src - OpenBSD base system

diff options


context:
space:
mode:

author	Markus Friedl <markus@cvs.openbsd.org>	2001-01-13 18:56:49 +0000
committer	Markus Friedl <markus@cvs.openbsd.org>	2001-01-13 18:56:49 +0000
commit	1d0e931edf475482d3ef0f7c46a5f8564d2823e2 (patch)
tree	15f4310ac6e46c0440ad244c60612987c680cf33 /usr.bin
parent	943e6d47590b5b9bb7f58f9e645291b89ed252c7 (diff)

support supplementary group in {Allow,Deny}Groups

from stevesk@pobox.com

Diffstat (limited to 'usr.bin')

-rw-r--r--

usr.bin/ssh/auth.c

-rw-r--r--

usr.bin/ssh/auth2.c

-rw-r--r--

usr.bin/ssh/sshd.8

-rw-r--r--

usr.bin/ssh/sshd/Makefile

-rw-r--r--

usr.bin/ssh/sshd_config

5 files changed, 34 insertions, 42 deletions

diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 182d6464922..957b93db4c1 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c

@@ -33,7 +33,7 @@

#include "includes.h"

-RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");

+RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $");

#include "xmalloc.h"

#include "rsa.h"

@@ -46,6 +46,7 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");

#include "compat.h"

#include "channels.h"

#include "match.h"

+#include "groupaccess.h"

#include "bufaux.h"

#include "ssh2.h"

@@ -56,11 +57,11 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");

extern ServerOptions options;

- * Check if the user is allowed to log in via ssh. If user is listed in

- * DenyUsers or user's primary group is listed in DenyGroups, false will

- * be returned. If AllowUsers isn't empty and user isn't listed there, or

- * if AllowGroups isn't empty and user isn't listed there, false will be

- * returned.

+ * Check if the user is allowed to log in via ssh. If user is listed

+ * in DenyUsers or one of user's groups is listed in DenyGroups, false

+ * will be returned. If AllowUsers isn't empty and user isn't listed

+ * there, or if AllowGroups isn't empty and one of user's groups isn't

+ * listed there, false will be returned.

* If the user's shell is not executable, false will be returned.

* Otherwise true is returned.

@@ -68,12 +69,11 @@ int

allowed_user(struct passwd * pw)

{

struct stat st;

- struct group *grp;

char *shell;

int i;

/* Shouldn't be called if pw is NULL, but better safe than sorry... */

- if (!pw)

+ if (!pw || !pw->pw_name)

return 0;

@@ -90,16 +90,12 @@ allowed_user(struct passwd * pw)

/* Return false if user is listed in DenyUsers */

if (options.num_deny_users > 0) {

- if (!pw->pw_name)

- return 0;

for (i = 0; i < options.num_deny_users; i++)

if (match_pattern(pw->pw_name, options.deny_users[i]))

return 0;

}

/* Return false if AllowUsers isn't empty and user isn't listed there */

if (options.num_allow_users > 0) {

- if (!pw->pw_name)

- return 0;

for (i = 0; i < options.num_allow_users; i++)

if (match_pattern(pw->pw_name, options.allow_users[i]))

break;

@@ -107,35 +103,29 @@ allowed_user(struct passwd * pw)

if (i >= options.num_allow_users)

return 0;

}

- /* Get the primary group name if we need it. Return false if it fails */

if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {

- grp = getgrgid(pw->pw_gid);

- if (!grp)

+ /* Get the user's group access list (primary and supplementary) */

+ if (ga_init(pw->pw_name, pw->pw_gid) == 0)

return 0;

- /* Return false if user's group is listed in DenyGroups */

- if (options.num_deny_groups > 0) {

- if (!grp->gr_name)

+ /* Return false if one of user's groups is listed in DenyGroups */

+ if (options.num_deny_groups > 0)

+ if (ga_match(options.deny_groups,

+ options.num_deny_groups)) {

+ ga_free();

return 0;

- for (i = 0; i < options.num_deny_groups; i++)

- if (match_pattern(grp->gr_name, options.deny_groups[i]))

