146
if (options.num_deny_users > 0 || options.num_allow_users > 0) {
148
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
149
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
147
150
hostname = get_canonical_hostname(options.use_dns);
148
151
ipaddr = get_remote_ipaddr();
153
156
for (i = 0; i < options.num_deny_users; i++)
154
157
if (match_user(pw->pw_name, hostname, ipaddr,
155
158
options.deny_users[i])) {
156
logit("User %.100s not allowed because listed in DenyUsers",
159
logit("User %.100s from %.100s not allowed "
160
"because listed in DenyUsers",
161
pw->pw_name, hostname);
167
171
/* i < options.num_allow_users iff we break for loop */
168
172
if (i >= options.num_allow_users) {
169
logit("User %.100s not allowed because not listed in AllowUsers",
173
logit("User %.100s from %.100s not allowed because "
174
"not listed in AllowUsers", pw->pw_name, hostname);
174
178
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
175
179
/* Get the user's group access list (primary and supplementary) */
176
180
if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
177
logit("User %.100s not allowed because not in any group",
181
logit("User %.100s from %.100s not allowed because "
182
"not in any group", pw->pw_name, hostname);
184
188
if (ga_match(options.deny_groups,
185
189
options.num_deny_groups)) {
187
logit("User %.100s not allowed because a group is listed in DenyGroups",
191
logit("User %.100s from %.100s not allowed "
192
"because a group is listed in DenyGroups",
193
pw->pw_name, hostname);
196
201
if (!ga_match(options.allow_groups,
197
202
options.num_allow_groups)) {
199
logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
204
logit("User %.100s from %.100s not allowed "
205
"because none of user's groups are listed "
206
"in AllowGroups", pw->pw_name, hostname);
206
212
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
207
if (!sys_auth_allowed_user(pw))
213
if (!sys_auth_allowed_user(pw, &loginmsg))
242
248
#ifdef CUSTOM_FAILED_LOGIN
243
if (authenticated == 0 && strcmp(method, "password") == 0)
244
record_failed_login(authctxt->user, "ssh");
249
if (authenticated == 0 && !authctxt->postponed &&
250
(strcmp(method, "password") == 0 ||
251
strncmp(method, "keyboard-interactive", 20) == 0 ||
252
strcmp(method, "challenge-response") == 0))
253
record_failed_login(authctxt->user,
254
get_canonical_hostname(options.use_dns), "ssh");
256
#ifdef SSH_AUDIT_EVENTS
257
if (authenticated == 0 && !authctxt->postponed) {
258
ssh_audit_event_t event;
260
debug3("audit failed auth attempt, method %s euid %d",
261
method, (int)geteuid());
263
* Because the auth loop is used in both monitor and slave,
264
* we must be careful to send each event only once and with
265
* enough privs to write the event.
267
event = audit_classify_auth(method);
269
case SSH_AUTH_FAIL_NONE:
270
case SSH_AUTH_FAIL_PASSWD:
271
case SSH_AUTH_FAIL_KBDINT:
275
case SSH_AUTH_FAIL_PUBKEY:
276
case SSH_AUTH_FAIL_HOSTBASED:
277
case SSH_AUTH_FAIL_GSSAPI:
279
* This is required to handle the case where privsep
280
* is enabled but it's root logging in, since
281
* use_privsep won't be cleared until after a
287
PRIVSEP(audit_event(event));
290
error("unknown authentication audit event %d", event);
465
513
logit("Invalid user %.100s from %.100s",
466
514
user, get_remote_ipaddr());
467
515
#ifdef CUSTOM_FAILED_LOGIN
468
record_failed_login(user, "ssh");
516
record_failed_login(user,
517
get_canonical_hostname(options.use_dns), "ssh");
519
#ifdef SSH_AUDIT_EVENTS
520
audit_event(SSH_INVALID_USER);
521
#endif /* SSH_AUDIT_EVENTS */
472
524
if (!allowed_user(pw))