X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/5a8bd0c38933ec8c531aad7b371a04e94c76ad99..HEAD:/auth-shadow.c
diff --git a/auth-shadow.c b/auth-shadow.c
index ef4675c9..21909167 100644
--- a/auth-shadow.c
+++ b/auth-shadow.c
@@ -23,20 +23,63 @@
 */
 #include "includes.h"
-RCSID("$Id$");
-#ifdef USE_SHADOW
+#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 #include
+#include
+#include
+#include
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
-#include "auth-shadow.h"
 #include "buffer.h"
 #include "log.h"
+#ifdef DAY
+# undef DAY
+#endif
 #define DAY (24L * 60 * 60) /* 1 day in seconds */
 extern Buffer loginmsg;
+/*
+ * For the account and password expiration functions, we assume the expiry
+ * occurs the day after the day specified.
+ */
+
+/*
+ * Check if specified account is expired. Returns 1 if account is expired,
+ * 0 otherwise.
+ */
+int
+auth_shadow_acctexpired(struct spwd *spw)
+{
+ time_t today;
+ int daysleft;
+ char buf[256];
+
+ today = time(NULL) / DAY;
+ daysleft = spw->sp_expire - today;
+ debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
+ (int)spw->sp_expire, daysleft);
+
+ if (spw->sp_expire == -1) {
+ debug3("account expiration disabled");
+ } else if (daysleft < 0) {
+ logit("Account %.100s has expired", spw->sp_namp);
+ return 1;
+ } else if (daysleft <= spw->sp_warn) {
+ debug3("account will expire in %d days", daysleft);
+ snprintf(buf, sizeof(buf),
+ "Your account will expire in %d day%s.\n", daysleft,
+ daysleft == 1 ? "" : "s");
+ buffer_append(&loginmsg, buf, strlen(buf));
+ }
+
+ return 0;
+}
+
 /*
 * Checks password expiry for platforms that use shadow passwd files.
 * Returns: 1 = password expired, 0 = password not expired
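Review bot: In auth_shadow_acctexpired, `daysleft` is declared `int` but is assigned from `spw->sp_expire - today`, a `long` minus a `time_t`, so where those types are wider than `int` an unusually large `sp_expire` is narrowed before the `daysleft < 0` test decides whether the account is expired. Declaring it `long daysleft;` and logging it with `%ld` keeps the comparison in the field's own width. The same narrowing applies to `daysleft = spw->sp_lstchg + spw->sp_max - today;` in the last auth_shadow_pwexpired hunk. The function also dereferences `spw` unconditionally, so its header comment should state that callers must pass a non-NULL shadow entry.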
@@ -46,9 +89,11 @@ auth_shadow_pwexpired(Authctxt *ctxt) { struct spwd *spw = NULL; const char *user = ctxt->pw->pw_name; + char buf[256]; time_t today; + int daysleft, disabled = 0; - if ((spw = getspnam(user)) == NULL) { + if ((spw = getspnam((char *)user)) == NULL) { error("Could not get shadow information for %.100s", user); return 0; } @@ -58,23 +103,40 @@ auth_shadow_pwexpired(Authctxt *ctxt) (int)spw->sp_lstchg, (int)spw->sp_max); #if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && - spw->sp_warn == 0) - return 0; /* HP-UX Trusted Mode: expiry disabled */ -#endif + if (iscomsec()) { + struct pr_passwd *pr; - /* TODO: Add code to put expiry warnings into loginmsg */ + pr = getprpwnam((char *)user); - if (spw->sp_lstchg == 0) { - logit("User %.100s password has expired (root forced)", user); - return 1; + /* Test for Trusted Mode expiry disabled */ + if (pr != NULL && pr->ufld.fd_min == 0 && + pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 && + pr->ufld.fd_pw_expire_warning == 0 && + pr->ufld.fd_schange != 0) + disabled = 1; } +#endif - if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { + /* TODO: check sp_inact */ + daysleft = spw->sp_lstchg + spw->sp_max - today; + if (disabled) { + debug3("password expiration disabled"); + } else if (spw->sp_lstchg == 0) { + logit("User %.100s password has expired (root forced)", user); + return 1; + } else if (spw->sp_max == -1) { + debug3("password expiration disabled"); + } else if (daysleft < 0) { logit("User %.100s password has expired (password aged)", user); return 1; + } else if (daysleft <= spw->sp_warn) { + debug3("password will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your password will expire in %d day%s.\n", daysleft, + daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); } return 0; } -#endif /* USE_SHADOW */ +#endif /* USE_SHADOW && HAS_SHADOW_EXPIRE */
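Review bot: The lookup-failure path at the top of auth_shadow_pwexpired logs an error and then returns 0, which the function's contract defines as "password not expired", so a failed `getspnam()` is indistinguishable from a password that is still valid. Whether a caller can reach this after authentication has otherwise succeeded is not visible in the hunk; if the behaviour is intentional, a comment such as `/* no shadow entry: expiry cannot be evaluated, treat as not expired */` above the `return 0;` would record the decision. The new `(char *)user` cast also discards `const` without explanation, presumably for platforms that declare `getspnam(char *)`, and deserves a one-line comment saying so. The function body continues past this hunk.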
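Review bot: The new if/else chain in auth_shadow_pwexpired has no branch for `spw->sp_lstchg == -1`, so if the platform's getspnam() reports an empty last-change field that way, `daysleft` goes negative and the user is logged as "password aged" and treated as expired. If an empty field is meant to disable aging on the supported platforms, the existing branch could read `} else if (spw->sp_lstchg == -1 || spw->sp_max == -1) {`. Separately, `daysleft` is computed before `sp_max == -1` is tested, and `spw->sp_lstchg + spw->sp_max` is unchecked signed arithmetic on values read from the shadow database, so it would be safer to compute it only inside the branches that use it. The function starts outside this hunk.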