- (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h

defines.h] Bug #14: Use do_pwchange to support password expiry and force change for platforms using /etc/shadow. ok djm@
author: Darren Tucker <dtucker@zip.com.au> 2004-02-10 13:01:14 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2004-02-10 13:01:14 +1100
commit: 9df3defdbb122c406072760e07859a3b4ebf567e (patch)
tree: 53444d450b96ce33715e16374ee97e1b72ebbb6e
parent: e3dba82dd44c165716ce2a81157b6c2f269fc0af (diff)
8 files changed, 104 insertions, 25 deletions
diff --git a/ChangeLog b/ChangeLog
index 20f1ec089..2aa2d537f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,10 @@
 20040210
 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
-    openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
+   openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
-    native password expiry.
+   native password expiry.
+ - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
+   defines.h] Bug #14: Use do_pwchange to support password expiry and force
+   change for platforms using /etc/shadow.  ok djm@
 20040207
 - (dtucker) OpenBSD CVS Sync
@@ -1825,4 +1828,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $
+$Id: ChangeLog,v 1.3219 2004/02/10 02:01:14 dtucker Exp $
diff --git a/LICENCE b/LICENCE
index d7292998e..d8c157304 100644
--- a/LICENCE
+++ b/LICENCE
@@ -202,6 +202,7 @@ OpenSSH contains no GPL code.
        Todd C. Miller
        Wayne Schroeder
        William Jones
+        Darren Tucker
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
diff --git a/Makefile.in b/Makefile.in
index 1f6a4d43f..2d7982312 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.254 2004/01/27 10:19:22 djm Exp $
+# $Id: Makefile.in,v 1.255 2004/02/10 02:01:14 dtucker Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        kexdhs.o kexgexs.o \
        auth-krb5.o \
        auth2-gss.o gss-serv.o gss-serv-krb5.o \
-        loginrec.o auth-pam.o auth-sia.o md5crypt.o
+        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
 MANPAGES        = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN     = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
diff --git a/auth-passwd.c b/auth-passwd.c
index a58dc042b..e434a21e3 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -97,6 +97,13 @@ auth_password(Authctxt *authctxt, const char *password)
                return ok;
        }
 #endif
+#ifdef USE_SHADOW
+        if (auth_shadow_pwexpired(authctxt)) {
+                disable_forwarding();
+                authctxt->force_pwchange = 1;
+        }
+#endif
+                
        return (sys_auth_passwd(authctxt, password) && ok);
 }
diff --git a/auth-shadow.c b/auth-shadow.c
new file mode 100644
index 000000000..604b13304
--- /dev/null
+++ b/auth-shadow.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2004 Darren Tucker.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$Id: auth-shadow.c,v 1.1 2004/02/10 02:01:14 dtucker Exp $");
+#ifdef USE_SHADOW
+#include <shadow.h>
+#include "auth.h"
+#include "auth-shadow.h"
+#include "buffer.h"
+#include "log.h"
+#define DAY     (24L * 60 * 60) /* 1 day in seconds */
+extern Buffer loginmsg;
+/*
+ * Checks password expiry for platforms that use shadow passwd files.
+ * Returns: 1 = password expired, 0 = password not expired
+ */
+int
+auth_shadow_pwexpired(Authctxt *ctxt)
+{
+        struct spwd *spw = NULL;
+        const char *user = ctxt->pw->pw_name;
+        time_t today;
+        if ((spw = getspnam(user)) == NULL) {
+                error("Could not get shadow information for %.100s", user);
+                return 0;
+        }
+        today = time(NULL) / DAY;
+        debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
+            (int)spw->sp_lstchg, (int)spw->sp_max);
+#if defined(__hpux) && !defined(HAVE_SECUREWARE)
+        if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
+            spw->sp_warn == 0)
+                return 0;       /* HP-UX Trusted Mode: expiry disabled */
+#endif
+        /* TODO: Add code to put expiry warnings into loginmsg */
+        if (spw->sp_lstchg == 0) {
+                logit("User %.100s password has expired (root forced)", user);
+                return 1;
+        }
+        if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) {
+                logit("User %.100s password has expired (password aged)", user);
+                return 1;
+        }
+        return 0;
+}
+#endif  /* USE_SHADOW */
diff --git a/auth.c b/auth.c
index 4b307dab3..c6e7c21c4 100644
--- a/auth.c
+++ b/auth.c
@@ -106,25 +106,6 @@ allowed_user(struct passwd * pw)
                        logit("Account %.100s has expired", pw->pw_name);
                        return 0;
                }
-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
-                if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
-                     spw->sp_warn == 0)
-                        disabled = 1;   /* Trusted Mode: expiry disabled */
-#endif
-                if (!disabled && spw->sp_lstchg == 0) {
-                        logit("User %.100s password has expired (root forced)",
-                            pw->pw_name);
-                        return 0;
-                }
-                if (!disabled && spw->sp_max != -1 &&
-                    today > spw->sp_lstchg + spw->sp_max) {
-                        logit("User %.100s password has expired (password aged)",
-                            pw->pw_name);
-                        return 0;
-                }
        }
 #endif /* HAS_SHADOW_EXPIRE */
 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
diff --git a/auth.h b/auth.h
index b39e48d9a..b6a6a49a5 100644
--- a/auth.h
+++ b/auth.h
@@ -122,6 +122,10 @@ int	auth_krb5_password(Authctxt *authctxt, const char *password);
 void    krb5_cleanup_proc(Authctxt *authctxt);
 #endif /* KRB5 */
+#ifdef USE_SHADOW
+int auth_shadow_pwexpired(Authctxt *);
+#endif
 #include "auth-pam.h"
 void disable_forwarding(void);
diff --git a/defines.h b/defines.h
index 5e63198e0..5e1cac7bc 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
-/* $Id: defines.h,v 1.109 2004/01/27 05:40:35 tim Exp $ */
+/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */
 /* Constants */
@@ -585,6 +585,9 @@ struct winsize {
 #  endif
 #endif
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+# define USE_SHADOW
+#endif
 /* The login() library function in libutil is first choice */
 #if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)
author	Darren Tucker <dtucker@zip.com.au>	2004-02-10 13:01:14 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2004-02-10 13:01:14 +1100
commit	9df3defdbb122c406072760e07859a3b4ebf567e (patch)
tree	53444d450b96ce33715e16374ee97e1b72ebbb6e
parent	e3dba82dd44c165716ce2a81157b6c2f269fc0af (diff)

