summaryrefslogtreecommitdiff
path: root/openbsd-compat
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2004-06-23 13:45:24 +1000
committerDarren Tucker <dtucker@zip.com.au>2004-06-23 13:45:24 +1000
commit0a9d43d7264ff0a74c4f9493be238e35ef04c952 (patch)
tree5734ef5253ba9f4dac817c7987a00671c77d9fc6 /openbsd-compat
parentef8f8af86c3df4d769892baeca5d18a7a8599908 (diff)
- (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
Move loginrestrictions test to port-aix.c, replace with a generic hook.
Diffstat (limited to 'openbsd-compat')
-rw-r--r--openbsd-compat/port-aix.c46
-rw-r--r--openbsd-compat/port-aix.h4
2 files changed, 48 insertions, 2 deletions
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 5ba6819d..bf7e9865 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
return authsuccess;
}
-
+
+/*
+ * Check if specified account is permitted to log in.
+ * Returns 1 if login is allowed, 0 if not allowed.
+ */
+int
+sys_auth_allowed_user(struct passwd *pw)
+{
+ char *msg = NULL;
+ int result, permitted = 0;
+ struct stat st;
+
+ /*
+ * Don't perform checks for root account (PermitRootLogin controls
+ * logins via * ssh) or if running as non-root user (since
+ * loginrestrictions will always fail due to insufficient privilege).
+ */
+ if (pw->pw_uid == 0 || geteuid() != 0) {
+ debug3("%s: not checking");
+ return 1;
+ }
+
+ result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+ if (result == 0)
+ permitted = 1;
+ /*
+ * If restricted because /etc/nologin exists, the login will be denied
+ * in session.c after the nologin message is sent, so allow for now
+ * and do not append the returned message.
+ */
+ if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
+ permitted = 1;
+ else if (msg != NULL)
+ buffer_append(&loginmsg, msg, strlen(msg));
+ if (msg == NULL)
+ msg = xstrdup("(none)");
+ aix_remove_embedded_newlines(msg);
+ debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
+
+ if (!permitted)
+ logit("Login restricted for %s: %.100s", pw->pw_name, msg);
+ xfree(msg);
+ return permitted;
+}
+
# ifdef CUSTOM_FAILED_LOGIN
/*
* record_failed_login: generic "login failed" interface function
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 3118af9a..3b82652d 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.20 2004/06/23 03:45:24 dtucker Exp $ */
/*
*
@@ -63,6 +63,8 @@ void aix_usrinfo(struct passwd *);
#ifdef WITH_AIXAUTHENTICATE
# define CUSTOM_SYS_AUTH_PASSWD 1
+# define CUSTOM_SYS_AUTH_ALLOWED_USER 1
+int sys_auth_allowed_user(struct passwd *);
# define CUSTOM_FAILED_LOGIN 1
void record_failed_login(const char *, const char *);
#endif