Switch over to using pam_login_access(8) module in sshd(8).

(Fixes static compilation.  Reduces diffs to OpenSSH.)

Reviewed by:	bde

crypto/openssh/auth1.c

@@ -88,12 +88,12 @@ do_authloop(Authctxt *authctxt)
 #ifdef USE_PAM
 	struct inverted_pam_cookie *pam_cookie;
 #endif /* USE_PAM */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
 	const char *from_host, *from_ip;
 
 	from_host = get_canonical_hostname(options.verify_reverse_mapping);
 	from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */
 
 	debug("Attempting authentication for %s%.100s.",
 	    authctxt->valid ? "" : "illegal user ", authctxt->user);
@@ -369,13 +369,6 @@ do_authloop(Authctxt *authctxt)
 		  lc = NULL;
 		}
 #endif  /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
-		if (pw != NULL && !login_access(pw->pw_name, from_host)) {
-		  log("Denied connection for %.200s from %.200s [%.200s].",
-		      pw->pw_name, from_host, from_ip);
-		  packet_disconnect("Sorry, you are not allowed to connect.");
-		}
-#endif /* LOGIN_ACCESS */
 #ifdef BSD_AUTH
 		if (authctxt->as) {
 			auth_close(authctxt->as);

crypto/openssh/auth2.c

@@ -174,12 +174,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #ifdef HAVE_LOGIN_CAP
 	login_cap_t *lc;
 #endif /* HAVE_LOGIN_CAP */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
 	const char *from_host, *from_ip;
 
 	from_host = get_canonical_hostname(options.verify_reverse_mapping);
 	from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */
 
 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
@@ -238,14 +238,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		lc = NULL;
 	}
 #endif  /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
-	if (authctxt->pw != NULL &&
-	    !login_access(authctxt->pw->pw_name, from_host)) {
-		log("Denied connection for %.200s from %.200s [%.200s].",
-		    authctxt->pw->pw_name, from_host, from_ip);
-		packet_disconnect("Sorry, you are not allowed to connect.");
-	}
-#endif /* LOGIN_ACCESS */
 	/* reset state */
 	auth2_challenge_stop(authctxt);
 	authctxt->postponed = 0;

etc/pam.d/sshd

@@ -9,6 +9,7 @@ auth		required	pam_nologin.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass
 
 # account
+account		required	pam_login_access.so
 account		required	pam_unix.so
 
 # session

secure/usr.sbin/sshd/Makefile

@@ -1,17 +1,15 @@
 # $FreeBSD$
 #
 
-LOGINSRC= ${.CURDIR}/../../../usr.bin/login
-
 PROG=	sshd
 SRCS=	sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
 	sshpty.c sshlogin.c servconf.c serverloop.c \
 	auth.c auth1.c auth2.c auth-options.c session.c \
 	auth-chall.c auth2-chall.c auth-skey.c auth-pam.c auth2-pam.c \
-	groupaccess.c login_access.c
+	groupaccess.c
 MAN=	sshd.8
 
-CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DLOGIN_ACCESS -I${LOGINSRC} -DUSE_PAM -DHAVE_PAM_GETENVLIST
+CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DUSE_PAM -DHAVE_PAM_GETENVLIST
 
 .if defined(MAKE_KERBEROS4) && \
 	((${MAKE_KERBEROS4} == "yes") || (${MAKE_KERBEROS4} == "YES"))
@@ -44,4 +42,4 @@ DPADD+=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPA
 
 .include <bsd.prog.mk>
 
-.PATH:	${SSHDIR} ${LOGINSRC}
+.PATH:	${SSHDIR}