
Viewing changes to auth.c

  • Committer: Bazaar Package Importer
  • Author(s): Colin Watson
  • Date: 2005-10-10 20:10:01 UTC
  • mto: This revision was merged to the branch mainline in revision 4.
  • Revision ID: james.westby@ubuntu.com-20051010201001-rno2f5bno6e6wo6t
Tags: upstream-4.1p1
Import upstream version 4.1p1

23
23
 */
24
24
 
25
25
#include "includes.h"
26
 
RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
 
26
RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
27
27
 
28
28
#ifdef HAVE_LOGIN_H
29
29
#include <login.h>
50
50
#include "misc.h"
51
51
#include "bufaux.h"
52
52
#include "packet.h"
 
53
#include "loginrec.h"
 
54
#include "monitor_wrap.h"
53
55
 
54
56
/* import */
55
57
extern ServerOptions options;
143
145
                return 0;
144
146
        }
145
147
 
146
 
        if (options.num_deny_users > 0 || options.num_allow_users > 0) {
 
148
        if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
 
149
            options.num_deny_groups > 0 || options.num_allow_groups > 0) {
147
150
                hostname = get_canonical_hostname(options.use_dns);
148
151
                ipaddr = get_remote_ipaddr();
149
152
        }
153
156
                for (i = 0; i < options.num_deny_users; i++)
154
157
                        if (match_user(pw->pw_name, hostname, ipaddr,
155
158
                            options.deny_users[i])) {
156
 
                                logit("User %.100s not allowed because listed in DenyUsers",
157
 
                                    pw->pw_name);
 
159
                                logit("User %.100s from %.100s not allowed "
 
160
                                    "because listed in DenyUsers",
 
161
                                    pw->pw_name, hostname);
158
162
                                return 0;
159
163
                        }
160
164
        }
166
170
                                break;
167
171
                /* i < options.num_allow_users iff we break for loop */
168
172
                if (i >= options.num_allow_users) {
169
 
                        logit("User %.100s not allowed because not listed in AllowUsers",
170
 
                            pw->pw_name);
 
173
                        logit("User %.100s from %.100s not allowed because "
 
174
                            "not listed in AllowUsers", pw->pw_name, hostname);
171
175
                        return 0;
172
176
                }
173
177
        }
174
178
        if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
175
179
                /* Get the user's group access list (primary and supplementary) */
176
180
                if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
177
 
                        logit("User %.100s not allowed because not in any group",
178
 
                            pw->pw_name);
 
181
                        logit("User %.100s from %.100s not allowed because "
 
182
                            "not in any group", pw->pw_name, hostname);
179
183
                        return 0;
180
184
                }
181
185
 
184
188
                        if (ga_match(options.deny_groups,
185
189
                            options.num_deny_groups)) {
186
190
                                ga_free();
187
 
                                logit("User %.100s not allowed because a group is listed in DenyGroups",
188
 
                                    pw->pw_name);
 
191
                                logit("User %.100s from %.100s not allowed "
 
192
                                    "because a group is listed in DenyGroups",
 
193
                                    pw->pw_name, hostname);
189
194
                                return 0;
190
195
                        }
191
196
                /*
196
201
                        if (!ga_match(options.allow_groups,
197
202
                            options.num_allow_groups)) {
198
203
                                ga_free();
199
 
                                logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
200
 
                                    pw->pw_name);
 
204
                                logit("User %.100s from %.100s not allowed "
 
205
                                    "because none of user's groups are listed "
 
206
                                    "in AllowGroups", pw->pw_name, hostname);
201
207
                                return 0;
202
208
                        }
203
209
                ga_free();
204
210
        }
205
211
 
206
212
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
207
 
        if (!sys_auth_allowed_user(pw))
 
213
        if (!sys_auth_allowed_user(pw, &loginmsg))
208
214
                return 0;
209
215
#endif
210
216
 
240
246
            info);
241
247
 
242
248
#ifdef CUSTOM_FAILED_LOGIN
243
 
        if (authenticated == 0 && strcmp(method, "password") == 0)
244
 
                record_failed_login(authctxt->user, "ssh");
 
249
        if (authenticated == 0 && !authctxt->postponed &&
 
250
            (strcmp(method, "password") == 0 ||
 
251
            strncmp(method, "keyboard-interactive", 20) == 0 ||
 
252
            strcmp(method, "challenge-response") == 0))
 
253
                record_failed_login(authctxt->user,
 
254
                    get_canonical_hostname(options.use_dns), "ssh");
 
255
#endif
 
256
#ifdef SSH_AUDIT_EVENTS
 
257
        if (authenticated == 0 && !authctxt->postponed) {
 
258
                ssh_audit_event_t event;
 
259
 
 
260
                debug3("audit failed auth attempt, method %s euid %d",
 
261
                    method, (int)geteuid());
 
262
                /*
 
263
                 * Because the auth loop is used in both monitor and slave,
 
264
                 * we must be careful to send each event only once and with
 
265
                 * enough privs to write the event.
 
266
                 */
 
267
                event = audit_classify_auth(method);
 
268
                switch(event) {
 
269
                case SSH_AUTH_FAIL_NONE:
 
270
                case SSH_AUTH_FAIL_PASSWD:
 
271
                case SSH_AUTH_FAIL_KBDINT:
 
272
                        if (geteuid() == 0)
 
273
                                audit_event(event);
 
274
                        break;
 
275
                case SSH_AUTH_FAIL_PUBKEY:
 
276
                case SSH_AUTH_FAIL_HOSTBASED:
 
277
                case SSH_AUTH_FAIL_GSSAPI:
 
278
                        /*
 
279
                         * This is required to handle the case where privsep
 
280
                         * is enabled but it's root logging in, since
 
281
                         * use_privsep won't be cleared until after a
 
282
                         * successful login.
 
283
                         */
 
284
                        if (geteuid() == 0)
 
285
                                audit_event(event);
 
286
                        else
 
287
                                PRIVSEP(audit_event(event));
 
288
                        break;
 
289
                default:
 
290
                        error("unknown authentication audit event %d", event);
 
291
                }
 
292
        }
245
293
#endif
246
294
}
247
295
 
465
513
                logit("Invalid user %.100s from %.100s",
466
514
                    user, get_remote_ipaddr());
467
515
#ifdef CUSTOM_FAILED_LOGIN
468
 
                record_failed_login(user, "ssh");
 
516
                record_failed_login(user,
 
517
                    get_canonical_hostname(options.use_dns), "ssh");
469
518
#endif
 
519
#ifdef SSH_AUDIT_EVENTS
 
520
                audit_event(SSH_INVALID_USER);
 
521
#endif /* SSH_AUDIT_EVENTS */
470
522
                return (NULL);
471
523
        }
472
524
        if (!allowed_user(pw))
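Review bot: In the CUSTOM_FAILED_LOGIN condition, `strncmp(method, "keyboard-interactive", 20) == 0` is a prefix match (20 is exactly the length of the literal) and so also accepts method names carrying a suffix, yet sitting between two `strcmp` calls it reads like a typo; if the prefix match is intended, add `/* prefix match: method may carry a submethod suffix */` above it, otherwise use `strcmp` like its neighbours. The function enclosing that condition begins before the hunk. In the same hunk, `switch(event)` should be `switch (event)` to match the surrounding OpenBSD style. In the last hunk (the "Invalid user" path), `audit_event(SSH_INVALID_USER)` is called directly where the earlier hunk takes care to choose between `audit_event` and `PRIVSEP(audit_event(...))` based on `geteuid()`; if that is because this code only ever runs with the privileges needed to write the event, a one-line comment saying so would save the next reader the same question.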