diff options
| author | Damien Miller <djm@mindrot.org> | 2000-06-26 11:31:33 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2000-06-26 11:31:33 +1000 |
| commit | 1f335fb8d81a23c6ddce3062a4e2d4efe9d8a59e (patch) | |
| tree | e0b2ff2cff12a83740f16bb7da48f592402bdcae | |
| parent | c0fd17fdca5853c0c6bfdfc364d8c5418dcab86b (diff) | |
- (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>
- (djm) Added password expiry checking (no password change support)
| -rw-r--r-- | CREDITS | 5 | ||||
| -rw-r--r-- | ChangeLog | 2 | ||||
| -rw-r--r-- | acconfig.h | 3 | ||||
| -rw-r--r-- | auth.c | 24 | ||||
| -rw-r--r-- | configure.in | 22 |
5 files changed, 54 insertions, 2 deletions
| @@ -3,9 +3,10 @@ Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH | |||
| 3 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, | 3 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
| 4 | Theo de Raadt, and Dug Song - Creators of OpenSSH | 4 | Theo de Raadt, and Dug Song - Creators of OpenSSH |
| 5 | 5 | ||
| 6 | Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes | ||
| 7 | Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes | 6 | Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes |
| 7 | Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support | ||
| 8 | Andrew McGill <andrewm@datrix.co.za> - SCO fixes | 8 | Andrew McGill <andrewm@datrix.co.za> - SCO fixes |
| 9 | Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes | ||
| 9 | Andy Sloane <andy@guildsoftware.com> - bugfixes | 10 | Andy Sloane <andy@guildsoftware.com> - bugfixes |
| 10 | Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes | 11 | Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes |
| 11 | Ben Lindstrom <mouring@pconline.com> - NeXT support | 12 | Ben Lindstrom <mouring@pconline.com> - NeXT support |
| @@ -35,7 +36,7 @@ IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes | |||
| 35 | Jani Hakala <jahakala@cc.jyu.fi> - Patches | 36 | Jani Hakala <jahakala@cc.jyu.fi> - Patches |
| 36 | Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes | 37 | Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes |
| 37 | Jim Knoble <jmknoble@pobox.com> - Many patches | 38 | Jim Knoble <jmknoble@pobox.com> - Many patches |
| 38 | jonchen (email unknown) - the original author of PAM support of SSH | 39 | Jonchen (email unknown) - the original author of PAM support of SSH |
| 39 | Juergen Keil <jk@tools.de> - scp bugfixing | 40 | Juergen Keil <jk@tools.de> - scp bugfixing |
| 40 | Kees Cook <cook@cpoint.net> - scp fixes | 41 | Kees Cook <cook@cpoint.net> - scp fixes |
| 41 | Kenji Miyake <kenji@miyake.org> - Configure fixes | 42 | Kenji Miyake <kenji@miyake.org> - Configure fixes |
| @@ -1,5 +1,7 @@ | |||
| 1 | 20000626 | 1 | 20000626 |
| 2 | - (djm) Better fix to aclocal tests from Garrick James <garrick@james.net> | 2 | - (djm) Better fix to aclocal tests from Garrick James <garrick@james.net> |
| 3 | - (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de> | ||
| 4 | - (djm) Added password expiry checking (no password change support) | ||
| 3 | - OpenBSD CVS update | 5 | - OpenBSD CVS update |
| 4 | - provos@cvs.openbsd.org 2000/06/25 14:17:58 | 6 | - provos@cvs.openbsd.org 2000/06/25 14:17:58 |
| 5 | [channels.c] | 7 | [channels.c] |
diff --git a/acconfig.h b/acconfig.h index 9b8c3f234..20211a0af 100644 --- a/acconfig.h +++ b/acconfig.h | |||
| @@ -133,6 +133,9 @@ | |||
| 133 | /* Define if you want to disable shadow passwords */ | 133 | /* Define if you want to disable shadow passwords */ |
| 134 | #undef DISABLE_SHADOW | 134 | #undef DISABLE_SHADOW |
| 135 | 135 | ||
| 136 | /* Define if you want to use shadow password expire field */ | ||
| 137 | #undef HAS_SHADOW_EXPIRE | ||
| 138 | |||
| 136 | /* Define if you want have trusted HPUX */ | 139 | /* Define if you want have trusted HPUX */ |
