- stevesk@cvs.openbsd.org 2008/12/09 22:37:33

[openssh.git] / auth-sia.c

diff --git a/auth-sia.c b/auth-sia.c
index 05cf47c40f514db43532679cdffb4103d2b97053..debf30201b73fe182419c63ae6f08735516ad9df 100644 (file)
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -25,13 +25,6 @@
 #include "includes.h"
 
 #ifdef HAVE_OSF_SIA
-#include "ssh.h"
-#include "auth.h"
-#include "auth-sia.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-
 #include <sia.h>
 #include <siad.h>
 #include <pwd.h>
@@ -39,20 +32,81 @@
 #include <setjmp.h>
 #include <sys/resource.h>
 #include <unistd.h>
+#include <stdarg.h>
 #include <string.h>
+#include <sys/types.h>
+#include <sys/security.h>
+#include <prot.h>
+#include <time.h>
+
+#include "ssh.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "auth-sia.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+#include "uidswap.h"
 
 extern ServerOptions options;
 extern int saved_argc;
 extern char **saved_argv;
 
+static int
+sia_password_change_required(const char *user)
+{
+       struct es_passwd *acct;
+       time_t pw_life;
+       time_t pw_date;
+
+       set_auth_parameters(saved_argc, saved_argv);
+
+       if ((acct = getespwnam(user)) == NULL) {
+               error("Couldn't access protected database entry for %s", user);
+               endprpwent();
+               return (0);
+       }
+
+       /* If forced password change flag is set, honor it */
+       if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd) {
+               endprpwent();
+               return (1);
+       }
+
+       /* Obtain password lifetime; if none, it can't have expired */
+       if (acct->uflg->fg_expire)
+               pw_life = acct->ufld->fd_expire;
+       else if (acct->sflg->fg_expire)
+               pw_life = acct->sfld->fd_expire;
+       else {
+               endprpwent();
+               return (0);
+       }
+
+       /* Offset from last change; if none, it must be expired */
+       if (acct->uflg->fg_schange)
+               pw_date = acct->ufld->fd_schange + pw_life;
+       else {
+               endprpwent();
+               return (1);
+       }
+
+       endprpwent();
+
+       /* If expiration date is prior to now, change password */
+       
+       return (pw_date <= time((time_t *) NULL));
+}
+
 int
-auth_sia_password(Authctxt *authctxt, char *pass)
+sys_auth_passwd(Authctxt *authctxt, const char *pass)
 {
        int ret;
        SIAENTITY *ent = NULL;
        const char *host;
 
-       host = get_canonical_hostname(options.verify_reverse_mapping);
+       host = get_canonical_hostname(options.use_dns);
 
        if (!authctxt->user || pass == NULL || pass[0] == '\0')
                return (0);
@@ -72,6 +126,9 @@ auth_sia_password(Authctxt *authctxt, char *pass)
 
        sia_ses_release(&ent);
 
+       authctxt->force_pwchange = sia_password_change_required(
+               authctxt->user);
+
        return (1);
 }
 
@@ -81,9 +138,9 @@ session_setup_sia(struct passwd *pw, char *tty)
        SIAENTITY *ent = NULL;
        const char *host;
 
-       host = get_canonical_hostname(options.verify_reverse_mapping);
+       host = get_canonical_hostname(options.use_dns);
 
-       if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, 
+       if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
            tty, 0, NULL) != SIASUCCESS)
                fatal("sia_ses_init failed");
 
@@ -100,11 +157,11 @@ session_setup_sia(struct passwd *pw, char *tty)
        if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
                fatal("Couldn't launch session for %s from %s",
                    pw->pw_name, host);
-       
+
        sia_ses_release(&ent);
 
-       if (setreuid(geteuid(), geteuid()) < 0)
-               fatal("setreuid: %s", strerror(errno));
+       setuid(0);
+       permanently_set_uid(pw);
 }
 
 #endif /* HAVE_OSF_SIA */