diff -Naurdp ../openssh/auth.c ./auth.c
--- ../openssh/auth.c 2005-09-28 16:11:01.000000000 -0700
+++ ./auth.c 2005-09-28 16:21:03.000000000 -0700
@@ -36,6 +37,10 @@ RCSID("$OpenBSD: auth.c,v 1.60 2005/06/1
#include <libgen.h>
#endif
+#ifdef __APPLE_SACL__
+#include <membershipPriv.h>
+#endif
+
#include "xmalloc.h"
#include "match.h"
#include "groupaccess.h"
@@ -216,6 +221,46 @@ allowed_user(struct passwd * pw)
ga_free();
}
+ if( options.sacl_support )
+ {
+ #ifdef __APPLE_SACL__
+ /*
+ * Here we check with memberd if the Service ACLs allow this user to
+ * use the ssh service.
+ */
+
+ debug("Checking with Service ACLs for ssh login restrictions");
+
+ uuid_t user_uuid;
+ int isMember = 0;
+ int mbrErr = 0;
+
+ // get the uuid
+ if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
+ {
+ debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
+ return 0;
+ }
+ debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
+
+ // check the sacl
+ if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
+ {
+ debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
+ if(mbrErr == ENOENT) // no ACL exists
+ {
+ return 1;
+ } else {
+ return 0;
+ }
+ }
+ debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
+ return isMember;
+ #endif /* __APPLE_SACL__ */
+ }
+
+
+
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
if (!sys_auth_allowed_user(pw, &loginmsg))
return 0;
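Review bot: The SACL block returns from allowed_user() as soon as the check passes — `return 1;` in the ENOENT branch and `return isMember;` after it — which skips every check that follows in the function, including the visible `sys_auth_allowed_user()` call under CUSTOM_SYS_AUTH_ALLOWED_USER, so a user accepted by the SACL is never subjected to those later restrictions; the block should only ever deny and otherwise fall through. The two debug messages are also swapped: the "failed with status" message runs on the success path and the "Called ... with isMember" message runs on failure, which will mislead anyone reading sshd logs during an incident. The rewrite below keeps the ENOENT-means-no-ACL semantics but denies only, and puts each message on the path it describes; allowed_user()'s body ends outside the hunk. Minor: the string at the first debug() after the uuid lookup spells "suceeded".
```c
	// check the sacl
	if ((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember))) {
		debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
		if (mbrErr != ENOENT)	/* ENOENT: no SACL exists, so it places no restriction */
			return 0;
	} else {
		debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
		if (!isMember)
			return 0;
	}
	/* … fall through to the remaining allowed_user() checks below … */
```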
diff -Naurdp ../openssh/servconf.c ./servconf.c
--- ../openssh/servconf.c 2005-09-28 16:11:01.000000000 -0700
+++ ./servconf.c 2005-09-28 16:21:10.000000000 -0700
@@ -80,6 +80,7 @@ initialize_server_options(ServerOptions
options->permit_empty_passwd = -1;
options->permit_user_env = -1;
options->use_login = -1;
+ options->sacl_support = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
options->num_allow_users = 0;
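Review bot: `options->sacl_support = -1;` is the "unset" sentinel used by every other field here, but no hunk in this diff resolves it in fill_default_server_options(), and auth.c tests `options.sacl_support` for non-zero, so unless it is handled somewhere outside this diff an sshd_config that never mentions SACLSupport ends up with the check enabled (-1 is truthy). Add the usual default resolution next to the other fields, `if (options->sacl_support == -1) options->sacl_support = 0;`, choosing 0 or 1 deliberately and documenting the choice in sshd_config, where the commented `#SACLSupport yes` currently implies yes.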
@@ -275,6 +276,7 @@ typedef enum {
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sAcceptEnv,
sUsePrivilegeSeparation,
+ sSACLSupport,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -377,6 +379,7 @@ static struct {
{ "authorizedkeysfile", sAuthorizedKeysFile },
{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
{ "useprivilegeseparation", sUsePrivilegeSeparation},
+ { "saclsupport", sSACLSupport },
{ "acceptenv", sAcceptEnv },
{ NULL, sBadOption }
};
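Review bot: The `saclsupport` keyword is registered unconditionally, while the code that acts on it in auth.c is compiled only under __APPLE_SACL__, so on any other build an administrator can set `SACLSupport yes` and sshd will accept the directive while the `if (options.sacl_support)` body is empty and the setting silently does nothing. Following the file's existing pattern for build-dependent features, map the keyword to `sUnsupported` when the macro is not defined, e.g. `#ifdef __APPLE_SACL__` / `{ "saclsupport", sSACLSupport },` / `#else` / `{ "saclsupport", sUnsupported },` / `#endif`, so the config parser logs it as unsupported instead.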
@@ -718,6 +721,10 @@ parse_flag:
charptr = &options->xauth_location;
goto parse_filename;
+ case sSACLSupport:
+ intptr = &options->sacl_support;
+ goto parse_flag;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
diff -Naurdp ../openssh/servconf.h ./servconf.h
--- ../openssh/servconf.h 2005-09-28 16:11:01.000000000 -0700
+++ ./servconf.h 2005-09-28 16:20:38.000000000 -0700
@@ -135,6 +135,7 @@ typedef struct {
char *authorized_keys_file; /* File containing public keys */
char *authorized_keys_file2;
int use_pam; /* Enable auth via PAM */
+ int sacl_support; /* Enable use of SACLs */
} ServerOptions;
void initialize_server_options(ServerOptions *);
diff -Naurdp ../openssh/sshd_config ./sshd_config
--- ../openssh/sshd_config 2005-09-28 16:11:01.000000000 -0700
+++ ./sshd_config 2005-09-28 16:20:38.000000000 -0700
@@ -56,6 +56,9 @@
#PasswordAuthentication yes
#PermitEmptyPasswords no
+# SACL options
+#SACLSupport yes
+
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes