diff svr-runopts.c @ 1534:ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control over who can and cannot log in through a particular instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
author | stellarpower <stellarpower@googlemail.com> |
---|---|
date | Tue, 20 Feb 2018 02:11:55 +0000 |
parents | 2d450c1056e3 |
children | b918ad1c5b25 |
--- a/svr-runopts.c Mon Feb 19 23:04:46 2018 +0800
+++ b/svr-runopts.c Tue Feb 20 02:11:55 2018 +0000
@@ -30,6 +30,8 @@
 #include "algo.h"
 #include "ecdsa.h"
+#include <grp.h>
+
 svr_runopts svr_opts; /* GLOBAL */
 static void printhelp(const char * progname);
@@ -68,6 +70,7 @@
 "-m Don't display the motd on login\n"
 #endif
 "-w Disallow root logins\n"
+ "-G Restrict logins to members of specified group\n"
 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
 "-s Disable password logins\n"
 "-g Disable password logins for root\n"
@@ -132,6 +135,8 @@
 svr_opts.forced_command = NULL;
 svr_opts.forkbg = 1;
 svr_opts.norootlogin = 0;
+ svr_opts.grouploginname = NULL;
+ svr_opts.grouploginid = NULL;
 svr_opts.noauthpass = 0;
 svr_opts.norootpass = 0;
 svr_opts.allowblankpass = 0;
@@ -230,6 +235,11 @@
 case 'w':
 svr_opts.norootlogin = 1;
 break;
+
+ case 'G':
+ next = &svr_opts.grouploginname;
+ break;
+
 case 'W':
 next = &recv_window_arg;
 break;
@@ -331,6 +341,18 @@
 }
 buf_setpos(svr_opts.banner, 0);
 }
+
+ if (svr_opts.grouploginname) {
+ struct group *restrictedgroup = getgrnam(svr_opts.grouploginname);
+
+ if (restrictedgroup){
+ svr_opts.grouploginid = malloc(sizeof(gid_t));
+ *svr_opts.grouploginid = restrictedgroup->gr_gid;
+ } else {
+ dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.grouploginname);
+ }
+
+ }
 if (recv_window_arg) {
 opts.recv_window = atol(recv_window_arg);
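Review bot: The new usage line `"-G Restrict logins to members of specified group\n"` does not show that `-G` takes an operand, although the `case 'G':` branch added in the option-parsing hunk stores the following argument through `next = &svr_opts.grouploginname;`. Naming the operand, for example `"-G group Restrict logins to members of the named group\n"`, makes it clear that a bare `-G` is a misconfiguration and not a switch. The help string begins and ends outside this hunk, so the spacing should follow whatever column layout the surrounding entries use.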
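Review bot: In the last hunk, `malloc(sizeof(gid_t))` is dereferenced on the very next line without a NULL check, so an allocation failure while parsing options becomes a null-pointer write instead of a clean startup error. Either allocate with Dropbear's exiting wrapper, `svr_opts.grouploginid = m_malloc(sizeof(gid_t));`, or drop the heap allocation and keep the gid by value in `svr_opts` beside the name. Because this value gates who may log in, a comment such as `/* gid is resolved once at startup; later changes to the group database are not picked up until restart */` would help operators. The enclosing function starts and ends outside the hunk and the code that reads `grouploginid` is not part of this file's diff, so it should be confirmed there that the check covers supplementary as well as primary group membership.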