[auth.c match.c sshd.8]
     tridge@samba.org
This commit is contained in:
Ben Lindstrom 2001-07-04 04:56:44 +00:00
parent bddd551e11
commit 60260022ee
4 changed files with 44 additions and 6 deletions

View File

@ -83,6 +83,9 @@
- markus@cvs.openbsd.org 2001/06/27 02:12:54 - markus@cvs.openbsd.org 2001/06/27 02:12:54
[serverloop.c serverloop.h session.c session.h] [serverloop.c serverloop.h session.c session.h]
quick hack to make ssh2 work again. quick hack to make ssh2 work again.
- markus@cvs.openbsd.org 2001/06/27 04:48:53
[auth.c match.c sshd.8]
tridge@samba.org
20010629 20010629
- (bal) Removed net_aton() since we don't use it any more - (bal) Removed net_aton() since we don't use it any more
@ -5910,4 +5913,4 @@
- Wrote replacements for strlcpy and mkdtemp - Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1 - Released 1.0pre1
$Id: ChangeLog,v 1.1362 2001/07/04 04:53:53 mouring Exp $ $Id: ChangeLog,v 1.1363 2001/07/04 04:56:44 mouring Exp $

14
auth.c
View File

@ -23,7 +23,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.25 2001/06/25 17:54:48 provos Exp $"); RCSID("$OpenBSD: auth.c,v 1.26 2001/06/27 04:48:52 markus Exp $");
#ifdef HAVE_LOGIN_H #ifdef HAVE_LOGIN_H
#include <login.h> #include <login.h>
@ -65,6 +65,7 @@ int
allowed_user(struct passwd * pw) allowed_user(struct passwd * pw)
{ {
struct stat st; struct stat st;
const char *hostname = NULL, *ipaddr = NULL;
char *shell; char *shell;
int i; int i;
#ifdef WITH_AIXAUTHENTICATE #ifdef WITH_AIXAUTHENTICATE
@ -109,16 +110,23 @@ allowed_user(struct passwd * pw)
if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
return 0; return 0;
if (options.num_deny_users > 0 || options.num_allow_users > 0) {
hostname = get_canonical_hostname(options.reverse_mapping_check);
ipaddr = get_remote_ipaddr();
}
/* Return false if user is listed in DenyUsers */ /* Return false if user is listed in DenyUsers */
if (options.num_deny_users > 0) { if (options.num_deny_users > 0) {
for (i = 0; i < options.num_deny_users; i++) for (i = 0; i < options.num_deny_users; i++)
if (match_pattern(pw->pw_name, options.deny_users[i])) if (match_user(pw->pw_name, hostname, ipaddr,
options.deny_users[i]))
return 0; return 0;
} }
/* Return false if AllowUsers isn't empty and user isn't listed there */ /* Return false if AllowUsers isn't empty and user isn't listed there */
if (options.num_allow_users > 0) { if (options.num_allow_users > 0) {
for (i = 0; i < options.num_allow_users; i++) for (i = 0; i < options.num_allow_users; i++)
if (match_pattern(pw->pw_name, options.allow_users[i])) if (match_user(pw->pw_name, hostname, ipaddr,
options.allow_users[i]))
break; break;
/* i < options.num_allow_users iff we break for loop */ /* i < options.num_allow_users iff we break for loop */
if (i >= options.num_allow_users) if (i >= options.num_allow_users)

26
match.c
View File

@ -35,7 +35,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $"); RCSID("$OpenBSD: match.c,v 1.14 2001/06/27 04:48:53 markus Exp $");
#include "match.h" #include "match.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -184,6 +184,30 @@ match_host_and_ip(const char *host, const char *ipaddr,
return 1; return 1;
} }
/*
* match user, user@host_or_ip, user@host_or_ip_list against pattern
*/
int
match_user(const char *user, const char *host, const char *ipaddr,
const char *pattern)
{
char *p, *pat;
int ret;
if ((p = strchr(pattern,'@')) == NULL)
return match_pattern(user, pattern);
pat = xstrdup(pattern);
p = strchr(pat, '@');
*p++ = '\0';
if ((ret = match_pattern(user, pat)) == 1)
ret = match_host_and_ip(host, ipaddr, p);
xfree(pat);
return ret;
}
/* /*
* Returns first item from client-list that is also supported by server-list, * Returns first item from client-list that is also supported by server-list,
* caller must xfree() returned string. * caller must xfree() returned string.

5
sshd.8
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd.8,v 1.134 2001/06/26 05:48:07 mpech Exp $ .\" $OpenBSD: sshd.8,v 1.135 2001/06/27 04:48:53 markus Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSHD 8 .Dt SSHD 8
.Os .Os
@ -329,6 +329,9 @@ can be used as
wildcards in the patterns. wildcards in the patterns.
Only user names are valid; a numerical user ID isn't recognized. Only user names are valid; a numerical user ID isn't recognized.
By default login is allowed regardless of the user name. By default login is allowed regardless of the user name.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, allowing you to restrict logins to particular
users from particular hosts.
.Pp .Pp
.It Cm AuthorizedKeysFile .It Cm AuthorizedKeysFile
Specifies the file that contains the public RSA keys that can be used Specifies the file that contains the public RSA keys that can be used