blob: c3063e422ff0acd9dfa1381e86a73fa5a8c29566 [file] [log] [blame]
Damien Millerb38eff82000-04-01 11:09:21 +10001/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
Damien Millerefb4afe2000-04-12 18:45:05 +10004 * Copyright (c) 2000 Markus Friedl. All rights reserved.
Damien Millerb38eff82000-04-01 11:09:21 +10005 */
6
7#include "includes.h"
Damien Millereba71ba2000-04-29 23:57:08 +10008RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $");
Damien Millerb38eff82000-04-01 11:09:21 +10009
10#include "xmalloc.h"
11#include "rsa.h"
12#include "ssh.h"
13#include "pty.h"
14#include "packet.h"
15#include "buffer.h"
16#include "cipher.h"
17#include "mpaux.h"
18#include "servconf.h"
Damien Millerefb4afe2000-04-12 18:45:05 +100019#include "compat.h"
Damien Millerb38eff82000-04-01 11:09:21 +100020#include "channels.h"
21#include "match.h"
Damien Millerd2c208a2000-05-17 22:00:02 +100022#ifdef HAVE_LOGIN_H
23#include <login.h>
24#endif
Damien Millerb38eff82000-04-01 11:09:21 +100025
Damien Millerefb4afe2000-04-12 18:45:05 +100026#include "bufaux.h"
27#include "ssh2.h"
28#include "auth.h"
Damien Millerb38eff82000-04-01 11:09:21 +100029#include "session.h"
30#include "dispatch.h"
31
Damien Millerefb4afe2000-04-12 18:45:05 +100032
Damien Millerb38eff82000-04-01 11:09:21 +100033/* import */
34extern ServerOptions options;
35extern char *forced_command;
36
37/*
38 * Check if the user is allowed to log in via ssh. If user is listed in
39 * DenyUsers or user's primary group is listed in DenyGroups, false will
40 * be returned. If AllowUsers isn't empty and user isn't listed there, or
41 * if AllowGroups isn't empty and user isn't listed there, false will be
Damien Miller4af51302000-04-16 11:18:38 +100042 * returned.
Damien Millerb38eff82000-04-01 11:09:21 +100043 * If the user's shell is not executable, false will be returned.
Damien Miller4af51302000-04-16 11:18:38 +100044 * Otherwise true is returned.
Damien Millerb38eff82000-04-01 11:09:21 +100045 */
Damien Millereba71ba2000-04-29 23:57:08 +100046int
Damien Millerb38eff82000-04-01 11:09:21 +100047allowed_user(struct passwd * pw)
48{
49 struct stat st;
50 struct group *grp;
51 int i;
52#ifdef WITH_AIXAUTHENTICATE
53 char *loginmsg;
54#endif /* WITH_AIXAUTHENTICATE */
55
56 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
57 if (!pw)
58 return 0;
59
60 /* deny if shell does not exists or is not executable */
61 if (stat(pw->pw_shell, &st) != 0)
62 return 0;
63 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
64 return 0;
65
66 /* Return false if user is listed in DenyUsers */
67 if (options.num_deny_users > 0) {
68 if (!pw->pw_name)
69 return 0;
70 for (i = 0; i < options.num_deny_users; i++)
71 if (match_pattern(pw->pw_name, options.deny_users[i]))
72 return 0;
73 }
74 /* Return false if AllowUsers isn't empty and user isn't listed there */
75 if (options.num_allow_users > 0) {
76 if (!pw->pw_name)
77 return 0;
78 for (i = 0; i < options.num_allow_users; i++)
79 if (match_pattern(pw->pw_name, options.allow_users[i]))
80 break;
81 /* i < options.num_allow_users iff we break for loop */
82 if (i >= options.num_allow_users)
83 return 0;
84 }
85 /* Get the primary group name if we need it. Return false if it fails */
86 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
87 grp = getgrgid(pw->pw_gid);
88 if (!grp)
89 return 0;
90
91 /* Return false if user's group is listed in DenyGroups */
92 if (options.num_deny_groups > 0) {
93 if (!grp->gr_name)
94 return 0;
95 for (i = 0; i < options.num_deny_groups; i++)
96 if (match_pattern(grp->gr_name, options.deny_groups[i]))
97 return 0;
98 }
99 /*
100 * Return false if AllowGroups isn't empty and user's group
101 * isn't listed there
102 */
103 if (options.num_allow_groups > 0) {
104 if (!grp->gr_name)
105 return 0;
106 for (i = 0; i < options.num_allow_groups; i++)
107 if (match_pattern(grp->gr_name, options.allow_groups[i]))
108 break;
109 /* i < options.num_allow_groups iff we break for
110 loop */
111 if (i >= options.num_allow_groups)
112 return 0;
113 }
114 }
115
116#ifdef WITH_AIXAUTHENTICATE
Damien Millerd2c208a2000-05-17 22:00:02 +1000117 if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) {
118 if (loginmsg && *loginmsg) {
119 /* Remove embedded newlines (if any) */
120 char *p;
121 for (p = loginmsg; *p; p++)
122 if (*p == '\n')
123 *p = ' ';
124 /* Remove trailing newline */
125 *--p = '\0';
126 log("Login restricted for %s: %.100s",
127 pw->pw_name, loginmsg);
128 }
Damien Millerb38eff82000-04-01 11:09:21 +1000129 return 0;
Damien Millerd2c208a2000-05-17 22:00:02 +1000130 }
Damien Millerb38eff82000-04-01 11:09:21 +1000131#endif /* WITH_AIXAUTHENTICATE */
132
133 /* We found no reason not to let this user try to log on... */
134 return 1;
135}