*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.51 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
#endif
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#ifdef USE_SHADOW
#include <shadow.h>
-#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+#endif
#ifdef HAVE_LIBGEN_H
#include <libgen.h>
#include "buffer.h"
#include "bufaux.h"
#include "uidswap.h"
-#include "tildexpand.h"
#include "misc.h"
#include "bufaux.h"
#include "packet.h"
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
char *shell;
int i;
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#ifdef USE_SHADOW
struct spwd *spw = NULL;
#endif
if (!pw || !pw->pw_name)
return 0;
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#ifdef USE_SHADOW
if (!options.use_pam)
spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
-#define DAY (24L * 60 * 60) /* 1 day in seconds */
- if (!options.use_pam && spw != NULL) {
- int disabled = 0;
- time_t today;
-
- today = time(NULL) / DAY;
- debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
- " sp_max %d", (int)today, (int)spw->sp_expire,
- (int)spw->sp_lstchg, (int)spw->sp_max);
-
- /*
- * We assume account and password expiration occurs the
- * day after the day specified.
- */
- if (spw->sp_expire != -1 && today > spw->sp_expire) {
- logit("Account %.100s has expired", pw->pw_name);
- return 0;
- }
- }
+ if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
+ return 0;
#endif /* HAS_SHADOW_EXPIRE */
-#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+#endif /* USE_SHADOW */
/* grab passwd field for locked account check */
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#ifdef USE_SHADOW
if (spw != NULL)
passwd = spw->sp_pwdp;
#else
ga_free();
}
-#ifdef WITH_AIXAUTHENTICATE
- /*
- * Don't check loginrestrictions() for root account (use
- * PermitRootLogin to control logins via ssh), or if running as
- * non-root user (since loginrestrictions will always fail).
- */
- if ((pw->pw_uid != 0) && (geteuid() == 0)) {
- char *msg;
-
- if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
- int loginrestrict_errno = errno;
-
- if (msg && *msg) {
- buffer_append(&loginmsg, msg, strlen(msg));
- aix_remove_embedded_newlines(msg);
- logit("Login restricted for %s: %.100s",
- pw->pw_name, msg);
- }
- /* Don't fail if /etc/nologin set */
- if (!(loginrestrict_errno == EPERM &&
- stat(_PATH_NOLOGIN, &st) == 0))
- return 0;
- }
- }
-#endif /* WITH_AIXAUTHENTICATE */
+#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
+ if (!sys_auth_allowed_user(pw))
+ return 0;
+#endif
/* We found no reason not to let this user try to log on... */
return 1;
/* Raise logging level */
if (authenticated == 1 ||
!authctxt->valid ||
- authctxt->failures >= AUTH_FAIL_LOG ||
+ authctxt->failures >= options.max_authtries / 2 ||
strcmp(method, "password") == 0)
authlog = logit;
fake.pw_passwd =
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
fake.pw_gecos = "NOUSER";
- fake.pw_uid = -1;
- fake.pw_gid = -1;
+ fake.pw_uid = (uid_t)-1;
+ fake.pw_gid = (gid_t)-1;
#ifdef HAVE_PW_CLASS_IN_PASSWD
fake.pw_class = "";
#endif