/*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
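 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.10 2000/09/07 21:13:36 markus Exp $");
RCSID("$FreeBSD$");

#include "xmalloc.h"
#include "rsa.h"
#include "ssh.h"
#include "pty.h"
#include "packet.h"
#include "buffer.h"
#include "cipher.h"
#include "mpaux.h"
#include "servconf.h"
#include "compat.h"
#include "channels.h"
#include "match.h"

#include "bufaux.h"
#include "ssh2.h"
#include "auth.h"
#include "session.h"

/* import */
extern ServerOptions options;

/*
 * Return non-zero if 'name' matches any of the 'n' entries in 'list'.
 * Entries are compared with match_pattern(), so they are patterns (as
 * configured in sshd_config), not literal names.  An empty list (n <= 0)
 * never matches.  'name' must not be NULL.
 */
static int
name_in_list(const char *name, char **list, int n)
{
	int i;

	for (i = 0; i < n; i++)
		if (match_pattern(name, list[i]))
			return 1;
	return 0;
}

/*
 * Check if the user is allowed to log in via ssh. If user is listed in
 * DenyUsers or user's primary group is listed in DenyGroups, false will
 * be returned. If AllowUsers isn't empty and user isn't listed there, or
 * if AllowGroups isn't empty and user isn't listed there, false will be
 * returned.
 * If the user's shell is not executable, false will be returned.
 * Otherwise true is returned.
 *
 * A NULL pw, or a pw without a user name, is always rejected: no later
 * check can be performed without a name, so failing closed is the only
 * safe answer.  Deny lists are evaluated before allow lists, so a name
 * that appears in both is denied.
 */
int
allowed_user(struct passwd * pw)
{
	struct stat st;
	struct group *grp;
	char *shell;

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (!pw || !pw->pw_name)
		return 0;

	/*
	 * Get the shell from the password data. An empty shell field is
	 * legal, and means /bin/sh.  A missing (NULL) field is treated the
	 * same way instead of being dereferenced.
	 */
	shell = (pw->pw_shell == NULL || pw->pw_shell[0] == '\0') ?
	    _PATH_BSHELL : pw->pw_shell;

	/* deny if shell does not exist or is not executable */
	if (stat(shell, &st) != 0)
		return 0;
	/*
	 * S_ISREG() compares the whole file-type field.  Testing the S_IFREG
	 * bit on its own also accepts other types whose encoding happens to
	 * include that bit (e.g. S_IFSOCK), which is not what we want here.
	 */
	if (!S_ISREG(st.st_mode) ||
	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0)
		return 0;

	/* Return false if user is listed in DenyUsers */
	if (name_in_list(pw->pw_name, options.deny_users,
	    options.num_deny_users))
		return 0;
	/* Return false if AllowUsers isn't empty and user isn't listed there */
	if (options.num_allow_users > 0 &&
	    !name_in_list(pw->pw_name, options.allow_users,
	    options.num_allow_users))
		return 0;

	/* Get the primary group name if we need it. Return false if it fails */
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		grp = getgrgid(pw->pw_gid);
		if (!grp || !grp->gr_name)
			return 0;

		/* Return false if user's group is listed in DenyGroups */
		if (name_in_list(grp->gr_name, options.deny_groups,
		    options.num_deny_groups))
			return 0;
		/*
		 * Return false if AllowGroups isn't empty and user's group
		 * isn't listed there
		 */
		if (options.num_allow_groups > 0 &&
		    !name_in_list(grp->gr_name, options.allow_groups,
		    options.num_allow_groups))
			return 0;
	}
	/* We found no reason not to let this user try to log on... */
	return 1;
}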