comparison svr-auth.c @ 1534:ed930fd6f60f

Added the -G option to allow logins only for users that are members of a certain group. This allows finer control over who can and cannot log in to a given instance (e.g. one that accepts passwords rather than keys). Needs double-checking and ensuring it meets platform requirements.
author stellarpower <stellarpower@googlemail.com>
date Tue, 20 Feb 2018 02:11:55 +0000
parents 06d52bcb8094
children 6a83b1944432
1522:47fcbdd12d9b 1534:ed930fd6f60f
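--- a/svr-auth.c
+++ b/svr-auth.c
@@ -23,10 +23,12 @@
 * SOFTWARE. */
 
 /* This file (auth.c) handles authentication requests, passing it to the
 * particular type (auth-passwd, auth-pubkey). */
 
+#include <limits.h>
+
 #include "includes.h"
 #include "dbutil.h"
 #include "session.h"
 #include "buffer.h"
 #include "ssh.h"
@@ -230,10 +232,14 @@
 static int checkusername(char *username, unsigned int userlen) {
 
 char* listshell = NULL;
 char* usershell = NULL;
 uid_t uid;
+int ngroups = 32, ret;
+gid_t *grouplist;
+
+
 TRACE(("enter checkusername"))
 if (userlen > MAX_USERNAME_LEN) {
 return DROPBEAR_FAILURE;
 }
 
@@ -276,10 +282,50 @@
 TRACE(("leave checkusername: root login disabled"))
 dropbear_log(LOG_WARNING, "root login rejected");
 return DROPBEAR_FAILURE;
 }
 
+/* check for login restricted to certain group if desired */
+if (svr_opts.grouploginid) {
+
+for ( ; (ngroups <= NGROUPS_MAX) && (ngroups <= INT_MAX / 8); ngroups *= 2){
+
+grouplist = malloc(sizeof(gid_t) * ngroups);
+
+ret = getgrouplist(ses.authstate.pw_name, ses.authstate.pw_gid, grouplist, &ngroups);
+
+if (ret != -1){
+break;
+}
+
+free(grouplist);
+ngroups *= 2;
+}
+
+if ((ngroups > NGROUPS_MAX / 8) || (ngroups > INT_MAX / 8)){
+
+TRACE(("Cannot walk group structure for current user, too many groups"))
+dropbear_log(LOG_ERR, "Cannot walk group structure for current user, too many groups");
+return DROPBEAR_FAILURE;
+}
+
+ngroups = 0;
+for (int i = 0; i < ret; i++){
+if (grouplist[i] == *svr_opts.grouploginid){
+ngroups = 1; //Just used as a flag to indicate success;
+break;
+}
+
+}
+
+if (!ngroups){
+TRACE(("leave checkusername: user not in permitted group"))
+dropbear_log(LOG_WARNING, "logins are restricted to the group %s but user %s is not a member", svr_opts.grouploginname, ses.authstate.pw_name);
+return DROPBEAR_FAILURE;
+}
+}
+
 TRACE(("shell is %s", ses.authstate.pw_shell))
 
 /* check that the shell is set */
 usershell = ses.authstate.pw_shell;
 if (usershell[0] == '\0') {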
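Review bot: The membership scan at new line 312 bounds on `ret`, but getgrouplist() only returns the group count on glibc; on the BSDs and macOS it returns 0 on success and reports the count through the `ngroups` argument, so there the loop never runs and every user is rejected (fail-closed, but -G is unusable) — the platform concern the commit message itself raises. Line 311 then zeroes `ngroups` to reuse it as a flag, discarding the one portable count, and `grouplist` is never freed on either path after a successful lookup; line 301 also doubles `ngroups` a second time on top of the for-clause increment, and the `NGROUPS_MAX / 8` test at 304 does not match the loop's `NGROUPS_MAX` bound, so a user with more than NGROUPS_MAX/8 groups is rejected as "too many groups" even when the lookup succeeded. I would take the count from the getgrouplist() out-parameter via a separate variable, use an explicit `found` flag, and free the list before deciding, as below; the malloc() result is also unchecked, and the rest of dropbear appears to use its own allocation wrappers, which is worth matching. checkusername() starts and ends outside this hunk (the `ngroups`/`grouplist` declarations on new lines 237-238 are in the previous hunk).
```c
	/* check for login restricted to certain group if desired */
	if (svr_opts.grouploginid) {
		int count = 0, found = 0;

		for ( ; (ngroups <= NGROUPS_MAX) && (ngroups <= INT_MAX / 8); ngroups *= 2) {
			count = ngroups;
			grouplist = malloc(sizeof(gid_t) * ngroups);
			ret = getgrouplist(ses.authstate.pw_name, ses.authstate.pw_gid, grouplist, &count);
			if (ret != -1) {
				break;
			}
			free(grouplist);
			grouplist = NULL;
		}

		/* … unchanged: too-many-groups check, log and failure return … */

		/* count, not ret, is the portable member count: glibc returns the
		 * count from getgrouplist(), the BSDs return 0 on success. */
		for (int i = 0; i < count; i++) {
			if (grouplist[i] == *svr_opts.grouploginid) {
				found = 1;
				break;
			}
		}
		free(grouplist);

		if (!found) {
			/* … unchanged: TRACE, dropbear_log and failure return … */
		}
	}
```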