Switch over to using pam_login_access(8) module in sshd(8).

(Fixes static compilation.  Reduces diffs to OpenSSH.)

Reviewed by:	bde
Ruslan Ermilov 2002-03-26 12:52:28 +00:00
parent 70f8353a04
commit 2735cfee64
4 changed files with 8 additions and 24 deletions


@ -88,12 +88,12 @@ do_authloop(Authctxt *authctxt)
#ifdef USE_PAM
struct inverted_pam_cookie *pam_cookie;
#endif /* USE_PAM */
#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
#if defined(HAVE_LOGIN_CAP)
const char *from_host, *from_ip;
from_host = get_canonical_hostname(options.verify_reverse_mapping);
from_ip = get_remote_ipaddr();
#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
#endif /* HAVE_LOGIN_CAP */
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "illegal user ", authctxt->user);
@ -369,13 +369,6 @@ do_authloop(Authctxt *authctxt)
lc = NULL;
}
#endif /* HAVE_LOGIN_CAP */
#ifdef LOGIN_ACCESS
if (pw != NULL && !login_access(pw->pw_name, from_host)) {
log("Denied connection for %.200s from %.200s [%.200s].",
pw->pw_name, from_host, from_ip);
packet_disconnect("Sorry, you are not allowed to connect.");
}
#endif /* LOGIN_ACCESS */
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);
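Review bot: With the `#ifdef LOGIN_ACCESS` block removed from do_authloop (and the matching block in input_userauth_request), login.access enforcement in sshd rests entirely on the PAM account stack, and nothing in these hunks shows that the account stack is run after every authentication method or that PAM_RHOST carries the same `get_canonical_hostname(options.verify_reverse_mapping)` value the old check used. If either assumption does not hold, a user that login.access denies could be admitted where the old code disconnected them. The removed `log("Denied connection for ...")` line also goes away, so monitoring keyed on that message presumably has to follow whatever pam_login_access reports instead. I would leave a marker where the check used to be, e.g. `/* login.access(5) is enforced by pam_login_access in the PAM account stack (requires USE_PAM) */`. Both functions start and end outside the hunks shown.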


@ -174,12 +174,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
#ifdef HAVE_LOGIN_CAP
login_cap_t *lc;
#endif /* HAVE_LOGIN_CAP */
#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
#if defined(HAVE_LOGIN_CAP)
const char *from_host, *from_ip;
from_host = get_canonical_hostname(options.verify_reverse_mapping);
from_ip = get_remote_ipaddr();
#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
#endif /* HAVE_LOGIN_CAP */
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@ -238,14 +238,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
lc = NULL;
}
#endif /* HAVE_LOGIN_CAP */
#ifdef LOGIN_ACCESS
if (authctxt->pw != NULL &&
!login_access(authctxt->pw->pw_name, from_host)) {
log("Denied connection for %.200s from %.200s [%.200s].",
authctxt->pw->pw_name, from_host, from_ip);
packet_disconnect("Sorry, you are not allowed to connect.");
}
#endif /* LOGIN_ACCESS */
/* reset state */
auth2_challenge_stop(authctxt);
authctxt->postponed = 0;


@ -9,6 +9,7 @@ auth required pam_nologin.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_login_access.so
account required pam_unix.so
# session
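Review bot: The added `account required pam_login_access.so` line is now the only place where login.access restrictions are applied to sshd, since the same commit drops the in-daemon check, yet the file gives no hint that the line is security-relevant. A site that carries a locally modified copy of this PAM configuration, or that later trims the account section, would lose the restriction without any build or runtime error. A comment above the line would help, e.g. `# pam_login_access enforces login.access(5); sshd no longer checks it itself`.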


@ -1,17 +1,15 @@
# $FreeBSD$
#
LOGINSRC= ${.CURDIR}/../../../usr.bin/login
PROG= sshd
SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
sshpty.c sshlogin.c servconf.c serverloop.c \
auth.c auth1.c auth2.c auth-options.c session.c \
auth-chall.c auth2-chall.c auth-skey.c auth-pam.c auth2-pam.c \
groupaccess.c login_access.c
groupaccess.c
MAN= sshd.8
CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DLOGIN_ACCESS -I${LOGINSRC} -DUSE_PAM -DHAVE_PAM_GETENVLIST
CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DUSE_PAM -DHAVE_PAM_GETENVLIST
.if defined(MAKE_KERBEROS4) && \
((${MAKE_KERBEROS4} == "yes") || (${MAKE_KERBEROS4} == "YES"))
@ -44,4 +42,4 @@ DPADD+= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPA
.include <bsd.prog.mk>
.PATH: ${SSHDIR} ${LOGINSRC}
.PATH: ${SSHDIR}