comparison svr-runopts.c @ 1534:ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control over who can and cannot log in to a particular instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
author | stellarpower <stellarpower@googlemail.com> |
---|---|
date | Tue, 20 Feb 2018 02:11:55 +0000 |
parents | 2d450c1056e3 |
children | b918ad1c5b25 |
1522:47fcbdd12d9b | 1534:ed930fd6f60f |
---|---|
28 #include "buffer.h" | 28 #include "buffer.h" |
29 #include "dbutil.h" | 29 #include "dbutil.h" |
30 #include "algo.h" | 30 #include "algo.h" |
31 #include "ecdsa.h" | 31 #include "ecdsa.h" |
32 | 32 |
33 #include <grp.h> | |
34 | |
33 svr_runopts svr_opts; /* GLOBAL */ | 35 svr_runopts svr_opts; /* GLOBAL */ |
34 | 36 |
35 static void printhelp(const char * progname); | 37 static void printhelp(const char * progname); |
36 static void addportandaddress(const char* spec); | 38 static void addportandaddress(const char* spec); |
37 static void loadhostkey(const char *keyfile, int fatal_duplicate); | 39 static void loadhostkey(const char *keyfile, int fatal_duplicate); |
66 #endif | 68 #endif |
67 #if DO_MOTD | 69 #if DO_MOTD |
68 "-m Don't display the motd on login\n" | 70 "-m Don't display the motd on login\n" |
69 #endif | 71 #endif |
70 "-w Disallow root logins\n" | 72 "-w Disallow root logins\n" |
73 "-G Restrict logins to members of specified group\n" | |
71 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH | 74 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH |
72 "-s Disable password logins\n" | 75 "-s Disable password logins\n" |
73 "-g Disable password logins for root\n" | 76 "-g Disable password logins for root\n" |
74 "-B Allow blank password logins\n" | 77 "-B Allow blank password logins\n" |
75 #endif | 78 #endif |
130 svr_opts.bannerfile = NULL; | 133 svr_opts.bannerfile = NULL; |
131 svr_opts.banner = NULL; | 134 svr_opts.banner = NULL; |
132 svr_opts.forced_command = NULL; | 135 svr_opts.forced_command = NULL; |
133 svr_opts.forkbg = 1; | 136 svr_opts.forkbg = 1; |
134 svr_opts.norootlogin = 0; | 137 svr_opts.norootlogin = 0; |
138 svr_opts.grouploginname = NULL; | |
139 svr_opts.grouploginid = NULL; | |
135 svr_opts.noauthpass = 0; | 140 svr_opts.noauthpass = 0; |
136 svr_opts.norootpass = 0; | 141 svr_opts.norootpass = 0; |
137 svr_opts.allowblankpass = 0; | 142 svr_opts.allowblankpass = 0; |
138 svr_opts.maxauthtries = MAX_AUTH_TRIES; | 143 svr_opts.maxauthtries = MAX_AUTH_TRIES; |
139 svr_opts.inetdmode = 0; | 144 svr_opts.inetdmode = 0; |
228 break; | 233 break; |
229 #endif | 234 #endif |
230 case 'w': | 235 case 'w': |
231 svr_opts.norootlogin = 1; | 236 svr_opts.norootlogin = 1; |
232 break; | 237 break; |
238 | |
239 case 'G': | |
240 next = &svr_opts.grouploginname; | |
241 break; | |
242 | |
233 case 'W': | 243 case 'W': |
234 next = &recv_window_arg; | 244 next = &recv_window_arg; |
235 break; | 245 break; |
236 case 'K': | 246 case 'K': |
237 next = &keepalive_arg; | 247 next = &keepalive_arg; |
329 dropbear_exit("Error reading banner file '%s'", | 339 dropbear_exit("Error reading banner file '%s'", |
330 svr_opts.bannerfile); | 340 svr_opts.bannerfile); |
331 } | 341 } |
332 buf_setpos(svr_opts.banner, 0); | 342 buf_setpos(svr_opts.banner, 0); |
333 } | 343 } |
344 | |
345 if (svr_opts.grouploginname) { | |
346 struct group *restrictedgroup = getgrnam(svr_opts.grouploginname); | |
347 | |
348 if (restrictedgroup){ | |
349 svr_opts.grouploginid = malloc(sizeof(gid_t)); | |
350 *svr_opts.grouploginid = restrictedgroup->gr_gid; | |
351 } else { | |
352 dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.grouploginname); | |
353 } | |
354 | |
355 } | |
334 | 356 |
335 if (recv_window_arg) { | 357 if (recv_window_arg) { |
336 opts.recv_window = atol(recv_window_arg); | 358 opts.recv_window = atol(recv_window_arg); |
337 if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW) { | 359 if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW) { |
338 dropbear_exit("Bad recv window '%s'", recv_window_arg); | 360 dropbear_exit("Bad recv window '%s'", recv_window_arg); |
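Review bot: The group lookup added at new lines 345–355 stores the gid behind an unchecked `malloc`, so a NULL return is dereferenced on the very next line; the rest of this module allocates through the dbutil wrappers (dbutil.h is included at line 29), so `svr_opts.grouploginid = m_malloc(sizeof(gid_t));` would follow the file's convention and its abort-on-failure policy. The pointer indirection also looks avoidable, since `grouploginname` already records whether the restriction is enabled and a plain `gid_t` member would do, but that is a change to svr_runopts outside this hunk. The `else` branch reports that the group does not exist, yet getgrnam() also returns NULL on a lookup error with errno set, so including the errno text or wording it as "could not be resolved" would make a broken NSS configuration easier to diagnose than a phantom missing group. The enforcement of the restriction is not in this file section, so whether a user whose groups cannot be resolved is refused or admitted cannot be judged from here; the enclosing option-parsing function also starts outside the hunk.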