Switch over to using pam_login_access(8) module in sshd(8).

(Fixes static compilation. Reduces diffs to OpenSSH.) Reviewed by: bde
2002-03-26 12:52:28 +00:00 · 2002-03-26 12:52:28 +00:00 · 2735cfee64
commit 2735cfee64
parent 70f8353a04
4 changed files with 8 additions and 24 deletions
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@ -88,12 +88,12 @@ do_authloop(Authctxt *authctxt)
 #ifdef USE_PAM
 	struct inverted_pam_cookie *pam_cookie;
 #endif /* USE_PAM */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
 	const char *from_host, *from_ip;

 	from_host = get_canonical_hostname(options.verify_reverse_mapping);
 	from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */

 	debug("Attempting authentication for %s%.100s.",
 	    authctxt->valid ? "" : "illegal user ", authctxt->user);
@ -369,13 +369,6 @@ do_authloop(Authctxt *authctxt)
 		  lc = NULL;
 		}
 #endif  /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
-		if (pw != NULL && !login_access(pw->pw_name, from_host)) {
-		  log("Denied connection for %.200s from %.200s [%.200s].",
-		      pw->pw_name, from_host, from_ip);
-		  packet_disconnect("Sorry, you are not allowed to connect.");
-		}
-#endif /* LOGIN_ACCESS */
 #ifdef BSD_AUTH
 		if (authctxt->as) {
 			auth_close(authctxt->as);
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@ -174,12 +174,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #ifdef HAVE_LOGIN_CAP
 	login_cap_t *lc;
 #endif /* HAVE_LOGIN_CAP */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
 	const char *from_host, *from_ip;

 	from_host = get_canonical_hostname(options.verify_reverse_mapping);
 	from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */

 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
@ -238,14 +238,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		lc = NULL;
 	}
 #endif  /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
-	if (authctxt->pw != NULL &&
-	    !login_access(authctxt->pw->pw_name, from_host)) {
-		log("Denied connection for %.200s from %.200s [%.200s].",
-		    authctxt->pw->pw_name, from_host, from_ip);
-		packet_disconnect("Sorry, you are not allowed to connect.");
-	}
-#endif /* LOGIN_ACCESS */
 	/* reset state */
 	auth2_challenge_stop(authctxt);
 	authctxt->postponed = 0;
--- a/etc/pam.d/sshd
+++ b/etc/pam.d/sshd
@ -9,6 +9,7 @@ auth		required	pam_nologin.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass

 # account
+account		required	pam_login_access.so
 account		required	pam_unix.so

 # session
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@ -1,17 +1,15 @@
 # $FreeBSD$
 #

-LOGINSRC= ${.CURDIR}/../../../usr.bin/login
-
 PROG=	sshd
 SRCS=	sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
 	sshpty.c sshlogin.c servconf.c serverloop.c \
 	auth.c auth1.c auth2.c auth-options.c session.c \
 	auth-chall.c auth2-chall.c auth-skey.c auth-pam.c auth2-pam.c \
-	groupaccess.c login_access.c
+	groupaccess.c
 MAN=	sshd.8

-CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DLOGIN_ACCESS -I${LOGINSRC} -DUSE_PAM -DHAVE_PAM_GETENVLIST
+CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DUSE_PAM -DHAVE_PAM_GETENVLIST

 .if defined(MAKE_KERBEROS4) && \
 	((${MAKE_KERBEROS4} == "yes") || (${MAKE_KERBEROS4} == "YES"))
@ -44,4 +42,4 @@ DPADD+=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPA

 .include <bsd.prog.mk>

-.PATH:	${SSHDIR} ${LOGINSRC}
+.PATH:	${SSHDIR}