Class-imposed login restrictions
authorYuichiro Naito <naito.yuichiro@gmail.com>
Wed, 1 Sep 2021 01:19:32 +0000 (10:19 +0900)
committerDamien Miller <djm@mindrot.org>
Sat, 20 Jul 2024 01:08:18 +0000 (11:08 +1000)
If the following functions are available, add an additional check,
imposed by the login class, of whether users are allowed to log in.

* auth_hostok(3)
* auth_timeok(3)

These functions are implemented on FreeBSD.

auth.c
configure.ac

diff --git a/auth.c b/auth.c
index 2e4cbef0717068ac2b394d96edda6a8973472e2e..c4a3d2f29795d0bd4be435ee6275e6796769be14 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -463,6 +463,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
 {
 #ifdef HAVE_LOGIN_CAP
        extern login_cap_t *lc;
+#ifdef HAVE_AUTH_HOSTOK
+       const char *from_host, *from_ip;
+#endif
 #ifdef BSD_AUTH
        auth_session_t *as;
 #endif
@@ -508,6 +511,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
                debug("unable to get login class: %s", user);
                return (NULL);
        }
+#ifdef HAVE_AUTH_HOSTOK
+       from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+       from_ip = ssh_remote_ipaddr(ssh);
+       if (!auth_hostok(lc, from_host, from_ip)) {
+               debug("Denied connection for %.200s from %.200s [%.200s].",
+                     pw->pw_name, from_host, from_ip);
+               return (NULL);
+       }
+#endif /* HAVE_AUTH_HOSTOK */
+#ifdef HAVE_AUTH_TIMEOK
+       if (!auth_timeok(lc, time(NULL))) {
+               debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
+               return (NULL);
+       }
+#endif /* HAVE_AUTH_TIMEOK */
 #ifdef BSD_AUTH
        if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
            auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
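Review bot: The two policy denials added in this hunk are reported only with debug(), so a login rejected by the class's host or time restriction leaves no trace in the auth log at the default LogLevel, and an administrator investigating a locked-out user or an unexpected access attempt sees nothing. Both should be logged at a level that is on by default, e.g. `logit("Denied connection for %.200s from %.200s [%.200s].", pw->pw_name, from_host, from_ip);` and `logit("LOGIN %.200s REFUSED (TIME)", pw->pw_name);`. Note also that from_host is taken from auth_get_canonical_hostname() with options.use_dns, so with UseDNS off it is presumably just the IP string and hostname patterns an administrator writes into login.conf would never match; a one-line comment above the auth_hostok() call, `/* from_host is the IP string unless UseDNS is enabled */`, would save the next reader a surprise. getpwnamallow starts and ends outside this hunk.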
index 2eede34c3cf952bd60308b6123d2ee265ed25d90..016c96472d15e25b5d3bb8cfe6417097c03f3c2d 100644 (file)
@@ -1886,6 +1886,8 @@ AC_SUBST([PICFLAG])
 
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
+       auth_hostok \
+       auth_timeok \
        Blowfish_initstate \
        Blowfish_expandstate \
        Blowfish_expand0state \