| 137 | #undef HAVE_HPUX_TRUSTED_SYSTEM_PW | 140 | #undef HAVE_HPUX_TRUSTED_SYSTEM_PW |
| 138 | 141 | ||
| @@ -22,6 +22,9 @@ RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $"); | |||
| 22 | #ifdef HAVE_LOGIN_H | 22 | #ifdef HAVE_LOGIN_H |
| 23 | #include <login.h> | 23 | #include <login.h> |
| 24 | #endif | 24 | #endif |
| 25 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
| 26 | #include <shadow.h> | ||
| 27 | #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ | ||
| 25 | 28 | ||
| 26 | #include "bufaux.h" | 29 | #include "bufaux.h" |
| 27 | #include "ssh2.h" | 30 | #include "ssh2.h" |
| @@ -53,11 +56,32 @@ allowed_user(struct passwd * pw) | |||
| 53 | #ifdef WITH_AIXAUTHENTICATE | 56 | #ifdef WITH_AIXAUTHENTICATE |
| 54 | char *loginmsg; | 57 | char *loginmsg; |
| 55 | #endif /* WITH_AIXAUTHENTICATE */ | 58 | #endif /* WITH_AIXAUTHENTICATE */ |
| 59 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ | ||
| 60 | defined(HAS_SHADOW_EXPIRE) | ||
| 61 | struct spwd *spw; | ||
| 56 | 62 | ||
| 57 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 63 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
| 58 | if (!pw) | 64 | if (!pw) |
| 59 | return 0; | 65 | return 0; |
| 60 | 66 | ||
| 67 | spw = getspnam(pw->pw_name); | ||
| 68 | if (spw == NULL) | ||
| 69 | return 0; | ||
| 70 | |||
| 71 | /* Check account expiry */ | ||
| 72 | if ((spw->sp_expire > 0) && ((time(NULL) / 86400) > spw->sp_expire)) | ||
| 73 | return 0; | ||
| 74 | |||
| 75 | /* Check password expiry */ | ||
| 76 | if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && | ||
| 77 | ((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_inact))) | ||
| 78 | return 0; | ||
| 79 | #else | ||
| 80 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | ||
| 81 | if (!pw) | ||
| 82 | return 0; | ||
| 83 | #endif | ||
| 84 | |||
| 61 | /* | 85 | /* |
| 62 | * Get the shell from the password data. An empty shell field is | 86 | * Get the shell from the password data. An empty shell field is |
| 63 | * legal, and means /bin/sh. | 87 | * legal, and means /bin/sh. |
diff --git a/configure.in b/configure.in index d9a87d8e6..ca433e569 100644 --- a/configure.in +++ b/configure.in | |||
| @@ -236,6 +236,8 @@ if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; t | |||
| 236 | 236 | ||
| 237 | AC_CHECK_FUNCS(pam_getenvlist) | 237 | AC_CHECK_FUNCS(pam_getenvlist) |
| 238 | 238 | ||
| 239 | disable_shadow=yes | ||
| 240 | |||
| 239 | PAM_MSG="yes" | 241 | PAM_MSG="yes" |
| 240 | 242 | ||
| 241 | # Check PAM strerror arguments (old PAM) | 243 | # Check PAM strerror arguments (old PAM) |
| @@ -933,10 +935,30 @@ AC_ARG_WITH(shadow, | |||
| 933 | [ | 935 | [ |
| 934 | if test "x$withval" = "xno" ; then | 936 | if test "x$withval" = "xno" ; then |
| 935 | AC_DEFINE(DISABLE_SHADOW) | 937 | AC_DEFINE(DISABLE_SHADOW) |
| 938 | disable_shadow=yes | ||
| 936 | fi | 939 | fi |
| 937 | ] | 940 | ] |
| 938 | ) | 941 | ) |
| 939 | 942 | ||
| 943 | if test -z "$disable_shadow" ; then | ||
| 944 | AC_MSG_CHECKING([if the systems has expire shadow information]) | ||
| 945 | AC_TRY_COMPILE( | ||
| 946 | [ | ||
| 947 | #include <sys/types.h> | ||
| 948 | #include <shadow.h> | ||
| 949 | struct spwd sp; | ||
| 950 | ],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ], | ||
| 951 | [ sp_expire_available=yes ], [] | ||
| 952 | ) | ||
| 953 | |||
| 954 | if test "x$sp_expire_available" = "xyes" ; then | ||
| 955 | AC_MSG_RESULT(yes) | ||
| 956 | AC_DEFINE(HAS_SHADOW_EXPIRE) | ||
| 957 | else | ||
| 958 | AC_MSG_RESULT(no) | ||
| 959 | fi | ||
| 960 | fi | ||
| 961 | |||
| 940 | # Use ip address instead of hostname in $DISPLAY | 962 | # Use ip address instead of hostname in $DISPLAY |
| 941 | DISPLAY_HACK_MSG="no" | 963 | DISPLAY_HACK_MSG="no" |
| 942 | AC_ARG_WITH(ipaddr-display, | 964 | AC_ARG_WITH(ipaddr-display, |