[openssh-commits] [openssh] branch master updated: Class-imposed login restrictions

From: git+noreply at mindrot.org
Date: Sat Jul 20 11:08:40 AEST 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new c276672f Class-imposed login restrictions
c276672f is described below

commit c276672fc0e99f0c4389988d54a84c203ce325b6
Author: Yuichiro Naito <naito.yuichiro at gmail.com>
AuthorDate: Wed Sep 1 10:19:32 2021 +0900

    Class-imposed login restrictions
    
    If the following functions are available,
    add an additional check, imposed by the login class, of whether users are allowed to log in.
    
    * auth_hostok(3)
    * auth_timeok(3)
    
    These functions are implemented on FreeBSD.
---
 auth.c       | 18 ++++++++++++++++++
 configure.ac |  2 ++
 2 files changed, 20 insertions(+)

diff --git a/auth.c b/auth.c
index 2e4cbef0..c4a3d2f2 100644
--- a/auth.c
+++ b/auth.c
@@ -463,6 +463,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
 {
 #ifdef HAVE_LOGIN_CAP
 	extern login_cap_t *lc;
+#ifdef HAVE_AUTH_HOSTOK
+	const char *from_host, *from_ip;
+#endif
 #ifdef BSD_AUTH
 	auth_session_t *as;
 #endif
@@ -508,6 +511,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
 		debug("unable to get login class: %s", user);
 		return (NULL);
 	}
+#ifdef HAVE_AUTH_HOSTOK
+	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+	from_ip = ssh_remote_ipaddr(ssh);
+	if (!auth_hostok(lc, from_host, from_ip)) {
+		debug("Denied connection for %.200s from %.200s [%.200s].",
+		      pw->pw_name, from_host, from_ip);
+		return (NULL);
+	}
+#endif /* HAVE_AUTH_HOSTOK */
+#ifdef HAVE_AUTH_TIMEOK
+	if (!auth_timeok(lc, time(NULL))) {
+		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
+		return (NULL);
+	}
+#endif /* HAVE_AUTH_TIMEOK */
 #ifdef BSD_AUTH
 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
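Review bot: both refusals in this hunk are logged only with debug(), so at the default LogLevel an administrator sees nothing that says a login was refused by the class's host or time restrictions; the caller gets the same NULL it gets for a user with no login class and reports a generic failure. Consider logit() with the reason in the message, e.g. "Login class denies %s from %s [%s]" and "Login class denies %s at this time", and use one message style for both checks rather than "Denied connection for ..." next to "LOGIN ... REFUSED (TIME)". Also worth documenting: from_host comes from auth_get_canonical_hostname(ssh, options.use_dns), so with UseDNS off (the default) auth_hostok() receives the remote address string as the hostname and any hostname patterns in the class will only ever be matched against an IP; hostname-based allow/deny rules therefore need UseDNS yes and are only as trustworthy as the reverse DNS they depend on, whereas address-based rules work in either case.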
diff --git a/configure.ac b/configure.ac
index 2eede34c..016c9647 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1886,6 +1886,8 @@ AC_SUBST([PICFLAG])
 
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
+	auth_hostok \
+	auth_timeok \
 	Blowfish_initstate \
 	Blowfish_expandstate \
 	Blowfish_expand0state \
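Review bot: AC_CHECK_FUNCS only proves that the symbol links with whatever is in LIBS at this point of configure; on FreeBSD auth_hostok() and auth_timeok() live in libutil, so if -lutil is not already on the link line here the test fails silently and the new checks in auth.c are compiled out with no warning. Please confirm that HAVE_AUTH_HOSTOK and HAVE_AUTH_TIMEOK actually appear in config.h on a FreeBSD build, or tie the probe to the same library check that sets HAVE_LOGIN_CAP. The behaviour change also has no documentation in this commit: sshd(8)'s description of login class handling (or the release notes) should say that class host and time restrictions are now enforced at login on platforms providing these functions, since an existing login.conf entry that previously had no effect on ssh logins will start refusing them after this change.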

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.