auth.c revision 60573
1/* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 5 */ 6 7#include "includes.h" 8RCSID("$OpenBSD: auth.c,v 1.6 2000/04/26 21:28:31 markus Exp $"); 9 10#include "xmalloc.h" 11#include "rsa.h" 12#include "ssh.h" 13#include "pty.h" 14#include "packet.h" 15#include "buffer.h" 16#include "cipher.h" 17#include "mpaux.h" 18#include "servconf.h" 19#include "compat.h" 20#include "channels.h" 21#include "match.h" 22 23#include "bufaux.h" 24#include "ssh2.h" 25#include "auth.h" 26#include "session.h" 27#include "dispatch.h" 28 29 30/* import */ 31extern ServerOptions options; 32extern char *forced_command; 33 34/* 35 * Check if the user is allowed to log in via ssh. If user is listed in 36 * DenyUsers or user's primary group is listed in DenyGroups, false will 37 * be returned. If AllowUsers isn't empty and user isn't listed there, or 38 * if AllowGroups isn't empty and user isn't listed there, false will be 39 * returned. 40 * If the user's shell is not executable, false will be returned. 41 * Otherwise true is returned. 42 */ 43int 44allowed_user(struct passwd * pw) 45{ 46 struct stat st; 47 struct group *grp; 48 int i; 49 50 /* Shouldn't be called if pw is NULL, but better safe than sorry... */ 51 if (!pw) 52 return 0; 53 54 /* deny if shell does not exists or is not executable */ 55 if (stat(pw->pw_shell, &st) != 0) 56 return 0; 57 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) 58 return 0; 59 60 /* Return false if user is listed in DenyUsers */ 61 if (options.num_deny_users > 0) { 62 if (!pw->pw_name) 63 return 0; 64 for (i = 0; i < options.num_deny_users; i++) 65 if (match_pattern(pw->pw_name, options.deny_users[i])) 66 return 0; 67 } 68 /* Return false if AllowUsers isn't empty and user isn't listed there */ 69 if (options.num_allow_users > 0) { 70 if (!pw->pw_name) 71 return 0; 72 for (i = 0; i < options.num_allow_users; i++) 73 if (match_pattern(pw->pw_name, options.allow_users[i])) 74 break; 75 /* i < options.num_allow_users iff we break for loop */ 76 if (i >= options.num_allow_users) 77 return 0; 78 } 79 /* Get the primary group name if we need it. Return false if it fails */ 80 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { 81 grp = getgrgid(pw->pw_gid); 82 if (!grp) 83 return 0; 84 85 /* Return false if user's group is listed in DenyGroups */ 86 if (options.num_deny_groups > 0) { 87 if (!grp->gr_name) 88 return 0; 89 for (i = 0; i < options.num_deny_groups; i++) 90 if (match_pattern(grp->gr_name, options.deny_groups[i])) 91 return 0; 92 } 93 /* 94 * Return false if AllowGroups isn't empty and user's group 95 * isn't listed there 96 */ 97 if (options.num_allow_groups > 0) { 98 if (!grp->gr_name) 99 return 0; 100 for (i = 0; i < options.num_allow_groups; i++) 101 if (match_pattern(grp->gr_name, options.allow_groups[i])) 102 break; 103 /* i < options.num_allow_groups iff we break for 104 loop */ 105 if (i >= options.num_allow_groups) 106 return 0; 107 } 108 } 109 /* We found no reason not to let this user try to log on... */ 110 return 1; 111} 112