diff -dbwpr ../openssh-3.8.1p1.orig/auth.c ./auth.c *** ../openssh-3.8.1p1.orig/auth.c Sat Feb 21 17:43:15 2004 --- ./auth.c Wed Jan 12 11:27:01 2005 *************** RCSID("$OpenBSD: auth.c,v 1.51 2003/11/2 *** 36,41 **** --- 36,45 ---- #include #endif + #ifdef __APPLE_SACL__ + #include + #endif + #include "xmalloc.h" #include "match.h" #include "groupaccess.h" *************** allowed_user(struct passwd * pw) *** 204,209 **** --- 208,251 ---- ga_free(); } + if( options.sacl_support ) + { + #ifdef __APPLE_SACL__ + /* + * Here we check with memberd if the Service ACLs allow this user to + * use the ssh service. + */ + + debug("Checking with Service ACLs for ssh login restrictions"); + + uuid_t user_uuid; + int isMember = 0; + int mbrErr = 0; + + // get the uuid + if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) ) + { + debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name); + return 0; + } + debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name); + + // check the sacl + if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember))) + { + debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr); + if(mbrErr == ENOENT) // no ACL exists + { + return 1; + } else { + return 0; + } + } + debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr); + return isMember; + #endif /* __APPLE_SACL__ */ + } + #ifdef WITH_AIXAUTHENTICATE /* * Don't check loginrestrictions() for root account (use diff -dbwpr ../openssh-3.8.1p1.orig/servconf.c ./servconf.c *** ../openssh-3.8.1p1.orig/servconf.c Fri Jan 23 06:03:10 2004 --- ./servconf.c Wed Jan 12 11:31:01 2005 *************** initialize_server_options(ServerOptions *** 81,86 **** --- 81,87 ---- options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; + options->sacl_support = -1; options->compression = -1; options->allow_tcp_forwarding = -1; 
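Review bot: The debug line placed after the `mbr_check_service_membership` call in allowed_user describes a failure on the success path: it is reached only when the call returned 0, yet it says "failed with status <%d>", while the message inside the error branch reads like a normal status report. Swapping the two messages, or rewording the post-call one to `debug("mbr_check_service_membership for <%s> returned isMember <%d>", pw->pw_name, isMember);`, keeps the log truthful for anyone tracing a rejected login ("suceeded" in the earlier message is also misspelled). The ENOENT branch deliberately admits the user when no "ssh" service ACL exists; that fail-open decision deserves a comment such as `/* no "ssh" SACL configured: SACLs impose no restriction */` so it is not mistaken for an error-handling slip. Note also that `return isMember` leaves allowed_user before any checks that follow the `#ifdef WITH_AIXAUTHENTICATE` block, whose remainder is outside this hunk, and that `uuid_t user_uuid;` is declared after the first `debug()` statement, which the surrounding C89-style code avoids.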
options->num_allow_users = 0; *************** typedef enum { *** 268,273 **** --- 269,275 ---- sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sUsePrivilegeSeparation, + sSACLSupport, sDeprecated, sUnsupported } ServerOpCodes; *************** static struct { *** 366,371 **** --- 368,374 ---- { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, + { "saclsupport", sSACLSupport }, { NULL, sBadOption } }; *************** parse_flag: *** 688,693 **** --- 691,700 ---- charptr = &options->xauth_location; goto parse_filename; + case sSACLSupport: + intptr = &options->sacl_support; + goto parse_flag; + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; diff -dbwpr ../openssh-3.8.1p1.orig/servconf.h ./servconf.h *** ../openssh-3.8.1p1.orig/servconf.h Tue Dec 30 19:37:34 2003 --- ./servconf.h Tue Jan 11 16:49:20 2005 *************** typedef struct { *** 125,130 **** --- 125,131 ---- char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; int use_pam; /* Enable auth via PAM */ + int sacl_support; /* Enable use of SACLs */ } ServerOptions; void initialize_server_options(ServerOptions *); diff -dbwpr ../openssh-3.8.1p1.orig/sshd_config ./sshd_config *** ../openssh-3.8.1p1.orig/sshd_config Tue Dec 30 19:38:32 2003 --- ./sshd_config Tue Jan 11 17:01:58 2005 *************** *** 54,59 **** --- 54,62 ---- #PasswordAuthentication yes #PermitEmptyPasswords no + # SACL options + #SACLSupport yes + # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes
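Review bot: `options->sacl_support` is only ever set to -1 here, and no hunk in this patch updates fill_default_server_options to resolve that sentinel, so on a host whose sshd_config leaves `SACLSupport` unset the test `if( options.sacl_support )` in auth.c sees -1 as true and the SACL branch runs. If that default is intended (the `#SACLSupport yes` sample in sshd_config suggests it is), make it explicit with `if (options->sacl_support == -1) options->sacl_support = 1;` in fill_default_server_options rather than relying on -1 being non-zero; if the intended default is off, use the same line with 0. Either way the -1 sentinel should not reach an access-control decision. initialize_server_options continues outside the hunk.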