xref: /freebsd/crypto/openssh/auth.c (revision c68159a6d8eede11766cf13896d0f7670dbd51aa) 
1 /*
2  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3  *                    All rights reserved
4  *
5  * As far as I am concerned, the code I have written for this software
6  * can be used freely for any purpose.  Any derived versions of this
7  * software must be clearly marked as such, and if the derived work is
8  * incompatible with the protocol description in the RFC file, it must be
9  * called by a name other than "ssh" or "Secure Shell".
10  *
11  *
12  * Copyright (c) 2000 Markus Friedl. All rights reserved.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 #include "includes.h"
36 RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");
37 RCSID("$FreeBSD$");
38 
39 #include "xmalloc.h"
40 #include "rsa.h"
41 #include "ssh.h"
42 #include "pty.h"
43 #include "packet.h"
44 #include "buffer.h"
45 #include "mpaux.h"
46 #include "servconf.h"
47 #include "compat.h"
48 #include "channels.h"
49 #include "match.h"
50 
51 #include "bufaux.h"
52 #include "ssh2.h"
53 #include "auth.h"
54 #include "session.h"
55 
56 /* import */
57 extern ServerOptions options;
58 
59 /*
60  * Check if the user is allowed to log in via ssh. If user is listed in
61  * DenyUsers or user's primary group is listed in DenyGroups, false will
62  * be returned. If AllowUsers isn't empty and user isn't listed there, or
63  * if AllowGroups isn't empty and user isn't listed there, false will be
64  * returned.
65  * If the user's shell is not executable, false will be returned.
66  * Otherwise true is returned.
67  */
68 int
69 allowed_user(struct passwd * pw)
70 {
71 	struct stat st;
72 	struct group *grp;
73 	char *shell;
74 	int i;
75 
76 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
77 	if (!pw)
78 		return 0;
79 
80 	/*
81 	 * Get the shell from the password data.  An empty shell field is
82 	 * legal, and means /bin/sh.
83 	 */
84 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
85 
86 	/* deny if shell does not exists or is not executable */
87 	if (stat(shell, &st) != 0)
88 		return 0;
89 	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
90 		return 0;
91 
92 	/* Return false if user is listed in DenyUsers */
93 	if (options.num_deny_users > 0) {
94 		if (!pw->pw_name)
95 			return 0;
96 		for (i = 0; i < options.num_deny_users; i++)
97 			if (match_pattern(pw->pw_name, options.deny_users[i]))
98 				return 0;
99 	}
100 	/* Return false if AllowUsers isn't empty and user isn't listed there */
101 	if (options.num_allow_users > 0) {
102 		if (!pw->pw_name)
103 			return 0;
104 		for (i = 0; i < options.num_allow_users; i++)
105 			if (match_pattern(pw->pw_name, options.allow_users[i]))
106 				break;
107 		/* i < options.num_allow_users iff we break for loop */
108 		if (i >= options.num_allow_users)
109 			return 0;
110 	}
111 	/* Get the primary group name if we need it. Return false if it fails */
112 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
113 		grp = getgrgid(pw->pw_gid);
114 		if (!grp)
115 			return 0;
116 
117 		/* Return false if user's group is listed in DenyGroups */
118 		if (options.num_deny_groups > 0) {
119 			if (!grp->gr_name)
120 				return 0;
121 			for (i = 0; i < options.num_deny_groups; i++)
122 				if (match_pattern(grp->gr_name, options.deny_groups[i]))
123 					return 0;
124 		}
125 		/*
126 		 * Return false if AllowGroups isn't empty and user's group
127 		 * isn't listed there
128 		 */
129 		if (options.num_allow_groups > 0) {
130 			if (!grp->gr_name)
131 				return 0;
132 			for (i = 0; i < options.num_allow_groups; i++)
133 				if (match_pattern(grp->gr_name, options.allow_groups[i]))
134 					break;
135 			/* i < options.num_allow_groups iff we break for
136 			   loop */
137 			if (i >= options.num_allow_groups)
138 				return 0;
139 		}
140 	}
141 	/* We found no reason not to let this user try to log on... */
142 	return 1;
143 }
144