From owner-freebsd-current Wed Mar 1 7:15:59 2000 Delivered-To: freebsd-current@freebsd.org Received: from nagual.pp.ru (hermes.dialup.ru [194.87.16.230]) by hub.freebsd.org (Postfix) with ESMTP id 8E9A237BB7C; Wed, 1 Mar 2000 07:15:42 -0800 (PST) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.9.3/8.9.3) id SAA02525; Wed, 1 Mar 2000 18:15:33 +0300 (MSK) (envelope-from ache) Date: Wed, 1 Mar 2000 18:15:33 +0300 From: "Andrey A. Chernov" To: markm@freebsd.org Cc: current@freebsd.org Subject: [PATCH] OpenSSH: login.access and more auth_* Message-ID: <20000301181533.A2397@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i Organization: Biomechanoid Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Hi. This patch implements login.access(5) mechanism in OpenSSH, add more auth_*() LOGIN_CAP functions for login(1) compatibility and use += to preserve CFLAGS from make.conf Please review and commit.
--- secure/usr.sbin/sshd/Makefile.old Mon Feb 28 22:27:31 2000
+++ secure/usr.sbin/sshd/Makefile Wed Mar 1 18:11:32 2000
@@ -1,7 +1,8 @@
 # $FreeBSD: src/secure/usr.sbin/sshd/Makefile,v 1.3 2000/02/28 19:27:31 markm Exp $
 #
-SSHSRC= ${.CURDIR}/../../../crypto/openssh
+SSHSRC= ${.CURDIR}/../../../crypto/openssh
+LOGINSRC= ${.CURDIR}/../../../usr.bin/login
 PROG= sshd
 BINOWN= root
@@ -9,13 +10,14 @@
 MAN8= sshd.8
 SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
- pty.c log-server.c login.c servconf.c serverloop.c
+ pty.c log-server.c login.c servconf.c serverloop.c \
+ login_access.c
-CFLAGS= -DLIBWRAP
+CFLAGS+= -DLIBWRAP -DLOGIN_ACCESS -I${LOGINSRC}
 .include
-.PATH: ${SSHSRC}
+.PATH: ${SSHSRC} ${LOGINSRC}
 .if defined(MAKE_KERBEROS4) && \
 ((${MAKE_KERBEROS4} == "yes") || (${MAKE_KERBEROS4} == "YES"))
--- crypto/openssh/sshd.c.old Wed Mar 1 17:31:16 2000
+++ crypto/openssh/sshd.c Wed Mar 1 17:52:08 2000
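Review bot: `.PATH: ${SSHSRC} ${LOGINSRC}` makes the build depend on search order: `login.c` is listed in SRCS and usr.bin/login has a `login.c` of its own, so sshd's copy is chosen only because ${SSHSRC} is named first. Borrowing a single file from another program's directory this way is fragile, and nothing in the Makefile says why ${LOGINSRC} is there; I would add `# ${LOGINSRC} is on .PATH only for login_access.c; keep ${SSHSRC} first so sshd's own login.c wins` next to the `.PATH` line. `-I${LOGINSRC}` likewise puts every header in usr.bin/login on the include path of all of sshd's sources, which is wider than login_access.c needs; if it is there only for login_access.c's own includes, say so in the same comment.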
@@ -1293,10 +1293,13 @@
 char *user;
 #ifdef LOGIN_CAP
 login_cap_t *lc;
- char *hosts;
- const char *from_host, *from_ip;
- int denied;
 #endif /* LOGIN_CAP */
+#if defined(LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname();
+ from_ip = get_remote_ipaddr();
+#endif /* LOGIN_CAP || LOGIN_ACCESS */
 /* Get the name of the user that we wish to log in as. */
 packet_read_expect(&plen, SSH_CMSG_USER);
@@ -1375,28 +1378,25 @@
 lc = login_getpwclass(pw);
 if (lc == NULL)
 lc = login_getclassbyname(NULL, pw);
- from_host = get_canonical_hostname();
- from_ip = get_remote_ipaddr();
-
- denied = 0;
- if ((hosts = login_getcapstr(lc, "host.deny", NULL, NULL)) != NULL) {
- denied = match_hostname(from_host, hosts, strlen(hosts));
- if (!denied)
- denied = match_hostname(from_ip, hosts, strlen(hosts));
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
 }
- if (!denied &&
- (hosts = login_getcapstr(lc, "host.allow", NULL, NULL)) != NULL) {
- denied = !match_hostname(from_host, hosts, strlen(hosts));
- if (denied)
- denied = !match_hostname(from_ip, hosts, strlen(hosts));
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
 }
 login_close(lc);
- if (denied) {
+#endif /* LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (!login_access(pw->pw_name, from_host)) {
 log("Denied connection for %.200s from %.200s [%.200s].",
 pw->pw_name, from_host, from_ip);
 packet_disconnect("Sorry, you are not allowed to connect.");
 }
-#endif /* LOGIN_CAP */
+#endif /* LOGIN_ACCESS */
 if (pw->pw_uid == 0)
 log("ROOT LOGIN as '%.100s' from %.100s",
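Review bot: The `auth_hostok` refusal and the `login_access` refusal in the second hunk log the identical `Denied connection for %.200s from %.200s [%.200s].` line, so an operator reading syslog cannot tell whether login.conf's host.allow/host.deny or login.access(5) rejected the client, while the new `auth_timeok` path already uses the distinguishable `LOGIN ... REFUSED (TIME)` form. I would make the other two follow it, e.g. `log("LOGIN %.200s REFUSED (HOST) FROM %.200s [%.200s]", pw->pw_name, from_host, from_ip);` for the host-class check and the same line with `(ACCESS)` for the login.access check, keeping the client-facing `packet_disconnect()` text as it is. Separately, `login_access()` is handed only `from_host`, and as I read login_access.c's from_match the tokens are compared literally against that one string, so a login.access entry written as an address or network prefix (the `192.0.2.` form) will presumably match only when the reverse lookup yielded no name and `from_host` is the address itself; that limitation deserves a comment at the call, e.g. `/* login_access() sees only the canonical hostname; address-form login.access entries do not match a client that resolves to a name. */`.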
@@ -2341,6 +2341,15 @@
 ctime(&pw->pw_expire));
 }
 #endif /* __FreeBSD__ */
+#ifdef LOGIN_CAP
+ if (!auth_ttyok(lc, ttyname)) {
+ (void)printf("Permission denied.\n");
+ log(
+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+ pw->pw_name, hostname, ttyname);
+ exit(254);
+ }
+#endif /* LOGIN_CAP */
 /*
 * If the user has logged in before, display the time of last
-- Andrey A. Chernov http://nagual.pp.ru/~ache/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
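Review bot: `lc`, `ttyname` and `hostname` are used here but none of them is declared in the hunk, and the enclosing function begins outside it; please confirm that `lc` is an open login_cap_t at this point in that function, since the only `lc` visible in the patch is the one at line 1375 that is already passed to `login_close()` in what appears to be a different function. This check ends the session with `exit(254)` after printing to stdout, whereas the host and time checks call `packet_disconnect()`; presumably that is because this code runs in the session child after the tty is set up, and a one-line comment would save the next reader the question, e.g. `/* Session child: report on the tty and exit; packet_disconnect() is only for the pre-session path. */`. The `Permission denied.` text shown to the user deliberately does not say that the class's ttys.allow/ttys.deny rule is the cause, so the syslog line carrying `(TTY)` is the only record of it — worth keeping in mind if the log wording above is ever changed.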