diff --git a/ChangeLog b/ChangeLog
index cc1f240cb..fb250af5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -83,6 +83,9 @@
  - markus@cvs.openbsd.org 2001/06/27 02:12:54
    [serverloop.c serverloop.h session.c session.h]
    quick hack to make ssh2 work again.
+ - markus@cvs.openbsd.org 2001/06/27 04:48:53
+   [auth.c match.c sshd.8]
+   tridge@samba.org
 
 20010629
  - (bal) Removed net_aton() since we don't use it any more
@@ -5910,4 +5913,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1362 2001/07/04 04:53:53 mouring Exp $
+$Id: ChangeLog,v 1.1363 2001/07/04 04:56:44 mouring Exp $
diff --git a/auth.c b/auth.c
index 892bb261a..84e0be761 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.25 2001/06/25 17:54:48 provos Exp $");
+RCSID("$OpenBSD: auth.c,v 1.26 2001/06/27 04:48:52 markus Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include
@@ -65,6 +65,7 @@ int
 allowed_user(struct passwd * pw)
 {
 	struct stat st;
+	const char *hostname = NULL, *ipaddr = NULL;
 	char *shell;
 	int i;
 #ifdef WITH_AIXAUTHENTICATE
@@ -109,16 +110,23 @@ allowed_user(struct passwd * pw)
 	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
 		return 0;
 
+	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
+		hostname = get_canonical_hostname(options.reverse_mapping_check);
+		ipaddr = get_remote_ipaddr();
+	}
+
 	/* Return false if user is listed in DenyUsers */
 	if (options.num_deny_users > 0) {
 		for (i = 0; i < options.num_deny_users; i++)
-			if (match_pattern(pw->pw_name, options.deny_users[i]))
+			if (match_user(pw->pw_name, hostname, ipaddr,
+			    options.deny_users[i]))
 				return 0;
 	}
 	/* Return false if AllowUsers isn't empty and user isn't listed there */
 	if (options.num_allow_users > 0) {
 		for (i = 0; i < options.num_allow_users; i++)
-			if (match_pattern(pw->pw_name, options.allow_users[i]))
+			if (match_user(pw->pw_name, hostname, ipaddr,
+			    options.allow_users[i]))
 				break;
 		/* i < options.num_allow_users iff we break for loop */
 		if (i >= options.num_allow_users)
diff --git a/match.c b/match.c
index 2e2d63092..188b9a416 100644
--- a/match.c
+++ b/match.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $");
+RCSID("$OpenBSD: match.c,v 1.14 2001/06/27 04:48:53 markus Exp $");
 
 #include "match.h"
 #include "xmalloc.h"
@@ -184,6 +184,30 @@ match_host_and_ip(const char *host, const char *ipaddr,
 	return 1;
 }
 
+/*
+ * match user, user@host_or_ip, user@host_or_ip_list against pattern
+ */
+int
+match_user(const char *user, const char *host, const char *ipaddr,
+    const char *pattern)
+{
+	char *p, *pat;
+	int ret;
+
+	if ((p = strchr(pattern,'@')) == NULL)
+		return match_pattern(user, pattern);
+
+	pat = xstrdup(pattern);
+	p = strchr(pat, '@');
+	*p++ = '\0';
+
+	if ((ret = match_pattern(user, pat)) == 1)
+		ret = match_host_and_ip(host, ipaddr, p);
+	xfree(pat);
+
+	return ret;
+}
+
 /*
  * Returns first item from client-list that is also supported by server-list,
  * caller must xfree() returned string.
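Review bot: The `hostname` that both new match_user calls compare against the host half of a USER@HOST entry is whatever `get_canonical_hostname(options.reverse_mapping_check)` returns, and nothing in this hunk verifies it further; if, as the argument name suggests, the reverse-mapped name is only cross-checked against a forward lookup when ReverseMappingCheck is enabled, then with that option off an AllowUsers entry like `admin@trusted.example` is matched against a name the remote side can presumably influence through its own PTR record, whereas `ipaddr` from `get_remote_ipaddr()` is not. That deserves a comment at the assignment, e.g. `/* hostname is the reverse-mapped name; for USER@HOST matching it is only trustworthy with ReverseMappingCheck on - prefer IP patterns otherwise */`, and a matching caveat in sshd.8. A lesser point is that the lookup now runs on every allowed_user() call whenever either list is non-empty, even if no entry contains `@`, so a slow or unreachable reverse resolver delays every authentication; deferring it until an `@` entry is actually encountered would avoid that. The body of allowed_user starts and ends outside this hunk.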
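Review bot: The new match_user accepts a pattern whose user or host half is empty, such as `root@` or `@10.0.0.1`, and presumably just never matches (match_pattern and match_host_and_ip are not in this diff, but an empty pattern list matching nothing is the likely outcome); since the DenyUsers loop in auth.c treats a non-match as "not listed", a DenyUsers entry with that typo silently stops denying. Rejecting such entries belongs in the sshd_config parser, which is outside this diff, but the header comment should at least state the contract, e.g. `/* Returns 1 if user matches the part before the first '@' and host or ipaddr matches the list after it, else 0; a pattern without '@' is matched against user alone. */`, and say whether host and ipaddr may be NULL when the pattern contains '@' (the one visible caller sets both first). A style point: the second `strchr(pat, '@')` only re-finds an offset already in hand; `p = pat + (p - pattern);` expresses that without a second scan.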
diff --git a/sshd.8 b/sshd.8
index d0b7cb612..314d863ed 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.134 2001/06/26 05:48:07 mpech Exp $
+.\" $OpenBSD: sshd.8,v 1.135 2001/06/27 04:48:53 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -329,6 +329,9 @@ can be used as wildcards in the patterns.
 Only user names are valid; a numerical user ID isn't recognized.
 By default login is allowed regardless of the user name.
+If the pattern takes the form USER@HOST then USER and HOST
+are separately checked, allowing you to restrict logins to particular
+users from particular hosts.
 .Pp
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public RSA keys that can be used