Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 3702396526a2569402696ff7d7c6d0fe2e5a447b / . / auth.c
blob: 5aeeec6dee62d93134cb96ffd327aa42937787cc [file] [log] [blame]
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
Damien Millerefb4afe2000-04-12 18:45:05 +1000[diff] [blame]4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]5 */
6
7#include "includes.h"
Damien Milleref7df542000-05-19 00:03:23 +1000[diff] [blame]8RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]9
10#include "xmalloc.h"
11#include "rsa.h"
12#include "ssh.h"
13#include "pty.h"
14#include "packet.h"
15#include "buffer.h"
16#include "cipher.h"
17#include "mpaux.h"
18#include "servconf.h"
Damien Millerefb4afe2000-04-12 18:45:05 +1000[diff] [blame]19#include "compat.h"
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]20#include "channels.h"
21#include "match.h"
Damien Millerd2c208a2000-05-17 22:00:02 +1000[diff] [blame]22#ifdef HAVE_LOGIN_H
23#include <login.h>
24#endif
Damien Miller1f335fb2000-06-26 11:31:33 +1000[diff] [blame]25#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
26#include <shadow.h>
27#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]28
Damien Millerefb4afe2000-04-12 18:45:05 +1000[diff] [blame]29#include "bufaux.h"
30#include "ssh2.h"
31#include "auth.h"
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]32#include "session.h"
33#include "dispatch.h"
34
Damien Millerefb4afe2000-04-12 18:45:05 +1000[diff] [blame]35
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]36/* import */
37extern ServerOptions options;
38extern char *forced_command;
39
40/*
41 * Check if the user is allowed to log in via ssh. If user is listed in
42 * DenyUsers or user's primary group is listed in DenyGroups, false will
43 * be returned. If AllowUsers isn't empty and user isn't listed there, or
44 * if AllowGroups isn't empty and user isn't listed there, false will be
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]45 * returned.
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]46 * If the user's shell is not executable, false will be returned.
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]47 * Otherwise true is returned.
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]48 */
Damien Millereba71ba2000-04-29 23:57:08 +1000[diff] [blame]49int
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]50allowed_user(struct passwd * pw)
51{
52 struct stat st;
53 struct group *grp;
Damien Milleref7df542000-05-19 00:03:23 +1000[diff] [blame]54 char *shell;
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]55 int i;
56#ifdef WITH_AIXAUTHENTICATE
57 char *loginmsg;
58#endif /* WITH_AIXAUTHENTICATE */
Damien Miller1f335fb2000-06-26 11:31:33 +1000[diff] [blame]59#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
60 defined(HAS_SHADOW_EXPIRE)
61 struct spwd *spw;
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]62
63 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
64 if (!pw)
65 return 0;
66
Damien Miller1f335fb2000-06-26 11:31:33 +1000[diff] [blame]67 spw = getspnam(pw->pw_name);
Damien Millerc7088432000-07-02 18:44:54 +1000[diff] [blame]68 if (spw != NULL) {
69 int days = time(NULL) / 86400;
Damien Miller1f335fb2000-06-26 11:31:33 +1000[diff] [blame]70
Damien Millerc7088432000-07-02 18:44:54 +1000[diff] [blame]71 /* Check account expiry */
72 if ((spw->sp_expire > 0) && (days > spw->sp_expire))
73 return 0;
74
75 /* Check password expiry */
76 if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) &&
77 (days > (spw->sp_lstchg + spw->sp_inact)))
78 return 0;
79 }
Damien Miller1f335fb2000-06-26 11:31:33 +1000[diff] [blame]80#else
81 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
82 if (!pw)
83 return 0;
84#endif
85
Damien Milleref7df542000-05-19 00:03:23 +1000[diff] [blame]86 /*
87 * Get the shell from the password data. An empty shell field is
88 * legal, and means /bin/sh.
89 */
90 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
91
92 /* deny if shell does not exists or is not executable */
93 if (stat(shell, &st) != 0)
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]94 return 0;
95 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
96 return 0;
97
98 /* Return false if user is listed in DenyUsers */
99 if (options.num_deny_users > 0) {
100 if (!pw->pw_name)
101 return 0;
102 for (i = 0; i < options.num_deny_users; i++)
103 if (match_pattern(pw->pw_name, options.deny_users[i]))
104 return 0;
105 }
106 /* Return false if AllowUsers isn't empty and user isn't listed there */
107 if (options.num_allow_users > 0) {
108 if (!pw->pw_name)
109 return 0;
110 for (i = 0; i < options.num_allow_users; i++)
111 if (match_pattern(pw->pw_name, options.allow_users[i]))
112 break;
113 /* i < options.num_allow_users iff we break for loop */
114 if (i >= options.num_allow_users)
115 return 0;
116 }
117 /* Get the primary group name if we need it. Return false if it fails */
118 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
119 grp = getgrgid(pw->pw_gid);
120 if (!grp)
121 return 0;
122
123 /* Return false if user's group is listed in DenyGroups */
124 if (options.num_deny_groups > 0) {
125 if (!grp->gr_name)
126 return 0;
127 for (i = 0; i < options.num_deny_groups; i++)
128 if (match_pattern(grp->gr_name, options.deny_groups[i]))
129 return 0;
130 }
131 /*
132 * Return false if AllowGroups isn't empty and user's group
133 * isn't listed there
134 */
135 if (options.num_allow_groups > 0) {
136 if (!grp->gr_name)
137 return 0;
138 for (i = 0; i < options.num_allow_groups; i++)
139 if (match_pattern(grp->gr_name, options.allow_groups[i]))
140 break;
141 /* i < options.num_allow_groups iff we break for
142 loop */
143 if (i >= options.num_allow_groups)
144 return 0;
145 }
146 }
147
148#ifdef WITH_AIXAUTHENTICATE
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000[diff] [blame]149 if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
Damien Millerd2c208a2000-05-17 22:00:02 +1000[diff] [blame]150 if (loginmsg && *loginmsg) {
151 /* Remove embedded newlines (if any) */
152 char *p;
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000[diff] [blame]153 for (p = loginmsg; *p; p++) {
Damien Millerd2c208a2000-05-17 22:00:02 +1000[diff] [blame]154 if (*p == '\n')
155 *p = ' ';
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000[diff] [blame]156 }
Damien Millerd2c208a2000-05-17 22:00:02 +1000[diff] [blame]157 /* Remove trailing newline */
158 *--p = '\0';
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000[diff] [blame]159 log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
Damien Millerd2c208a2000-05-17 22:00:02 +1000[diff] [blame]160 }
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]161 return 0;
Damien Millerd2c208a2000-05-17 22:00:02 +1000[diff] [blame]162 }
Damien Millerb38eff82000-04-01 11:09:21 +1000[diff] [blame]163#endif /* WITH_AIXAUTHENTICATE */
164
165 /* We found no reason not to let this user try to log on... */
166 return 1;
167}