From a28e7321bbb42cf6e8734a297c07dd9467662151 Mon Sep 17 00:00:00 2001 From: wangqiang Date: Thu, 9 Aug 2018 14:27:55 +0800 Subject: [PATCH] openssh: add option check username splash add a check to inhibit username contains splash add an option 'CheckUserSplash' so that user can turn off this check --- auth2.c | 3 +++ servconf.c | 8 ++++++++ servconf.h | 2 ++ sshd_config | 2 ++ 4 files changed, 15 insertions(+) diff --git a/auth2.c b/auth2.c index 6591a8b..be7f829 100644 --- a/auth2.c +++ b/auth2.c @@ -231,10 +231,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); +if (options.check_user_splash) +{ #ifdef WITH_SELINUX if ((role = strchr(user, '/')) != NULL) *role++ = 0; #endif +} if ((style = strchr(user, ':')) != NULL) *style++ = 0; diff --git a/servconf.c b/servconf.c index 08e5d70..85c9238 100644 --- a/servconf.c +++ b/servconf.c @@ -185,6 +185,7 @@ options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; + options->check_user_splash = -1; options->fingerprint_hash = -1; options->disable_forwarding = -1; options->expose_userauth_info = -1; @@ -425,6 +426,8 @@ options->version_addendum = xstrdup(""); if (options->show_patchlevel == -1) options->show_patchlevel = 0; + if (options->check_user_splash == -1) + options->check_user_splash = 1; if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) options->fwd_opts.streamlocal_bind_mask = 0177; if (options->fwd_opts.streamlocal_bind_unlink == -1) @@ -522,6 +525,7 @@ sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain, + sCheckUserSplash, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; 
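Review bot: The new `if (options.check_user_splash)` guard in input_userauth_request does not reject a user name containing '/', which is what the commit message and the servconf.h comment ("if exist, disable login") describe; it only controls whether the WITH_SELINUX code splits the name at the first '/' into user and role. With the option set to no, the '/' and everything after it remain in `user` and flow into the code after this hunk (the ':' style split is visible, the account lookup is not), so turning the option off appears to relax input handling rather than add a check. If rejection is the intent, the request needs an explicit failure path when `strchr(user, '/')` is non-NULL, and the servconf.h comment should describe whichever behaviour is kept. The guard also compiles to an empty block when WITH_SELINUX is undefined and is not indented like the surrounding code; folding it into the existing condition inside the `#ifdef` is tidier: `if (options.check_user_splash && (role = strchr(user, '/')) != NULL)`. The function body starts and ends outside the hunk.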
@@ -684,6 +688,7 @@ { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, + { "checkusersplash", sCheckUserSplash, SSHCFG_GLOBAL }, { "rdomain", sRDomain, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1295,6 +1300,9 @@ case sUsePAM: intptr = &options->use_pam; goto parse_flag; + case sCheckUserSplash: + intptr = &options->check_user_splash; + goto parse_flag; /* Standard Options */ case sBadOption: diff --git a/servconf.h b/servconf.h index 8318a74..be86374 100644 --- a/servconf.h +++ b/servconf.h @@ -219,6 +219,8 @@ int fingerprint_hash; int expose_userauth_info; u_int64_t timing_secret; + + int check_user_splash; /* check whether splash exists in username, if exist, disable login */ } ServerOptions; /* Information about the incoming connection as used by Match */ diff --git a/sshd_config b/sshd_config index 6bbb86b..cc90a90 100644 --- a/sshd_config +++ b/sshd_config @@ -137,3 +137,5 @@ Subsystem sftp /usr/libexec/sftp-server # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server + +#CheckUserSplash yes -- 1.8.3.1
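Review bot: The keyword `checkusersplash` added to the keyword table (with `sCheckUserSplash` and `check_user_splash` in the other servconf.c hunks and in servconf.h) spells the character as "splash", while the auth2.c hunk tests for '/', a slash. Once released, the keyword is part of the configuration interface and is awkward to rename, so it is worth correcting now, for example `{ "checkuserslash", sCheckUserSlash, SSHCFG_GLOBAL },`. A name that says what the option controls would be better still, since per the auth2.c hunk it gates the user/role split rather than a check. The table this entry belongs to starts outside the hunk.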
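Review bot: The `case sCheckUserSplash:` added here parses the option, but nothing in this patch makes the effective value visible or documents it: no hunk touches the configuration dump in servconf.c, and the diffstat lists only auth2.c, servconf.c, servconf.h and sshd_config, so the manual page is unchanged. An administrator auditing a host with `sshd -T` would not see whether the '/' handling has been switched off. I would add `dump_cfg_fmtint(sCheckUserSplash, o->check_user_splash);` beside the other flag options in the dump routine, and a manual page entry stating the default (yes, per the fill-defaults hunk), that the keyword is global only, and what changes when it is set to no. The switch this case belongs to starts and ends outside the hunk.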