Patches for improved logging of allowed_user() failures

Dave Dykstra dwd at bell-labs.com
Sat Oct 13 06:59:39 EST 2001


On Fri, Oct 12, 2001 at 11:47:38AM +1000, Damien Miller wrote:
> Subject: Re: Please test snapshots for 3.0 release
>
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
> 
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.

I originally included these changes with my patch for changing expired
passwords, but to simplify that submission I left them out.  Attachment #1
contains the patch against the openbsd CVS, and attachment #2 contains the
patch against the portable CVS, to be applied after applying my patch for changing
expired passwords.  They could be applied independently, but for
consistency through the function it would make sense for both to be
applied.

- Dave Dykstra
-------------- next part --------------
--- auth.c.O	Fri Oct 12 15:43:11 2001
+++ auth.c	Fri Oct 12 15:43:15 2001
@@ -71,10 +71,16 @@
 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
 
 	/* deny if shell does not exists or is not executable */
-	if (stat(shell, &st) != 0)
+	if (stat(shell, &st) != 0) {
+		log("User %.100s not allowed because shell %.100s does not exist",
+			pw->pw_name, shell);
 		return 0;
-	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
+	}
+	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) {
+		log("User %.100s not allowed because shell %.100s is not executable",
+			pw->pw_name, shell);
 		return 0;
+	}
 
 	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
 		hostname = get_canonical_hostname(options.reverse_mapping_check);
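Review bot: The new message on the stat() failure path reports "does not exist" for every failure, but stat() also fails on an unreadable path component, a symlink loop or an over-long path, so the log would name the wrong cause for those; record the errno text instead, e.g. `log("User %.100s not allowed because shell %.100s cannot be accessed: %.100s", pw->pw_name, shell, strerror(errno));` (this assumes errno.h and string.h are already in scope in auth.c — confirm). The `%.100s` bound on both the user name and the shell path is worth keeping so that one syslog line stays short regardless of passwd contents. allowed_user() begins before this hunk and continues past it.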
@@ -85,8 +91,11 @@
 	if (options.num_deny_users > 0) {
 		for (i = 0; i < options.num_deny_users; i++)
 			if (match_user(pw->pw_name, hostname, ipaddr,
-			    options.deny_users[i]))
+			    options.deny_users[i])) {
+				log("User %.100s not allowed because listed in DenyUsers",
+					pw->pw_name);
 				return 0;
+			}
 	}
 	/* Return false if AllowUsers isn't empty and user isn't listed there */
 	if (options.num_allow_users > 0) {
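Review bot: The DenyUsers message says only that the user is listed, not which entry matched, which is what an administrator reading the log needs once patterns carry host or address parts; the matching entry is already in hand, so `log("User %.100s not allowed because listed in DenyUsers (%.100s)", pw->pw_name, options.deny_users[i]);` costs nothing. If ipaddr, which match_user() receives here, is the remote address, adding it as well would let these refusals be correlated with the connection log. The for loop keeps an unbraced body while the inner if gains braces; bracing the loop body too would make the nesting easier to read. The loop and the enclosing if open before this hunk.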
@@ -95,19 +104,27 @@
 			    options.allow_users[i]))
 				break;
 		/* i < options.num_allow_users iff we break for loop */
-		if (i >= options.num_allow_users)
+		if (i >= options.num_allow_users) {
+			log("User %.100s not allowed because not listed in AllowUsers",
+				pw->pw_name);
 			return 0;
+		}
 	}
 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 		/* Get the user's group access list (primary and supplementary) */
-		if (ga_init(pw->pw_name, pw->pw_gid) == 0)
+		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+			log("User %.100s not allowed because not in any group",
+				pw->pw_name);
 			return 0;
+		}
 
 		/* Return false if one of user's groups is listed in DenyGroups */
 		if (options.num_deny_groups > 0)
 			if (ga_match(options.deny_groups,
 			    options.num_deny_groups)) {
 				ga_free();
+				log("User %.100s not allowed because a group is listed in DenyGroups",
+					pw->pw_name);
 				return 0;
 			}
 		/*
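Review bot: The "not in any group" message is emitted whenever ga_init() returns 0, but this hunk does not show whether 0 also covers a failed group lookup; if it does, the wording blames the account for what may be an NSS or database error, and `log("User %.100s not allowed because group lookup returned no groups", pw->pw_name);` would be accurate in both cases — confirm against ga_init(). The AllowUsers message could also name the peer, since hostname and ipaddr are set in this block, for the same correlation reason as the DenyUsers one. The AllowUsers for loop and the surrounding if begin before this hunk.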
@@ -118,6 +135,8 @@
 			if (!ga_match(options.allow_groups,
 			    options.num_allow_groups)) {
 				ga_free();
+				log("User %.100s not allowed because none of user's group are listed in AllowGroups",
+					pw->pw_name);
 				return 0;
 			}
 		ga_free();
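Review bot: The AllowGroups message reads "none of user's group are listed", which is ungrammatical, and the line is far wider than any other line this patch adds; `log("User %.100s not allowed because none of user's groups are listed in AllowGroups",` fixes the wording, and splitting the literal into two adjacent string pieces keeps the line within the file's width. The enclosing `if (options.num_allow_groups > 0)` and the `if (!ga_match(...))` it guards start before the hunk.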
-------------- next part --------------
--- auth.c.N	Fri Oct 12 15:54:56 2001
+++ auth.c	Fri Oct 12 15:56:50 2001
@@ -87,14 +87,20 @@
 		int days = time(NULL) / 86400;
 
 		/* Check account expiry */
-		if ((spw->sp_expire >= 0) && (days > spw->sp_expire))
+		if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) {
+			log("User %.100s not allowed because account expired",
+				pw->pw_name);
 			return 0;
+		}
 
 		/* Check password expiry */
 		if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
 		    (days > (spw->sp_lstchg + spw->sp_max))) {
-			if ((pw->pw_uid == 0))
+			if ((pw->pw_uid == 0)) {
+				log("User %.100s not allowed because password expired",
+					pw->pw_name);
 				return 0;
+			}
 
 			forced_passwd_change = 1;
 		}
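Review bot: The root-only refusal logs "password expired", but a non-root user with an equally expired password is admitted with forced_passwd_change set a few lines below, so the message hides the actual reason root is treated differently; `log("User %.100s not allowed because password expired and root cannot be forced to change it",` would make the log self-explaining. The touched condition keeps the redundant double parentheses of the original; `if (pw->pw_uid == 0) {` is enough. The shadow-password block these checks sit in, including spw and the days value computed at the top of the hunk, opens before the hunk.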

