
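--- a/acconfig.h
+++ b/acconfig.h
@@ -374,6 +374,11 @@
 /* Some systems put this outside of libc */
 #undef HAVE_NANOSLEEP
 
+/* Strings used in /etc/passwd to denote locked account */
+#undef LOCKED_PASSWD_STRING
+#undef LOCKED_PASSWD_PREFIX
+#undef LOCKED_PASSWD_SUBSTR
+
 /* Pushing STREAMS modules incorrectly acquires a controlling TTY */
 #undef STREAMS_PUSH_ACQUIRES_CTTY
 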
(-)auth.c (-7 / +41 lines)
Lines 72-97 Link Here
72
allowed_user(struct passwd * pw)
72
allowed_user(struct passwd * pw)
73
{
73
{
74
	struct stat st;
74
	struct stat st;
75
	const char *hostname = NULL, *ipaddr = NULL;
75
	const char *hostname = NULL, *ipaddr = NULL, *passwd;
76
	char *shell;
76
	char *shell;
77
	int i;
77
	int i;
78
#ifdef WITH_AIXAUTHENTICATE
78
#ifdef WITH_AIXAUTHENTICATE
79
	char *loginmsg;
79
	char *loginmsg;
80
#endif /* WITH_AIXAUTHENTICATE */
80
#endif /* WITH_AIXAUTHENTICATE */
81
#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
81
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
82
    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
83
	struct spwd *spw;
82
	struct spwd *spw;
84
	time_t today;
85
#endif
83
#endif
86
84
87
	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
85
	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
88
	if (!pw || !pw->pw_name)
86
	if (!pw || !pw->pw_name)
89
		return 0;
87
		return 0;
90
88
91
#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
89
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
92
    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
90
	spw = getspnam(pw->pw_name);
91
#if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE)
93
#define	DAY		(24L * 60 * 60) /* 1 day in seconds */
92
#define	DAY		(24L * 60 * 60) /* 1 day in seconds */
94
	if ((spw = getspnam(pw->pw_name)) != NULL) {
93
	if (spw != NULL) {
94
		time_t today;
95
95
		today = time(NULL) / DAY;
96
		today = time(NULL) / DAY;
96
		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
97
		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
97
		    " sp_max %d", (int)today, (int)spw->sp_expire,
98
		    " sp_max %d", (int)today, (int)spw->sp_expire,
Lines 119-125 Link Here
119
			return 0;
120
			return 0;
120
		}
121
		}
121
	}
122
	}
123
#endif /* !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) */
124
#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
125
126
    	/* grab passwd field for locked account check */
127
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
128
	if (spw != NULL)
129
		passwd = spw->sp_pwdp;
130
#else
131
	passwd = pw->pw_passwd;
132
#endif
133
134
	/* check for locked account */ 
135
	if (passwd && *passwd) {
136
		int locked = 0;
137
138
#ifdef LOCKED_PASSWD_STRING
139
		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
140
			 locked = 1;
141
#endif
142
#ifdef LOCKED_PASSWD_PREFIX
143
		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
144
		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
145
			 locked = 1;
122
#endif
146
#endif
147
#ifdef LOCKED_PASSWD_SUBSTR
148
		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
149
			locked = 1;
150
#endif
151
		if (locked) {
152
			log("User %.100s not allowed because account is locked",
153
			    pw->pw_name);
154
			return 0;
155
		}
156
	}
123
157
124
	/*
158
	/*
125
	 * Get the shell from the password data.  An empty shell field is
159
	 * Get the shell from the password data.  An empty shell field is
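Review bot: In the second hunk `passwd` can be read while indeterminate: under `HAVE_SHADOW_H && !DISABLE_SHADOW` it is only assigned when `spw != NULL`, and the new declaration in the first hunk (`*passwd` on line 75) carries no initializer, so when `getspnam()` returns NULL (e.g. sshd cannot read the shadow file) `if (passwd && *passwd)` tests an uninitialized pointer — undefined behaviour that in practice is either a crash or a lock check that is silently skipped. Either initialize it at the declaration, `const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;`, or better, fall back to the passwd-file field so the check still runs: `if (spw != NULL) passwd = spw->sp_pwdp; else passwd = pw->pw_passwd;`. The fallback also keeps this branch consistent with the `#else` path, which already uses `pw->pw_passwd`. allowed_user() begins before the first hunk and continues past the second.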
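--- a/configure.ac
+++ b/configure.ac
@@ -126,6 +126,7 @@
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	LIBS="$LIBS -lsec -lsecpw"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	disable_ptmx_check=yes
@@ -142,6 +143,7 @@
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@@ -155,6 +157,7 @@
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@@ -164,6 +167,7 @@
 	PATH="$PATH:/usr/etc"
 	AC_DEFINE(BROKEN_INET_NTOA)
 	AC_DEFINE(WITH_ABBREV_NO_TTY)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	;;
 *-*-irix6*)
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -175,6 +179,7 @@
 	AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
 	AC_DEFINE(BROKEN_INET_NTOA)
 	AC_DEFINE(WITH_ABBREV_NO_TTY)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	;;
 *-*-linux*)
 	no_dev_ptmx=1
@@ -183,6 +188,7 @@
 	AC_DEFINE(PAM_TTY_KLUDGE)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
 	AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
+	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
 	inet6_default_4in6=yes
 	;;
 mips-sony-bsd|mips-sony-newsos4)
@@ -216,6 +222,7 @@
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(LOGIN_NEEDS_TERM)
 	AC_DEFINE(PAM_TTY_KLUDGE)
+	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	AC_DEFINE(STREAMS_PUSH_ACQUIRES_CTTY)
 	# hardwire lastlog location (can't detect it on some versions)
 	conf_lastlog_location="/var/adm/lastlog"
@@ -337,6 +344,7 @@
 		fi
 	fi
 	AC_DEFINE(DISABLE_FD_PASSING)
+	AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
 	;;
 
 *-*-nto-qnx)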
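--- a/sshd.8
+++ b/sshd.8
@@ -114,6 +114,29 @@
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible.  An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&.  The definition of a locked account is system dependant. Some platforms
+have their own account database (eg AIX) and some modify the passwd field (
+.Ql \&*LK\&*
+on Solaris,
+.Ql \&*
+on HP-UX, containing
+.Ql Nologin
+on Tru64 and a leading
+.Ql \&!!
+on Linux).  If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
 Rhosts authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.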
