From 916d83d208d751b9a3605165893370c8d429bba5 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Tue, 5 Mar 2002 01:35:23 +0000 Subject: [PATCH] - stevesk@cvs.openbsd.org 2002/02/28 19:36:28 [auth.c match.c match.h] delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@ --- ChangeLog | 6 +++++- auth.c | 12 +++--------- match.c | 9 ++++++--- match.h | 4 ++-- 4 files changed, 16 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7b0ed44ca..f595caff9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,10 @@ - markus@cvs.openbsd.org 2002/02/28 15:46:33 [authfile.c kex.c kexdh.c kexgex.c key.c ssh-dss.c] add some const EVP_MD for openssl-0.9.7 + - stevesk@cvs.openbsd.org 2002/02/28 19:36:28 + [auth.c match.c match.h] + delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers + for sshd -u0; ok markus@ 20020226 - (tim) Bug 12 [configure.ac] add sys/bitypes.h to int64_t tests @@ -7751,4 +7755,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1896 2002/03/05 01:33:36 mouring Exp $ +$Id: ChangeLog,v 1.1897 2002/03/05 01:35:23 mouring Exp $ diff --git a/auth.c b/auth.c index efa7ee28b..eae6a7bdf 100644 --- a/auth.c +++ b/auth.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.32 2002/01/29 14:32:03 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.33 2002/02/28 19:36:28 stevesk Exp $"); #ifdef HAVE_LOGIN_H #include @@ -65,7 +65,6 @@ int allowed_user(struct passwd * pw) { struct stat st; - const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; #ifdef WITH_AIXAUTHENTICATE @@ -110,22 +109,17 @@ allowed_user(struct passwd * pw) if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) return 0; - if (options.num_deny_users > 0 || options.num_allow_users > 0) { - hostname = get_canonical_hostname(options.verify_reverse_mapping); - ipaddr = get_remote_ipaddr(); - } - /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) - if (match_user(pw->pw_name, hostname, ipaddr, + if (match_user(pw->pw_name, options.verify_reverse_mapping, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { for (i = 0; i < options.num_allow_users; i++) - if (match_user(pw->pw_name, hostname, ipaddr, + if (match_user(pw->pw_name, options.verify_reverse_mapping, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ diff --git a/match.c b/match.c index c82c28a8b..e73ed2aa2 100644 --- a/match.c +++ b/match.c @@ -35,9 +35,10 @@ */ #include "includes.h" -RCSID("$OpenBSD: match.c,v 1.17 2002/02/11 16:21:42 markus Exp $"); +RCSID("$OpenBSD: match.c,v 1.18 2002/02/28 19:36:28 stevesk Exp $"); #include "match.h" +#include "canohost.h" #include "xmalloc.h" /* @@ -202,7 +203,7 @@ match_host_and_ip(const char *host, const char *ipaddr, * match user, user@host_or_ip, user@host_or_ip_list against pattern */ int -match_user(const char *user, const char *host, const char *ipaddr, +match_user(const char *user, int verify_reverse_mapping, const char *pattern) { char *p, *pat; @@ -216,7 +217,9 @@ match_user(const char *user, const char *host, const char *ipaddr, *p++ = '\0'; if ((ret = match_pattern(user, pat)) == 1) - ret = match_host_and_ip(host, ipaddr, p); + ret = match_host_and_ip( + get_canonical_hostname(verify_reverse_mapping), + get_remote_ipaddr(), p); xfree(pat); return ret; diff --git a/match.h b/match.h index 7b777de3d..a5e85a9d8 100644 --- a/match.h +++ b/match.h @@ -1,4 +1,4 @@ -/* $OpenBSD: match.h,v 1.10 2001/12/05 16:54:51 markus Exp $ */ +/* $OpenBSD: match.h,v 1.11 2002/02/28 19:36:28 stevesk Exp $ */ /* * Author: Tatu Ylonen @@ -18,7 +18,7 @@ int match_pattern(const char *, const char *); int match_pattern_list(const char *, const char *, u_int, int); int match_hostname(const char *, const char *, u_int); int match_host_and_ip(const char *, const char *, const char *); -int match_user(const char *, const char *, const char *, const char *); +int match_user(const char *, int, const char *); char *match_list(const char *, const char *, u_int *); #endif