108 lines
3.1 KiB
Diff
108 lines
3.1 KiB
Diff
From a28e7321bbb42cf6e8734a297c07dd9467662151 Mon Sep 17 00:00:00 2001
|
|
From: wangqiang <wangqiang62@huawei.com>
|
|
Date: Thu, 9 Aug 2018 14:27:55 +0800
|
|
Subject: [PATCH] openssh: add option check username splash
|
|
|
|
add a check to inhibit username contains splash
|
|
add an option 'CheckUserSplash' so that user can turn off
|
|
this check
|
|
|
|
---
|
|
auth2.c | 3 +++
|
|
servconf.c | 8 ++++++++
|
|
servconf.h | 2 ++
|
|
sshd_config | 2 ++
|
|
4 files changed, 15 insertions(+)
|
|
|
|
diff --git a/auth2.c b/auth2.c
|
|
index 6591a8b..be7f829 100644
|
|
--- a/auth2.c
|
|
+++ b/auth2.c
|
|
@@ -231,10 +231,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
|
debug("userauth-request for user %s service %s method %s", user, service, method);
|
|
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
|
|
|
+if (options.check_user_splash)
|
|
+{
|
|
#ifdef WITH_SELINUX
|
|
if ((role = strchr(user, '/')) != NULL)
|
|
*role++ = 0;
|
|
#endif
|
|
+}
|
|
|
|
if ((style = strchr(user, ':')) != NULL)
|
|
*style++ = 0;
|
|
diff --git a/servconf.c b/servconf.c
|
|
index 08e5d70..85c9238 100644
|
|
--- a/servconf.c
|
|
+++ b/servconf.c
|
|
@@ -185,6 +185,7 @@
|
|
options->ip_qos_interactive = -1;
|
|
options->ip_qos_bulk = -1;
|
|
options->version_addendum = NULL;
|
|
+ options->check_user_splash = -1;
|
|
options->fingerprint_hash = -1;
|
|
options->disable_forwarding = -1;
|
|
options->expose_userauth_info = -1;
|
|
@@ -425,6 +426,8 @@
|
|
options->version_addendum = xstrdup("");
|
|
if (options->show_patchlevel == -1)
|
|
options->show_patchlevel = 0;
|
|
+ if (options->check_user_splash == -1)
|
|
+ options->check_user_splash = 1;
|
|
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
|
options->fwd_opts.streamlocal_bind_mask = 0177;
|
|
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
|
@@ -522,6 +525,7 @@
|
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
|
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
|
sExposeAuthInfo, sRDomain,
|
|
+ sCheckUserSplash,
|
|
sDeprecated, sIgnore, sUnsupported
|
|
} ServerOpCodes;
|
|
|
|
@@ -684,6 +688,7 @@
|
|
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
|
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
|
|
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
|
|
+ { "checkusersplash", sCheckUserSplash, SSHCFG_GLOBAL },
|
|
{ "rdomain", sRDomain, SSHCFG_ALL },
|
|
{ NULL, sBadOption, 0 }
|
|
};
|
|
@@ -1295,6 +1300,9 @@
|
|
case sUsePAM:
|
|
intptr = &options->use_pam;
|
|
goto parse_flag;
|
|
+ case sCheckUserSplash:
|
|
+ intptr = &options->check_user_splash;
|
|
+ goto parse_flag;
|
|
|
|
/* Standard Options */
|
|
case sBadOption:
|
|
diff --git a/servconf.h b/servconf.h
|
|
index 8318a74..be86374 100644
|
|
--- a/servconf.h
|
|
+++ b/servconf.h
|
|
@@ -219,6 +219,8 @@
|
|
int fingerprint_hash;
|
|
int expose_userauth_info;
|
|
u_int64_t timing_secret;
|
|
+
|
|
+ int check_user_splash; /* check whether splash exists in username, if exist, disable login */
|
|
} ServerOptions;
|
|
|
|
/* Information about the incoming connection as used by Match */
|
|
diff --git a/sshd_config b/sshd_config
|
|
index 6bbb86b..cc90a90 100644
|
|
--- a/sshd_config
|
|
+++ b/sshd_config
|
|
@@ -137,3 +137,5 @@ Subsystem sftp /usr/libexec/sftp-server
|
|
# AllowTcpForwarding no
|
|
# PermitTTY no
|
|
# ForceCommand cvs server
|
|
+
|
|
+#CheckUserSplash yes
|
|
--
|
|
1.8.3.1
|
|
|