Mercurial > dropbear
comparison svr-auth.c @ 1534:ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
| author | stellarpower <stellarpower@googlemail.com> |
|---|---|
| date | Tue, 20 Feb 2018 02:11:55 +0000 |
| parents | 06d52bcb8094 |
| children | 6a83b1944432 |
comparison
equal
deleted
inserted
replaced
| 1522:47fcbdd12d9b | 1534:ed930fd6f60f |
|---|---|
| 23 * SOFTWARE. */ | 23 * SOFTWARE. */ |
| 24 | 24 |
| 25 /* This file (auth.c) handles authentication requests, passing it to the | 25 /* This file (auth.c) handles authentication requests, passing it to the |
| 26 * particular type (auth-passwd, auth-pubkey). */ | 26 * particular type (auth-passwd, auth-pubkey). */ |
| 27 | 27 |
| 28 #include <limits.h> | |
| 29 | |
| 28 #include "includes.h" | 30 #include "includes.h" |
| 29 #include "dbutil.h" | 31 #include "dbutil.h" |
| 30 #include "session.h" | 32 #include "session.h" |
| 31 #include "buffer.h" | 33 #include "buffer.h" |
| 32 #include "ssh.h" | 34 #include "ssh.h" |
| 230 static int checkusername(char *username, unsigned int userlen) { | 232 static int checkusername(char *username, unsigned int userlen) { |
| 231 | 233 |
| 232 char* listshell = NULL; | 234 char* listshell = NULL; |
| 233 char* usershell = NULL; | 235 char* usershell = NULL; |
| 234 uid_t uid; | 236 uid_t uid; |
| 237 int ngroups = 32, ret; | |
| 238 gid_t *grouplist; | |
| 239 | |
| 240 | |
| 235 TRACE(("enter checkusername")) | 241 TRACE(("enter checkusername")) |
| 236 if (userlen > MAX_USERNAME_LEN) { | 242 if (userlen > MAX_USERNAME_LEN) { |
| 237 return DROPBEAR_FAILURE; | 243 return DROPBEAR_FAILURE; |
| 238 } | 244 } |
| 239 | 245 |
| 276 TRACE(("leave checkusername: root login disabled")) | 282 TRACE(("leave checkusername: root login disabled")) |
| 277 dropbear_log(LOG_WARNING, "root login rejected"); | 283 dropbear_log(LOG_WARNING, "root login rejected"); |
| 278 return DROPBEAR_FAILURE; | 284 return DROPBEAR_FAILURE; |
| 279 } | 285 } |
| 280 | 286 |
| 287 /* check for login restricted to certain group if desired */ | |
| 288 if (svr_opts.grouploginid) { | |
| 289 | |
| 290 for ( ; (ngroups <= NGROUPS_MAX) && (ngroups <= INT_MAX / 8); ngroups *= 2){ | |
| 291 | |
| 292 grouplist = malloc(sizeof(gid_t) * ngroups); | |
| 293 | |
| 294 ret = getgrouplist(ses.authstate.pw_name, ses.authstate.pw_gid, grouplist, &ngroups); | |
| 295 | |
| 296 if (ret != -1){ | |
| 297 break; | |
| 298 } | |
| 299 | |
| 300 free(grouplist); | |
| 301 ngroups *= 2; | |
| 302 } | |
| 303 | |
| 304 if ((ngroups > NGROUPS_MAX / 8) || (ngroups > INT_MAX / 8)){ | |
| 305 | |
| 306 TRACE(("Cannot walk group structure for current user, too many groups")) | |
| 307 dropbear_log(LOG_ERR, "Cannot walk group structure for current user, too many groups"); | |
| 308 return DROPBEAR_FAILURE; | |
| 309 } | |
| 310 | |
| 311 ngroups = 0; | |
| 312 for (int i = 0; i < ret; i++){ | |
| 313 if (grouplist[i] == *svr_opts.grouploginid){ | |
| 314 ngroups = 1; //Just used as a flag to indicate success; | |
| 315 break; | |
| 316 } | |
| 317 | |
| 318 } | |
| 319 | |
| 320 if (!ngroups){ | |
| 321 TRACE(("leave checkusername: user not in permitted group")) | |
| 322 dropbear_log(LOG_WARNING, "logins are restricted to the group %s but user %s is not a member", svr_opts.grouploginname, ses.authstate.pw_name); | |
| 323 return DROPBEAR_FAILURE; | |
| 324 } | |
| 325 } | |
| 326 | |
| 281 TRACE(("shell is %s", ses.authstate.pw_shell)) | 327 TRACE(("shell is %s", ses.authstate.pw_shell)) |
| 282 | 328 |
| 283 /* check that the shell is set */ | 329 /* check that the shell is set */ |
| 284 usershell = ses.authstate.pw_shell; | 330 usershell = ses.authstate.pw_shell; |
| 285 if (usershell[0] == '\0') { | 331 if (usershell[0] == '\0') { |