diff -Naurdp ../openssh/auth.c ./auth.c
--- ../openssh/auth.c 2005-09-28 16:11:01.000000000 -0700
+++ ./auth.c 2005-09-28 16:21:03.000000000 -0700
@@ -36,6 +37,10 @@ RCSID("$OpenBSD: auth.c,v 1.60 2005/06/1
 #include
 #endif
+#ifdef __APPLE_SACL__
+#include
+#endif
+
 #include "xmalloc.h"
 #include "match.h"
 #include "groupaccess.h"
@@ -216,6 +221,46 @@ allowed_user(struct passwd * pw)
 ga_free();
 }
+ if( options.sacl_support )
+ {
+ #ifdef __APPLE_SACL__
+ /*
+ * Here we check with memberd if the Service ACLs allow this user to
+ * use the ssh service.
+ */
+
+ debug("Checking with Service ACLs for ssh login restrictions");
+
+ uuid_t user_uuid;
+ int isMember = 0;
+ int mbrErr = 0;
+
+ // get the uuid
+ if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
+ {
+ debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
+ return 0;
+ }
+ debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
+
+ // check the sacl
+ if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
+ {
+ debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
+ if(mbrErr == ENOENT) // no ACL exists
+ {
+ return 1;
+ } else {
+ return 0;
+ }
+ }
+ debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
+ return isMember;
+ #endif /* __APPLE_SACL__ */
+ }
+
+
+
 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
 if (!sys_auth_allowed_user(pw, &loginmsg))
 return 0;
diff -Naurdp ../openssh/servconf.c ./servconf.c
--- ../openssh/servconf.c 2005-09-28 16:11:01.000000000 -0700
+++ ./servconf.c 2005-09-28 16:21:10.000000000 -0700
@@ -80,6 +80,7 @@ initialize_server_options(ServerOptions
 options->permit_empty_passwd = -1;
 options->permit_user_env = -1;
 options->use_login = -1;
+ options->sacl_support = -1;
 options->compression = -1;
 options->allow_tcp_forwarding = -1;
 options->num_allow_users = 0;
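Review bot: In the SACL block of allowed_user, `return 1` on ENOENT and `return isMember` on success end the function early, so once SACLSupport is on the `CUSTOM_SYS_AUTH_ALLOWED_USER` call two lines later and anything after the hunk is never evaluated; a check spliced into a chain of allow/deny tests should only be able to deny and otherwise fall through. The two debug lines around mbr_check_service_membership are also swapped — "Call to mbr_check_service_membership failed with status" is reached only when the call returned 0, while the failure path logs "Called ... with status" — and "suceeded" is misspelled. The ENOENT branch is a deliberate fail-open for "no ACL defined for ssh" and deserves a comment saying so, since every other memberd error fails closed. Declarations after statements, indented `#ifdef`/`#endif`, camelCase locals and `if(` without a space don't match the surrounding OpenSSH style; the rewrite below keeps the same decisions but only denies, logs each outcome once, and follows the file's layout. allowed_user begins and ends outside the hunk.
```c
	if (options.sacl_support) {
#ifdef __APPLE_SACL__
		/*
		 * Ask memberd whether the "ssh" Service ACL admits this user.
		 * This block can only deny: when the ACL admits the user, or no
		 * ACL is defined at all (ENOENT), fall through to the remaining
		 * checks instead of returning early.
		 */
		uuid_t user_uuid;
		int is_member = 0;
		int mbr_err;

		debug("Checking with Service ACLs for ssh login restrictions");
		if (mbr_user_name_to_uuid(pw->pw_name, user_uuid)) {
			debug("mbr_user_name_to_uuid failed for <%s>", pw->pw_name);
			return 0;
		}
		mbr_err = mbr_check_service_membership(user_uuid, "ssh", &is_member);
		if (mbr_err != 0 && mbr_err != ENOENT) {
			/* memberd error other than "no ACL defined": fail closed */
			debug("mbr_check_service_membership failed with status <%d>",
			    mbr_err);
			return 0;
		}
		if (mbr_err == 0 && !is_member) {
			debug("Service ACL denies ssh login for <%s>", pw->pw_name);
			return 0;
		}
#endif /* __APPLE_SACL__ */
	}
	/* … unchanged: CUSTOM_SYS_AUTH_ALLOWED_USER check … */
```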
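Review bot: `options->sacl_support = -1;` marks the option unset in initialize_server_options, but no hunk in this servconf.c diff touches fill_default_server_options, so sacl_support stays -1 at runtime and `if( options.sacl_support )` in the auth.c hunk treats the unset option as enabled. If SACLs are meant to be on by default, add `if (options->sacl_support == -1) options->sacl_support = 1;` beside the other defaults in fill_default_server_options so the behaviour is an explicit choice rather than a truthy sentinel; if off by default, use 0 there. The servconf.h comment `/* Enable use of SACLs */` and the `#SACLSupport yes` sample in the sshd_config hunk should then agree with whichever default is chosen.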
@@ -275,6 +276,7 @@ typedef enum {
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sAcceptEnv, sUsePrivilegeSeparation,
+ sSACLSupport,
 sDeprecated, sUnsupported } ServerOpCodes;
@@ -377,6 +379,7 @@ static struct {
 { "authorizedkeysfile", sAuthorizedKeysFile },
 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
 { "useprivilegeseparation", sUsePrivilegeSeparation},
+ { "saclsupport", sSACLSupport },
 { "acceptenv", sAcceptEnv },
 { NULL, sBadOption } };
@@ -718,6 +721,10 @@ parse_flag:
 charptr = &options->xauth_location;
 goto parse_filename;
+ case sSACLSupport:
+ intptr = &options->sacl_support;
+ goto parse_flag;
+
 case sStrictModes:
 intptr = &options->strict_modes;
 goto parse_flag;
diff -Naurdp ../openssh/servconf.h ./servconf.h
--- ../openssh/servconf.h 2005-09-28 16:11:01.000000000 -0700
+++ ./servconf.h 2005-09-28 16:20:38.000000000 -0700
@@ -135,6 +135,7 @@ typedef struct {
 char *authorized_keys_file; /* File containing public keys */
 char *authorized_keys_file2;
 int use_pam; /* Enable auth via PAM */
+ int sacl_support; /* Enable use of SACLs */
 } ServerOptions;
 void initialize_server_options(ServerOptions *);
diff -Naurdp ../openssh/sshd_config ./sshd_config
--- ../openssh/sshd_config 2005-09-28 16:11:01.000000000 -0700
+++ ./sshd_config 2005-09-28 16:20:38.000000000 -0700
@@ -56,6 +56,9 @@
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
+# SACL options
+#SACLSupport yes
+
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes