070 (diff) | |
| download | FreeBSD-src-c6ba2ba489be65498933b63cda1dfd392d041303.zip FreeBSD-src-c6ba2ba489be65498933b63cda1dfd392d041303.tar.gz | |
Apply class-imposed login restrictions.
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/openssh/auth2.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c index 6dfd91f..3ff0b57 100644 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@ -24,6 +24,7 @@ #include "includes.h" RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $"); +RCSID("$FreeBSD$"); #include "ssh2.h" #include "xmalloc.h" @@ -137,6 +138,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(options.verify_reverse_mapping); + from_ip = get_remote_ipaddr(); +#endif if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); @@ -178,6 +186,27 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP + if (authctxt->pw != NULL) { + lc = login_getpwclass(authctxt->pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, authctxt->pw); + if (!auth_hostok(lc, from_host, from_ip)) { + log("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + log("LOGIN %.200s REFUSED (TIME) FROM %.200s", + authctxt->pw->pw_name, from_host); + packet_disconnect("Logins not available right now."); + } + login_close(lc); + lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ auth2_challenge_stop(authctxt); authctxt->postponed = 0; |
