[PATCH] Class-imposed login restrictions
Ed Maste
emaste at FreeBSD.org
Sun Nov 6 05:39:34 AEDT 2022
From: Yuichiro Naito <naito.yuichiro at gmail.com>
If the following functions are available,
add an additional check if users are allowed to login imposed by login class.
* auth_hostok(3)
* auth_timeok(3)
These functions are implemented on FreeBSD.
---
>From GitHub pull request https://github.com/openssh/openssh-portable/pull/262
auth.c | 18 ++++++++++++++++++
configure.ac | 2 ++
2 files changed, 20 insertions(+)
diff --git a/auth.c b/auth.c
index 13e8d7998..da0af66d4 100644
--- a/auth.c
+++ b/auth.c
@@ -465,6 +465,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
{
#ifdef HAVE_LOGIN_CAP
extern login_cap_t *lc;
+#ifdef HAVE_AUTH_HOSTOK
+ const char *from_host, *from_ip;
+#endif
#ifdef BSD_AUTH
auth_session_t *as;
#endif
@@ -510,6 +513,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
debug("unable to get login class: %s", user);
return (NULL);
}
+#ifdef HAVE_AUTH_HOSTOK
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ debug("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_HOSTOK */
+#ifdef HAVE_AUTH_TIMEOK
+ if (!auth_timeok(lc, time(NULL))) {
+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_TIMEOK */
#ifdef BSD_AUTH
if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
diff --git a/configure.ac b/configure.ac
index 1e77ecfc3..365a60969 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1839,6 +1839,8 @@ AC_SUBST([PICFLAG])
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
+ auth_hostok \
+ auth_timeok \
Blowfish_initstate \
Blowfish_expandstate \
Blowfish_expand0state \
--
2.37.2
More information about the openssh-unix-dev
mailing list