packetstorm sync

author: SkyperTHC 2026-03-03 06:28:55 +0000
committer: SkyperTHC 2026-03-03 06:28:55 +0000
commit: 5d3573ef7a109ee70416fe94db098fe6a769a798 (patch)
tree: dc2d5b294c9db8ab2db7433511f94e1c4bb8b698 /other/openssh-reverse/auth.c
parent: c6c59dc73cc4586357f93ab38ecf459e98675cc5 (diff)
1 files changed, 167 insertions, 0 deletions
diff --git a/other/openssh-reverse/auth.c b/other/openssh-reverse/auth.c
new file mode 100644
index 0000000..5aeeec6
--- /dev/null
+++ b/other/openssh-reverse/auth.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh.h"
+#include "pty.h"
+#include "packet.h"
+#include "buffer.h"
+#include "cipher.h"
+#include "mpaux.h"
+#include "servconf.h"
+#include "compat.h"
+#include "channels.h"
+#include "match.h"
+#ifdef HAVE_LOGIN_H
+#include <login.h>
+#endif
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#include <shadow.h>
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+#include "bufaux.h"
+#include "ssh2.h"
+#include "auth.h"
+#include "session.h"
+#include "dispatch.h"
+/* import */
+extern ServerOptions options;
+extern char *forced_command;
+/*
+ * Check if the user is allowed to log in via ssh. If user is listed in
+ * DenyUsers or user's primary group is listed in DenyGroups, false will
+ * be returned. If AllowUsers isn't empty and user isn't listed there, or
+ * if AllowGroups isn't empty and user isn't listed there, false will be
+ * returned.
+ * If the user's shell is not executable, false will be returned.
+ * Otherwise true is returned.
+ */
+int
+allowed_user(struct passwd * pw)
+{
+        struct stat st;
+        struct group *grp;
+        char *shell;
+        int i;
+#ifdef WITH_AIXAUTHENTICATE
+        char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
+        defined(HAS_SHADOW_EXPIRE)
+  struct spwd *spw;
+        /* Shouldn't be called if pw is NULL, but better safe than sorry... */
+        if (!pw)
+                return 0;
+        spw = getspnam(pw->pw_name);
+        if (spw != NULL) {
+                int days = time(NULL) / 86400;
+                /* Check account expiry */
+                if ((spw->sp_expire > 0) && (days > spw->sp_expire))
+                        return 0;
+                /* Check password expiry */
+                if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && 
+                        (days > (spw->sp_lstchg + spw->sp_inact)))
+                        return 0;
+        }
+#else
+        /* Shouldn't be called if pw is NULL, but better safe than sorry... */
+        if (!pw)
+                return 0;
+#endif
+        /*
+         * Get the shell from the password data.  An empty shell field is
+         * legal, and means /bin/sh.
+         */
+        shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
+        /* deny if shell does not exists or is not executable */
+        if (stat(shell, &st) != 0)
+                return 0;
+        if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
+                return 0;
+        /* Return false if user is listed in DenyUsers */
+        if (options.num_deny_users > 0) {
+                if (!pw->pw_name)
+                        return 0;
+                for (i = 0; i < options.num_deny_users; i++)
+                        if (match_pattern(pw->pw_name, options.deny_users[i]))
+                                return 0;
+        }
+        /* Return false if AllowUsers isn't empty and user isn't listed there */
+        if (options.num_allow_users > 0) {
+                if (!pw->pw_name)
+                        return 0;
+                for (i = 0; i < options.num_allow_users; i++)
+                        if (match_pattern(pw->pw_name, options.allow_users[i]))
+                                break;
+                /* i < options.num_allow_users iff we break for loop */
+                if (i >= options.num_allow_users)
+                        return 0;
+        }
+        /* Get the primary group name if we need it. Return false if it fails */
+        if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
+                grp = getgrgid(pw->pw_gid);
+                if (!grp)
+                        return 0;
+                /* Return false if user's group is listed in DenyGroups */
+                if (options.num_deny_groups > 0) {
+                        if (!grp->gr_name)
+                                return 0;
+                        for (i = 0; i < options.num_deny_groups; i++)
+                                if (match_pattern(grp->gr_name, options.deny_groups[i]))
+                                        return 0;
+                }
+                /*
+                 * Return false if AllowGroups isn't empty and user's group
+                 * isn't listed there
+                 */
+                if (options.num_allow_groups > 0) {
+                        if (!grp->gr_name)
+                                return 0;
+                        for (i = 0; i < options.num_allow_groups; i++)
+                                if (match_pattern(grp->gr_name, options.allow_groups[i]))
+                                        break;
+                        /* i < options.num_allow_groups iff we break for
+                           loop */
+                        if (i >= options.num_allow_groups)
+                                return 0;
+                }
+        }
+#ifdef WITH_AIXAUTHENTICATE
+        if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+                if (loginmsg && *loginmsg) {
+                        /* Remove embedded newlines (if any) */
+                        char *p;
+                        for (p = loginmsg; *p; p++) {
+                                if (*p == '\n')
+                                        *p = ' ';
+                        }
+                        /* Remove trailing newline */
+                        *--p = '\0';
+                        log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
+                }
+                return 0;
+        }
+#endif /* WITH_AIXAUTHENTICATE */
+        /* We found no reason not to let this user try to log on... */
+        return 1;
+}
author	SkyperTHC	2026-03-03 06:28:55 +0000
committer	SkyperTHC	2026-03-03 06:28:55 +0000
commit	5d3573ef7a109ee70416fe94db098fe6a769a798 (patch)
tree	dc2d5b294c9db8ab2db7433511f94e1c4bb8b698 /other/openssh-reverse/auth.c
parent	c6c59dc73cc4586357f93ab38ecf459e98675cc5 (diff)

diff --git a/other/openssh-reverse/auth.c b/other/openssh-reverse/auth.c new file mode 100644 index 0000000..5aeeec6 --- /dev/null +++ b/other/openssh-reverse/auth.c
@@ -0,0 +1,167 @@
	1	/*
	2	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	3	* All rights reserved
	4	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	5	*/
	6
	7	#include "includes.h"
	8	RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
	9
	10	#include "xmalloc.h"
	11	#include "rsa.h"
	12	#include "ssh.h"
	13	#include "pty.h"
	14	#include "packet.h"
	15	#include "buffer.h"
	16	#include "cipher.h"
	17	#include "mpaux.h"
	18	#include "servconf.h"
	19	#include "compat.h"
	20	#include "channels.h"
	21	#include "match.h"
	22	#ifdef HAVE_LOGIN_H
	23	#include <login.h>
	24	#endif
	25	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
	26	#include <shadow.h>
	27	#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
	28
	29	#include "bufaux.h"
	30	#include "ssh2.h"
	31	#include "auth.h"
	32	#include "session.h"
	33	#include "dispatch.h"
	34
	35
	36	/* import */
	37	extern ServerOptions options;
	38	extern char *forced_command;
	39
	40	/*
	41	* Check if the user is allowed to log in via ssh. If user is listed in
	42	* DenyUsers or user's primary group is listed in DenyGroups, false will
	43	* be returned. If AllowUsers isn't empty and user isn't listed there, or
	44	* if AllowGroups isn't empty and user isn't listed there, false will be
	45	* returned.
