blob: 204903fe049702e303ce5c9e0959ba8be605157e [file] [log] [blame]
Damien Millerb38eff82000-04-01 11:09:21 +10001/*
Damien Millerefb4afe2000-04-12 18:45:05 +10002 * Copyright (c) 2000 Markus Friedl. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +11003 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Millerb38eff82000-04-01 11:09:21 +100023 */
24
25#include "includes.h"
Kevin Steves2b725a02001-02-05 18:16:28 +000026RCSID("$OpenBSD: auth.c,v 1.16 2001/02/04 15:32:22 stevesk Exp $");
Damien Millerb38eff82000-04-01 11:09:21 +100027
Damien Millerd2c208a2000-05-17 22:00:02 +100028#ifdef HAVE_LOGIN_H
29#include <login.h>
30#endif
Damien Miller1f335fb2000-06-26 11:31:33 +100031#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
32#include <shadow.h>
33#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
Damien Millerb38eff82000-04-01 11:09:21 +100034
Ben Lindstrom226cfa02001-01-22 05:34:40 +000035#include "xmalloc.h"
36#include "match.h"
37#include "groupaccess.h"
38#include "log.h"
39#include "servconf.h"
Damien Millerefb4afe2000-04-12 18:45:05 +100040#include "auth.h"
Ben Lindstromdb65e8f2001-01-19 04:26:52 +000041#include "auth-options.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000042#include "canohost.h"
Damien Millerefb4afe2000-04-12 18:45:05 +100043
Damien Millerb38eff82000-04-01 11:09:21 +100044/* import */
45extern ServerOptions options;
Damien Millerb38eff82000-04-01 11:09:21 +100046
47/*
Kevin Steves7b61cfa2001-01-14 19:11:00 +000048 * Check if the user is allowed to log in via ssh. If user is listed
49 * in DenyUsers or one of user's groups is listed in DenyGroups, false
50 * will be returned. If AllowUsers isn't empty and user isn't listed
51 * there, or if AllowGroups isn't empty and one of user's groups isn't
52 * listed there, false will be returned.
Damien Millerb38eff82000-04-01 11:09:21 +100053 * If the user's shell is not executable, false will be returned.
Damien Miller4af51302000-04-16 11:18:38 +100054 * Otherwise true is returned.
Damien Millerb38eff82000-04-01 11:09:21 +100055 */
Damien Millereba71ba2000-04-29 23:57:08 +100056int
Damien Millerb38eff82000-04-01 11:09:21 +100057allowed_user(struct passwd * pw)
58{
59 struct stat st;
Damien Milleref7df542000-05-19 00:03:23 +100060 char *shell;
Damien Millerb38eff82000-04-01 11:09:21 +100061 int i;
62#ifdef WITH_AIXAUTHENTICATE
63 char *loginmsg;
64#endif /* WITH_AIXAUTHENTICATE */
Kevin Stevesa58e0af2000-10-29 14:38:55 +000065#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
Damien Miller62dd94b2000-09-23 14:26:32 +110066 !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
Kevin Steves7b61cfa2001-01-14 19:11:00 +000067 struct spwd *spw;
Damien Millerb38eff82000-04-01 11:09:21 +100068
69 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
Kevin Steves7b61cfa2001-01-14 19:11:00 +000070 if (!pw || !pw->pw_name)
Damien Millerb38eff82000-04-01 11:09:21 +100071 return 0;
72
Damien Miller1f335fb2000-06-26 11:31:33 +100073 spw = getspnam(pw->pw_name);
Damien Millerc7088432000-07-02 18:44:54 +100074 if (spw != NULL) {
75 int days = time(NULL) / 86400;
Damien Miller1f335fb2000-06-26 11:31:33 +100076
Damien Millerc7088432000-07-02 18:44:54 +100077 /* Check account expiry */
Damien Miller62dd94b2000-09-23 14:26:32 +110078 if ((spw->sp_expire >= 0) && (days > spw->sp_expire))
Damien Millerc7088432000-07-02 18:44:54 +100079 return 0;
80
81 /* Check password expiry */
Kevin Stevesef4eea92001-02-05 12:42:17 +000082 if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
Damien Miller606f8802000-09-16 15:39:56 +110083 (days > (spw->sp_lstchg + spw->sp_max)))
Damien Millerc7088432000-07-02 18:44:54 +100084 return 0;
85 }
Damien Miller1f335fb2000-06-26 11:31:33 +100086#else
87 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
Kevin Steves7b61cfa2001-01-14 19:11:00 +000088 if (!pw || !pw->pw_name)
Damien Miller1f335fb2000-06-26 11:31:33 +100089 return 0;
90#endif
91
Damien Milleref7df542000-05-19 00:03:23 +100092 /*
93 * Get the shell from the password data. An empty shell field is
94 * legal, and means /bin/sh.