diff --git a/ChangeLog b/ChangeLog index 20f1ec089..2aa2d537f 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,7 +1,10 @@
1	20040210	1	20040210
2	- (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c	2	- (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
3	openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's	3	openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
4	native password expiry.	4	native password expiry.
		5	- (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
		6	defines.h] Bug #14: Use do_pwchange to support password expiry and force
		7	change for platforms using /etc/shadow. ok djm@
5		8
6	20040207	9	20040207
7	- (dtucker) OpenBSD CVS Sync	10	- (dtucker) OpenBSD CVS Sync
@@ -1825,4 +1828,4 @@
1825	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.	1828	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
1826	Report from murple@murple.net, diagnosis from dtucker@zip.com.au	1829	Report from murple@murple.net, diagnosis from dtucker@zip.com.au
1827		1830
1828	$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $	1831	$Id: ChangeLog,v 1.3219 2004/02/10 02:01:14 dtucker Exp $


diff --git a/LICENCE b/LICENCE index d7292998e..d8c157304 100644 --- a/LICENCE +++ b/LICENCE
@@ -202,6 +202,7 @@ OpenSSH contains no GPL code.
202	Todd C. Miller	202	Todd C. Miller
203	Wayne Schroeder	203	Wayne Schroeder
204	William Jones	204	William Jones
		205	Darren Tucker
205		206
206	* Redistribution and use in source and binary forms, with or without	207	* Redistribution and use in source and binary forms, with or without
207	* modification, are permitted provided that the following conditions	208	* modification, are permitted provided that the following conditions


diff --git a/Makefile.in b/Makefile.in index 1f6a4d43f..2d7982312 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -1,4 +1,4 @@
1	# $Id: Makefile.in,v 1.254 2004/01/27 10:19:22 djm Exp $	1	# $Id: Makefile.in,v 1.255 2004/02/10 02:01:14 dtucker Exp $
2		2
3	# uncomment if you run a non bourne compatable shell. Ie. csh	3	# uncomment if you run a non bourne compatable shell. Ie. csh
4	#SHELL = @SH@	4	#SHELL = @SH@
@@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
85	kexdhs.o kexgexs.o \	85	kexdhs.o kexgexs.o \
86	auth-krb5.o \	86	auth-krb5.o \
87	auth2-gss.o gss-serv.o gss-serv-krb5.o \	87	auth2-gss.o gss-serv.o gss-serv-krb5.o \
88	loginrec.o auth-pam.o auth-sia.o md5crypt.o	88	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
89		89
90	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out	90	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
91	MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5	91	MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5


diff --git a/auth-passwd.c b/auth-passwd.c index a58dc042b..e434a21e3 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -97,6 +97,13 @@ auth_password(Authctxt authctxt, const char password)
97	return ok;	97	return ok;
98	}	98	}
99	#endif	99	#endif
		100	#ifdef USE_SHADOW
		101	if (auth_shadow_pwexpired(authctxt)) {
		102	disable_forwarding();
		103	authctxt->force_pwchange = 1;
		104	}
		105	#endif
		106
100	return (sys_auth_passwd(authctxt, password) && ok);	107	return (sys_auth_passwd(authctxt, password) && ok);
101	}	108	}
102		109


