-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
- !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#define DAY (24L * 60 * 60) /* 1 day in seconds */
- spw = getspnam(pw->pw_name);
- if (spw != NULL) {
- time_t today = time(NULL) / DAY;
- debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
- " sp_max %d", (int)today, (int)spw->sp_expire,
- (int)spw->sp_lstchg, (int)spw->sp_max);
-
- /*
- * We assume account and password expiration occurs the
- * day after the day specified.
- */
- if (spw->sp_expire != -1 && today > spw->sp_expire) {
- log("Account %.100s has expired", pw->pw_name);
- return 0;
- }
-
- if (spw->sp_lstchg == 0) {
- log("User %.100s password has expired (root forced)",
- pw->pw_name);
- return 0;
- }
-
- if (spw->sp_max != -1 &&
- today > spw->sp_lstchg + spw->sp_max) {
- log("User %.100s password has expired (password aged)",
- pw->pw_name);
- return 0;
- }
- }
- passwd = spw->sp_pwdp;
+#ifdef USE_SHADOW
+ if (!options.use_pam)
+ spw = getspnam(pw->pw_name);
+#ifdef HAS_SHADOW_EXPIRE
+ if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
+ return 0;
+#endif /* HAS_SHADOW_EXPIRE */
+#endif /* USE_SHADOW */
+
+ /* grab passwd field for locked account check */
+#ifdef USE_SHADOW
+ if (spw != NULL)
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+ passwd = get_iaf_password(pw);
+#else
+ passwd = spw->sp_pwdp;
+#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */