From 48cb8aa935211ff95ff62267a799d3548df442d4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 7 Jan 2003 12:19:32 +1100 Subject: [PATCH] - (djm) Bug #442: Check for and deny access to accounts with locked passwords. Patch from dtucker@zip.com.au --- ChangeLog | 4 +++- auth.c | 23 +++++++++++++++++------ 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0c6e463f0..3be46f5cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20030107 - (djm) Bug #401: Work around Linux breakage with IPv6 mapped addresses. Based on fix from yoshfuji@linux-ipv6.org + - (djm) Bug #442: Check for and deny access to accounts with locked + passwords. Patch from dtucker@zip.com.au 20030103 - (djm) Bug #461: ssh-copy-id fails with no arguments. Patch from @@ -929,4 +931,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2541 2003/01/06 23:51:23 djm Exp $ +$Id: ChangeLog,v 1.2542 2003/01/07 01:19:32 djm Exp $ diff --git a/auth.c b/auth.c index ee001283f..0e7910943 100644 --- a/auth.c +++ b/auth.c @@ -72,20 +72,23 @@ int allowed_user(struct passwd * pw) { struct stat st; - const char *hostname = NULL, *ipaddr = NULL; + const char *hostname = NULL, *ipaddr = NULL, *passwd; char *shell; int i; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; #endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ - !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) + !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; +#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; +#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ + !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) #define DAY (24L * 60 * 60) /* 1 day in seconds */ spw = getspnam(pw->pw_name); if (spw != NULL) { @@ -116,12 +119,20 @@ allowed_user(struct passwd * pw) return 0; } } -#else - /* Shouldn't be called if pw is NULL, but better safe than sorry... */ - if (!pw || !pw->pw_name) - return 0; #endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + passwd = spw->sp_pwdp; +#else + passwd = pw->pw_passwd; +#endif + /* check for locked account */ + if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') { + log("User %.100s not allowed because account is locked", + pw->pw_name); + return 0; + } + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh.