xref: /freebsd/crypto/openssh/auth.c (revision 77a0943ded95b9e6438f7db70c4a28e4d93946d4) 
1 /*
2  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3  *                    All rights reserved
4  *
5  * As far as I am concerned, the code I have written for this software
6  * can be used freely for any purpose.  Any derived versions of this
7  * software must be clearly marked as such, and if the derived work is
8  * incompatible with the protocol description in the RFC file, it must be
9  * called by a name other than "ssh" or "Secure Shell".
10  *
11  *
12  * Copyright (c) 2000 Markus Friedl. All rights reserved.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 #include "includes.h"
36 RCSID("$OpenBSD: auth.c,v 1.10 2000/09/07 21:13:36 markus Exp $");
37 RCSID("$FreeBSD$");
38 
39 #include "xmalloc.h"
40 #include "rsa.h"
41 #include "ssh.h"
42 #include "pty.h"
43 #include "packet.h"
44 #include "buffer.h"
45 #include "cipher.h"
46 #include "mpaux.h"
47 #include "servconf.h"
48 #include "compat.h"
49 #include "channels.h"
50 #include "match.h"
51 
52 #include "bufaux.h"
53 #include "ssh2.h"
54 #include "auth.h"
55 #include "session.h"
56 
57 /* import */
58 extern ServerOptions options;
59 
60 /*
61  * Check if the user is allowed to log in via ssh. If user is listed in
62  * DenyUsers or user's primary group is listed in DenyGroups, false will
63  * be returned. If AllowUsers isn't empty and user isn't listed there, or
64  * if AllowGroups isn't empty and user isn't listed there, false will be
65  * returned.
66  * If the user's shell is not executable, false will be returned.
67  * Otherwise true is returned.
68  */
69 int
70 allowed_user(struct passwd * pw)
71 {
72 	struct stat st;
73 	struct group *grp;
74 	char *shell;
75 	int i;
76 
77 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
78 	if (!pw)
79 		return 0;
80 
81 	/*
82 	 * Get the shell from the password data.  An empty shell field is
83 	 * legal, and means /bin/sh.
84 	 */
85 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
86 
87 	/* deny if shell does not exists or is not executable */
88 	if (stat(shell, &st) != 0)
89 		return 0;
90 	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
91 		return 0;
92 
93 	/* Return false if user is listed in DenyUsers */
94 	if (options.num_deny_users > 0) {
95 		if (!pw->pw_name)
96 			return 0;
97 		for (i = 0; i < options.num_deny_users; i++)
98 			if (match_pattern(pw->pw_name, options.deny_users[i]))
99 				return 0;
100 	}
101 	/* Return false if AllowUsers isn't empty and user isn't listed there */
102 	if (options.num_allow_users > 0) {
103 		if (!pw->pw_name)
104 			return 0;
105 		for (i = 0; i < options.num_allow_users; i++)
106 			if (match_pattern(pw->pw_name, options.allow_users[i]))
107 				break;
108 		/* i < options.num_allow_users iff we break for loop */
109 		if (i >= options.num_allow_users)
110 			return 0;
111 	}
112 	/* Get the primary group name if we need it. Return false if it fails */
113 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
114 		grp = getgrgid(pw->pw_gid);
115 		if (!grp)
116 			return 0;
117 
118 		/* Return false if user's group is listed in DenyGroups */
119 		if (options.num_deny_groups > 0) {
120 			if (!grp->gr_name)
121 				return 0;
122 			for (i = 0; i < options.num_deny_groups; i++)
123 				if (match_pattern(grp->gr_name, options.deny_groups[i]))
124 					return 0;
125 		}
126 		/*
127 		 * Return false if AllowGroups isn't empty and user's group
128 		 * isn't listed there
129 		 */
130 		if (options.num_allow_groups > 0) {
131 			if (!grp->gr_name)
132 				return 0;
133 			for (i = 0; i < options.num_allow_groups; i++)
134 				if (match_pattern(grp->gr_name, options.allow_groups[i]))
135 					break;
136 			/* i < options.num_allow_groups iff we break for
137 			   loop */
138 			if (i >= options.num_allow_groups)
139 				return 0;
140 		}
141 	}
142 	/* We found no reason not to let this user try to log on... */
143 	return 1;
144 }
145