- return 0;

- }

+ }

- * Return false if AllowGroups isn't empty and user's group

+ * Return false if AllowGroups isn't empty and one of user's groups

* isn't listed there

- if (options.num_allow_groups > 0) {

- if (!grp->gr_name)

- return 0;

- for (i = 0; i < options.num_allow_groups; i++)

- if (match_pattern(grp->gr_name, options.allow_groups[i]))

- break;

- /* i < options.num_allow_groups iff we break for

- loop */

- if (i >= options.num_allow_groups)

+ if (options.num_allow_groups > 0)

+ if (!ga_match(options.allow_groups,

+ options.num_allow_groups)) {

+ ga_free();

return 0;

- }

+ }

+ ga_free();

}

/* We found no reason not to let this user try to log on... */

return 1;

diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 3edde42f850..8ac9aa0868b 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c

@@ -23,7 +23,7 @@

#include "includes.h"

-RCSID("$OpenBSD: auth2.c,v 1.26 2001/01/13 18:21:48 markus Exp $");

+RCSID("$OpenBSD: auth2.c,v 1.27 2001/01/13 18:56:48 markus Exp $");

#include <openssl/dsa.h>

#include <openssl/rsa.h>

@@ -298,7 +298,7 @@ userauth_log(Authctxt *authctxt, int authenticated, char *method)

if (authctxt->valid) {

user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user;

} else {

- user = "NOUSER";

+ user = authctxt->user ? authctxt->user : "NOUSER";

}

authlog("%s %s for %.200s from %.200s port %d ssh2",

diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index fef26b50bc6..a513978d950 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8

@@ -34,7 +34,7 @@

.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

.\"

-.\" $OpenBSD: sshd.8,v 1.80 2001/01/08 22:29:05 markus Exp $

+.\" $OpenBSD: sshd.8,v 1.81 2001/01/13 18:56:48 markus Exp $

.Dd September 25, 1999

.Dt SSHD 8

.Os

@@ -303,14 +303,14 @@ Default is

This keyword can be followed by a number of group names, separated

by spaces.

If specified, login is allowed only for users whose primary

-group matches one of the patterns.

+group or supplementary group list matches one of the patterns.

.Ql \&*

and

.Ql ?

can be used as

wildcards in the patterns.

Only group names are valid; a numerical group ID isn't recognized.

-By default login is allowed regardless of the primary group.

+By default login is allowed regardless of the group list.

.Pp

.It Cm AllowTcpForwarding

Specifies whether TCP forwarding is permitted.

@@ -354,15 +354,15 @@ The default is

.It Cm DenyGroups

This keyword can be followed by a number of group names, separated

by spaces.

-Users whose primary group matches one of the patterns

-aren't allowed to log in.

+Users whose primary group or supplementary group list matches

+one of the patterns aren't allowed to log in.

.Ql \&*

and

.Ql ?

can be used as

wildcards in the patterns.

Only group names are valid; a numerical group ID isn't recognized.

-By default login is allowed regardless of the primary group.

+By default login is allowed regardless of the group list.

.Pp

.It Cm DenyUsers

This keyword can be followed by a number of user names, separated

diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index 0a9fba8e052..6e4b3fe8637 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile

@@ -9,7 +9,8 @@ CFLAGS+=-DHAVE_LOGIN_CAP

SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \

pty.c log-server.c login.c servconf.c serverloop.c \

- auth.c auth1.c auth2.c auth-options.c session.c dh.c

+ auth.c auth1.c auth2.c auth-options.c session.c dh.c \

+ groupaccess.c

.include <bsd.own.mk> # for KERBEROS and AFS

diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config
index ad8db2746cf..fb5dc7b2b48 100644
--- a/usr.bin/ssh/sshd_config
+++ b/usr.bin/ssh/sshd_config

@@ -57,3 +57,4 @@ PermitEmptyPasswords no

#Subsystem sftp /usr/libexec/sftp-server

#MaxStartups 10:30:60

#Banner /etc/issue.net

+DenyGroups nossh