Hi.

This patch implements the login.access(5) mechanism in OpenSSH,
adds more auth_*() LOGIN_CAP functions for login(1) compatibility,
and uses += to preserve CFLAGS from make.conf.

Please review and commit.

--- secure/usr.sbin/sshd/Makefile.old   Mon Feb 28 22:27:31 2000
+++ secure/usr.sbin/sshd/Makefile       Wed Mar  1 18:11:32 2000
@@ -1,7 +1,8 @@
 # $FreeBSD: src/secure/usr.sbin/sshd/Makefile,v 1.3 2000/02/28 19:27:31 markm Exp $
 #
 
-SSHSRC=        ${.CURDIR}/../../../crypto/openssh
+SSHSRC=          ${.CURDIR}/../../../crypto/openssh
+LOGINSRC= ${.CURDIR}/../../../usr.bin/login
 
 PROG=  sshd
 BINOWN=        root
@@ -9,13 +10,14 @@
 MAN8=  sshd.8
 
 SRCS=  sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
-       pty.c log-server.c login.c servconf.c serverloop.c
+       pty.c log-server.c login.c servconf.c serverloop.c \
+       login_access.c
 
-CFLAGS=        -DLIBWRAP
+CFLAGS+= -DLIBWRAP -DLOGIN_ACCESS -I${LOGINSRC}
 
 .include <bsd.own.mk>
 
-.PATH:         ${SSHSRC}
+.PATH:         ${SSHSRC} ${LOGINSRC}
 
 .if defined(MAKE_KERBEROS4) && \
        ((${MAKE_KERBEROS4} == "yes") || (${MAKE_KERBEROS4} == "YES"))
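Review bot: `-DLOGIN_ACCESS` is added unconditionally on the `CFLAGS+=` line, while the sshd.c code it enables sits next to `LOGIN_CAP` blocks whose defining symbol is not visible in this Makefile; presumably it comes from the OpenSSH build configuration. A one-line comment above the CFLAGS line would make the coupling explicit, e.g. `# LOGIN_ACCESS: compile login_access.c from usr.bin/login into sshd and enable the login.access(5) check`. Note also that pulling `login_access.c` in through `.PATH` means sshd's build now depends on that file staying self-contained within usr.bin/login.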
--- crypto/openssh/sshd.c.old   Wed Mar  1 17:31:16 2000
+++ crypto/openssh/sshd.c       Wed Mar  1 17:52:08 2000
@@ -1293,10 +1293,13 @@
        char *user;
 #ifdef LOGIN_CAP
        login_cap_t *lc;
-       char *hosts;
-       const char *from_host, *from_ip;
-       int denied;
 #endif /* LOGIN_CAP */
+#if defined(LOGIN_CAP) || defined(LOGIN_ACCESS)
+       const char *from_host, *from_ip;
+
+       from_host = get_canonical_hostname();
+       from_ip = get_remote_ipaddr();
+#endif /* LOGIN_CAP || LOGIN_ACCESS */
 
        /* Get the name of the user that we wish to log in as. */
        packet_read_expect(&plen, SSH_CMSG_USER);
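Review bot: The new `from_host = get_canonical_hostname();` / `from_ip = get_remote_ipaddr();` lines are now resolved before the user name is even read from the client and are shared by two different access checks, but nothing says why they were hoisted here. A short comment would help the next reader, e.g. `/* Resolve the peer name and address once; used by the login.conf(5) host/time checks and the login.access(5) check below. */`. The enclosing function starts outside this hunk, so I cannot see whether the host name is used anywhere else before this point.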
@@ -1375,28 +1378,25 @@
        lc = login_getpwclass(pw);
        if (lc == NULL)
                lc = login_getclassbyname(NULL, pw);
-       from_host = get_canonical_hostname();
-       from_ip = get_remote_ipaddr();
-
-       denied = 0;
-       if ((hosts = login_getcapstr(lc, "host.deny", NULL, NULL)) != NULL) {
-               denied = match_hostname(from_host, hosts, strlen(hosts));
-               if (!denied)
-                       denied = match_hostname(from_ip, hosts, strlen(hosts));
+       if (!auth_hostok(lc, from_host, from_ip)) {
+               log("Denied connection for %.200s from %.200s [%.200s].",
+                   pw->pw_name, from_host, from_ip);
+               packet_disconnect("Sorry, you are not allowed to connect.");
        }
-       if (!denied &&
-           (hosts = login_getcapstr(lc, "host.allow", NULL, NULL)) != NULL) {
-               denied = !match_hostname(from_host, hosts, strlen(hosts));
-               if (denied)
-                       denied = !match_hostname(from_ip, hosts, strlen(hosts));
+       if (!auth_timeok(lc, time(NULL))) {
+               log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+                   pw->pw_name, from_host);
+               packet_disconnect("Logins not available right now.");
        }
        login_close(lc);
-       if (denied) {
+#endif  /* LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+       if (!login_access(pw->pw_name, from_host)) {
                log("Denied connection for %.200s from %.200s [%.200s].",
                    pw->pw_name, from_host, from_ip);
                packet_disconnect("Sorry, you are not allowed to connect.");
        }
-#endif  /* LOGIN_CAP */
+#endif /* LOGIN_ACCESS */
 
        if (pw->pw_uid == 0)
                log("ROOT LOGIN as '%.100s' from %.100s",
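Review bot: At the `if (!login_access(pw->pw_name, from_host))` line the login.access(5) check is given only the canonical hostname, whereas the `auth_hostok(lc, from_host, from_ip)` call just above is given both the name and the address. Unless get_canonical_hostname() already returns the address when the reverse lookup fails or is disabled, address- or network-form entries in login.access will not match here, and a peer whose reverse DNS is absent or attacker-controlled is matched only by that name. Whether a second call with from_ip is appropriate depends on how login(1) invokes login_access (a LOCAL rule would behave differently for a dotted address), so at minimum I would document the choice: `/* login.access(5) is matched on the canonical hostname only, mirroring login(1); address-form entries depend on the resolver returning the address when no name is available. */`. The enclosing function starts before and ends after this hunk.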
@@ -2341,6 +2341,15 @@
                                     ctime(&pw->pw_expire));
                }
 #endif /* __FreeBSD__ */
+#ifdef LOGIN_CAP
+               if (!auth_ttyok(lc, ttyname)) {
+                       (void)printf("Permission denied.\n");
+                       log(
+                      "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+                           pw->pw_name, hostname, ttyname);
+                       exit(254);
+               }
+#endif /* LOGIN_CAP */
 
                /*
                 * If the user has logged in before, display the time of last
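Review bot: The added `auth_ttyok(lc, ttyname)` block uses `lc`, `ttyname` and `hostname` that are all declared outside this hunk; the `lc` opened in the earlier hunk was closed by `login_close()` there, so this one must be a separate login_cap_t obtained in this function, which I cannot confirm from the hunk. If it can be NULL here (e.g. `login_getpwclass()` failed), `auth_ttyok()` needs to tolerate that or the check needs a guard. Stylistically the `log(` call is split with the format string on its own oddly indented line; keeping it as `log("LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",` followed by `    pw->pw_name, hostname, ttyname);` matches the other log calls in this patch. The enclosing function starts and ends outside this hunk.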


-- 
Andrey A. Chernov
<[EMAIL PROTECTED]>
http://nagual.pp.ru/~ache/

