diff options
| -rw-r--r-- | usr.bin/ssh/auth.c | 26 | ||||
| -rw-r--r-- | usr.bin/ssh/session.c | 16 |
2 files changed, 25 insertions, 17 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c index 61de90b272f..6f2f98df3a2 100644 --- a/usr.bin/ssh/auth.c +++ b/usr.bin/ssh/auth.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.37 2002/03/17 20:25:56 provos Exp $"); +RCSID("$OpenBSD: auth.c,v 1.38 2002/03/18 03:41:08 provos Exp $"); #include <libgen.h> @@ -391,11 +391,31 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, struct passwd * getpwnamallow(const char *user) { +#ifdef HAVE_LOGIN_CAP + extern login_cap_t *lc; +#ifdef BSD_AUTH + auth_session_t *as; +#endif +#endif struct passwd *pw; pw = getpwnam(user); - if (pw != NULL && !allowed_user(pw)) + if (pw == NULL || !allowed_user(pw)) + return (NULL); +#ifdef HAVE_LOGIN_CAP + if ((lc = login_getclass(pw->pw_class)) == NULL) { + debug("unable to get login class: %s", user); + return (NULL); + } +#ifdef BSD_AUTH + if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || + auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) { + debug("Approval failure for %s", user); pw = NULL; - + } + if (as != NULL) + auth_close(as); +#endif +#endif return (pw); } diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index 7a127583e87..ce5e3910ff9 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.128 2002/02/16 00:51:44 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.129 2002/03/18 03:41:08 provos Exp $"); #include "ssh.h" #include "ssh1.h" @@ -123,7 +123,7 @@ const char *original_command = NULL; Session sessions[MAX_SESSIONS]; #ifdef HAVE_LOGIN_CAP -static login_cap_t *lc; +login_cap_t *lc; #endif void @@ -138,18 +138,6 @@ do_authenticated(Authctxt *authctxt) close(startup_pipe); startup_pipe = -1; } -#ifdef HAVE_LOGIN_CAP - if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) { - error("unable to get login class"); - return; - } -#ifdef BSD_AUTH - if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) { - packet_disconnect("Approval failure for %s", - authctxt->pw->pw_name); - } -#endif -#endif /* setup the channel layer */ if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); |