diff options
| author | Damien Miller <djm@mindrot.org> | 2003-01-18 16:24:06 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-01-18 16:24:06 +1100 |
| commit | e443e9398eb95f95bee82009cfae30951646c6e9 (patch) | |
| tree | 19a2c2c59cc1bdec141a9a1480fe1ebc95a90ba9 | |
| parent | 9715bb1833947456dc4fa1cf536fbd32a129979f (diff) | |
- (djm) Revert fix for Bug #442 for now.
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | auth.c | 72 |
2 files changed, 32 insertions, 45 deletions
| @@ -1,3 +1,6 @@ | |||
| 1 | 20030118 | ||
| 2 | - (djm) Revert fix for Bug #442 for now. | ||
| 3 | |||
| 1 | 20030117 | 4 | 20030117 |
| 2 | - (djm) Bug #470: Detect strnvis, not strvis in configure. | 5 | - (djm) Bug #470: Detect strnvis, not strvis in configure. |
| 3 | From d_wllms@lanl.gov | 6 | From d_wllms@lanl.gov |
| @@ -1031,4 +1034,4 @@ | |||
| 1031 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1034 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
| 1032 | ok provos@ | 1035 | ok provos@ |
| 1033 | 1036 | ||
| 1034 | $Id: ChangeLog,v 1.2574 2003/01/16 23:31:38 djm Exp $ | 1037 | $Id: ChangeLog,v 1.2575 2003/01/18 05:24:06 djm Exp $ |
| @@ -72,68 +72,52 @@ int | |||
| 72 | allowed_user(struct passwd * pw) | 72 | allowed_user(struct passwd * pw) |
| 73 | { | 73 | { |
| 74 | struct stat st; | 74 | struct stat st; |
| 75 | const char *hostname = NULL, *ipaddr = NULL, *passwd; | 75 | const char *hostname = NULL, *ipaddr = NULL; |
| 76 | char *shell; | 76 | char *shell; |
| 77 | int i; | 77 | int i; |
| 78 | #ifdef WITH_AIXAUTHENTICATE | 78 | #ifdef WITH_AIXAUTHENTICATE |
| 79 | char *loginmsg; | 79 | char *loginmsg; |
| 80 | #endif /* WITH_AIXAUTHENTICATE */ | 80 | #endif /* WITH_AIXAUTHENTICATE */ |
| 81 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | 81 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ |
| 82 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | ||
| 82 | struct spwd *spw; | 83 | struct spwd *spw; |
| 83 | #if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) | ||
| 84 | time_t today; | 84 | time_t today; |
| 85 | #endif | 85 | #endif |
| 86 | #endif | ||
| 87 | 86 | ||
| 88 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 87 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
| 89 | if (!pw || !pw->pw_name) | 88 | if (!pw || !pw->pw_name) |
| 90 | return 0; | 89 | return 0; |
| 91 | 90 | ||
| 92 | /* Grab the password for locked account checking */ | ||
| 93 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
| 94 | spw = getspnam(pw->pw_name); | ||
| 95 | if (!spw) | ||
| 96 | return 0; | ||
| 97 | passwd = spw->sp_pwdp; | ||
| 98 | #else | ||
| 99 | passwd = pw->pw_passwd; | ||
| 100 | #endif | ||
| 101 | |||
| 102 | /* check for locked account */ | ||
| 103 | if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') { | ||
| 104 | log("User %.100s not allowed because account is locked", | ||
| 105 | pw->pw_name); | ||
| 106 | return 0; | ||
| 107 | } | ||
| 108 | |||
| 109 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | 91 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ |
| 110 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | 92 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) |
| 111 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ | 93 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ |
| 112 | today = time(NULL) / DAY; | 94 | if ((spw = getspnam(pw->pw_name)) != NULL) { |
| 113 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" | 95 | today = time(NULL) / DAY; |
| 114 | " sp_max %d", (int)today, (int)spw->sp_expire, | 96 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" |
| 115 | (int)spw->sp_lstchg, (int)spw->sp_max); | 97 | " sp_max %d", (int)today, (int)spw->sp_expire, |
| 98 | (int)spw->sp_lstchg, (int)spw->sp_max); | ||
| 116 | 99 | ||
| 117 | /* | 100 | /* |
| 118 | * We assume account and password expiration occurs the | 101 | * We assume account and password expiration occurs the |
| 119 | * day after the day specified. | 102 | * day after the day specified. |
| 120 | */ | 103 | */ |
| 121 | if (spw->sp_expire != -1 && today > spw->sp_expire) { | 104 | if (spw->sp_expire != -1 && today > spw->sp_expire) { |
| 122 | log("Account %.100s has expired", pw->pw_name); | 105 | log("Account %.100s has expired", pw->pw_name); |
| 123 | return 0; | 106 | return 0; |
| 124 | } | 107 | } |
| 125 | 108 | ||
| 126 | if (spw->sp_lstchg == 0) { | 109 | if (spw->sp_lstchg == 0) { |
| 127 | log("User %.100s password has expired (root forced)", | 110 | log("User %.100s password has expired (root forced)", |
| 128 | pw->pw_name); | 111 | pw->pw_name); |
| 129 | return 0; | 112 | return 0; |
| 130 | } | 113 | } |
| 131 | 114 | ||
| 132 | if (spw->sp_max != -1 && | 115 | if (spw->sp_max != -1 && |
| 133 | today > spw->sp_lstchg + spw->sp_max) { | 116 | today > spw->sp_lstchg + spw->sp_max) { |
| 134 | log("User %.100s password has expired (password aged)", | 117 | log("User %.100s password has expired (password aged)", |
| 135 | pw->pw_name); | 118 | pw->pw_name); |
| 136 | return 0; | 119 | return 0; |
| 120 | } | ||
| 137 | } | 121 | } |
| 138 | #endif | 122 | #endif |
| 139 | 123 | ||
| @@ -222,7 +206,7 @@ allowed_user(struct passwd * pw) | |||
| 222 | * PermitRootLogin to control logins via ssh), or if running as | 206 | * PermitRootLogin to control logins via ssh), or if running as |
| 223 | * non-root user (since loginrestrictions will always fail). | 207 | * non-root user (since loginrestrictions will always fail). |
| 224 | */ | 208 | */ |
| 225 | if ( (pw->pw_uid != 0) && (geteuid() == 0) && | 209 | if ((pw->pw_uid != 0) && (geteuid() == 0) && |
| 226 | loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { | 210 | loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { |
| 227 | int loginrestrict_errno = errno; | 211 | int loginrestrict_errno = errno; |
| 228 | 212 | ||