1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
From 74c1a37dfeab8e9cc39e5bc76891d1d9d66b7638 Mon Sep 17 00:00:00 2001
From: wangqiang <wangqiang62@huawei.com>
Date: Thu, 16 Apr 2020 15:58:30 +0800
Subject: [PATCH] openssh: add option check username splash
add a check to inhibit username contains splash
add an option 'CheckUserSplash' so that user can turn off
this check
---
auth2.c | 4 +++-
servconf.c | 8 ++++++++
servconf.h | 1 +
sshd_config | 2 ++
4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/auth2.c b/auth2.c
index 4adc502..956b9cf 100644
--- a/auth2.c
+++ b/auth2.c
@@ -282,11 +282,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+if (options.check_user_splash)
+{
#ifdef WITH_SELINUX
if ((role = strchr(user, '/')) != NULL)
*role++ = 0;
#endif
-
+}
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
diff --git a/servconf.c b/servconf.c
index 7001d56..76147f9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
+ options->check_user_splash = -1;
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
@@ -473,6 +474,8 @@ fill_default_server_options(ServerOptions *options)
options->ip_qos_bulk = IPTOS_DSCP_CS1;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
+ if (options->check_user_splash == -1)
+ options->check_user_splash = 1;
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -574,6 +577,7 @@ typedef enum {
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ sCheckUserSplash,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -740,6 +744,7 @@ static struct {
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
+ { "checkusersplash", sCheckUserSplash, SSHCFG_GLOBAL },
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
@@ -1360,6 +1365,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
+ case sCheckUserSplash:
+ intptr = &options->check_user_splash;
+ goto parse_flag;
/* Standard Options */
case sBadOption:
diff --git a/servconf.h b/servconf.h
index a3827e5..2c16b5a 100644
--- a/servconf.h
+++ b/servconf.h
@@ -226,6 +226,7 @@ typedef struct {
int fingerprint_hash;
int expose_userauth_info;
u_int64_t timing_secret;
+ int check_user_splash; /* check whether splash exists in username, if exist, disable login */
char *sk_provider;
} ServerOptions;
diff --git a/sshd_config b/sshd_config
index ebc28b3..b121450 100644
--- a/sshd_config
+++ b/sshd_config
@@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+#CheckUserSplash yes
+
--
2.23.0
|
