From 2923d026e55998133c0f6e5186dca2a3c0fa5ff5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 26 Mar 2022 12:49:50 +1100 Subject: [PATCH] Factor out platform-specific locked account check. Also fixes an incorrect free on platforms with both libiaf and shadow passwords (probably only Unixware). Prompted by github PR#284, originally from @c3h2_ctf and stoeckmann@. --- auth.c | 50 +++----------------------------------------------- platform.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ platform.h | 1 + 3 files changed, 55 insertions(+), 47 deletions(-) diff --git a/auth.c b/auth.c index 560e8ecac..81d275895 100644 --- a/auth.c +++ b/auth.c @@ -104,59 +104,15 @@ allowed_user(struct ssh *ssh, struct passwd * pw) const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; u_int i; int r; -#ifdef USE_SHADOW - struct spwd *spw = NULL; -#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; -#ifdef USE_SHADOW - if (!options.use_pam) - spw = getspnam(pw->pw_name); -#ifdef HAS_SHADOW_EXPIRE - if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) + if (!options.use_pam && platform_locked_account(pw)) { + logit("User %.100s not allowed because account is locked", + pw->pw_name); return 0; -#endif /* HAS_SHADOW_EXPIRE */ -#endif /* USE_SHADOW */ - - /* grab passwd field for locked account check */ - passwd = pw->pw_passwd; -#ifdef USE_SHADOW - if (spw != NULL) -#ifdef USE_LIBIAF - passwd = get_iaf_password(pw); -#else - passwd = spw->sp_pwdp; -#endif /* USE_LIBIAF */ -#endif - - /* check for locked account */ - if (!options.use_pam && passwd && *passwd) { - int locked = 0; - -#ifdef LOCKED_PASSWD_STRING - if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) - locked = 1; -#endif -#ifdef LOCKED_PASSWD_PREFIX - if (strncmp(passwd, LOCKED_PASSWD_PREFIX, - strlen(LOCKED_PASSWD_PREFIX)) == 0) - locked = 1; -#endif -#ifdef LOCKED_PASSWD_SUBSTR - if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) - locked = 1; -#endif -#ifdef USE_LIBIAF - free((void *) passwd); -#endif /* USE_LIBIAF */ - if (locked) { - logit("User %.100s not allowed because account is locked", - pw->pw_name); - return 0; - } } /* diff --git a/platform.c b/platform.c index 44ba71dc5..4fe8744ee 100644 --- a/platform.c +++ b/platform.c @@ -18,6 +18,7 @@ #include #include +#include #include #include "log.h" @@ -197,3 +198,53 @@ platform_krb5_get_principal_name(const char *pw_name) return NULL; #endif } + +/* returns 1 if account is locked */ +int +platform_locked_account(struct passwd *pw) +{ + int locked = 0; + char *passwd = pw->pw_passwd; +#ifdef USE_SHADOW + struct spwd *spw = NULL; +#ifdef USE_LIBIAF + char *iaf_passwd = NULL; +#endif + + spw = getspnam(pw->pw_name); +#ifdef HAS_SHADOW_EXPIRE + if (spw != NULL && auth_shadow_acctexpired(spw)) + return 1; +#endif /* HAS_SHADOW_EXPIRE */ + + if (spw != NULL) +#ifdef USE_LIBIAF + iaf_passwd = passwd = get_iaf_password(pw); +#else + passwd = spw->sp_pwdp; +#endif /* USE_LIBIAF */ +#endif + + /* check for locked account */ + if (passwd && *passwd) { +#ifdef LOCKED_PASSWD_STRING + if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_PREFIX + if (strncmp(passwd, LOCKED_PASSWD_PREFIX, + strlen(LOCKED_PASSWD_PREFIX)) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_SUBSTR + if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) + locked = 1; +#endif + } +#ifdef USE_LIBIAF + if (iaf_passwd != NULL) + freezero(iaf_passwd, strlen(iaf_passwd)); +#endif /* USE_LIBIAF */ + + return locked; +} diff --git a/platform.h b/platform.h index ea4f9c584..98c48da40 100644 --- a/platform.h +++ b/platform.h @@ -28,6 +28,7 @@ void platform_setusercontext(struct passwd *); void platform_setusercontext_post_groups(struct passwd *); char *platform_get_krb5_client(const char *); char *platform_krb5_get_principal_name(const char *); +int platform_locked_account(struct passwd *) int platform_sys_dir_uid(uid_t); void platform_disable_tracing(int);