
diff -dbwpr ../openssh-3.8.1p1.orig/auth.c ./auth.c
*** ../openssh-3.8.1p1.orig/auth.c	Sat Feb 21 17:43:15 2004
--- ./auth.c	Wed Jan 12 11:27:01 2005
*************** RCSID("$OpenBSD: auth.c,v 1.51 2003/11/2
*** 36,41 ****
--- 36,45 ----
  #include <libgen.h>
  #endif
  
+ #ifdef __APPLE_SACL__
+ #include <membershipPriv.h>
+ #endif
+ 
  #include "xmalloc.h"
  #include "match.h"
  #include "groupaccess.h"
*************** allowed_user(struct passwd * pw)
*** 204,209 ****
--- 208,251 ----
  		ga_free();
  	}
  
+ 	if( options.sacl_support )
+ 	{
+ #ifdef __APPLE_SACL__
+ 		/*
+ 	 	* Here we check with memberd if the Service ACLs allow this user to
+ 	 	* use the ssh service.
+ 	 	*/
+ 
+ 		debug("Checking with Service ACLs for ssh login restrictions");
+ 
+ 		uuid_t user_uuid;
+ 		int isMember = 0;
+ 		int mbrErr = 0;
+ 	
+ 		// get the uuid
+ 		if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
+ 		{
+ 			debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
+ 			return 0;
+ 		}	
+ 		debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
+ 	
+ 		// check the sacl
+ 		if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
+ 		{
+ 			debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
+ 			if(mbrErr == ENOENT)	// no ACL exists
+ 			{
+ 				return 1;	
+ 			} else {
+ 				return 0;
+ 			}
+ 		}
+ 		debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
+ 		return isMember;
+ #endif /* __APPLE_SACL__ */
+ 	}
+ 
  #ifdef WITH_AIXAUTHENTICATE
  	/*
  	 * Don't check loginrestrictions() for root account (use
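Review bot: The debug() after the error block, `Call to mbr_check_service_membership failed with status <%d>`, is only reached when mbr_check_service_membership returned 0, so it reports a failure on the success path; it should read something like `debug("mbr_check_service_membership returned isMember <%d>", isMember);`, and the earlier message has the typo `suceeded`. The new option is initialised to -1 in the servconf.c initialize_server_options hunk and no fill_default_server_options hunk in this diff resolves it, so `if( options.sacl_support )` is true unless the admin sets SACLSupport no; if on-by-default is intended, make it explicit with `if (options->sacl_support == -1) options->sacl_support = 1;` rather than relying on the -1 sentinel being truthy. The ENOENT branch deliberately fails open when no service ACL exists, and every return in this block leaves allowed_user before the checks that follow it (the WITH_AIXAUTHENTICATE block), which deserves a comment such as `/* SACL verdict is final: later checks in allowed_user are skipped */`. allowed_user starts and ends outside this hunk.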
diff -dbwpr ../openssh-3.8.1p1.orig/servconf.c ./servconf.c
*** ../openssh-3.8.1p1.orig/servconf.c	Fri Jan 23 06:03:10 2004
--- ./servconf.c	Wed Jan 12 11:31:01 2005
*************** initialize_server_options(ServerOptions 
*** 81,86 ****
--- 81,87 ----
  	options->permit_empty_passwd = -1;
  	options->permit_user_env = -1;
  	options->use_login = -1;
+ 	options->sacl_support = -1;
  	options->compression = -1;
  	options->allow_tcp_forwarding = -1;
  	options->num_allow_users = 0;
*************** typedef enum {
*** 268,273 ****
--- 269,275 ----
  	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
  	sGssAuthentication, sGssCleanupCreds,
  	sUsePrivilegeSeparation,
+ 	sSACLSupport,
  	sDeprecated, sUnsupported
  } ServerOpCodes;
  
*************** static struct {
*** 366,371 ****
--- 368,374 ----
  	{ "authorizedkeysfile", sAuthorizedKeysFile },
  	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
  	{ "useprivilegeseparation", sUsePrivilegeSeparation},
+ 	{ "saclsupport", sSACLSupport },
  	{ NULL, sBadOption }
  };
  
*************** parse_flag:
*** 688,693 ****
--- 691,700 ----
  		charptr = &options->xauth_location;
  		goto parse_filename;
  
+ 	case sSACLSupport:
+ 		intptr = &options->sacl_support;
+ 		goto parse_flag;
+ 
  	case sStrictModes:
  		intptr = &options->strict_modes;
  		goto parse_flag;
diff -dbwpr ../openssh-3.8.1p1.orig/servconf.h ./servconf.h
*** ../openssh-3.8.1p1.orig/servconf.h	Tue Dec 30 19:37:34 2003
--- ./servconf.h	Tue Jan 11 16:49:20 2005
*************** typedef struct {
*** 125,130 ****
--- 125,131 ----
  	char   *authorized_keys_file;	/* File containing public keys */
  	char   *authorized_keys_file2;
  	int	use_pam;		/* Enable auth via PAM */
+ 	int	sacl_support;		/* Enable use of SACLs */
  }       ServerOptions;
  
  void	 initialize_server_options(ServerOptions *);
diff -dbwpr ../openssh-3.8.1p1.orig/sshd_config ./sshd_config
*** ../openssh-3.8.1p1.orig/sshd_config	Tue Dec 30 19:38:32 2003
--- ./sshd_config	Tue Jan 11 17:01:58 2005
***************
*** 54,59 ****
--- 54,62 ----
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  
+ # SACL options
+ #SACLSupport yes
+ 
  # Change to no to disable s/key passwords
  #ChallengeResponseAuthentication yes
  