	46	* If the user's shell is not executable, false will be returned.
	47	* Otherwise true is returned.
	48	*/
	49	int
	50	allowed_user(struct passwd * pw)
	51	{
	52	struct stat st;
	53	struct group *grp;
	54	char *shell;
	55	int i;
	56	#ifdef WITH_AIXAUTHENTICATE
	57	char *loginmsg;
	58	#endif /* WITH_AIXAUTHENTICATE */
	59	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
	60	defined(HAS_SHADOW_EXPIRE)
	61	struct spwd *spw;
	62
	63	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	64	if (!pw)
	65	return 0;
	66
	67	spw = getspnam(pw->pw_name);
	68	if (spw != NULL) {
	69	int days = time(NULL) / 86400;
	70
	71	/* Check account expiry */
	72	if ((spw->sp_expire > 0) && (days > spw->sp_expire))
	73	return 0;
	74
	75	/* Check password expiry */
	76	if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) &&
	77	(days > (spw->sp_lstchg + spw->sp_inact)))
	78	return 0;
	79	}
	80	#else
	81	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	82	if (!pw)
	83	return 0;
	84	#endif
	85
	86	/*
	87	* Get the shell from the password data. An empty shell field is
	88	* legal, and means /bin/sh.
	89	*/
	90	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
	91
	92	/* deny if shell does not exists or is not executable */
	93	if (stat(shell, &st) != 0)
	94	return 0;
	95	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH\|S_IXUSR\|S_IXGRP))))
	96	return 0;
	97
	98	/* Return false if user is listed in DenyUsers */
	99	if (options.num_deny_users > 0) {
	100	if (!pw->pw_name)
	101	return 0;
	102	for (i = 0; i < options.num_deny_users; i++)
	103	if (match_pattern(pw->pw_name, options.deny_users[i]))
	104	return 0;
	105	}
	106	/* Return false if AllowUsers isn't empty and user isn't listed there */
	107	if (options.num_allow_users > 0) {
	108	if (!pw->pw_name)
	109	return 0;
	110	for (i = 0; i < options.num_allow_users; i++)
	111	if (match_pattern(pw->pw_name, options.allow_users[i]))
	112	break;
	113	/* i < options.num_allow_users iff we break for loop */
	114	if (i >= options.num_allow_users)
	115	return 0;
	116	}
	117	/* Get the primary group name if we need it. Return false if it fails */
	118	if (options.num_deny_groups > 0 \|\| options.num_allow_groups > 0) {
	119	grp = getgrgid(pw->pw_gid);
	120	if (!grp)
	121	return 0;
	122
	123	/* Return false if user's group is listed in DenyGroups */
	124	if (options.num_deny_groups > 0) {
	125	if (!grp->gr_name)
	126	return 0;
	127	for (i = 0; i < options.num_deny_groups; i++)
	128	if (match_pattern(grp->gr_name, options.deny_groups[i]))
	129	return 0;
	130	}
	131	/*
	132	* Return false if AllowGroups isn't empty and user's group
	133	* isn't listed there
	134	*/
	135	if (options.num_allow_groups > 0) {
	136	if (!grp->gr_name)
	137	return 0;
	138	for (i = 0; i < options.num_allow_groups; i++)
	139	if (match_pattern(grp->gr_name, options.allow_groups[i]))
	140	break;
	141	/* i < options.num_allow_groups iff we break for
	142	loop */
	143	if (i >= options.num_allow_groups)
	144	return 0;
	145	}
	146	}
	147
	148	#ifdef WITH_AIXAUTHENTICATE
	149	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
	150	if (loginmsg && *loginmsg) {
	151	/* Remove embedded newlines (if any) */
	152	char *p;
	153	for (p = loginmsg; *p; p++) {
	154	if (*p == '\n')
	155	*p = ' ';
	156	}
	157	/* Remove trailing newline */
	158	*--p = '\0';
	159	log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
	160	}
	161	return 0;
	162	}
	163	#endif /* WITH_AIXAUTHENTICATE */
	164
	165	/* We found no reason not to let this user try to log on... */
	166	return 1;
	167	}