From 5a8bd0c38933ec8c531aad7b371a04e94c76ad99 Mon Sep 17 00:00:00 2001 From: dtucker Date: Tue, 10 Feb 2004 02:01:14 +0000 Subject: [PATCH] - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h defines.h] Bug #14: Use do_pwchange to support password expiry and force change for platforms using /etc/shadow. ok djm@ --- ChangeLog | 7 +++-- LICENCE | 1 + Makefile.in | 2 +- auth-passwd.c | 7 +++++ auth-shadow.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++ auth.c | 19 ------------ auth.h | 4 +++ defines.h | 3 ++ 8 files changed, 101 insertions(+), 22 deletions(-) create mode 100644 auth-shadow.c diff --git a/ChangeLog b/ChangeLog index 9ecb792a..3ab16da7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,10 @@ 20040210 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c - openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's - native password expiry. + openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's + native password expiry. + - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h + defines.h] Bug #14: Use do_pwchange to support password expiry and force + change for platforms using /etc/shadow. ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync diff --git a/LICENCE b/LICENCE index d7292998..d8c15730 100644 --- a/LICENCE +++ b/LICENCE @@ -202,6 +202,7 @@ OpenSSH contains no GPL code. Todd C. Miller Wayne Schroeder William Jones + Darren Tucker * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/Makefile.in b/Makefile.in index c76e63d3..fbaa6dca 100644 --- a/Makefile.in +++ b/Makefile.in @@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ kexdhs.o kexgexs.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ - loginrec.o auth-pam.o auth-sia.o md5crypt.o + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 diff --git a/auth-passwd.c b/auth-passwd.c index a58dc042..e434a21e 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -97,6 +97,13 @@ auth_password(Authctxt *authctxt, const char *password) return ok; } #endif +#ifdef USE_SHADOW + if (auth_shadow_pwexpired(authctxt)) { + disable_forwarding(); + authctxt->force_pwchange = 1; + } +#endif + return (sys_auth_passwd(authctxt, password) && ok); } diff --git a/auth-shadow.c b/auth-shadow.c new file mode 100644 index 00000000..ef4675c9 --- /dev/null +++ b/auth-shadow.c @@ -0,0 +1,80 @@ +/* + * Copyright (c) 2004 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +RCSID("$Id$"); + +#ifdef USE_SHADOW +#include + +#include "auth.h" +#include "auth-shadow.h" +#include "buffer.h" +#include "log.h" + +#define DAY (24L * 60 * 60) /* 1 day in seconds */ + +extern Buffer loginmsg; + +/* + * Checks password expiry for platforms that use shadow passwd files. + * Returns: 1 = password expired, 0 = password not expired + */ +int +auth_shadow_pwexpired(Authctxt *ctxt) +{ + struct spwd *spw = NULL; + const char *user = ctxt->pw->pw_name; + time_t today; + + if ((spw = getspnam(user)) == NULL) { + error("Could not get shadow information for %.100s", user); + return 0; + } + + today = time(NULL) / DAY; + debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today, + (int)spw->sp_lstchg, (int)spw->sp_max); + +#if defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && + spw->sp_warn == 0) + return 0; /* HP-UX Trusted Mode: expiry disabled */ +#endif + + /* TODO: Add code to put expiry warnings into loginmsg */ + + if (spw->sp_lstchg == 0) { + logit("User %.100s password has expired (root forced)", user); + return 1; + } + + if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { + logit("User %.100s password has expired (password aged)", user); + return 1; + } + + return 0; +} +#endif /* USE_SHADOW */ diff --git a/auth.c b/auth.c index 4b307dab..c6e7c21c 100644 --- a/auth.c +++ b/auth.c @@ -106,25 +106,6 @@ allowed_user(struct passwd * pw) logit("Account %.100s has expired", pw->pw_name); return 0; } - -#if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && - spw->sp_warn == 0) - disabled = 1; /* Trusted Mode: expiry disabled */ -#endif - - if (!disabled && spw->sp_lstchg == 0) { - logit("User %.100s password has expired (root forced)", - pw->pw_name); - return 0; - } - - if (!disabled && spw->sp_max != -1 && - today > spw->sp_lstchg + spw->sp_max) { - logit("User %.100s password has expired (password aged)", - pw->pw_name); - return 0; - } } #endif /* HAS_SHADOW_EXPIRE */ #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ diff --git a/auth.h b/auth.h index b39e48d9..b6a6a49a 100644 --- a/auth.h +++ b/auth.h @@ -122,6 +122,10 @@ int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ +#ifdef USE_SHADOW +int auth_shadow_pwexpired(Authctxt *); +#endif + #include "auth-pam.h" void disable_forwarding(void); diff --git a/defines.h b/defines.h index 3865e34d..3d6b688f 100644 --- a/defines.h +++ b/defines.h @@ -585,6 +585,9 @@ struct winsize { # endif #endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# define USE_SHADOW +#endif /* The login() library function in libutil is first choice */ #if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN) -- 2.45.1