From 5c14c734295b9a30d71d110deb8307d5610d4c01 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Mon, 24 Jan 2005 21:55:49 +1100
Subject: [PATCH] - otto@cvs.openbsd.org 2005/01/21 08:32:02 [auth-passwd.c sshd.c] Warn in advance for password and account expiry; initialize loginmsg buffer earlier and clear it after privsep fork. ok and help dtucker@ markus@
---
 ChangeLog | 10 +++++++++-
 auth-passwd.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 sshd.c | 11 ++++-------
 3 files changed, 63 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8af4ea5f7..f33f2c242 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+20050124
+ - (dtucker) OpenBSD CVS Sync
+ - otto@cvs.openbsd.org 2005/01/21 08:32:02
+ [auth-passwd.c sshd.c]
+ Warn in advance for password and account expiry; initialize loginmsg
+ buffer earlier and clear it after privsep fork. ok and help dtucker@
+ markus@
+
 20050120
 - (dtucker) OpenBSD CVS Sync
 - markus@cvs.openbsd.org 2004/12/23 17:35:48
@@ -2015,4 +2023,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3620 2005/01/20 11:20:50 dtucker Exp $
+$Id: ChangeLog,v 1.3621 2005/01/24 10:55:49 dtucker Exp $
diff --git a/auth-passwd.c b/auth-passwd.c
index 7a68e0562..2e5fbc73a 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,17 +36,27 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.32 2005/01/21 08:32:02 otto Exp $");
 #include "packet.h"
+#include "buffer.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
 #include "auth-options.h"
+extern Buffer loginmsg;
 extern ServerOptions options;
 int sys_auth_passwd(Authctxt *, const char *);
+#ifdef HAVE_LOGIN_CAP
+extern login_cap_t *lc;
+#endif
+
+
+#define DAY (24L * 60 * 60) /* 1 day in seconds */
+#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
+
 void
 disable_forwarding(void)
 {
@@ -111,11 +121,46 @@ auth_password(Authctxt *authctxt, const char *password)
 }
 #ifdef BSD_AUTH
+static void
+warn_expiry(Authctxt *authctxt, auth_session_t *as)
+{
+ char buf[256];
+ quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
+
+ pwwarntime = acwarntime = TWO_WEEKS;
+
+ pwtimeleft = auth_check_change(as);
+ actimeleft = auth_check_expire(as);
+#if HAVE_LOGIN_CAP
+ if (authctxt->valid) {
+ pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
+ TWO_WEEKS);
+ acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
+ TWO_WEEKS);
+ }
+#endif
+ if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
+ daysleft = pwtimeleft / DAY + 1;
+ snprintf(buf, sizeof(buf),
+ "Your password will expire in %lld day%s.\n",
+ daysleft, daysleft == 1 ? "" : "s");
+ buffer_append(&loginmsg, buf, strlen(buf));
+ }
+ if (actimeleft != 0 && actimeleft < acwarntime) {
+ daysleft = actimeleft / DAY + 1;
+ snprintf(buf, sizeof(buf),
+ "Your account will expire in %lld day%s.\n",
+ daysleft, daysleft == 1 ? "" : "s");
+ buffer_append(&loginmsg, buf, strlen(buf));
+ }
+}
+
 int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
 struct passwd *pw = authctxt->pw;
 auth_session_t *as;
+ static int expire_checked = 0;
 as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
 (char *)password);
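Review bot: `#if HAVE_LOGIN_CAP` inside warn_expiry() tests the macro's value, while the `extern login_cap_t *lc;` declaration added higher in this file is guarded with `#ifdef HAVE_LOGIN_CAP`; a build that defines the macro empty would fail the `#if`, and -Wundef warns when it is absent, so the two guards should agree: `#ifdef HAVE_LOGIN_CAP`. The `%lld` conversions also rely on quad_t being long long, which is true on OpenBSD but not guaranteed wherever else BSD_AUTH might be enabled; casting the argument, `(long long)daysleft, daysleft == 1 ? "" : "s");`, pins the type regardless of the typedef. If auth_check_change() or auth_check_expire() can return a negative value for something already expired, the `!= 0` tests let it through and print a nonsensical day count; the AUTH_PWEXPIRED branch in sys_auth_passwd() presumably makes that unreachable for passwords, but a `> 0` test would make the intent explicit. sys_auth_passwd() begins in this hunk but its body continues outside it.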
@@ -125,6 +170,10 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 authctxt->force_pwchange = 1;
 return (1);
 } else {
+ if (!expire_checked) {
+ expire_checked = 1;
+ warn_expiry(authctxt, as);
+ }
 return (auth_close(as));
 }
 }
diff --git a/sshd.c b/sshd.c
index 76aec80b0..7f268526f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.306 2005/01/17 22:48:39 dtucker Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.307 2005/01/21 08:32:02 otto Exp $");
 #include
 #include
@@ -1664,9 +1664,6 @@ main(int ac, char **av)
 packet_set_nonblocking();
- /* prepare buffers to collect authentication messages */
- buffer_init(&loginmsg);
-
 /* allocate authentication context */
 authctxt = xmalloc(sizeof(*authctxt));
 memset(authctxt, 0, sizeof(*authctxt));
@@ -1674,13 +1671,13 @@ main(int ac, char **av)
 /* XXX global for cleanup, access from other modules */
 the_authctxt = authctxt;
+ /* prepare buffer to collect messages to display to user after login */
+ buffer_init(&loginmsg);
+
 if (use_privsep)
 if (privsep_preauth(authctxt) == 1)
 goto authenticated;
- /* prepare buffer to collect messages to display to user after login */
- buffer_init(&loginmsg);
-
 /* perform the key exchange */
 /* authenticate user and start session */
 if (compat20) {
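Review bot: warn_expiry() runs before auth_close() has produced the authentication result, and this else branch is reached for a rejected password too, so the first password attempt on a connection latches expire_checked and appends the expiry warning to loginmsg whether or not that attempt succeeded. That is presumably harmless because loginmsg is only shown after a successful login, but if the warning is meant to describe the session that actually authenticated, gate it on the session state while `as` is still open, e.g. `if (!expire_checked && (auth_getstate(as) & AUTH_ALLOW)) {` — assuming auth_getstate() already reflects the outcome here, which this hunk does not show. The file-scope static also relies on one sshd process per connection; a one-line comment would make that explicit: `/* warn once per connection, not once per attempt */`. sys_auth_passwd() begins before this hunk.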
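Review bot: The commit message says loginmsg is cleared after the privsep fork, but the sshd.c hunks only move buffer_init(&loginmsg) ahead of privsep_preauth(); no buffer_clear() appears anywhere in this diff. If the clear lives in privsep_postauth() or the monitor code outside these hunks that is fine, otherwise the monitor keeps whatever was appended during authentication (for example by warn_expiry() in auth-passwd.c) in parallel with the post-auth child's copy, and the ChangeLog wording should be checked against the portable tree. A comment on the moved lines would spare the next reader the search: `/* initialised before privsep_preauth() so monitor and child both start from an empty buffer */`. main() begins and ends outside this hunk.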