X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/d78480be9f049f1c78df9c6ed66accb81bec1f94..c12cf250eb723e0bd7e34a539887e42f03939023:/auth-shadow.c diff --git a/auth-shadow.c b/auth-shadow.c index 4b3a514f..21909167 100644 --- a/auth-shadow.c +++ b/auth-shadow.c @@ -23,19 +23,63 @@ */ #include "includes.h" -RCSID("$Id$"); #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) #include +#include +#include +#include +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "buffer.h" #include "log.h" +#ifdef DAY +# undef DAY +#endif #define DAY (24L * 60 * 60) /* 1 day in seconds */ extern Buffer loginmsg; +/* + * For the account and password expiration functions, we assume the expiry + * occurs the day after the day specified. + */ + +/* + * Check if specified account is expired. Returns 1 if account is expired, + * 0 otherwise. + */ +int +auth_shadow_acctexpired(struct spwd *spw) +{ + time_t today; + int daysleft; + char buf[256]; + + today = time(NULL) / DAY; + daysleft = spw->sp_expire - today; + debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today, + (int)spw->sp_expire, daysleft); + + if (spw->sp_expire == -1) { + debug3("account expiration disabled"); + } else if (daysleft < 0) { + logit("Account %.100s has expired", spw->sp_namp); + return 1; + } else if (daysleft <= spw->sp_warn) { + debug3("account will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your account will expire in %d day%s.\n", daysleft, + daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); + } + + return 0; +} + /* * Checks password expiry for platforms that use shadow passwd files. * Returns: 1 = password expired, 0 = password not expired @@ -45,9 +89,11 @@ auth_shadow_pwexpired(Authctxt *ctxt) { struct spwd *spw = NULL; const char *user = ctxt->pw->pw_name; + char buf[256]; time_t today; + int daysleft, disabled = 0; - if ((spw = getspnam(user)) == NULL) { + if ((spw = getspnam((char *)user)) == NULL) { error("Could not get shadow information for %.100s", user); return 0; } @@ -57,21 +103,38 @@ auth_shadow_pwexpired(Authctxt *ctxt) (int)spw->sp_lstchg, (int)spw->sp_max); #if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && - spw->sp_warn == 0) - return 0; /* HP-UX Trusted Mode: expiry disabled */ -#endif + if (iscomsec()) { + struct pr_passwd *pr; - /* TODO: Add code to put expiry warnings into loginmsg */ + pr = getprpwnam((char *)user); - if (spw->sp_lstchg == 0) { - logit("User %.100s password has expired (root forced)", user); - return 1; + /* Test for Trusted Mode expiry disabled */ + if (pr != NULL && pr->ufld.fd_min == 0 && + pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 && + pr->ufld.fd_pw_expire_warning == 0 && + pr->ufld.fd_schange != 0) + disabled = 1; } +#endif - if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { + /* TODO: check sp_inact */ + daysleft = spw->sp_lstchg + spw->sp_max - today; + if (disabled) { + debug3("password expiration disabled"); + } else if (spw->sp_lstchg == 0) { + logit("User %.100s password has expired (root forced)", user); + return 1; + } else if (spw->sp_max == -1) { + debug3("password expiration disabled"); + } else if (daysleft < 0) { logit("User %.100s password has expired (password aged)", user); return 1; + } else if (daysleft <= spw->sp_warn) { + debug3("password will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your password will expire in %d day%s.\n", daysleft, + daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); } return 0;