-rw-r--r--crypto/openssh/auth1.c11
-rw-r--r--crypto/openssh/auth2.c12
-rw-r--r--etc/pam.d/sshd1
-rw-r--r--secure/usr.sbin/sshd/Makefile8
4 files changed, 8 insertions, 24 deletions
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 54a23d5..9611c6d 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -88,12 +88,12 @@ do_authloop(Authctxt *authctxt)
#ifdef USE_PAM
struct inverted_pam_cookie *pam_cookie;
#endif /* USE_PAM */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
const char *from_host, *from_ip;
from_host = get_canonical_hostname(options.verify_reverse_mapping);
from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "illegal user ", authctxt->user);
@@ -369,13 +369,6 @@ do_authloop(Authctxt *authctxt)
lc = NULL;
}
#endif /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
- if (pw != NULL && !login_access(pw->pw_name, from_host)) {
- log("Denied connection for %.200s from %.200s [%.200s].",
- pw->pw_name, from_host, from_ip);
- packet_disconnect("Sorry, you are not allowed to connect.");
- }
-#endif /* LOGIN_ACCESS */
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index 1592da2..117415d 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -174,12 +174,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
#ifdef HAVE_LOGIN_CAP
login_cap_t *lc;
#endif /* HAVE_LOGIN_CAP */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
const char *from_host, *from_ip;
from_host = get_canonical_hostname(options.verify_reverse_mapping);
from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -238,14 +238,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
lc = NULL;
}
#endif /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
- if (authctxt->pw != NULL &&
- !login_access(authctxt->pw->pw_name, from_host)) {
- log("Denied connection for %.200s from %.200s [%.200s].",
- authctxt->pw->pw_name, from_host, from_ip);
- packet_disconnect("Sorry, you are not allowed to connect.");
- }
-#endif /* LOGIN_ACCESS */
/* reset state */
auth2_challenge_stop(authctxt);
authctxt->postponed = 0;
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd
index 8dbb05f..9ec85e7 100644
--- a/etc/pam.d/sshd
+++ b/etc/pam.d/sshd
@@ -9,6 +9,7 @@ auth required pam_nologin.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_login_access.so
account required pam_unix.so
# session
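Review bot: With `account required pam_login_access.so` added here, login.access enforcement for sshd depends entirely on this file and on sshd running the PAM account phase. The `login_access()` checks removed from do_authloop in auth1.c and input_userauth_request in auth2.c ran inside the daemon regardless of PAM configuration. A locally modified /etc/pam.d/sshd that is not merged on upgrade would silently stop applying login.access, so a comment above the new line would help, e.g. `# login.access(5) is enforced here; sshd no longer checks it internally`. Two things are not visible in this diff and are worth confirming: that sshd invokes PAM account management for every authentication method, and that it sets PAM_RHOST to the value the old code passed as `from_host`, since the module presumably matches on it. The removed code also logged `Denied connection for ...` before disconnecting, so any log monitoring keyed on that string will need to follow whatever the PAM path emits instead.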
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index bf22015..f453bc1 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -1,17 +1,15 @@
# $FreeBSD$
#
-LOGINSRC= ${.CURDIR}/../../../usr.bin/login
-
PROG= sshd
SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
sshpty.c sshlogin.c servconf.c serverloop.c \
auth.c auth1.c auth2.c auth-options.c session.c \
auth-chall.c auth2-chall.c auth-skey.c auth-pam.c auth2-pam.c \
- groupaccess.c login_access.c
+ groupaccess.c
MAN= sshd.8
-CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DLOGIN_ACCESS -I${LOGINSRC} -DUSE_PAM -DHAVE_PAM_GETENVLIST
+CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DUSE_PAM -DHAVE_PAM_GETENVLIST
.if defined(MAKE_KERBEROS4) && \
((${MAKE_KERBEROS4} == "yes") || (${MAKE_KERBEROS4} == "YES"))
@@ -44,4 +42,4 @@ DPADD+= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPA
.include <bsd.prog.mk>
-.PATH: ${SSHDIR} ${LOGINSRC}
+.PATH: ${SSHDIR}