1a04a10f8SKris Kennaway /* 2a04a10f8SKris Kennaway * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3a04a10f8SKris Kennaway * All rights reserved 4a04a10f8SKris Kennaway * Copyright (c) 2000 Markus Friedl. All rights reserved. 5e8aafc91SKris Kennaway * 6e8aafc91SKris Kennaway * $FreeBSD$ 7a04a10f8SKris Kennaway */ 8a04a10f8SKris Kennaway 9a04a10f8SKris Kennaway #include "includes.h" 10c322fe35SKris Kennaway RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $"); 11a04a10f8SKris Kennaway 12a04a10f8SKris Kennaway #include "xmalloc.h" 13a04a10f8SKris Kennaway #include "rsa.h" 14a04a10f8SKris Kennaway #include "ssh.h" 15a04a10f8SKris Kennaway #include "pty.h" 16a04a10f8SKris Kennaway #include "packet.h" 17a04a10f8SKris Kennaway #include "buffer.h" 18a04a10f8SKris Kennaway #include "cipher.h" 19a04a10f8SKris Kennaway #include "mpaux.h" 20a04a10f8SKris Kennaway #include "servconf.h" 21a04a10f8SKris Kennaway #include "compat.h" 22a04a10f8SKris Kennaway #include "channels.h" 23a04a10f8SKris Kennaway #include "match.h" 24a04a10f8SKris Kennaway 25a04a10f8SKris Kennaway #include "bufaux.h" 26a04a10f8SKris Kennaway #include "ssh2.h" 27a04a10f8SKris Kennaway #include "auth.h" 28a04a10f8SKris Kennaway #include "session.h" 29a04a10f8SKris Kennaway #include "dispatch.h" 30a04a10f8SKris Kennaway 31a04a10f8SKris Kennaway 32a04a10f8SKris Kennaway /* import */ 33a04a10f8SKris Kennaway extern ServerOptions options; 34a04a10f8SKris Kennaway extern char *forced_command; 35a04a10f8SKris Kennaway 36a04a10f8SKris Kennaway /* 37a04a10f8SKris Kennaway * Check if the user is allowed to log in via ssh. If user is listed in 38a04a10f8SKris Kennaway * DenyUsers or user's primary group is listed in DenyGroups, false will 39a04a10f8SKris Kennaway * be returned. If AllowUsers isn't empty and user isn't listed there, or 40a04a10f8SKris Kennaway * if AllowGroups isn't empty and user isn't listed there, false will be 41a04a10f8SKris Kennaway * returned. 
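 * If the user's shell is not executable, false will be returned.
 * Otherwise true is returned.
 *
 * Notes for reviewers of this policy check:
 *  - Only the user's primary group (pw_gid) is consulted for DenyGroups
 *    and AllowGroups; supplementary group membership is not examined here,
 *    so a user whose secondary group is in DenyGroups is not rejected.
 *  - The shell test is a stat() of the path: it must be a regular file
 *    with at least one execute bit set. It does not check that this
 *    particular user may execute it, and /etc/shells is not consulted.
 *  - On FreeBSD the pw_expire test below is compiled out; the comment on
 *    that #ifndef says expiry is handled later on that platform.
 */

/*
 * Return non-zero if name matches any of the count patterns in list,
 * using match_pattern() from match.h. An empty list never matches.
 */
static int
name_in_list(const char *name, char **list, int count)
{
	int i;

	for (i = 0; i < count; i++)
		if (match_pattern(name, list[i]))
			return 1;
	return 0;
}

int
allowed_user(struct passwd * pw)
{
	struct stat st;
	struct group *grp;
	char *shell;

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (!pw)
		return 0;

	/*
	 * Get the shell from the password data. An empty (or missing) shell
	 * field is legal, and means /bin/sh. pw_name is already treated as
	 * possibly NULL below, so pw_shell gets the same treatment.
	 */
	if (pw->pw_shell == NULL || pw->pw_shell[0] == '\0')
		shell = _PATH_BSHELL;
	else
		shell = pw->pw_shell;

	/*
	 * Deny if the shell does not exist, is not a regular file, or has no
	 * execute bit. S_ISREG() is used instead of testing the S_IFREG bit:
	 * in the traditional st_mode encoding S_IFSOCK (0140000) has the
	 * S_IFREG (0100000) bit set, so "st_mode & S_IFREG" would also accept
	 * a socket.
	 */
	if (stat(shell, &st) != 0)
		return 0;
	if (!S_ISREG(st.st_mode))
		return 0;
	if ((st.st_mode & (S_IXOTH | S_IXUSR | S_IXGRP)) == 0)
		return 0;

	/* DenyUsers is checked first and always wins over AllowUsers. */
	if (options.num_deny_users > 0) {
		if (!pw->pw_name)
			return 0;
		if (name_in_list(pw->pw_name, options.deny_users,
		    options.num_deny_users))
			return 0;
	}
	/* A non-empty AllowUsers must list the user. */
	if (options.num_allow_users > 0) {
		if (!pw->pw_name)
			return 0;
		if (!name_in_list(pw->pw_name, options.allow_users,
		    options.num_allow_users))
			return 0;
	}
	/*
	 * Group checks need the primary group's name. A failed lookup or a
	 * NULL gr_name is treated as a denial rather than as "no policy".
	 */
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		grp = getgrgid(pw->pw_gid);
		if (!grp || !grp->gr_name)
			return 0;

		/* DenyGroups wins over AllowGroups. */
		if (options.num_deny_groups > 0 &&
		    name_in_list(grp->gr_name, options.deny_groups,
		    options.num_deny_groups))
			return 0;
		/* A non-empty AllowGroups must list the primary group. */
		if (options.num_allow_groups > 0 &&
		    !name_in_list(grp->gr_name, options.allow_groups,
		    options.num_allow_groups))
			return 0;
	}
#ifndef __FreeBSD__ /* FreeBSD handle it later */
	/* Fail if the account's expiration time has passed (0 = never expires). */
	if (pw->pw_expire != 0) {
		struct timeval tv;

		(void)gettimeofday(&tv, NULL);
		if (tv.tv_sec >= pw->pw_expire)
			return 0;
	}
#endif /* !__FreeBSD__ */
	/* We found no reason not to let this user try to log on... */
	return 1;
}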