comparison svr-runopts.c @ 1534:ed930fd6f60f

Added the -G option to allow logins only for users that are members of a certain group. This allows finer control over who can and cannot log in to a given instance (e.g. one that accepts passwords rather than keys). Needs double-checking to ensure it meets platform requirements.
author stellarpower <stellarpower@googlemail.com>
date Tue, 20 Feb 2018 02:11:55 +0000
parents 2d450c1056e3
children b918ad1c5b25
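--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -28,10 +28,12 @@
 #include "buffer.h"
 #include "dbutil.h"
 #include "algo.h"
 #include "ecdsa.h"
 
+#include <grp.h>
+
 svr_runopts svr_opts; /* GLOBAL */
 
 static void printhelp(const char * progname);
 static void addportandaddress(const char* spec);
 static void loadhostkey(const char *keyfile, int fatal_duplicate);
@@ -66,10 +68,11 @@
 #endif
 #if DO_MOTD
 "-m Don't display the motd on login\n"
 #endif
 "-w Disallow root logins\n"
+"-G Restrict logins to members of specified group\n"
 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
 "-s Disable password logins\n"
 "-g Disable password logins for root\n"
 "-B Allow blank password logins\n"
 #endif
@@ -130,10 +133,12 @@
 svr_opts.bannerfile = NULL;
 svr_opts.banner = NULL;
 svr_opts.forced_command = NULL;
 svr_opts.forkbg = 1;
 svr_opts.norootlogin = 0;
+svr_opts.grouploginname = NULL;
+svr_opts.grouploginid = NULL;
 svr_opts.noauthpass = 0;
 svr_opts.norootpass = 0;
 svr_opts.allowblankpass = 0;
 svr_opts.maxauthtries = MAX_AUTH_TRIES;
 svr_opts.inetdmode = 0;
@@ -228,10 +233,15 @@
 break;
 #endif
 case 'w':
 svr_opts.norootlogin = 1;
 break;
+
+case 'G':
+next = &svr_opts.grouploginname;
+break;
+
 case 'W':
 next = &recv_window_arg;
 break;
 case 'K':
 next = &keepalive_arg;
@@ -329,10 +339,22 @@
 dropbear_exit("Error reading banner file '%s'",
 svr_opts.bannerfile);
 }
 buf_setpos(svr_opts.banner, 0);
 }
+
+if (svr_opts.grouploginname) {
+struct group *restrictedgroup = getgrnam(svr_opts.grouploginname);
+
+if (restrictedgroup){
+svr_opts.grouploginid = malloc(sizeof(gid_t));
+*svr_opts.grouploginid = restrictedgroup->gr_gid;
+} else {
+dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.grouploginname);
+}
+
+}
 
 if (recv_window_arg) {
 opts.recv_window = atol(recv_window_arg);
 if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW) {
 dropbear_exit("Bad recv window '%s'", recv_window_arg);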
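Review bot: The `malloc(sizeof(gid_t))` at new line 349 is unchecked, so an allocation failure dereferences NULL on the very next line instead of failing cleanly; use the project's checked allocator, `svr_opts.grouploginid = m_malloc(sizeof(gid_t));` (declared in dbutil.h, which this file already includes), or drop the heap allocation altogether by storing the gid by value and treating a non-NULL `grouploginname` as the "restriction enabled" flag. Resolving the group once at startup and exiting when it cannot be resolved is the right fail-closed behaviour, but `getgrnam()` also returns NULL on a lookup error with errno set, so the "does not exist" message can mislead when the name service is unavailable; setting `errno = 0` before the call and including `strerror(errno)` in the exit message when errno is non-zero would distinguish the two cases. Whether the enforcement point honours supplementary group membership (gr_mem or getgrouplist) rather than only the user's primary gid is not visible in this diff and should be confirmed where `grouploginid` is consumed. The enclosing function starts and ends outside this hunk.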