1 |
< |
/* $OpenBSD: auth.c,v 1.115 2016/06/15 00:40:40 dtucker Exp $ */ |
1 |
> |
/* $OpenBSD: auth.c,v 1.119 2016/12/15 21:29:05 dtucker Exp $ */ |
2 |
|
/* |
3 |
|
* Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 |
|
* |
103 |
|
struct stat st; |
104 |
|
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; |
105 |
|
u_int i; |
106 |
+ |
int r; |
107 |
|
#ifdef USE_SHADOW |
108 |
|
struct spwd *spw = NULL; |
109 |
|
#endif |
192 |
|
|
193 |
|
/* Return false if user is listed in DenyUsers */ |
194 |
|
if (options.num_deny_users > 0) { |
195 |
< |
for (i = 0; i < options.num_deny_users; i++) |
196 |
< |
if (match_user(pw->pw_name, hostname, ipaddr, |
197 |
< |
options.deny_users[i])) { |
195 |
> |
for (i = 0; i < options.num_deny_users; i++) { |
196 |
> |
r = match_user(pw->pw_name, hostname, ipaddr, |
197 |
> |
options.deny_users[i]); |
198 |
> |
if (r < 0) { |
199 |
> |
fatal("Invalid DenyUsers pattern \"%.100s\"", |
200 |
> |
options.deny_users[i]); |
201 |
> |
} else if (r != 0) { |
202 |
|
logit("User %.100s from %.100s not allowed " |
203 |
|
"because listed in DenyUsers", |
204 |
|
pw->pw_name, hostname); |
205 |
|
return 0; |
206 |
|
} |
207 |
+ |
} |
208 |
|
} |
209 |
|
/* Return false if AllowUsers isn't empty and user isn't listed there */ |
210 |
|
if (options.num_allow_users > 0) { |
211 |
< |
for (i = 0; i < options.num_allow_users; i++) |
212 |
< |
if (match_user(pw->pw_name, hostname, ipaddr, |
213 |
< |
options.allow_users[i])) |
211 |
> |
for (i = 0; i < options.num_allow_users; i++) { |
212 |
> |
r = match_user(pw->pw_name, hostname, ipaddr, |
213 |
> |
options.allow_users[i]); |
214 |
> |
if (r < 0) { |
215 |
> |
fatal("Invalid AllowUsers pattern \"%.100s\"", |
216 |
> |
options.allow_users[i]); |
217 |
> |
} else if (r == 1) |
218 |
|
break; |
219 |
+ |
} |
220 |
|
/* i < options.num_allow_users iff we break for loop */ |
221 |
|
if (i >= options.num_allow_users) { |
222 |
|
logit("User %.100s from %.100s not allowed because " |
309 |
|
else |
310 |
|
authmsg = authenticated ? "Accepted" : "Failed"; |
311 |
|
|
312 |
< |
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", |
312 |
> |
authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s", |
313 |
|
authmsg, |
314 |
|
method, |
315 |
|
submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, |
317 |
|
authctxt->user, |
318 |
|
ssh_remote_ipaddr(ssh), |
319 |
|
ssh_remote_port(ssh), |
309 |
– |
compat20 ? "ssh2" : "ssh1", |
320 |
|
authctxt->info != NULL ? ": " : "", |
321 |
|
authctxt->info != NULL ? authctxt->info : ""); |
322 |
|
free(authctxt->info); |
349 |
|
struct ssh *ssh = active_state; /* XXX */ |
350 |
|
|
351 |
|
error("maximum authentication attempts exceeded for " |
352 |
< |
"%s%.100s from %.200s port %d %s", |
352 |
> |
"%s%.100s from %.200s port %d ssh2", |
353 |
|
authctxt->valid ? "" : "invalid user ", |
354 |
|
authctxt->user, |
355 |
|
ssh_remote_ipaddr(ssh), |
356 |
< |
ssh_remote_port(ssh), |
347 |
< |
compat20 ? "ssh2" : "ssh1"); |
356 |
> |
ssh_remote_port(ssh)); |
357 |
|
packet_disconnect("Too many authentication failures"); |
358 |
|
/* NOTREACHED */ |
359 |
|
} |
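Review bot: The two new loops in allowed_user() test the match_user() result differently for the same "matched" outcome: the DenyUsers branch (new line 201) uses `} else if (r != 0) {` while the AllowUsers branch (new line 217) uses `} else if (r == 1)` followed by an unbraced `break;`, so the two lists would diverge if match_user() ever returned a positive value other than 1. Use one comparison in both places, e.g. `} else if (r == 1) {`, and brace the AllowUsers branch like its sibling so the single-statement body cannot silently absorb a later added line. Calling fatal() on a pattern that match_user() rejects fails closed, which is the right direction for an access-control check, but as written a malformed DenyUsers/AllowUsers entry presumably surfaces only on the first login attempt rather than when sshd_config is read, and the connection is dropped without telling the client why; a short comment on the fatal() call, `/* bad pattern in config: refuse the login rather than guess */`, would make that intent explicit for the next reader. allowed_user() starts and ends outside the visible hunk.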