author | 2001-06-27 04:48:52 +0000 | |
committer | 2001-06-27 04:48:52 +0000 | |
commit | 89a901a2176bfdb00ec3b79703f1f87f117ef566 (patch) | |
tree | bf9696dd447c5f880719a976c9b190bd46c87a6d | |
parent | zap old vm (diff) | |
download | wireguard-openbsd-89a901a2176bfdb00ec3b79703f1f87f117ef566.tar.xz wireguard-openbsd-89a901a2176bfdb00ec3b79703f1f87f117ef566.zip |
tridge@samba.org
-rw-r--r-- | usr.bin/ssh/auth.c | 14 | ||||
-rw-r--r-- | usr.bin/ssh/match.c | 26 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.8 | 5 |
3 files changed, 40 insertions, 5 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index d8dc7ed2974..7856591d115 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.25 2001/06/25 17:54:48 provos Exp $");
+RCSID("$OpenBSD: auth.c,v 1.26 2001/06/27 04:48:52 markus Exp $");
 #include <libgen.h>
@@ -56,6 +56,7 @@ int
 allowed_user(struct passwd * pw)
 {
 struct stat st;
+ const char *hostname = NULL, *ipaddr = NULL;
 char *shell;
 int i;
@@ -75,16 +76,23 @@ allowed_user(struct passwd * pw)
 if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
 return 0;
+ if (options.num_deny_users > 0 || options.num_allow_users > 0) {
+ hostname = get_canonical_hostname(options.reverse_mapping_check);
+ ipaddr = get_remote_ipaddr();
+ }
+
 /* Return false if user is listed in DenyUsers */
 if (options.num_deny_users > 0) {
 for (i = 0; i < options.num_deny_users; i++)
- if (match_pattern(pw->pw_name, options.deny_users[i]))
+ if (match_user(pw->pw_name, hostname, ipaddr,
+ options.deny_users[i]))
 return 0;
 }
 /* Return false if AllowUsers isn't empty and user isn't listed there */
 if (options.num_allow_users > 0) {
 for (i = 0; i < options.num_allow_users; i++)
- if (match_pattern(pw->pw_name, options.allow_users[i]))
+ if (match_user(pw->pw_name, hostname, ipaddr,
+ options.allow_users[i]))
 break;
 /* i < options.num_allow_users iff we break for loop */
 if (i >= options.num_allow_users)
diff --git a/usr.bin/ssh/match.c b/usr.bin/ssh/match.c
index 2e2d6309266..188b9a4169f 100644
--- a/usr.bin/ssh/match.c
+++ b/usr.bin/ssh/match.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $");
+RCSID("$OpenBSD: match.c,v 1.14 2001/06/27 04:48:53 markus Exp $");
 #include "match.h"
 #include "xmalloc.h"
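Review bot: The `hostname` filled in by the new `get_canonical_hostname(options.reverse_mapping_check)` line is, as far as I can tell from canohost, a reverse-DNS name, so the host part of an AllowUsers/DenyUsers pattern is only as trustworthy as the peer's PTR record unless ReverseMappingCheck is enabled, and nothing in the hunk says so where `match_user(pw->pw_name, hostname, ipaddr, ...)` is called. Suggest a comment above the new block: `/* hostname is the peer's reverse-DNS name; it is verified only when ReverseMappingCheck is set, so address patterns are the safer choice for user@host lists */`. The lookups are correctly gated on a non-empty list, although they also run when no pattern contains an '@'; that is a cost, not a defect. The body of allowed_user continues past the end of this hunk.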
@@ -185,6 +185,30 @@ match_host_and_ip(const char *host, const char *ipaddr,
 }
 /*
+ * match user, user@host_or_ip, user@host_or_ip_list against pattern
+ */
+int
+match_user(const char *user, const char *host, const char *ipaddr,
+ const char *pattern)
+{
+ char *p, *pat;
+ int ret;
+
+ if ((p = strchr(pattern,'@')) == NULL)
+ return match_pattern(user, pattern);
+
+ pat = xstrdup(pattern);
+ p = strchr(pat, '@');
+ *p++ = '\0';
+
+ if ((ret = match_pattern(user, pat)) == 1)
+ ret = match_host_and_ip(host, ipaddr, p);
+ xfree(pat);
+
+ return ret;
+}
+
+/*
 * Returns first item from client-list that is also supported by server-list,
 * caller must xfree() returned string.
 */
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index f10214ff97f..bd2d247c221 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.134 2001/06/26 05:48:07 mpech Exp $
+.\" $OpenBSD: sshd.8,v 1.135 2001/06/27 04:48:53 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -329,6 +329,9 @@ can be used as wildcards in the patterns.
 Only user names are valid; a numerical user ID isn't recognized.
 By default login is allowed regardless of the user name.
+If the pattern takes the form USER@HOST then USER and HOST
+are separately checked, allowing you to restrict logins to particular
+users from particular hosts.
 .Pp
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public RSA keys that can be used |
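Review bot: The header comment added above `match_user` states neither the return value nor the argument contract, although the function is now on the authentication decision path in auth.c: the code returns whatever `match_pattern` yields when the pattern has no '@', and otherwise reaches `match_host_and_ip(host, ipaddr, p)` only after the user part matched, so `host` and `ipaddr` are dereferenced exactly in that case. Suggest extending the comment with ` * Returns 1 on match, 0 otherwise.  For a user@host pattern both parts must match; host and ipaddr must be valid strings whenever a pattern may contain '@'.` (the 0/1 claim presumes match_pattern and match_host_and_ip return only 0 or 1, which the hunk does not show). As a minor point of style, the second `strchr(pat, '@')` repeats a search already done on `pattern`; `p = pat + (p - pattern);` reuses the offset and makes it obvious the two lookups cannot disagree.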