- (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
authordtucker <dtucker>
Tue, 10 Feb 2004 01:50:19 +0000 (01:50 +0000)
committerdtucker <dtucker>
Tue, 10 Feb 2004 01:50:19 +0000 (01:50 +0000)
    openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
    native password expiry.

ChangeLog
auth-passwd.c
auth.h
openbsd-compat/port-aix.c
openbsd-compat/port-aix.h

index bf5071cd70a0502f63d0c2f3a5867a4b3f1c9fec..9ecb792a00fc584e2cf037594099642bbd9a4e7f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20040210
+ - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
+    openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
+    native password expiry.
+
 20040207
  - (dtucker) OpenBSD CVS Sync
    - dtucker@cvs.openbsd.org 2004/02/06 23:41:13
index 5cc88155ca47dc6d870c4a0eaea0c4fc6c4b9535..a58dc042b666f804410689b60a84f795da34673c 100644 (file)
@@ -43,14 +43,11 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
 #include "servconf.h"
 #include "auth.h"
 #include "auth-options.h"
-#ifdef WITH_AIXAUTHENTICATE
-# include "canohost.h"
-#endif
 
 extern ServerOptions options;
 int sys_auth_passwd(Authctxt *, const char *);
 
-static void
+void
 disable_forwarding(void)
 {
        no_port_forwarding_flag = 1;
@@ -121,14 +118,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
                return (auth_close(as));
        }
 }
-#elif defined(WITH_AIXAUTHENTICATE)
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-       return (aix_authenticate(authctxt->pw->pw_name, password,
-           get_canonical_hostname(options.use_dns)));
-}
-#else
+#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
 int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
diff --git a/auth.h b/auth.h
index c51717f2cde22bc70cf82e144ae91a354a8f5070..b39e48d9aeb86349fa5387c99aa3d5ffdbc8ab89 100644 (file)
--- a/auth.h
+++ b/auth.h
@@ -123,6 +123,7 @@ void        krb5_cleanup_proc(Authctxt *authctxt);
 #endif /* KRB5 */
 
 #include "auth-pam.h"
+void disable_forwarding(void);
 
 void   do_authentication(Authctxt *);
 void   do_authentication2(Authctxt *);
index 6fc2ef771edba1fa8e18241e62a94f551374f02d..a5511bbeff1187108cfccbad5ad8381a5c5008ba 100644 (file)
@@ -98,10 +98,10 @@ aix_remove_embedded_newlines(char *p)
  * returns 0.
  */
 int
-aix_authenticate(const char *name, const char *password, const char *host)
+sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
-       char *authmsg = NULL, *msg;
-       int authsuccess = 0, reenter, result;
+       char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name;
+       int authsuccess = 0, expired, reenter, result;
 
        do {
                result = authenticate((char *)name, (char *)password, &reenter,
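Review bot: The header comment above this function (only its tail, `returns 0.`, is visible in this hunk) was written for `aix_authenticate(name, password, host)` and probably needs updating for the new `sys_auth_passwd(Authctxt *ctxt, ...)` signature. It should state that the user name is read from `ctxt->pw->pw_name`, so `ctxt->pw` must be non-NULL on entry. It should also state that an expired password makes the function set `ctxt->force_pwchange` and call `disable_forwarding()`, as a later hunk adds. As a style point, `name` is now declared `char *`, so the `(char *)name` cast in the `authenticate()` call is redundant. The function body continues outside this hunk.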
@@ -114,7 +114,12 @@ aix_authenticate(const char *name, const char *password, const char *host)
        if (result == 0) {
                authsuccess = 1;
 
-               /* No pty yet, so just label the line as "ssh" */
+               host = (char *)get_canonical_hostname(options.use_dns);
+
+               /*
+                * Record successful login.  We don't have a pty yet, so just
+                * label the line as "ssh"
+                */
                aix_setauthdb(name);
                if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
                        if (msg != NULL) {
@@ -123,6 +128,32 @@ aix_authenticate(const char *name, const char *password, const char *host)
                                xfree(msg);
                        }
                }
+
+               /*
+                * Check if the user's password is expired.
+                */
+                expired = passwdexpired(name, &msg);
+                if (msg && *msg) {
+                        buffer_append(&loginmsg, msg, strlen(msg));
+                        aix_remove_embedded_newlines(msg);
+                }
+                debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
+
+               switch (expired) {
+               case 0: /* password not expired */
+                       break;
+               case 1: /* expired, password change required */
+                       ctxt->force_pwchange = 1;
+                       disable_forwarding();
+                       break;
+               default: /* user can't change(2) or other error (-1) */
+                       logit("Password can't be changed for user %s: %.100s",
+                           name, msg);
+                       if (msg)
+                               xfree(msg);
+                       authsuccess = 0;
+               }
+
                aix_restoreauthdb();
        }
 
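Review bot: `msg` can be NULL when it reaches the two `%.100s` arguments, in the `debug3(...)` call and in the `logit(...)` call of the `default` arm. The added code guards it elsewhere with `if (msg && *msg)` and `if (msg)`, and a NULL `%s` argument is undefined unless the project's formatter tolerates it; passing `msg ? msg : ""` in both calls avoids relying on that. `msg` is also freed only in the `default` arm, so the `case 0` and `case 1` paths appear to leak it, and moving `if (msg) xfree(msg);` below the `switch` would cover all three. Separately, `loginsuccess()` has already run by the time the `default` arm sets `authsuccess = 0`, so a login refused here may still be recorded as successful in the system's login records; it is worth confirming that this is intended. The enclosing function starts and ends outside this hunk.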
index 7c7fb90ba27bd30a8d230170c872f7d68589e9af..fa40d41bd7a2c3c82d2e1d95a148d155442f1544 100644 (file)
@@ -36,6 +36,9 @@
 # include <usersec.h>
 #endif
 
+/* For Authctxt */
+#include "auth.h"
+
 /* Some versions define r_type in the above headers, which causes a conflict */
 #ifdef r_type
 # undef r_type
 void aix_usrinfo(struct passwd *);
 
 #ifdef WITH_AIXAUTHENTICATE
+# define CUSTOM_SYS_AUTH_PASSWD 1
+int sys_auth_passwd(Authctxt *, const char *);
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
 #endif
 
-int aix_authenticate(const char *, const char *, const char *);
 void aix_setauthdb(const char *);
 void aix_restoreauthdb(void);
 void aix_remove_embedded_newlines(char *);