- (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
defines.h] Bug #14: Use do_pwchange to support password expiry and force change for platforms using /etc/shadow. ok djm@
parent
e3dba82dd4
commit
9df3defdbb
|
@ -1,7 +1,10 @@
|
|||
20040210
|
||||
- (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
|
||||
openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
|
||||
native password expiry.
|
||||
openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
|
||||
native password expiry.
|
||||
- (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
|
||||
defines.h] Bug #14: Use do_pwchange to support password expiry and force
|
||||
change for platforms using /etc/shadow. ok djm@
|
||||
|
||||
20040207
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
|
@ -1825,4 +1828,4 @@
|
|||
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
|
||||
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
|
||||
|
||||
$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.3219 2004/02/10 02:01:14 dtucker Exp $
|
||||
|
|
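--- a/LICENCE
+++ b/LICENCE
@@ -202,6 +202,7 @@ OpenSSH contains no GPL code.
 	Todd C. Miller
 	Wayne Schroeder
 	William Jones
+	Darren Tucker
 
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions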
@ -1,4 +1,4 @@
|
|||
# $Id: Makefile.in,v 1.254 2004/01/27 10:19:22 djm Exp $
|
||||
# $Id: Makefile.in,v 1.255 2004/02/10 02:01:14 dtucker Exp $
|
||||
|
||||
# uncomment if you run a non bourne compatable shell. Ie. csh
|
||||
#SHELL = @SH@
|
||||
|
@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
|||
kexdhs.o kexgexs.o \
|
||||
auth-krb5.o \
|
||||
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
loginrec.o auth-pam.o auth-sia.o md5crypt.o
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
|
||||
|
||||
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
|
||||
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
|
||||
|
|
|
@ -97,6 +97,13 @@ auth_password(Authctxt *authctxt, const char *password)
|
|||
return ok;
|
||||
}
|
||||
#endif
|
||||
#ifdef USE_SHADOW
|
||||
if (auth_shadow_pwexpired(authctxt)) {
|
||||
disable_forwarding();
|
||||
authctxt->force_pwchange = 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
return (sys_auth_passwd(authctxt, password) && ok);
|
||||
}
|
||||
|
||||
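Review bot: The new `#ifdef USE_SHADOW` block calls `auth_shadow_pwexpired()`, which reads `sp_lstchg`/`sp_max`, on every platform that merely has <shadow.h>, while the equivalent code this commit deletes from `allowed_user()` in auth.c was also wrapped in `#ifdef HAS_SHADOW_EXPIRE` (its `#endif /* HAS_SHADOW_EXPIRE */` survives as context in that section); platforms where `struct spwd` lacks the aging fields presumably stop building, so the guard here and in auth-shadow.c should be `#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)`. The expiry test also runs before `sys_auth_passwd()` has verified the password, so every failed attempt against an expired account emits the "password has expired" log line and calls `disable_forwarding()`, which looks like process-global state; checking expiry once per connection, or only after the password verifies, avoids both. With the auth.c check gone, password expiry is now enforced only by the password method — a public-key login with an expired password is no longer refused — which may be intended but deserves a comment on this block. `auth_password()` begins before this hunk.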
|
|
|
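--- /dev/null
+++ b/auth-shadow.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2004 Darren Tucker. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: auth-shadow.c,v 1.1 2004/02/10 02:01:14 dtucker Exp $");
+
+#ifdef USE_SHADOW
+#include <shadow.h>
+
+#include "auth.h"
+#include "auth-shadow.h"
+#include "buffer.h"
+#include "log.h"
+
+#define DAY (24L * 60 * 60) /* 1 day in seconds */
+
+extern Buffer loginmsg;
+
+/*
+ * Checks password expiry for platforms that use shadow passwd files.
+ * Returns: 1 = password expired, 0 = password not expired
+ */
+int
+auth_shadow_pwexpired(Authctxt *ctxt)
+{
+	struct spwd *spw = NULL;
+	const char *user = ctxt->pw->pw_name;
+	time_t today;
+
+	if ((spw = getspnam(user)) == NULL) {
+		error("Could not get shadow information for %.100s", user);
+		return 0;
+	}
+
+	today = time(NULL) / DAY;
+	debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
+	    (int)spw->sp_lstchg, (int)spw->sp_max);
+
+#if defined(__hpux) && !defined(HAVE_SECUREWARE)
+	if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
+	    spw->sp_warn == 0)
+		return 0; /* HP-UX Trusted Mode: expiry disabled */
+#endif
+
+	/* TODO: Add code to put expiry warnings into loginmsg */
+
+	if (spw->sp_lstchg == 0) {
+		logit("User %.100s password has expired (root forced)", user);
+		return 1;
+	}
+
+	if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) {
+		logit("User %.100s password has expired (password aged)", user);
+		return 1;
+	}
+
+	return 0;
+}
+#endif /* USE_SHADOW */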
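Review bot: `#include "auth-shadow.h"` names a header that this commit does not add (the file list in the commit message has no auth-shadow.h) and that is not needed, since auth.h, included just above it, already carries the `auth_shadow_pwexpired()` prototype; unless that header already exists in the tree, every USE_SHADOW build fails on this line, so drop it. The age test treats an empty last-change field as a date: where `sp_lstchg` reads back as -1 (how glibc, at least, represents an empty field, which shadow(5) defines as "aging disabled"), any small `sp_max` makes `today > spw->sp_lstchg + spw->sp_max` true and the user is forced to change the password on every login; add `if (spw->sp_lstchg == -1) return 0; /* empty field: aging disabled */` next to the existing `sp_max != -1` test. The `getspnam()` failure path fails open by returning "not expired"; that is defensible, since the password cannot be verified without shadow access either, but the intent belongs in a comment, e.g. `/* no shadow entry: nothing to enforce here, sys_auth_passwd() decides */`.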
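--- a/auth.c
+++ b/auth.c
@@ -106,25 +106,6 @@ allowed_user(struct passwd * pw)
 			logit("Account %.100s has expired", pw->pw_name);
 			return 0;
 		}
-
-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
-		if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
-		    spw->sp_warn == 0)
-			disabled = 1; /* Trusted Mode: expiry disabled */
-#endif
-
-		if (!disabled && spw->sp_lstchg == 0) {
-			logit("User %.100s password has expired (root forced)",
-			    pw->pw_name);
-			return 0;
-		}
-
-		if (!disabled && spw->sp_max != -1 &&
-		    today > spw->sp_lstchg + spw->sp_max) {
-			logit("User %.100s password has expired (password aged)",
-			    pw->pw_name);
-			return 0;
-		}
 	}
 #endif /* HAS_SHADOW_EXPIRE */
 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */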
4
auth.h
4
auth.h
|
@ -122,6 +122,10 @@ int auth_krb5_password(Authctxt *authctxt, const char *password);
|
|||
void krb5_cleanup_proc(Authctxt *authctxt);
|
||||
#endif /* KRB5 */
|
||||
|
||||
#ifdef USE_SHADOW
|
||||
int auth_shadow_pwexpired(Authctxt *);
|
||||
#endif
|
||||
|
||||
#include "auth-pam.h"
|
||||
void disable_forwarding(void);
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
#ifndef _DEFINES_H
|
||||
#define _DEFINES_H
|
||||
|
||||
/* $Id: defines.h,v 1.109 2004/01/27 05:40:35 tim Exp $ */
|
||||
/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */
|
||||
|
||||
|
||||
/* Constants */
|
||||
|
@ -585,6 +585,9 @@ struct winsize {
|
|||
# endif
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
|
||||
# define USE_SHADOW
|
||||
#endif
|
||||
|
||||
/* The login() library function in libutil is first choice */
|
||||
#if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)
|
||||
|
|