1c1
< /* $OpenBSD: auth.c,v 1.80 2008/11/04 07:58:09 djm Exp $ */
---
> /* $OpenBSD: auth.c,v 1.86 2010/03/05 02:58:11 djm Exp $ */
27c27
< __RCSID("$FreeBSD: head/crypto/openssh/auth.c 192595 2009-05-22 18:46:28Z des $");
---
> __RCSID("$FreeBSD: head/crypto/openssh/auth.c 204917 2010-03-09 19:16:43Z des $");
72a73
> #include "authfile.h"
99d99
< char *shell;
157,158c157,158
< * Get the shell from the password data. An empty shell field is
< * legal, and means /bin/sh.
---
> * Deny if shell does not exist or is not executable unless we
> * are chrooting.
160c160,163
< shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
---
> if (options.chroot_directory == NULL ||
> strcasecmp(options.chroot_directory, "none") == 0) {
> char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
> _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
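Review bot: The new condition on `options.chroot_directory` skips the shell existence and executability check entirely once a ChrootDirectory is configured, so an account whose `pw_shell` points at a missing or non-executable file is no longer rejected at this point. The rewritten comment says the check is skipped but not what follows from it. I would add `/* NB: with ChrootDirectory set, an invalid pw_shell no longer denies login here; disable accounts by other means */` above the `if`. The block opened here is closed by the following hunks, and the enclosing function starts and ends outside this hunk.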
162,166c165,178
< /* deny if shell does not exists or is not executable */
< if (stat(shell, &st) != 0) {
< logit("User %.100s not allowed because shell %.100s does not exist",
< pw->pw_name, shell);
< return 0;
---
> if (stat(shell, &st) != 0) {
> logit("User %.100s not allowed because shell %.100s "
> "does not exist", pw->pw_name, shell);
> xfree(shell);
> return 0;
> }
> if (S_ISREG(st.st_mode) == 0 ||
> (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
> logit("User %.100s not allowed because shell %.100s "
> "is not executable", pw->pw_name, shell);
> xfree(shell);
> return 0;
> }
> xfree(shell);
168,173d179
< if (S_ISREG(st.st_mode) == 0 ||
< (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
< logit("User %.100s not allowed because shell %.100s is not executable",
< pw->pw_name, shell);
< return 0;
< }
459c465
< /* If are passed the homedir then we can stop */
---
> /* If are past the homedir then we can stop */
487c493,496
< if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
---
> if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
> if (errno != ENOENT)
> debug("Could not open keyfile '%s': %s", file,
> strerror(errno));
488a498
> }
528a539,542
> #if defined(_AIX) && defined(HAVE_SETAUTHDB)
> aix_setauthdb(user);
> #endif
>
529a544,560
>
> #if defined(_AIX) && defined(HAVE_SETAUTHDB)
> aix_restoreauthdb();
> #endif
> #ifdef HAVE_CYGWIN
> /*
> * Windows usernames are case-insensitive. To avoid later problems
> * when trying to match the username, the user is only allowed to
> * login if the username is given in the same case as stored in the
> * user database.
> */
> if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
> logit("Login name %.100s does not match stored username %.100s",
> user, pw->pw_name);
> pw = NULL;
> }
> #endif
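Review bot: The Cygwin comment explains why a case-mismatched name is refused but not how the refusal is carried out, which is by clearing `pw` after the `strcmp`. The code that consumes `pw` is outside this hunk, so this is inferred, but the attempt presumably then takes the same path as an unknown account. I would say so in the comment, e.g. `/* ... treated as an unknown user below, so the response does not differ from a nonexistent account */`. That keeps a later change from adding a distinct early failure here that would let a client tell the two cases apart.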
563a595,623
> /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
> int
> auth_key_is_revoked(Key *key)
> {
> char *key_fp;
>
> if (options.revoked_keys_file == NULL)
> return 0;
>
> switch (key_in_file(key, options.revoked_keys_file, 0)) {
> case 0:
> /* key not revoked */
> return 0;
> case -1:
> /* Error opening revoked_keys_file: refuse all keys */
> error("Revoked keys file is unreadable: refusing public key "
> "authentication");
> return 1;
> case 1:
> /* Key revoked */
> key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
> error("WARNING: authentication attempt with a revoked "
> "%s key %s ", key_type(key), key_fp);
> xfree(key_fp);
> return 1;
> }
> fatal("key_in_file returned junk");
> }
>
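Review bot: The header comment on `auth_key_is_revoked` understates the contract, because the `case -1` branch also returns 1 when the revoked-keys file cannot be opened, so every key is refused in that state. I would reword it to `/* Returns 1 if key is revoked by revoked_keys_file or if that file cannot be read (fail closed), 0 otherwise */` so callers and administrators know an unreadable file disables public key authentication. Separately, the format string `"%s key %s "` ends with a stray space that will land in the log line; `"%s key %s"` is enough.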