From: Yuichiro Naito <naito.yuichiro@xxxxxxxxx>

If the following functions are available, add an additional check if users are allowed to login imposed by login class.
* auth_hostok(3)
* auth_timeok(3)
These functions are implemented on FreeBSD.
---
>From GitHub pull request https://github.com/openssh/openssh-portable/pull/262
auth.c | 18 ++++++++++++++++++
configure.ac | 2 ++
2 files changed, 20 insertions(+)

diff --git a/auth.c b/auth.c
index 13e8d7998..da0af66d4 100644
--- a/auth.c
+++ b/auth.c
@@ -465,6 +465,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
 {
 #ifdef HAVE_LOGIN_CAP
 extern login_cap_t *lc;
+#ifdef HAVE_AUTH_HOSTOK
+ const char *from_host, *from_ip;
+#endif
 #ifdef BSD_AUTH
 auth_session_t *as;
 #endif
@@ -510,6 +513,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
 debug("unable to get login class: %s", user);
 return (NULL);
 }
+#ifdef HAVE_AUTH_HOSTOK
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ debug("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_HOSTOK */
+#ifdef HAVE_AUTH_TIMEOK
+ if (!auth_timeok(lc, time(NULL))) {
+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_TIMEOK */
 #ifdef BSD_AUTH
 if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
 auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
diff --git a/configure.ac b/configure.ac
index 1e77ecfc3..365a60969 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1839,6 +1839,8 @@ AC_SUBST([PICFLAG])
 
 dnl Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
+ auth_hostok \
+ auth_timeok \
 Blowfish_initstate \
 Blowfish_expandstate \
 Blowfish_expand0state \
--
2.37.2

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
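Review bot: Both refusals in the second auth.c hunk are reported only with `debug()`, so under the default LogLevel an administrator gets no record that a login was denied by the class's host.allow/host.deny or times.allow/times.deny settings, although FreeBSD's own login(1) syslogs the same refusals. The neighbouring "unable to get login class" message is also debug-level, so this follows local style, but a policy denial is audit-relevant and I would use `logit("Denied connection for %.200s from %.200s [%.200s].", pw->pw_name, from_host, from_ip);` and `logit("LOGIN %.200s REFUSED (TIME)", pw->pw_name);`. A second caveat deserves a comment above the auth_hostok() call: `from_host` is whatever `auth_get_canonical_hostname(ssh, options.use_dns)` returns, so with UseDNS off it is the address string and hostname patterns in the login class can never match, e.g. `/* NOTE: with UseDNS off, from_host is the remote address, so only address-form host.allow/host.deny entries can match */`. `time(NULL)` also presumes auth.c already includes <time.h>, which I cannot confirm from the hunk. getpwnamallow() begins before and continues after these hunks.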