diff -uNr ../openssh-5.1p1.orig/auth.c ./auth.c
--- ../openssh-5.1p1.orig/auth.c 2008-07-09 03:54:51.000000000 -0700
+++ ./auth.c 2008-08-04 10:55:43.000000000 -0700
@@ -71,6 +72,12 @@
#endif
#include "monitor_wrap.h"
+#ifdef __APPLE_SACL__
+/* Our membershipPriv.h is not yet API, so I will define the prototypes that I need here. */
+int mbr_user_name_to_uuid(const char *name, uuid_t uu);
+int mbr_check_service_membership(const uuid_t user, const char *servicename, int *ismember);
+#endif
+
/* import */
extern ServerOptions options;
extern int use_privsep;
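Review bot: The hand-written prototypes on the new side use `uuid_t`, and no include that provides it is visible in this hunk; unless `<uuid/uuid.h>` (or an equivalent) is pulled in elsewhere — the shifted new-side offset in the hunk header suggests an earlier hunk may add one — the block will not compile with `__APPLE_SACL__` defined. Because these declarations are copied rather than taken from the system header, a later change to the real signatures would go unnoticed by the compiler, so a comment naming the header and version they were copied from, e.g. `/* copied from membershipPriv.h, <version placeholder>; keep in sync */`, would make that risk visible.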
@@ -234,6 +239,46 @@
}
ga_free();
}
+
+ if( options.sacl_support )
+ {
+#ifdef __APPLE_SACL__
+ /*
+ * Here we check with memberd if the Service ACLs allow this user to
+ * use the ssh service.
+ */
+
+ debug("Checking with Service ACLs for ssh login restrictions");
+
+ uuid_t user_uuid;
+ int isMember = 0;
+ int mbrErr = 0;
+
+ // get the uuid
+ if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
+ {
+ debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
+ return 0;
+ }
+ debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
+
+ // check the sacl
+ if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
+ {
+ debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
+ if(mbrErr == ENOENT) // no ACL exists
+ {
+ return 1;
+ } else {
+ return 0;
+ }
+ }
+ debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
+ return isMember;
+#endif /* __APPLE_SACL__ */
+ }
+
+
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
if (!sys_auth_allowed_user(pw, &loginmsg))
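Review bot: The SACL block returns on the allow paths as well as the deny paths — `return 1;` in the ENOENT branch and `return isMember;` at the end — so a user who passes the SACL check skips the `CUSTOM_SYS_AUTH_ALLOWED_USER` check that follows, turning an added restriction into a bypass of an existing one; only the deny outcomes should return early, e.g. `if (!isMember) return 0;` at the end and no `return` in the ENOENT branch, letting both fall through to the remaining checks. When `__APPLE_SACL__` is not defined the `if( options.sacl_support )` body is empty, so `SACLSupport yes` is accepted and silently unenforced; rejecting the option at parse time, or at least logging that it has no effect in this build, would avoid a false sense of enforcement. The two debug messages are also swapped: `Call to mbr_check_service_membership failed with status <%d>` is reached only when the call returned 0, while the message inside the error branch reads as a success report (and `suceeded` is misspelled). The enclosing function, which appears to be allowed_user(), begins and ends outside the hunk.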
diff -uNr ../openssh-5.1p1.orig/servconf.c ./servconf.c
--- ../openssh-5.1p1.orig/servconf.c 2008-07-03 20:51:12.000000000 -0700
+++ ./servconf.c 2008-08-04 10:56:41.000000000 -0700
@@ -99,6 +99,7 @@
options->permit_empty_passwd = -1;
options->permit_user_env = -1;
options->use_login = -1;
+ options->sacl_support = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
options->allow_agent_forwarding = -1;
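Review bot: `options->sacl_support` is initialized to -1 here, but no matching `if (options->sacl_support == -1) options->sacl_support = 0;` appears in fill_default_server_options anywhere in this diff, and the auth.c hunk tests the field for plain truth with `if( options.sacl_support )`; since -1 is truthy, a configuration that never mentions SACLSupport behaves as if it were enabled. Every neighbouring option follows the -1 "unset" convention and is resolved to a concrete default later, so this one should be too.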
@@ -302,6 +303,7 @@
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sSACLSupport,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -409,6 +411,7 @@
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
+ { "saclsupport", sSACLSupport },
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
{ "match", sMatch, SSHCFG_ALL },
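Review bot: `{ "saclsupport", sSACLSupport },` omits the third flags field that every neighbouring entry carries, leaving it zero-initialized — neither SSHCFG_GLOBAL nor SSHCFG_MATCH — so whether the directive is accepted inside a Match block depends on how a zero flag word is treated by the parser, which is not visible here. Since the auth.c check reads a single global `options.sacl_support`, `{ "saclsupport", sSACLSupport, SSHCFG_GLOBAL },` matches both the neighbours and the intended scope.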
@@ -922,6 +925,10 @@
charptr = &options->xauth_location;
goto parse_filename;
+ case sSACLSupport:
+ intptr = &options->sacl_support;
+ goto parse_flag;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
diff -uNr ../openssh-5.1p1.orig/servconf.h ./servconf.h
--- ../openssh-5.1p1.orig/servconf.h 2008-06-10 06:01:51.000000000 -0700
+++ ./servconf.h 2008-08-04 10:57:02.000000000 -0700
@@ -143,6 +143,7 @@
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
+ int sacl_support; /* Enable use of SACLs */
int permit_tun;
diff -uNr ../openssh-5.1p1.orig/sshd_config ./sshd_config
--- ../openssh-5.1p1.orig/sshd_config 2008-07-02 05:35:43.000000000 -0700
+++ ./sshd_config 2008-08-04 10:58:34.000000000 -0700
@@ -61,6 +61,9 @@
#PasswordAuthentication yes
#PermitEmptyPasswords no
+# SACL options
+#SACLSupport yes
+
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes