packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openssh/bugfix-openssh-add-option-check-username-splash.patch

108 lines
3.1 KiB
Diff
Raw Normal View History

Package init
2019-09-30 11:10:51 -04:00
From a28e7321bbb42cf6e8734a297c07dd9467662151 Mon Sep 17 00:00:00 2001
From: wangqiang <wangqiang62@huawei.com>
Date: Thu, 9 Aug 2018 14:27:55 +0800
Subject: [PATCH] openssh: add option check username splash
add a check to inhibit username contains splash
add an option 'CheckUserSplash' so that user can turn off
this check
---
auth2.c | 3 +++
servconf.c | 8 ++++++++
servconf.h | 2 ++
sshd_config | 2 ++
4 files changed, 15 insertions(+)
diff --git a/auth2.c b/auth2.c
index 6591a8b..be7f829 100644
--- a/auth2.c
+++ b/auth2.c
@@ -231,10 +231,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+if (options.check_user_splash)
+{
#ifdef WITH_SELINUX
if ((role = strchr(user, '/')) != NULL)
*role++ = 0;
#endif
+}
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
diff --git a/servconf.c b/servconf.c
index 08e5d70..85c9238 100644
--- a/servconf.c
+++ b/servconf.c
@@ -185,6 +185,7 @@
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
+ options->check_user_splash = -1;
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
@@ -425,6 +426,8 @@
options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
options->show_patchlevel = 0;
+ if (options->check_user_splash == -1)
+ options->check_user_splash = 1;
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -522,6 +525,7 @@
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain,
+ sCheckUserSplash,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -684,6 +688,7 @@
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
+ { "checkusersplash", sCheckUserSplash, SSHCFG_GLOBAL },
{ "rdomain", sRDomain, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -1295,6 +1300,9 @@
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
+ case sCheckUserSplash:
+ intptr = &options->check_user_splash;
+ goto parse_flag;
/* Standard Options */
case sBadOption:
diff --git a/servconf.h b/servconf.h
index 8318a74..be86374 100644
--- a/servconf.h
+++ b/servconf.h
@@ -219,6 +219,8 @@
int fingerprint_hash;
int expose_userauth_info;
u_int64_t timing_secret;
+
+ int check_user_splash; /* check whether splash exists in username, if exist, disable login */
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/sshd_config b/sshd_config
index 6bbb86b..cc90a90 100644
--- a/sshd_config
+++ b/sshd_config
@@ -137,3 +137,5 @@ Subsystem sftp /usr/libexec/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+
+#CheckUserSplash yes
--
1.8.3.1
Reference in New Issue Copy Permalink