

(-)acconfig.h (+5 lines)
Lines 398-403 Link Here
398
/* Define if cmsg_type is not passed correctly */
398
/* Define if cmsg_type is not passed correctly */
399
#undef BROKEN_CMSG_TYPE
399
#undef BROKEN_CMSG_TYPE
400
400
401
/* Strings used in /etc/passwd to denote locked account */
402
#undef LOCKED_PASSWD_STRING
403
#undef LOCKED_PASSWD_PREFIX
404
#undef LOCKED_PASSWD_SUBSTR
405
401
/* Define if DNS support is to be activated */
406
/* Define if DNS support is to be activated */
402
#undef DNS
407
#undef DNS
403
408
(-)auth.c (-8 / +43 lines)
Lines 73-95 int Link Here
73
allowed_user(struct passwd * pw)
73
allowed_user(struct passwd * pw)
74
{
74
{
75
	struct stat st;
75
	struct stat st;
76
	const char *hostname = NULL, *ipaddr = NULL;
76
	const char *hostname = NULL, *ipaddr = NULL, *passwd;
77
	char *shell;
77
	char *shell;
78
	int i;
78
	int i;
79
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
79
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
80
    defined(HAS_SHADOW_EXPIRE)
80
	struct spwd *spw = NULL;
81
	struct spwd *spw;
82
	time_t today;
83
#endif
81
#endif
84
82
85
	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
83
	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
86
	if (!pw || !pw->pw_name)
84
	if (!pw || !pw->pw_name)
87
		return 0;
85
		return 0;
88
86
89
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
87
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
90
    defined(HAS_SHADOW_EXPIRE)
88
	if (!options.use_pam)
89
		spw = getspnam(pw->pw_name);
90
#ifdef HAS_SHADOW_EXPIRE
91
#define	DAY		(24L * 60 * 60) /* 1 day in seconds */
91
#define	DAY		(24L * 60 * 60) /* 1 day in seconds */
92
	if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) {
92
	if (!options.use_pam && spw != NULL) {
93
		time_t today;
94
93
		today = time(NULL) / DAY;
95
		today = time(NULL) / DAY;
94
		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
96
		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
95
		    " sp_max %d", (int)today, (int)spw->sp_expire,
97
		    " sp_max %d", (int)today, (int)spw->sp_expire,
Lines 117-123 allowed_user(struct passwd * pw) Link Here
117
			return 0;
119
			return 0;
118
		}
120
		}
119
	}
121
	}
122
#endif /* !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) */
123
#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
124
125
    	/* grab passwd field for locked account check */
126
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
127
	if (spw != NULL)
128
		passwd = spw->sp_pwdp;
129
#else
130
	passwd = pw->pw_passwd;
131
#endif
132
133
	/* check for locked account */ 
134
	if (passwd && *passwd) {
135
		int locked = 0;
136
137
#ifdef LOCKED_PASSWD_STRING
138
		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
139
			 locked = 1;
140
#endif
141
#ifdef LOCKED_PASSWD_PREFIX
142
		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
143
		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
144
			 locked = 1;
120
#endif
145
#endif
146
#ifdef LOCKED_PASSWD_SUBSTR
147
		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
148
			locked = 1;
149
#endif
150
		if (locked) {
151
			logit("User %.100s not allowed because account is locked",
152
			    pw->pw_name);
153
			return 0;
154
		}
155
	}
121
156
122
	/*
157
	/*
123
	 * Get the shell from the password data.  An empty shell field is
158
	 * Get the shell from the password data.  An empty shell field is
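Review bot: `passwd` is declared without an initializer on the new line 76 (`*passwd;`) yet in a `HAVE_SHADOW_H` build it is only assigned when `spw != NULL`, so whenever `getspnam()` was skipped because `options.use_pam` is set, or returned NULL for this user, the later `if (passwd && *passwd)` reads an indeterminate pointer — undefined behaviour that can crash sshd or make the locked-account decision depend on stack contents. Initialise it at the declaration, `const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;`, which turns the check into a no-op in those cases; if the check should still run when the shadow entry is unavailable, assigning `passwd = pw->pw_passwd;` before the `#if` block as a default is the alternative, though on shadow systems that field is usually a placeholder, so its value is limited and worth confirming per platform. The comment on the new `#endif` at line 122, `/* !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) */`, does not describe the `#ifdef HAS_SHADOW_EXPIRE` it appears to close; `#endif /* HAS_SHADOW_EXPIRE */` would be accurate. `allowed_user()` starts (its `int` return type) and ends outside this section.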
(-)configure.ac (+8 lines)
Lines 141-146 main() { if (NSVersionOfRunTimeLibrary(" Link Here
141
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
141
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
142
	AC_DEFINE(DISABLE_SHADOW)
142
	AC_DEFINE(DISABLE_SHADOW)
143
	AC_DEFINE(DISABLE_UTMP)
143
	AC_DEFINE(DISABLE_UTMP)
144
	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
144
	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
145
	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
145
	LIBS="$LIBS -lsec -lsecpw"
146
	LIBS="$LIBS -lsec -lsecpw"
146
	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
147
	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
Lines 157-162 main() { if (NSVersionOfRunTimeLibrary(" Link Here
157
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
158
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
158
	AC_DEFINE(DISABLE_SHADOW)
159
	AC_DEFINE(DISABLE_SHADOW)
159
	AC_DEFINE(DISABLE_UTMP)
160
	AC_DEFINE(DISABLE_UTMP)
161
	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
160
	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
162
	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
161
	LIBS="$LIBS -lsec"
163
	LIBS="$LIBS -lsec"
162
	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
164
	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
Lines 170-175 main() { if (NSVersionOfRunTimeLibrary(" Link Here
170
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
172
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
171
	AC_DEFINE(DISABLE_SHADOW)
173
	AC_DEFINE(DISABLE_SHADOW)
172
	AC_DEFINE(DISABLE_UTMP)
174
	AC_DEFINE(DISABLE_UTMP)
175
	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
173
	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
176
	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
174
	LIBS="$LIBS -lsec"
177
	LIBS="$LIBS -lsec"
175
	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
178
	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
Lines 180-185 main() { if (NSVersionOfRunTimeLibrary(" Link Here
180
	PATH="$PATH:/usr/etc"
183
	PATH="$PATH:/usr/etc"
181
	AC_DEFINE(BROKEN_INET_NTOA)
184
	AC_DEFINE(BROKEN_INET_NTOA)
182
	AC_DEFINE(WITH_ABBREV_NO_TTY)
185
	AC_DEFINE(WITH_ABBREV_NO_TTY)
186
	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
183
	;;
187
	;;
184
*-*-irix6*)
188
*-*-irix6*)
185
	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
189
	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
Lines 191-196 main() { if (NSVersionOfRunTimeLibrary(" Link Here
191
	AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
195
	AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
192
	AC_DEFINE(BROKEN_INET_NTOA)
196
	AC_DEFINE(BROKEN_INET_NTOA)
193
	AC_DEFINE(WITH_ABBREV_NO_TTY)
197
	AC_DEFINE(WITH_ABBREV_NO_TTY)
198
	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
194
	;;
199
	;;
195
*-*-linux*)
200
*-*-linux*)
196
	no_dev_ptmx=1
201
	no_dev_ptmx=1
Lines 198-203 main() { if (NSVersionOfRunTimeLibrary(" Link Here
198
	check_for_openpty_ctty_bug=1
203
	check_for_openpty_ctty_bug=1
199
	AC_DEFINE(DONT_TRY_OTHER_AF)
204
	AC_DEFINE(DONT_TRY_OTHER_AF)
200
	AC_DEFINE(PAM_TTY_KLUDGE)
205
	AC_DEFINE(PAM_TTY_KLUDGE)
206
	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
201
	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
207
	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
202
	inet6_default_4in6=yes
208
	inet6_default_4in6=yes
203
	case `uname -r` in
209
	case `uname -r` in
Lines 237-242 mips-sony-bsd|mips-sony-newsos4) Link Here
237
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
243
	AC_DEFINE(LOGIN_NEEDS_UTMPX)
238
	AC_DEFINE(LOGIN_NEEDS_TERM)
244
	AC_DEFINE(LOGIN_NEEDS_TERM)
239
	AC_DEFINE(PAM_TTY_KLUDGE)
245
	AC_DEFINE(PAM_TTY_KLUDGE)
246
	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
240
	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
247
	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
241
	AC_DEFINE(SSHD_ACQUIRES_CTTY)
248
	AC_DEFINE(SSHD_ACQUIRES_CTTY)
242
	# hardwire lastlog location (can't detect it on some versions)
249
	# hardwire lastlog location (can't detect it on some versions)
Lines 362-367 mips-sony-bsd|mips-sony-newsos4) Link Here
362
		fi
369
		fi
363
	fi
370
	fi
364
	AC_DEFINE(DISABLE_FD_PASSING)
371
	AC_DEFINE(DISABLE_FD_PASSING)
372
	AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
365
	;;
373
	;;
366
374
367
*-*-nto-qnx)
375
*-*-nto-qnx)
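Review bot: The Linux setting `AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")` at new line 206 only recognises the `!!` placeholder of an account that never had a password; on common Linux systems `passwd -l` and `usermod -L` lock an account by prepending a single `!` to the existing hash (e.g. `!$1$...`), which this prefix does not match, so such accounts would still be admitted via public-key authentication. `AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")` covers both forms, and the `!!` example added to sshd.8 in this patch would then need to say `!` instead. The Solaris value `LOCKED_PASSWD_STRING, "*LK*"` at new line 246 is an exact match; if the target release's `passwd -l` prepends `*LK*` to the existing hash rather than replacing it, that should be `LOCKED_PASSWD_PREFIX` as well — worth checking against the platforms you support before relying on it.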
(-)sshd.8 (+23 lines)
Lines 114-119 authentication combined with RSA host Link Here
114
authentication, RSA challenge-response authentication, or password
114
authentication, RSA challenge-response authentication, or password
115
based authentication.
115
based authentication.
116
.Pp
116
.Pp
117
Regardless of the authentication type, the account is checked to
118
ensure that it is accessible.  An account is not accessible if it is
119
locked, listed in
120
.Cm DenyUsers
121
or its group is listed in
122
.Cm DenyGroups
123
\&.  The definition of a locked account is system dependant. Some platforms
124
have their own account database (eg AIX) and some modify the passwd field (
125
.Ql \&*LK\&*
126
on Solaris,
127
.Ql \&*
128
on HP-UX, containing
129
.Ql Nologin
130
on Tru64 and a leading
131
.Ql \&!!
132
on Linux).  If there is a requirement to disable password authentication
133
for the account while allowing still public-key, then the passwd field
134
should be set to something other than these values (eg
135
.Ql NP
136
or
137
.Ql \&*NP\&*
138
).
139
.Pp
117
Rhosts authentication is normally disabled
140
Rhosts authentication is normally disabled
118
because it is fundamentally insecure, but can be enabled in the server
141
because it is fundamentally insecure, but can be enabled in the server
119
configuration file if desired.
142
configuration file if desired.
