Diffstat (limited to 'bugfix-openssh-add-option-check-username-splash.patch')
-rw-r--r-- | bugfix-openssh-add-option-check-username-splash.patch | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/bugfix-openssh-add-option-check-username-splash.patch b/bugfix-openssh-add-option-check-username-splash.patch
new file mode 100644
index 0000000..1c8af38
--- /dev/null
+++ b/bugfix-openssh-add-option-check-username-splash.patch
@@ -0,0 +1,106 @@
+From 74c1a37dfeab8e9cc39e5bc76891d1d9d66b7638 Mon Sep 17 00:00:00 2001
+From: wangqiang <wangqiang62@huawei.com>
+Date: Thu, 16 Apr 2020 15:58:30 +0800
+Subject: [PATCH] openssh: add option check username splash
+
+add a check to inhibit username contains splash
+add an option 'CheckUserSplash' so that user can turn off
+this check
+---
+ auth2.c | 4 +++-
+ servconf.c | 8 ++++++++
+ servconf.h | 1 +
+ sshd_config | 2 ++
+ 4 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/auth2.c b/auth2.c
+index 4d574bb..c480aab 100644
+--- a/auth2.c
++++ b/auth2.c
+@@ -278,11 +278,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+ debug("userauth-request for user %s service %s method %s", user, service, method);
+ debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
++if (options.check_user_splash)
++{
+ #ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+ #endif
+-
++}
+ if ((style = strchr(user, ':')) != NULL)
+ *style++ = 0;
+ 
+diff --git a/servconf.c b/servconf.c
+index bcf69fd..b8340d8 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -199,6 +199,7 @@ initialize_server_options(ServerOptions *options)
+ options->ip_qos_interactive = -1;
+ options->ip_qos_bulk = -1;
+ options->version_addendum = NULL;
++ options->check_user_splash = -1;
+ options->fingerprint_hash = -1;
+ options->disable_forwarding = -1;
+ options->expose_userauth_info = -1;
+@@ -456,6 +457,8 @@ fill_default_server_options(ServerOptions *options)
+ options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ if (options->version_addendum == NULL)
+ options->version_addendum = xstrdup("");
++ if (options->check_user_splash == -1)
++ options->check_user_splash = 1;
+ if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+ options->fwd_opts.streamlocal_bind_mask = 0177;
+ if (options->fwd_opts.streamlocal_bind_unlink == -1)
+@@ -557,6 +560,7 @@ typedef enum {
+ sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
++ sCheckUserSplash,
+ sDeprecated, sIgnore, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -730,6 +734,7 @@ static struct {
+ { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
++ { "checkusersplash", sCheckUserSplash, SSHCFG_GLOBAL },
+ { "rdomain", sRDomain, SSHCFG_ALL },
+ { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+ { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+@@ -1443,6 +1448,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ case sUsePAM:
+ intptr = &options->use_pam;
+ goto parse_flag;
++ case sCheckUserSplash:
++ intptr = &options->check_user_splash;
++ goto parse_flag;
+ 
+ /* Standard Options */
+ case sBadOption:
+diff --git a/servconf.h b/servconf.h
+index ccc0181..cb57dac 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -237,6 +237,7 @@ typedef struct {
+ int fingerprint_hash;
+ int expose_userauth_info;
+ u_int64_t timing_secret;
++ int check_user_splash; /* check whether splash exists in username, if exist, disable login */
+ char *sk_provider;
+ int required_rsa_size; /* minimum size of RSA keys */
+ 
+diff --git a/sshd_config b/sshd_config
+index 9851748..d57f11d 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -128,3 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server
+ # AllowTcpForwarding no
+ # PermitTTY no
+ # ForceCommand cvs server
++#CheckUserSplash yes
++
+-- 
+2.23.0
+ |
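Review bot: The auth2.c hunk only gates the SELinux `user/role` split on `options.check_user_splash`; nothing in the visible hunks rejects a username containing '/', although the commit message and the servconf.h comment say such logins are disabled. In a build without WITH_SELINUX the new block is empty, and with `CheckUserSplash no` the client-supplied name appears to go on to the later lookup with the '/' still in it, so the field comment should state what the flag really controls, e.g. `int check_user_splash; /* split "user/role" at '/' in userauth requests (WITH_SELINUX only) */`. Moving the test inside the `#ifdef` as `if (options.check_user_splash && (role = strchr(user, '/')) != NULL)` avoids the empty block and the column-0 `if`/`{` that breaks the file's indentation. The new keyword is also not documented in sshd_config.5 in this patch, and input_userauth_request continues outside the hunk, so how `role` is used afterwards should be confirmed there.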