(Allow|Deny)Users patch against 1.2.20 from Steve Kann <[email protected]>
----------------------------------------------------------------------
diff -ru ./servconf.c /opt/ssh/v1.2.20/src/servconf.c
--- ./servconf.c        Tue Apr 22 20:40:08 1997
+++ /opt/ssh/v1.2.20/src/servconf.c     Thu Apr 24 12:13:34 1997
@@ -94,6 +94,8 @@
  options->forced_passwd_change = -1;
  options->num_allow_hosts = 0;
  options->num_deny_hosts = 0;
+  options->num_allow_users = 0;
+  options->num_deny_users = 0;
  options->umask = -1;
  options->idle_timeout = -1;
}
@@ -190,11 +192,11 @@
  sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
  sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
  sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
-  sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
-  sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sPidFile,
-  sForcedPasswd, sUmask, sSilentDeny, sIdleTimeout, sUseLogin,
-  sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTgtPassing,
-  sAllowTcpForwarding
+  sAllowUsers, sDenyUsers, sListenAddress, sPrintMotd, sIgnoreRhosts,
+  sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd,
+  sRandomSeedFile, sKeepAlives, sPidFile, sForcedPasswd, sUmask,
+  sSilentDeny, sIdleTimeout, sUseLogin, sKerberosAuthentication,
+  sKerberosOrLocalPasswd, sKerberosTgtPassing, sAllowTcpForwarding
} ServerOpCodes;

/* Textual representation of the tokens. */
@@ -221,6 +223,8 @@
  { "uselogin", sUseLogin },
  { "allowhosts", sAllowHosts },
  { "denyhosts", sDenyHosts },
+  { "allowusers", sAllowUsers },
+  { "denyusers", sDenyUsers },
  { "listenaddress", sListenAddress },
  { "printmotd", sPrintMotd },
  { "ignorerhosts", sIgnoreRhosts },
@@ -630,6 +634,32 @@
                 exit(1);
               }
             options->deny_hosts[options->num_deny_hosts++] = xstrdup(cp);
+           }
+         break;
+
+       case sAllowUsers:
+         while ((cp = strtok(NULL, WHITESPACE)))
+           {
+             if (options->num_allow_users >= MAX_ALLOW_USERS)
+               {
+                 fprintf(stderr, "%s line %d: too many allow users.\n",
+                         filename, linenum);
+                 exit(1);
+               }
+             options->allow_users[options->num_allow_users++] = xstrdup(cp);
+           }
+         break;
+
+       case sDenyUsers:
+         while ((cp = strtok(NULL, WHITESPACE)))
+           {
+             if (options->num_deny_users >= MAX_DENY_USERS)
+               {
+                 fprintf(stderr, "%s line %d: too many deny users.\n",
+                         filename, linenum);
+                 exit(1);
+               }
+             options->deny_users[options->num_deny_users++] = xstrdup(cp);
           }
         break;

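Review bot: An `AllowUsers` line that carries no patterns is accepted silently in the new `case sAllowUsers`: the `strtok` loop never iterates, `num_allow_users` stays 0, and under the sshd.c hunk's `if (options.num_allow_users > 0)` guard a zero-length allow list permits every user, which is the opposite of what an administrator writing an empty allow list presumably intends. Rejecting the empty form with the same `fprintf`/`exit(1)` pattern the too-many check already uses closes that gap; the same treatment of `case sDenyUsers` is harmless but keeps the two cases parallel. The four `case` bodies (hosts and users, allow and deny) are otherwise identical apart from the array, counter and limit, so a small helper taking those three would remove the duplication, but that is a style point. The enclosing `switch` and its function start and end outside the hunk.
```c
case sAllowUsers:
  {
    unsigned int before = options->num_allow_users;
    /* … unchanged: strtok loop with the MAX_ALLOW_USERS check … */
    if (options->num_allow_users == before)
      {
        fprintf(stderr, "%s line %d: AllowUsers requires at least one pattern.\n",
                filename, linenum);
        exit(1);
      }
  }
  break;
```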
diff -ru ./servconf.h /opt/ssh/v1.2.20/src/servconf.h
--- ./servconf.h        Tue Apr 22 20:40:16 1997
+++ /opt/ssh/v1.2.20/src/servconf.h     Thu Apr 24 12:10:13 1997
@@ -46,6 +46,8 @@

#define MAX_ALLOW_HOSTS                256 /* Max # hosts on allow list. */
#define MAX_DENY_HOSTS         256 /* Max # hosts on deny list. */
+#define MAX_ALLOW_USERS                256 /* Max # users on allow list. */
+#define MAX_DENY_USERS         256 /* Max # users on deny list. */

typedef struct
{
@@ -90,6 +92,10 @@
  char *allow_hosts[MAX_ALLOW_HOSTS];
  unsigned int num_deny_hosts;
  char *deny_hosts[MAX_DENY_HOSTS];
+  unsigned int num_allow_users;
+  char *allow_users[MAX_ALLOW_USERS];
+  unsigned int num_deny_users;
+  char *deny_users[MAX_DENY_USERS];
} ServerOptions;

/* Initializes the server options to special values that indicate that they
diff -ru ./sshd.8.in /opt/ssh/v1.2.20/src/sshd.8.in
--- ./sshd.8.in Tue Apr 22 20:40:07 1997
+++ /opt/ssh/v1.2.20/src/sshd.8.in      Thu Apr 24 12:39:39 1997
@@ -274,9 +274,24 @@
can also be configured to use tcp_wrappers using the --with-libwrap
compile-time configuration option.
.TP
+.B AllowUsers
+This keyword can be followed by any number of user name patterns,
+separated by spaces.  If specified, login is allowed only as users whose
+name matches one of the patterns.  '*' and '?' can be used as wildcards
+in the patterns.  By default, logins as all users are allowed.
+
+Note that the all other login authentication steps must still be
+sucessfully completed.  AllowUsers and DenyUsers are additional
+restrictions.
+.TP
.B DenyHosts
This keyword can be followed by any number of host name patterns,
separated by spaces.  If specified, login is disallowed from the hosts
+whose name matches any of the patterns.
+.TP
+.B DenyUsers
+This keyword can be followed by any number of user name patterns,
+separated by spaces.  If specified, login is disallowed as users
whose name matches any of the patterns.
.TP
.B FascistLogging
diff -ru ./sshd.c /opt/ssh/v1.2.20/src/sshd.c
--- ./sshd.c    Tue Apr 22 20:40:08 1997
+++ /opt/ssh/v1.2.20/src/sshd.c Thu Apr 24 12:19:12 1997
@@ -1572,6 +1572,36 @@
      }
  }
#endif /* CHECK_ETC_SHELLS */
+
+  /* here we check the AllowUser and DenyUser config options - SteveK */
+  /* Check whether logins are permitted for this user. */
+  if (options.num_allow_users > 0)
+    {
+      int i;
+      for (i = 0; i < options.num_allow_users; i++)
+      if (match_pattern(user, options.allow_users[i]))
+        break;
+      if (i >= options.num_allow_users)
+      {
+        log_msg("Connection for %.200s not allowed from %s\n",
+              user, get_canonical_hostname());
+        return 0;
+      }
+    }
+
+   /* Check whether logins are denied for this user. */
+   if (options.num_deny_users > 0)
+     {
+       int i;
+       for (i = 0; i < options.num_deny_users; i++)
+       if (match_pattern(user, options.deny_users[i]))
+       {
+         log_msg("Connection for %.200s denied from %s\n",
+               user, get_canonical_hostname());
+         return 0;
+       }
+     }
+
  return 1;
}
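Review bot: Both new loops compare a signed `int i` against the `unsigned int` counters `num_allow_users` and `num_deny_users` declared in the servconf.h hunk, and each `for` body is an unbraced `if` placed at the same indentation as the `for`, so the loop reads as two sibling statements; declaring `unsigned int i;` in both blocks and bracing the loop bodies would fix both without changing behaviour. The two blocks are also indented differently (two spaces for the allow check, three for the deny check), which is worth normalizing to the surrounding style. If `log_msg` appends its own newline, as its other call sites would show, the trailing `\n` in both format strings is redundant — confirm against existing callers. The enclosing function begins outside the hunk; from the visible `return 0`/`return 1` it appears to be a permission predicate, so the new checks only bite where its caller already gates the login, which is worth confirming is before any session is started.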