- (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode.

diff --git a/ChangeLog b/ChangeLog
index d28dfc43768c746c7eccdb1ac63d21c372e7314d..e8b126ba20d8c9f7dc67de679874c5eb316e5f66 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,7 @@
  - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c
    openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always
    compiled in but disabled in config.
+ - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode.
 
 20031009
  - (dtucker) [sshd_config.5] UsePAM defaults to "no".  ok djm@

diff --git a/auth.c b/auth.c
index 029672877ab17c8ffe0b21945f33f7b7f6add6a5..fcafae86154c08484113cfd0e6df4cdf97d2e5bd 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -90,6 +90,7 @@ allowed_user(struct passwd * pw)
 #ifdef HAS_SHADOW_EXPIRE
 #define        DAY             (24L * 60 * 60) /* 1 day in seconds */
        if (!options.use_pam && spw != NULL) {
+               int disabled = 0;
                time_t today;
 
                today = time(NULL) / DAY;
@@ -106,13 +107,19 @@ allowed_user(struct passwd * pw)
                        return 0;
                }
 
-               if (spw->sp_lstchg == 0) {
+#if defined(__hpux) && !defined(HAVE_SECUREWARE)
+               if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
+                    spw->sp_warn == 0)
+                       disabled = 1;   /* Trusted Mode: expiry disabled */
+#endif
+
+               if (!disabled && spw->sp_lstchg == 0) {
                        logit("User %.100s password has expired (root forced)",
                            pw->pw_name);
                        return 0;
                }
 
-               if (spw->sp_max != -1 &&
+               if (!disabled && spw->sp_max != -1 &&
                    today > spw->sp_lstchg + spw->sp_max) {
                        logit("User %.100s password has expired (password aged)",
                            pw->pw_name);