95 */
96 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
97
98 /* deny if shell does not exists or is not executable */
99 if (stat(shell, &st) != 0)
Damien Millerb38eff82000-04-01 11:09:21 +1000100 return 0;
101 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
102 return 0;
103
104 /* Return false if user is listed in DenyUsers */
105 if (options.num_deny_users > 0) {
Damien Millerb38eff82000-04-01 11:09:21 +1000106 for (i = 0; i < options.num_deny_users; i++)
107 if (match_pattern(pw->pw_name, options.deny_users[i]))
108 return 0;
109 }
110 /* Return false if AllowUsers isn't empty and user isn't listed there */
111 if (options.num_allow_users > 0) {
Damien Millerb38eff82000-04-01 11:09:21 +1000112 for (i = 0; i < options.num_allow_users; i++)
113 if (match_pattern(pw->pw_name, options.allow_users[i]))
114 break;
115 /* i < options.num_allow_users iff we break for loop */
116 if (i >= options.num_allow_users)
117 return 0;
118 }
Damien Millerb38eff82000-04-01 11:09:21 +1000119 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
Kevin Steves7b61cfa2001-01-14 19:11:00 +0000120 /* Get the user's group access list (primary and supplementary) */
121 if (ga_init(pw->pw_name, pw->pw_gid) == 0)
Damien Millerb38eff82000-04-01 11:09:21 +1000122 return 0;
123
Kevin Steves7b61cfa2001-01-14 19:11:00 +0000124 /* Return false if one of user's groups is listed in DenyGroups */
125 if (options.num_deny_groups > 0)
126 if (ga_match(options.deny_groups,
127 options.num_deny_groups)) {
128 ga_free();
Damien Millerb38eff82000-04-01 11:09:21 +1000129 return 0;
Kevin Steves7b61cfa2001-01-14 19:11:00 +0000130 }
Damien Millerb38eff82000-04-01 11:09:21 +1000131 /*
Kevin Steves7b61cfa2001-01-14 19:11:00 +0000132 * Return false if AllowGroups isn't empty and one of user's groups
Damien Millerb38eff82000-04-01 11:09:21 +1000133 * isn't listed there
134 */
Kevin Steves7b61cfa2001-01-14 19:11:00 +0000135 if (options.num_allow_groups > 0)
136 if (!ga_match(options.allow_groups,
137 options.num_allow_groups)) {
138 ga_free();
Damien Millerb38eff82000-04-01 11:09:21 +1000139 return 0;
Kevin Steves7b61cfa2001-01-14 19:11:00 +0000140 }
141 ga_free();
Damien Millerb38eff82000-04-01 11:09:21 +1000142 }
143
144#ifdef WITH_AIXAUTHENTICATE
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000145 if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
Damien Millerd2c208a2000-05-17 22:00:02 +1000146 if (loginmsg && *loginmsg) {
147 /* Remove embedded newlines (if any) */
148 char *p;
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000149 for (p = loginmsg; *p; p++) {
Damien Millerd2c208a2000-05-17 22:00:02 +1000150 if (*p == '\n')
151 *p = ' ';
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000152 }
Damien Millerd2c208a2000-05-17 22:00:02 +1000153 /* Remove trailing newline */
154 *--p = '\0';
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000155 log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
Damien Millerd2c208a2000-05-17 22:00:02 +1000156 }
Damien Millerb38eff82000-04-01 11:09:21 +1000157 return 0;
Damien Millerd2c208a2000-05-17 22:00:02 +1000158 }
Damien Millerb38eff82000-04-01 11:09:21 +1000159#endif /* WITH_AIXAUTHENTICATE */
160
161 /* We found no reason not to let this user try to log on... */
162 return 1;
163}
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000164
165Authctxt *
166authctxt_new(void)
167{
Kevin Stevesef4eea92001-02-05 12:42:17 +0000168 Authctxt *authctxt = xmalloc(sizeof(*authctxt));
169 memset(authctxt, 0, sizeof(*authctxt));
170 return authctxt;
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000171}
172
173struct passwd *
174pwcopy(struct passwd *pw)
175{
176 struct passwd *copy = xmalloc(sizeof(*copy));
177 memset(copy, 0, sizeof(*copy));
178 copy->pw_name = xstrdup(pw->pw_name);
179 copy->pw_passwd = xstrdup(pw->pw_passwd);
180 copy->pw_uid = pw->pw_uid;
181 copy->pw_gid = pw->pw_gid;
182#ifdef HAVE_PW_CLASS_IN_PASSWD
183 copy->pw_class = xstrdup(pw->pw_class);
184#endif
185 copy->pw_dir = xstrdup(pw->pw_dir);
186 copy->pw_shell = xstrdup(pw->pw_shell);
187 return copy;
188}
189
190void
191auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
192{
193 void (*authlog) (const char *fmt,...) = verbose;
194 char *authmsg;
195
196 /* Raise logging level */
197 if (authenticated == 1 ||
198 !authctxt->valid ||
199 authctxt->failures >= AUTH_FAIL_LOG ||
200 strcmp(method, "password") == 0)
201 authlog = log;
202
203 if (authctxt->postponed)
204 authmsg = "Postponed";
205 else
206 authmsg = authenticated ? "Accepted" : "Failed";
207
208 authlog("%s %s for %s%.100s from %.200s port %d%s",
209 authmsg,
210 method,
211 authctxt->valid ? "" : "illegal user ",
212 authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user,
213 get_remote_ipaddr(),
214 get_remote_port(),
215 info);
216}
217
218/*
219 * Check if the user is logging in as root and root logins are disallowed.
220 * Note that root login is _allways_ allowed for forced commands.
221 */
222int
223auth_root_allowed(void)
224{
225 if (options.permit_root_login)
226 return 1;
227 if (forced_command) {
228 log("Root login accepted for forced command.");
229 return 1;
230 } else {
Damien Miller33804262001-02-04 23:20:18 +1100231 log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000232 return 0;
233 }
234}