X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/96d0bf7425ca8150a1697abb8a7c4cef88b7b580..34f2baf0f5d9dad08aaed92f16ee660b9c150d65:/auth.c diff --git a/auth.c b/auth.c index 46e495ad..d9ee0362 100644 --- a/auth.c +++ b/auth.c @@ -23,14 +23,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.49 2003/08/26 09:58:43 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $"); #ifdef HAVE_LOGIN_H #include #endif -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#ifdef USE_SHADOW #include -#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#endif #ifdef HAVE_LIBGEN_H #include @@ -47,7 +47,6 @@ RCSID("$OpenBSD: auth.c,v 1.49 2003/08/26 09:58:43 markus Exp $"); #include "buffer.h" #include "bufaux.h" #include "uidswap.h" -#include "tildexpand.h" #include "misc.h" #include "bufaux.h" #include "packet.h" @@ -76,7 +75,7 @@ allowed_user(struct passwd * pw) const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; char *shell; int i; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#ifdef USE_SHADOW struct spwd *spw = NULL; #endif 
@@ -84,53 +83,24 @@ allowed_user(struct passwd * pw) if (!pw || !pw->pw_name) return 0; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#ifdef USE_SHADOW if (!options.use_pam) spw = getspnam(pw->pw_name); #ifdef HAS_SHADOW_EXPIRE -#define DAY (24L * 60 * 60) /* 1 day in seconds */ - if (!options.use_pam && spw != NULL) { - time_t today; - - today = time(NULL) / DAY; - debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" - " sp_max %d", (int)today, (int)spw->sp_expire, - (int)spw->sp_lstchg, (int)spw->sp_max); - - /* - * We assume account and password expiration occurs the - * day after the day specified. - */ - if (spw->sp_expire != -1 && today > spw->sp_expire) { - logit("Account %.100s has expired", pw->pw_name); - return 0; - } - - if (spw->sp_lstchg == 0) { - logit("User %.100s password has expired (root forced)", - pw->pw_name); - return 0; - } - - if (spw->sp_max != -1 && - today > spw->sp_lstchg + spw->sp_max) { - logit("User %.100s password has expired (password aged)", - pw->pw_name); - return 0; - } - } + if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) + return 0; #endif /* HAS_SHADOW_EXPIRE */ -#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#endif /* USE_SHADOW */ - /* grab passwd field for locked account check */ -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + /* grab passwd field for locked account check */ +#ifdef USE_SHADOW if (spw != NULL) passwd = spw->sp_pwdp; #else passwd = pw->pw_passwd; #endif - /* check for locked account */ + /* check for locked account */ if (!options.use_pam && passwd && *passwd) { int locked = 0; 
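Review bot: Whether an aged or root-expired password still blocks a login is not visible after this change. The new `if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) return 0;` names only account expiry, while the removed block also returned 0 for `sp_lstchg == 0` and for `today > spw->sp_lstchg + spw->sp_max`. If those two cases are now enforced only in the password-authentication path, a user authenticating by another method such as public key would presumably no longer be stopped by them; that should be confirmed and stated. I would add a comment above the call, `/* account expiry only; password ageing is enforced in <LOCATION - to be filled in>, confirm it covers non-password methods */`, and check that the helper keeps a `logit` per denial, since the call site is now silent. allowed_user starts before and continues after this hunk.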
@@ -233,44 +203,15 @@ allowed_user(struct passwd * pw) ga_free(); } -#ifdef WITH_AIXAUTHENTICATE - /* - * Don't check loginrestrictions() for root account (use - * PermitRootLogin to control logins via ssh), or if running as - * non-root user (since loginrestrictions will always fail). - */ - if ((pw->pw_uid != 0) && (geteuid() == 0)) { - char *msg; - - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { - int loginrestrict_errno = errno; - - if (msg && *msg) { - buffer_append(&loginmsg, msg, strlen(msg)); - aix_remove_embedded_newlines(msg); - logit("Login restricted for %s: %.100s", - pw->pw_name, msg); - } - /* Don't fail if /etc/nologin set */ - if (!(loginrestrict_errno == EPERM && - stat(_PATH_NOLOGIN, &st) == 0)) - return 0; - } - } -#endif /* WITH_AIXAUTHENTICATE */ +#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER + if (!sys_auth_allowed_user(pw)) + return 0; +#endif /* We found no reason not to let this user try to log on... */ return 1; } -Authctxt * -authctxt_new(void) -{ - Authctxt *authctxt = xmalloc(sizeof(*authctxt)); - memset(authctxt, 0, sizeof(*authctxt)); - return authctxt; -} - void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) { @@ -280,7 +221,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) /* Raise logging level */ if (authenticated == 1 || !authctxt->valid || - authctxt->failures >= AUTH_FAIL_LOG || + authctxt->failures >= options.max_authtries / 2 || strcmp(method, "password") == 0) authlog = logit; @@ -598,10 +539,10 @@ fakepw(void) memset(&fake, 0, sizeof(fake)); fake.pw_name = "NOUSER"; fake.pw_passwd = - "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; + "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; fake.pw_gecos = "NOUSER"; - fake.pw_uid = -1; - fake.pw_gid = -1; + fake.pw_uid = (uid_t)-1; + fake.pw_gid = (gid_t)-1; #ifdef HAVE_PW_CLASS_IN_PASSWD fake.pw_class = ""; #endif
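Review bot: The `sys_auth_allowed_user(pw)` call runs for every account, including root and when sshd is not running as root. The removed AIX block skipped both cases (`(pw->pw_uid != 0) && (geteuid() == 0)`) and did not deny when `/etc/nologin` caused the EPERM. Those exemptions, the `logit` of the reason and the `loginmsg` append now have to live inside each platform hook, which this diff does not show. I would state the contract at the call site, e.g. `/* platform hook: returns 0 to deny; must itself handle root, a non-root euid, and log the reason */`. allowed_user starts outside this hunk, and the same hunk deletes `authctxt_new`, so its callers must have been updated elsewhere.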
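Review bot: The raised-logging threshold `authctxt->failures >= options.max_authtries / 2` now scales with configuration, so a large `max_authtries` delays the point at which repeated failures for a valid user with a non-password method reach `logit`. That weakens the log trail a defender relies on to spot guessing against a single account. With integer division a value of 1 gives a threshold of 0, which makes the clause true for every call, assuming `failures` is never negative. I would either bound the threshold with a fixed upper limit or at least document it, e.g. `/* logit once half the allowed attempts are used; threshold grows with max_authtries */`. auth_log starts before and continues after this hunk.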
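Review bot: The placeholder entry built in fakepw has no comment explaining why `pw_uid` and `pw_gid` are the all-ones value or that `pw_passwd` is a fixed hash rather than a real credential. The `(uid_t)-1` and `(gid_t)-1` casts make the conversion explicit, but a reader still cannot tell from these lines whether the entry could ever reach a uid-switching call, where -1 commonly has a special meaning. I would add `/* placeholder for unknown users, never a real account; uid/gid are the (uid_t)-1 sentinel and must not be used to switch ids */` above the assignments, after confirming that against the callers. fakepw starts outside this hunk.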