Damien Millerb38eff82000-04-01 11:09:21 +10001/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
Damien Millerefb4afe2000-04-12 18:45:05 +10004 * Copyright (c) 2000 Markus Friedl. All rights reserved.
Damien Millerb38eff82000-04-01 11:09:21 +10005 */
6
7#include "includes.h"
Damien Milleref7df542000-05-19 00:03:23 +10008RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
Damien Millerb38eff82000-04-01 11:09:21 +10009
10#include "xmalloc.h"
11#include "rsa.h"
12#include "ssh.h"
13#include "pty.h"
14#include "packet.h"
15#include "buffer.h"
16#include "cipher.h"
17#include "mpaux.h"
18#include "servconf.h"
Damien Millerefb4afe2000-04-12 18:45:05 +100019#include "compat.h"
Damien Millerb38eff82000-04-01 11:09:21 +100020#include "channels.h"
21#include "match.h"
Damien Millerd2c208a2000-05-17 22:00:02 +100022#ifdef HAVE_LOGIN_H
23#include <login.h>
24#endif
Damien Miller1f335fb2000-06-26 11:31:33 +100025#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
26#include <shadow.h>
27#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
Damien Millerb38eff82000-04-01 11:09:21 +100028
Damien Millerefb4afe2000-04-12 18:45:05 +100029#include "bufaux.h"
30#include "ssh2.h"
31#include "auth.h"
Damien Millerb38eff82000-04-01 11:09:21 +100032#include "session.h"
33#include "dispatch.h"
34
Damien Millerefb4afe2000-04-12 18:45:05 +100035
Damien Millerb38eff82000-04-01 11:09:21 +100036/* import */
37extern ServerOptions options;
38extern char *forced_command;
39
40/*
41 * Check if the user is allowed to log in via ssh. If user is listed in
42 * DenyUsers or user's primary group is listed in DenyGroups, false will
43 * be returned. If AllowUsers isn't empty and user isn't listed there, or
44 * if AllowGroups isn't empty and user isn't listed there, false will be
Damien Miller4af51302000-04-16 11:18:38 +100045 * returned.
Damien Millerb38eff82000-04-01 11:09:21 +100046 * If the user's shell is not executable, false will be returned.
Damien Miller4af51302000-04-16 11:18:38 +100047 * Otherwise true is returned.
Damien Millerb38eff82000-04-01 11:09:21 +100048 */
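/*
 * Return non-zero if 'name' matches any of the first 'n' patterns in
 * 'list' (match_pattern() semantics), zero otherwise. Shared by the
 * DenyUsers/AllowUsers and DenyGroups/AllowGroups checks so the four
 * list walks cannot drift apart. An empty list (n <= 0) matches nothing.
 */
static int
name_matches_list(const char *name, char **list, int n)
{
	int i;

	for (i = 0; i < n; i++)
		if (match_pattern(name, list[i]))
			return 1;
	return 0;
}

/*
 * Check if the user is allowed to log in via ssh. The checks are, in
 * order: (optionally) shadow account/password expiry, an existing
 * executable login shell, DenyUsers, AllowUsers, DenyGroups and
 * AllowGroups (both against the primary group only), and on AIX the
 * system login restrictions. Any failing check returns 0 (deny) at
 * once; 1 (allow) is returned only when no check objected.
 *
 * 'pw' is the password entry of the user trying to log in; NULL is
 * tolerated and denied.
 */
int
allowed_user(struct passwd * pw)
{
	struct stat st;
	struct group *grp;
	char *shell;
#ifdef WITH_AIXAUTHENTICATE
	char *loginmsg;
#endif /* WITH_AIXAUTHENTICATE */
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
    defined(HAS_SHADOW_EXPIRE)
	struct spwd *spw;
	time_t today;
#endif

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (pw == NULL)
		return 0;

#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
    defined(HAS_SHADOW_EXPIRE)
	/*
	 * Deny by default: a user without a shadow entry cannot be
	 * checked for expiry, so is refused rather than let through.
	 */
	spw = getspnam(pw->pw_name);
	if (spw == NULL)
		return 0;

	/*
	 * The shadow expiry fields are in days since the epoch; read the
	 * clock once so both comparisons see the same day.
	 */
	today = time(NULL) / 86400;

	/* Check account expiry */
	if (spw->sp_expire > 0 && today > spw->sp_expire)
		return 0;

	/* Check password expiry: last change plus the inactivity period */
	if (spw->sp_lstchg > 0 && spw->sp_inact > 0 &&
	    today > spw->sp_lstchg + spw->sp_inact)
		return 0;
#endif

	/*
	 * Get the shell from the password data. An empty shell field is
	 * legal, and means /bin/sh.
	 */
	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;

	/*
	 * Deny if the shell does not exist, is not a regular file, or has
	 * no execute bit at all. S_ISREG() is used instead of testing
	 * (st_mode & S_IFREG): S_IFREG is a value inside the S_IFMT field,
	 * not a single flag, so the bit test also accepts other file types
	 * that share the bit (on common systems, sockets).
	 */
	if (stat(shell, &st) != 0)
		return 0;
	if (!S_ISREG(st.st_mode) ||
	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0)
		return 0;

	/*
	 * DenyUsers / AllowUsers. A user without a name can be matched
	 * against nothing, so is denied whenever either list is in use.
	 */
	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
		if (pw->pw_name == NULL)
			return 0;
		/* Return false if user is listed in DenyUsers */
		if (name_matches_list(pw->pw_name, options.deny_users,
		    options.num_deny_users))
			return 0;
		/* Return false if AllowUsers isn't empty and user isn't listed */
		if (options.num_allow_users > 0 &&
		    !name_matches_list(pw->pw_name, options.allow_users,
		    options.num_allow_users))
			return 0;
	}

	/*
	 * DenyGroups / AllowGroups, checked against the primary group only.
	 * Failure to resolve the group (or a nameless group) is a denial.
	 */
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		grp = getgrgid(pw->pw_gid);
		if (grp == NULL || grp->gr_name == NULL)
			return 0;
		/* Return false if user's group is listed in DenyGroups */
		if (name_matches_list(grp->gr_name, options.deny_groups,
		    options.num_deny_groups))
			return 0;
		/* Return false if AllowGroups isn't empty and group isn't listed */
		if (options.num_allow_groups > 0 &&
		    !name_matches_list(grp->gr_name, options.allow_groups,
		    options.num_allow_groups))
			return 0;
	}

#ifdef WITH_AIXAUTHENTICATE
	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
		if (loginmsg && *loginmsg) {
			char *p;
			size_t len = strlen(loginmsg);

			/*
			 * Strip one trailing newline if there is one. The
			 * strip is conditional on purpose: unconditionally
			 * dropping the last character would eat a real
			 * character of a message that does not end in '\n'.
			 */
			if (loginmsg[len - 1] == '\n')
				loginmsg[len - 1] = '\0';
			/* Flatten embedded newlines so the log stays one line */
			for (p = loginmsg; *p; p++)
				if (*p == '\n')
					*p = ' ';
			log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
		}
		return 0;
	}
#endif /* WITH_AIXAUTHENTICATE */

	/* We found no reason not to let this user try to log on... */
	return 1;
}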