diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 21 |
1 files changed, 20 insertions, 1 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -463,6 +463,9 @@ getpwnamallow(struct ssh *ssh, const char *user) { #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; +#ifdef HAVE_AUTH_HOSTOK + const char *from_host, *from_ip; +#endif #ifdef BSD_AUTH auth_session_t *as; #endif @@ -473,6 +476,7 @@ getpwnamallow(struct ssh *ssh, const char *user) ci = server_get_connection_info(ssh, 1, options.use_dns); ci->user = user; + ci->user_invalid = getpwnam(user) == NULL; parse_server_match_config(&options, &includes, ci); log_change_level(options.log_level); log_verbose_reset(); @@ -508,6 +512,21 @@ getpwnamallow(struct ssh *ssh, const char *user) debug("unable to get login class: %s", user); return (NULL); } +#ifdef HAVE_AUTH_HOSTOK + from_host = auth_get_canonical_hostname(ssh, options.use_dns); + from_ip = ssh_remote_ipaddr(ssh); + if (!auth_hostok(lc, from_host, from_ip)) { + debug("Denied connection for %.200s from %.200s [%.200s].", + pw->pw_name, from_host, from_ip); + return (NULL); + } +#endif /* HAVE_AUTH_HOSTOK */ +#ifdef HAVE_AUTH_TIMEOK + if (!auth_timeok(lc, time(NULL))) { + debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name); + return (NULL); + } +#endif /* HAVE_AUTH_TIMEOK */ #ifdef BSD_AUTH if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { |