- (djm) Fix my fix of the fix for the Bug #442 for PAM case. Spotted by

   dtucker@zip.com.au. Reorder for clarity too.

diff --git a/ChangeLog b/ChangeLog
index e1d752dbdb30f0a7cd08b800f4fe282591218a77..62c972dd2aac71d1062c70914de0bf10102d3437 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,8 @@
    nasties. Report from peak@argo.troja.mff.cuni.cz
  - (djm) Bug #178: On AIX /etc/nologin wasnt't shown to users. Fix from 
    Ralf.Wenk@fh-karlsruhe.de and dtucker@zip.com.au
+ - (djm) Fix my fix of the fix for the Bug #442 for PAM case. Spotted by 
+   dtucker@zip.com.au. Reorder for clarity too.
 
 20030103
  - (djm) Bug #461: ssh-copy-id fails with no arguments. Patch from 

diff --git a/auth.c b/auth.c
index 7deded205cf890a995db740b6819ddb2db63531d..48586cc5d693e038297d508019daaa060e40a13a 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -78,8 +78,7 @@ allowed_user(struct passwd * pw)
 #ifdef WITH_AIXAUTHENTICATE
        char *loginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
        struct spwd *spw;
 #endif
 
@@ -87,38 +86,11 @@ allowed_user(struct passwd * pw)
        if (!pw || !pw->pw_name)
                return 0;
 
-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#define        DAY             (24L * 60 * 60) /* 1 day in seconds */
+       /* Grab the password for locked account checking */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
        spw = getspnam(pw->pw_name);
-       if (spw != NULL) {
-               time_t today = time(NULL) / DAY;
-               debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
-                   " sp_max %d", (int)today, (int)spw->sp_expire,
-                   (int)spw->sp_lstchg, (int)spw->sp_max);
-
-               /*
-                * We assume account and password expiration occurs the
-                * day after the day specified.
-                */
-               if (spw->sp_expire != -1 && today > spw->sp_expire) {
-                       log("Account %.100s has expired", pw->pw_name);
-                       return 0;
-               }
-
-               if (spw->sp_lstchg == 0) {
-                       log("User %.100s password has expired (root forced)",
-                           pw->pw_name);
-                       return 0;
-               }
-
-               if (spw->sp_max != -1 &&
-                   today > spw->sp_lstchg + spw->sp_max) {
-                       log("User %.100s password has expired (password aged)",
-                           pw->pw_name);
-                       return 0;
-               }
-       }
+       if (!spw)
+               return 0;
        passwd = spw->sp_pwdp;
 #else
        passwd = pw->pw_passwd;
@@ -131,6 +103,37 @@ allowed_user(struct passwd * pw)
                return 0;
        }
 
+#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
+    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+#define        DAY             (24L * 60 * 60) /* 1 day in seconds */
+       time_t today = time(NULL) / DAY;
+       debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
+           " sp_max %d", (int)today, (int)spw->sp_expire,
+           (int)spw->sp_lstchg, (int)spw->sp_max);
+
+       /*
+        * We assume account and password expiration occurs the
+        * day after the day specified.
+        */
+       if (spw->sp_expire != -1 && today > spw->sp_expire) {
+               log("Account %.100s has expired", pw->pw_name);
+               return 0;
+       }
+
+       if (spw->sp_lstchg == 0) {
+               log("User %.100s password has expired (root forced)",
+                   pw->pw_name);
+               return 0;
+       }
+
+       if (spw->sp_max != -1 &&
+           today > spw->sp_lstchg + spw->sp_max) {
+               log("User %.100s password has expired (password aged)",
+                   pw->pw_name);
+               return 0;
+       }
+#endif
+
        /*
         * Get the shell from the password data.  An empty shell field is
         * legal, and means /bin/sh.