- (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c …

…auth.h

   defines.h] Bug #14: Use do_pwchange to support password expiry and force
   change for platforms using /etc/shadow.  ok djm@

ChangeLog

@@ -1,7 +1,10 @@
 20040210
  - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
-    openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
-    native password expiry.
+   openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
+   native password expiry.
+ - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
+   defines.h] Bug #14: Use do_pwchange to support password expiry and force
+   change for platforms using /etc/shadow.  ok djm@
 
 20040207
  - (dtucker) OpenBSD CVS Sync
@@ -1825,4 +1828,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from [email protected], diagnosis from [email protected]
 
-$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $
+$Id: ChangeLog,v 1.3219 2004/02/10 02:01:14 dtucker Exp $

LICENCE

@@ -202,6 +202,7 @@ OpenSSH contains no GPL code.
 	Todd C. Miller
 	Wayne Schroeder
 	William Jones
+	Darren Tucker
 
      * Redistribution and use in source and binary forms, with or without
      * modification, are permitted provided that the following conditions

Makefile.in

@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.254 2004/01/27 10:19:22 djm Exp $
+# $Id: Makefile.in,v 1.255 2004/02/10 02:01:14 dtucker Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	kexdhs.o kexgexs.o \
 	auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
-	loginrec.o auth-pam.o auth-sia.o md5crypt.o
+	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5

auth-passwd.c

@@ -97,6 +97,13 @@ auth_password(Authctxt *authctxt, const char *password)
 		return ok;
 	}
 #endif
+#ifdef USE_SHADOW
+	if (auth_shadow_pwexpired(authctxt)) {
+		disable_forwarding();
+		authctxt->force_pwchange = 1;
+	}
+#endif
+
 	return (sys_auth_passwd(authctxt, password) && ok);
 }
 

auth-shadow.c

@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2004 Darren Tucker.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: auth-shadow.c,v 1.1 2004/02/10 02:01:14 dtucker Exp $");
+
+#ifdef USE_SHADOW
+#include <shadow.h>
+
+#include "auth.h"
+#include "auth-shadow.h"
+#include "buffer.h"
+#include "log.h"
+
+#define DAY	(24L * 60 * 60) /* 1 day in seconds */
+
+extern Buffer loginmsg;
+
+/*
+ * Checks password expiry for platforms that use shadow passwd files.
+ * Returns: 1 = password expired, 0 = password not expired
+ */
+int
+auth_shadow_pwexpired(Authctxt *ctxt)
+{
+	struct spwd *spw = NULL;
+	const char *user = ctxt->pw->pw_name;
+	time_t today;
+
+	if ((spw = getspnam(user)) == NULL) {
+		error("Could not get shadow information for %.100s", user);
+		return 0;
+	}
+
+	today = time(NULL) / DAY;
+	debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
+	    (int)spw->sp_lstchg, (int)spw->sp_max);
+
+#if defined(__hpux) && !defined(HAVE_SECUREWARE)
+	if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
+	    spw->sp_warn == 0)
+		return 0;	/* HP-UX Trusted Mode: expiry disabled */
+#endif
+
+	/* TODO: Add code to put expiry warnings into loginmsg */
+
+	if (spw->sp_lstchg == 0) {
+		logit("User %.100s password has expired (root forced)", user);
+		return 1;
+	}
+
+	if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) {
+		logit("User %.100s password has expired (password aged)", user);
+		return 1;
+	}
+
+	return 0;
+}
+#endif	/* USE_SHADOW */

auth.c

@@ -106,25 +106,6 @@ allowed_user(struct passwd * pw)
 			logit("Account %.100s has expired", pw->pw_name);
 			return 0;
 		}
-
-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
-		if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
-		     spw->sp_warn == 0)
-			disabled = 1;   /* Trusted Mode: expiry disabled */
-#endif
-
-		if (!disabled && spw->sp_lstchg == 0) {
-			logit("User %.100s password has expired (root forced)",
-			    pw->pw_name);
-			return 0;
-		}
-
-		if (!disabled && spw->sp_max != -1 &&
-		    today > spw->sp_lstchg + spw->sp_max) {
-			logit("User %.100s password has expired (password aged)",
-			    pw->pw_name);
-			return 0;
-		}
 	}
 #endif /* HAS_SHADOW_EXPIRE */
 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */

auth.h

@@ -122,6 +122,10 @@ int	auth_krb5_password(Authctxt *authctxt, const char *password);
 void	krb5_cleanup_proc(Authctxt *authctxt);
 #endif /* KRB5 */
 
+#ifdef USE_SHADOW
+int auth_shadow_pwexpired(Authctxt *);
+#endif
+
 #include "auth-pam.h"
 void disable_forwarding(void);
 

defines.h

@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.109 2004/01/27 05:40:35 tim Exp $ */
+/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */
 
 
 /* Constants */
@@ -585,6 +585,9 @@ struct winsize {
 #  endif
 #endif
 
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+# define USE_SHADOW
+#endif
 
 /* The login() library function in libutil is first choice */
 #if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)