diff --git a/auth-shadow.c b/auth-shadow.c new file mode 100644 index 000000000..604b13304 --- /dev/null +++ b/auth-shadow.c
@@ -0,0 +1,80 @@
		1	/*
		2	* Copyright (c) 2004 Darren Tucker. All rights reserved.
		3	*
		4	* Redistribution and use in source and binary forms, with or without
		5	* modification, are permitted provided that the following conditions
		6	* are met:
		7	* 1. Redistributions of source code must retain the above copyright
		8	* notice, this list of conditions and the following disclaimer.
		9	* 2. Redistributions in binary form must reproduce the above copyright
		10	* notice, this list of conditions and the following disclaimer in the
		11	* documentation and/or other materials provided with the distribution.
		12	*
		13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
		14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
		17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		23	*/
		24
		25	#include "includes.h"
		26	RCSID("$Id: auth-shadow.c,v 1.1 2004/02/10 02:01:14 dtucker Exp $");
		27
		28	#ifdef USE_SHADOW
		29	#include <shadow.h>
		30
		31	#include "auth.h"
		32	#include "auth-shadow.h"
		33	#include "buffer.h"
		34	#include "log.h"
		35
		36	#define DAY (24L * 60 * 60) /* 1 day in seconds */
		37
		38	extern Buffer loginmsg;
		39
		40	/*
		41	* Checks password expiry for platforms that use shadow passwd files.
		42	* Returns: 1 = password expired, 0 = password not expired
		43	*/
		44	int
		45	auth_shadow_pwexpired(Authctxt *ctxt)
		46	{
		47	struct spwd *spw = NULL;
		48	const char *user = ctxt->pw->pw_name;
		49	time_t today;
		50
		51	if ((spw = getspnam(user)) == NULL) {
		52	error("Could not get shadow information for %.100s", user);
		53	return 0;
		54	}
		55
		56	today = time(NULL) / DAY;
		57	debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
		58	(int)spw->sp_lstchg, (int)spw->sp_max);
		59
		60	#if defined(__hpux) && !defined(HAVE_SECUREWARE)
		61	if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
		62	spw->sp_warn == 0)
		63	return 0; /* HP-UX Trusted Mode: expiry disabled */
		64	#endif
		65
		66	/* TODO: Add code to put expiry warnings into loginmsg */
		67
		68	if (spw->sp_lstchg == 0) {
		69	logit("User %.100s password has expired (root forced)", user);
		70	return 1;
		71	}
		72
		73	if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) {
		74	logit("User %.100s password has expired (password aged)", user);
		75	return 1;
		76	}
		77
		78	return 0;
		79	}
		80	#endif /* USE_SHADOW */


diff --git a/auth.c b/auth.c index 4b307dab3..c6e7c21c4 100644 --- a/auth.c +++ b/auth.c
@@ -106,25 +106,6 @@ allowed_user(struct passwd * pw)
106	logit("Account %.100s has expired", pw->pw_name);	106	logit("Account %.100s has expired", pw->pw_name);
107	return 0;	107	return 0;
108	}	108	}
109
110	#if defined(__hpux) && !defined(HAVE_SECUREWARE)
111	if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
112	spw->sp_warn == 0)
113	disabled = 1; /* Trusted Mode: expiry disabled */
114	#endif
115
116	if (!disabled && spw->sp_lstchg == 0) {
117	logit("User %.100s password has expired (root forced)",
118	pw->pw_name);
119	return 0;
120	}
121
122	if (!disabled && spw->sp_max != -1 &&
123	today > spw->sp_lstchg + spw->sp_max) {
124	logit("User %.100s password has expired (password aged)",
125	pw->pw_name);
126	return 0;
127	}
128	}	109	}
129	#endif /* HAS_SHADOW_EXPIRE */	110	#endif /* HAS_SHADOW_EXPIRE */
130	#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */	111	#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */


diff --git a/auth.h b/auth.h index b39e48d9a..b6a6a49a5 100644 --- a/auth.h +++ b/auth.h
@@ -122,6 +122,10 @@ int auth_krb5_password(Authctxt authctxt, const char password);
122	void krb5_cleanup_proc(Authctxt *authctxt);	122	void krb5_cleanup_proc(Authctxt *authctxt);
123	#endif /* KRB5 */	123	#endif /* KRB5 */
124		124
		125	#ifdef USE_SHADOW
		126	int auth_shadow_pwexpired(Authctxt *);
		127	#endif
		128
125	#include "auth-pam.h"	129	#include "auth-pam.h"
126	void disable_forwarding(void);	130	void disable_forwarding(void);
127		131


diff --git a/defines.h b/defines.h index 5e63198e0..5e1cac7bc 100644 --- a/defines.h +++ b/defines.h
@@ -25,7 +25,7 @@
25	#ifndef _DEFINES_H	25	#ifndef _DEFINES_H
26	#define _DEFINES_H	26	#define _DEFINES_H
27		27
28	/* $Id: defines.h,v 1.109 2004/01/27 05:40:35 tim Exp $ */	28	/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */
29		29
30		30
31	/* Constants */	31	/* Constants */
@@ -585,6 +585,9 @@ struct winsize {
585	# endif	585	# endif
586	#endif	586	#endif
587		587
		588	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
		589	# define USE_SHADOW
		590	#endif
588		591
589	/* The login() library function in libutil is first choice */	592	/* The login() library function in libutil is first choice */
590	#if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)	593	#if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)