From 9df3defdbb122c406072760e07859a3b4ebf567e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 13:01:14 +1100 Subject: [PATCH] - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h defines.h] Bug #14: Use do_pwchange to support password expiry and force change for platforms using /etc/shadow. ok djm@ --- ChangeLog | 9 ++++-- LICENCE | 1 + Makefile.in | 4 +-- auth-passwd.c | 7 +++++ auth-shadow.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++ auth.c | 19 ------------ auth.h | 4 +++ defines.h | 5 +++- 8 files changed, 104 insertions(+), 25 deletions(-) create mode 100644 auth-shadow.c diff --git a/ChangeLog b/ChangeLog index 20f1ec089..2aa2d537f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,10 @@ 20040210 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c - openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's - native password expiry. + openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's + native password expiry. + - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h + defines.h] Bug #14: Use do_pwchange to support password expiry and force + change for platforms using /etc/shadow. ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync @@ -1825,4 +1828,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $ +$Id: ChangeLog,v 1.3219 2004/02/10 02:01:14 dtucker Exp $ diff --git a/LICENCE b/LICENCE index d7292998e..d8c157304 100644 --- a/LICENCE +++ b/LICENCE @@ -202,6 +202,7 @@ OpenSSH contains no GPL code. Todd C. Miller Wayne Schroeder William Jones + Darren Tucker * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/Makefile.in b/Makefile.in index 1f6a4d43f..2d7982312 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.254 2004/01/27 10:19:22 djm Exp $ +# $Id: Makefile.in,v 1.255 2004/02/10 02:01:14 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ kexdhs.o kexgexs.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ - loginrec.o auth-pam.o auth-sia.o md5crypt.o + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 diff --git a/auth-passwd.c b/auth-passwd.c index a58dc042b..e434a21e3 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -97,6 +97,13 @@ auth_password(Authctxt *authctxt, const char *password) return ok; } #endif +#ifdef USE_SHADOW + if (auth_shadow_pwexpired(authctxt)) { + disable_forwarding(); + authctxt->force_pwchange = 1; + } +#endif + return (sys_auth_passwd(authctxt, password) && ok); } diff --git a/auth-shadow.c b/auth-shadow.c new file mode 100644 index 000000000..604b13304 --- /dev/null +++ b/auth-shadow.c @@ -0,0 +1,80 @@ +/* + * Copyright (c) 2004 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +RCSID("$Id: auth-shadow.c,v 1.1 2004/02/10 02:01:14 dtucker Exp $"); + +#ifdef USE_SHADOW +#include + +#include "auth.h" +#include "auth-shadow.h" +#include "buffer.h" +#include "log.h" + +#define DAY (24L * 60 * 60) /* 1 day in seconds */ + +extern Buffer loginmsg; + +/* + * Checks password expiry for platforms that use shadow passwd files. + * Returns: 1 = password expired, 0 = password not expired + */ +int +auth_shadow_pwexpired(Authctxt *ctxt) +{ + struct spwd *spw = NULL; + const char *user = ctxt->pw->pw_name; + time_t today; + + if ((spw = getspnam(user)) == NULL) { + error("Could not get shadow information for %.100s", user); + return 0; + } + + today = time(NULL) / DAY; + debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today, + (int)spw->sp_lstchg, (int)spw->sp_max); + +#if defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && + spw->sp_warn == 0) + return 0; /* HP-UX Trusted Mode: expiry disabled */ +#endif + + /* TODO: Add code to put expiry warnings into loginmsg */ + + if (spw->sp_lstchg == 0) { + logit("User %.100s password has expired (root forced)", user); + return 1; + } + + if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { + logit("User %.100s password has expired (password aged)", user); + return 1; + } + + return 0; +} +#endif /* USE_SHADOW */ diff --git a/auth.c b/auth.c index 4b307dab3..c6e7c21c4 100644 --- a/auth.c +++ b/auth.c @@ -106,25 +106,6 @@ allowed_user(struct passwd * pw) logit("Account %.100s has expired", pw->pw_name); return 0; } - -#if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && - spw->sp_warn == 0) - disabled = 1; /* Trusted Mode: expiry disabled */ -#endif - - if (!disabled && spw->sp_lstchg == 0) { - logit("User %.100s password has expired (root forced)", - pw->pw_name); - return 0; - } - - if (!disabled && spw->sp_max != -1 && - today > spw->sp_lstchg + spw->sp_max) { - logit("User %.100s password has expired (password aged)", - pw->pw_name); - return 0; - } } #endif /* HAS_SHADOW_EXPIRE */ #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ diff --git a/auth.h b/auth.h index b39e48d9a..b6a6a49a5 100644 --- a/auth.h +++ b/auth.h @@ -122,6 +122,10 @@ int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ +#ifdef USE_SHADOW +int auth_shadow_pwexpired(Authctxt *); +#endif + #include "auth-pam.h" void disable_forwarding(void); diff --git a/defines.h b/defines.h index 5e63198e0..5e1cac7bc 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.109 2004/01/27 05:40:35 tim Exp $ */ +/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */ /* Constants */ @@ -585,6 +585,9 @@ struct winsize { # endif #endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# define USE_SHADOW +#endif /* The login() library function in libutil is first choice */ #if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)