diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2004-06-23 13:45:24 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2004-06-23 13:45:24 +1000 |
| commit | 0a9d43d7264ff0a74c4f9493be238e35ef04c952 (patch) | |
| tree | 5734ef5253ba9f4dac817c7987a00671c77d9fc6 | |
| parent | ef8f8af86c3df4d769892baeca5d18a7a8599908 (diff) | |
- (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
Move loginrestrictions test to port-aix.c, replace with a generic hook.
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | auth.c | 29 | ||||
| -rw-r--r-- | openbsd-compat/port-aix.c | 46 | ||||
| -rw-r--r-- | openbsd-compat/port-aix.h | 4 |
4 files changed, 55 insertions, 28 deletions
@@ -16,6 +16,8 @@ Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@ - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match -Wshadow change. + - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] + Move loginrestrictions test to port-aix.c, replace with a generic hook. 20040622 - (bal) [auth-passwd.c auth1.c] Clean up unused variables. @@ -1388,4 +1390,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3438 2004/06/23 03:21:54 mouring Exp $ +$Id: ChangeLog,v 1.3439 2004/06/23 03:45:24 dtucker Exp $ @@ -203,31 +203,10 @@ allowed_user(struct passwd * pw) ga_free(); } -#ifdef WITH_AIXAUTHENTICATE - /* - * Don't check loginrestrictions() for root account (use - * PermitRootLogin to control logins via ssh), or if running as - * non-root user (since loginrestrictions will always fail). - */ - if ((pw->pw_uid != 0) && (geteuid() == 0)) { - char *msg; - - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { - int loginrestrict_errno = errno; - - if (msg && *msg) { - buffer_append(&loginmsg, msg, strlen(msg)); - aix_remove_embedded_newlines(msg); - logit("Login restricted for %s: %.100s", - pw->pw_name, msg); - } - /* Don't fail if /etc/nologin set */ - if (!(loginrestrict_errno == EPERM && - stat(_PATH_NOLOGIN, &st) == 0)) - return 0; - } - } -#endif /* WITH_AIXAUTHENTICATE */ +#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER + if (!sys_auth_allowed_user(pw)) + return 0; +#endif /* We found no reason not to let this user try to log on... */ return 1; diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 5ba6819d..bf7e9865 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) return authsuccess; } - + +/* + * Check if specified account is permitted to log in. + * Returns 1 if login is allowed, 0 if not allowed. + */ +int +sys_auth_allowed_user(struct passwd *pw) +{ + char *msg = NULL; + int result, permitted = 0; + struct stat st; + + /* + * Don't perform checks for root account (PermitRootLogin controls + * logins via * ssh) or if running as non-root user (since + * loginrestrictions will always fail due to insufficient privilege). + */ + if (pw->pw_uid == 0 || geteuid() != 0) { + debug3("%s: not checking"); + return 1; + } + + result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg); + if (result == 0) + permitted = 1; + /* + * If restricted because /etc/nologin exists, the login will be denied + * in session.c after the nologin message is sent, so allow for now + * and do not append the returned message. + */ + if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0) + permitted = 1; + else if (msg != NULL) + buffer_append(&loginmsg, msg, strlen(msg)); + if (msg == NULL) + msg = xstrdup("(none)"); + aix_remove_embedded_newlines(msg); + debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg); + + if (!permitted) + logit("Login restricted for %s: %.100s", pw->pw_name, msg); + xfree(msg); + return permitted; +} + # ifdef CUSTOM_FAILED_LOGIN /* * record_failed_login: generic "login failed" interface function diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 3118af9a..3b82652d 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */ /* * @@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE # define CUSTOM_SYS_AUTH_PASSWD 1 +# define CUSTOM_SYS_AUTH_ALLOWED_USER 1 +int sys_auth_allowed_user(struct passwd *); # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *, const char *); #endif |