Class-imposed login restrictions

If the following functions are available,
add an additional check if users are allowed to login imposed by login class.

* auth_hostok(3)
* auth_timeok(3)

These functions are implemented on FreeBSD.

auth.c

@@ -463,6 +463,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
 {
 #ifdef HAVE_LOGIN_CAP
  extern login_cap_t *lc;
+#ifdef HAVE_AUTH_HOSTOK
+ const char *from_host, *from_ip;
+#endif
 #ifdef BSD_AUTH
  auth_session_t *as;
 #endif
@@ -508,6 +511,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
  debug("unable to get login class: %s", user);
  return (NULL);
  }
+#ifdef HAVE_AUTH_HOSTOK
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ debug("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_HOSTOK */
+#ifdef HAVE_AUTH_TIMEOK
+ if (!auth_timeok(lc, time(NULL))) {
+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_TIMEOK */
 #ifdef BSD_AUTH
  if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
  auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {

configure.ac

@@ -1886,6 +1886,8 @@ AC_SUBST([PICFLAG])
 
 dnl Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
+ auth_hostok \
+ auth_timeok \
  Blowfish_initstate \
  Blowfish_expandstate \
  Blowfish_expand0state \