Damien Millerb38eff82000-04-01 11:09:21 +10001/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
Damien Millerefb4afe2000-04-12 18:45:05 +10004 * Copyright (c) 2000 Markus Friedl. All rights reserved.
Damien Millerb38eff82000-04-01 11:09:21 +10005 */
6
7#include "includes.h"
Damien Milleref7df542000-05-19 00:03:23 +10008RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
Damien Millerb38eff82000-04-01 11:09:21 +10009
10#include "xmalloc.h"
11#include "rsa.h"
12#include "ssh.h"
13#include "pty.h"
14#include "packet.h"
15#include "buffer.h"
16#include "cipher.h"
17#include "mpaux.h"
18#include "servconf.h"
Damien Millerefb4afe2000-04-12 18:45:05 +100019#include "compat.h"
Damien Millerb38eff82000-04-01 11:09:21 +100020#include "channels.h"
21#include "match.h"
Damien Millerd2c208a2000-05-17 22:00:02 +100022#ifdef HAVE_LOGIN_H
23#include <login.h>
24#endif
Damien Millerb38eff82000-04-01 11:09:21 +100025
Damien Millerefb4afe2000-04-12 18:45:05 +100026#include "bufaux.h"
27#include "ssh2.h"
28#include "auth.h"
Damien Millerb38eff82000-04-01 11:09:21 +100029#include "session.h"
30#include "dispatch.h"
31
Damien Millerefb4afe2000-04-12 18:45:05 +100032
Damien Millerb38eff82000-04-01 11:09:21 +100033/* import */
34extern ServerOptions options;
35extern char *forced_command;
36
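/*
 * Return nonzero if `name' matches at least one of the `npatterns'
 * patterns in `patterns' (matching is done by match_pattern()), else 0.
 */
static int
match_any_pattern(const char *name, char **patterns, int npatterns)
{
	int n;

	for (n = 0; n < npatterns; n++)
		if (match_pattern(name, patterns[n]))
			return 1;
	return 0;
}

/*
 * Check if the user is allowed to log in via ssh.  The decision is made
 * purely from the password entry and the server configuration; no
 * credentials are examined here.
 *
 * Returns 0 (deny) if:
 *  - pw is NULL;
 *  - the user's login shell (an empty pw_shell means /bin/sh) cannot be
 *    stat()ed, is not a regular file, or has no execute bit set for
 *    anyone;
 *  - the user name matches an entry in DenyUsers;
 *  - AllowUsers is non-empty and the user name matches none of it;
 *  - the name of the user's primary group (pw_gid) cannot be looked up,
 *    matches an entry in DenyGroups, or AllowGroups is non-empty and
 *    it matches none of it.  Only the primary group is consulted;
 *    supplementary group membership is not;
 *  - on AIX, loginrestrictions() refuses the login.
 * Otherwise 1 (allow) is returned.
 */
int
allowed_user(struct passwd * pw)
{
	struct stat st;
	struct group *grp;
	const char *shell;
#ifdef WITH_AIXAUTHENTICATE
	char *loginmsg;
#endif /* WITH_AIXAUTHENTICATE */

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (pw == NULL)
		return 0;

	/*
	 * Get the shell from the password data.  An empty shell field is
	 * legal and means /bin/sh; a NULL field is treated the same way
	 * instead of being dereferenced.
	 */
	shell = (pw->pw_shell == NULL || pw->pw_shell[0] == '\0') ?
	    _PATH_BSHELL : pw->pw_shell;

	/*
	 * Deny if the shell does not exist, is not a regular file, or is
	 * not executable by anybody.  S_ISREG() is used rather than
	 * testing (st_mode & S_IFREG): S_IFREG is a value within the
	 * S_IFMT field, not a single flag, so the bitwise test would also
	 * accept a socket.
	 */
	if (stat(shell, &st) != 0)
		return 0;
	if (!S_ISREG(st.st_mode) ||
	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0)
		return 0;

	/* DenyUsers: any match refuses the login. */
	if (options.num_deny_users > 0) {
		if (pw->pw_name == NULL)
			return 0;
		if (match_any_pattern(pw->pw_name, options.deny_users,
		    options.num_deny_users))
			return 0;
	}
	/* AllowUsers: when non-empty, the user must match at least one entry. */
	if (options.num_allow_users > 0) {
		if (pw->pw_name == NULL)
			return 0;
		if (!match_any_pattern(pw->pw_name, options.allow_users,
		    options.num_allow_users))
			return 0;
	}

	/*
	 * Group checks need the name of the primary group; look it up only
	 * when a group option is configured and deny if the lookup fails.
	 */
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		grp = getgrgid(pw->pw_gid);
		if (grp == NULL || grp->gr_name == NULL)
			return 0;

		/* DenyGroups: any match refuses the login. */
		if (options.num_deny_groups > 0 &&
		    match_any_pattern(grp->gr_name, options.deny_groups,
		    options.num_deny_groups))
			return 0;
		/* AllowGroups: when non-empty, the group must match an entry. */
		if (options.num_allow_groups > 0 &&
		    !match_any_pattern(grp->gr_name, options.allow_groups,
		    options.num_allow_groups))
			return 0;
	}

#ifdef WITH_AIXAUTHENTICATE
	/*
	 * Let the AIX login restrictions veto the login as well.  Any
	 * message it returns is logged on a single line: a trailing newline
	 * is dropped (only if present, so the last real character of a
	 * message without one is kept) and embedded newlines become spaces.
	 */
	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
		if (loginmsg != NULL && *loginmsg != '\0') {
			char *p = loginmsg + strlen(loginmsg);

			if (p[-1] == '\n')
				*--p = '\0';
			for (p = loginmsg; *p != '\0'; p++)
				if (*p == '\n')
					*p = ' ';
			log("Login restricted for %s: %.100s",
			    pw->pw_name, loginmsg);
		}
		return 0;
	}
#endif /* WITH_AIXAUTHENTICATE */

	/* We found no reason not to let this user try to log on... */
	return 1;
}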