From c6ba2ba489be65498933b63cda1dfd392d041303 Mon Sep 17 00:00:00 2001 From: des Date: Sat, 29 Jun 2002 10:57:13 +0000 Subject: Apply class-imposed login restrictions. Sponsored by: DARPA, NAI Labs --- crypto/openssh/auth2.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'crypto') diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c index 6dfd91f..3ff0b57 100644 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@ -24,6 +24,7 @@ #include "includes.h" RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $"); +RCSID("$FreeBSD$"); #include "ssh2.h" #include "xmalloc.h" @@ -137,6 +138,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(options.verify_reverse_mapping); + from_ip = get_remote_ipaddr(); +#endif if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); @@ -178,6 +186,27 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP + if (authctxt->pw != NULL) { + lc = login_getpwclass(authctxt->pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, authctxt->pw); + if (!auth_hostok(lc, from_host, from_ip)) { + log("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + log("LOGIN %.200s REFUSED (TIME) FROM %.200s", + authctxt->pw->pw_name, from_host); + packet_disconnect("Logins not available right now."); + } + login_close(lc); + lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ auth2_challenge_stop(authctxt); authctxt->postponed = 0; -- cgit v1.1