Commit 0a9d43d7 authored by Darren Tucker's avatar Darren Tucker

- (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]

   Move loginrestrictions test to port-aix.c, replace with a generic hook.
parent ef8f8af8
......@@ -16,6 +16,8 @@
Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@
- (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match
-Wshadow change.
- (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
Move loginrestrictions test to port-aix.c, replace with a generic hook.
20040622
- (bal) [auth-passwd.c auth1.c] Clean up unused variables.
......@@ -1388,4 +1390,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3438 2004/06/23 03:21:54 mouring Exp $
$Id: ChangeLog,v 1.3439 2004/06/23 03:45:24 dtucker Exp $
......@@ -203,31 +203,10 @@ allowed_user(struct passwd * pw)
ga_free();
}
#ifdef WITH_AIXAUTHENTICATE
/*
* Don't check loginrestrictions() for root account (use
* PermitRootLogin to control logins via ssh), or if running as
* non-root user (since loginrestrictions will always fail).
*/
if ((pw->pw_uid != 0) && (geteuid() == 0)) {
char *msg;
if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
int loginrestrict_errno = errno;
if (msg && *msg) {
buffer_append(&loginmsg, msg, strlen(msg));
aix_remove_embedded_newlines(msg);
logit("Login restricted for %s: %.100s",
pw->pw_name, msg);
}
/* Don't fail if /etc/nologin set */
if (!(loginrestrict_errno == EPERM &&
stat(_PATH_NOLOGIN, &st) == 0))
return 0;
}
}
#endif /* WITH_AIXAUTHENTICATE */
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
if (!sys_auth_allowed_user(pw))
return 0;
#endif
/* We found no reason not to let this user try to log on... */
return 1;
......
......@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
return authsuccess;
}
/*
* Check if specified account is permitted to log in.
* Returns 1 if login is allowed, 0 if not allowed.
*/
int
sys_auth_allowed_user(struct passwd *pw)
{
char *msg = NULL;
int result, permitted = 0;
struct stat st;
/*
* Don't perform checks for root account (PermitRootLogin controls
* logins via * ssh) or if running as non-root user (since
* loginrestrictions will always fail due to insufficient privilege).
*/
if (pw->pw_uid == 0 || geteuid() != 0) {
debug3("%s: not checking");
return 1;
}
result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
if (result == 0)
permitted = 1;
/*
* If restricted because /etc/nologin exists, the login will be denied
* in session.c after the nologin message is sent, so allow for now
* and do not append the returned message.
*/
if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
permitted = 1;
else if (msg != NULL)
buffer_append(&loginmsg, msg, strlen(msg));
if (msg == NULL)
msg = xstrdup("(none)");
aix_remove_embedded_newlines(msg);
debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
if (!permitted)
logit("Login restricted for %s: %.100s", pw->pw_name, msg);
xfree(msg);
return permitted;
}
# ifdef CUSTOM_FAILED_LOGIN
/*
* record_failed_login: generic "login failed" interface function
......
/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */
/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */
/*
*
......@@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *);
#ifdef WITH_AIXAUTHENTICATE
# define CUSTOM_SYS_AUTH_PASSWD 1
# define CUSTOM_SYS_AUTH_ALLOWED_USER 1
int sys_auth_allowed_user(struct passwd *);
# define CUSTOM_FAILED_LOGIN 1
void record_failed_login(const char *, const char *);
#endif
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment