- otto@cvs.openbsd.org 2005/01/21 08:32:02

[auth-passwd.c sshd.c] Warn in advance for password and account expiry; initialize loginmsg buffer earlier and clear it after privsep fork. ok and help dtucker@ markus@
author: Darren Tucker <dtucker@zip.com.au> 2005-01-24 21:55:49 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2005-01-24 21:55:49 +1100
commit: 5c14c734295b9a30d71d110deb8307d5610d4c01 (patch)
tree: b85c556b9cbaddf752df3fb9e95592d652b3d357 /auth-passwd.c
parent: 3c66080aa26e5121805c80728a9c801b08a7870e (diff)
1 files changed, 50 insertions, 1 deletions
diff --git a/auth-passwd.c b/auth-passwd.c
index 7a68e0562..2e5fbc73a 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,17 +36,27 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.32 2005/01/21 08:32:02 otto Exp $");
 #include "packet.h"
+#include "buffer.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
 #include "auth-options.h"
+extern Buffer loginmsg;
 extern ServerOptions options;
 int sys_auth_passwd(Authctxt *, const char *);
+#ifdef HAVE_LOGIN_CAP
+extern login_cap_t *lc;
+#endif
+#define DAY             (24L * 60 * 60) /* 1 day in seconds */
+#define TWO_WEEKS       (2L * 7 * DAY)  /* 2 weeks in seconds */
 void
 disable_forwarding(void)
 {
@@ -111,11 +121,46 @@ auth_password(Authctxt *authctxt, const char *password)
 }
 #ifdef BSD_AUTH
+static void
+warn_expiry(Authctxt *authctxt, auth_session_t *as)
+{
+        char buf[256];
+        quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
+        pwwarntime = acwarntime = TWO_WEEKS;
+        pwtimeleft = auth_check_change(as);
+        actimeleft = auth_check_expire(as);
+#if HAVE_LOGIN_CAP
+        if (authctxt->valid) {
+                pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
+                    TWO_WEEKS);
+                acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
+                    TWO_WEEKS);
+        }
+#endif
+        if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
+                daysleft = pwtimeleft / DAY + 1;
+                snprintf(buf, sizeof(buf),
+                    "Your password will expire in %lld day%s.\n",
+                    daysleft, daysleft == 1 ? "" : "s");
+                buffer_append(&loginmsg, buf, strlen(buf));
+        }
+        if (actimeleft != 0 && actimeleft < acwarntime) {
+                daysleft = actimeleft / DAY + 1;
+                snprintf(buf, sizeof(buf),
+                    "Your account will expire in %lld day%s.\n",
+                    daysleft, daysleft == 1 ? "" : "s");
+                buffer_append(&loginmsg, buf, strlen(buf));
+        }
+}
 int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
        struct passwd *pw = authctxt->pw;
        auth_session_t *as;
+        static int expire_checked = 0;
        as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
            (char *)password);
@@ -125,6 +170,10 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
                authctxt->force_pwchange = 1;
                return (1);
        } else {
+                if (!expire_checked) {
+                        expire_checked = 1;
+                        warn_expiry(authctxt, as);
+                }
                return (auth_close(as));
        }
 }
author	Darren Tucker <dtucker@zip.com.au>	2005-01-24 21:55:49 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2005-01-24 21:55:49 +1100
commit	5c14c734295b9a30d71d110deb8307d5610d4c01 (patch)
tree	b85c556b9cbaddf752df3fb9e95592d652b3d357 /auth-passwd.c
parent	3c66080aa26e5121805c80728a9c801b08a7870e (diff)

diff --git a/auth-passwd.c b/auth-passwd.c index 7a68e0562..2e5fbc73a 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -36,17 +36,27 @@
36	*/	36	*/
37		37
38	#include "includes.h"	38	#include "includes.h"
39	RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");	39	RCSID("$OpenBSD: auth-passwd.c,v 1.32 2005/01/21 08:32:02 otto Exp $");
40		40
41	#include "packet.h"	41	#include "packet.h"
		42	#include "buffer.h"
42	#include "log.h"	43	#include "log.h"
43	#include "servconf.h"	44	#include "servconf.h"
44	#include "auth.h"	45	#include "auth.h"
45	#include "auth-options.h"	46	#include "auth-options.h"
46		47
		48	extern Buffer loginmsg;
47	extern ServerOptions options;	49	extern ServerOptions options;
48	int sys_auth_passwd(Authctxt , const char );	50	int sys_auth_passwd(Authctxt , const char );
49		51
		52	#ifdef HAVE_LOGIN_CAP
		53	extern login_cap_t *lc;
		54	#endif
		55
		56
		57	#define DAY (24L * 60 * 60) /* 1 day in seconds */
		58	#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
		59
50	void	60	void
51	disable_forwarding(void)	61	disable_forwarding(void)
52	{	62	{
@@ -111,11 +121,46 @@ auth_password(Authctxt authctxt, const char password)
111	}	121	}
112		122
113	#ifdef BSD_AUTH	123	#ifdef BSD_AUTH
		124	static void
		125	warn_expiry(Authctxt authctxt, auth_session_t as)
		126	{
		127	char buf[256];
		128	quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
		129
		130	pwwarntime = acwarntime = TWO_WEEKS;
		131
		132	pwtimeleft = auth_check_change(as);
		133	actimeleft = auth_check_expire(as);
		134	#if HAVE_LOGIN_CAP
		135	if (authctxt->valid) {
		136	pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
		137	TWO_WEEKS);
		138	acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
		139	TWO_WEEKS);
		140	}
		141	#endif
		142	if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
		143	daysleft = pwtimeleft / DAY + 1;
		144	snprintf(buf, sizeof(buf),
		145	"Your password will expire in %lld day%s.\n",
		146	daysleft, daysleft == 1 ? "" : "s");
		147	buffer_append(&loginmsg, buf, strlen(buf));
		148	}
		149	if (actimeleft != 0 && actimeleft < acwarntime) {
		150	daysleft = actimeleft / DAY + 1;
		151	snprintf(buf, sizeof(buf),
		152	"Your account will expire in %lld day%s.\n",
		153	daysleft, daysleft == 1 ? "" : "s");
		154	buffer_append(&loginmsg, buf, strlen(buf));
		155	}
		156	}
		157
114	int	158	int
115	sys_auth_passwd(Authctxt authctxt, const char password)	159	sys_auth_passwd(Authctxt authctxt, const char password)
116	{	160	{
117	struct passwd *pw = authctxt->pw;	161	struct passwd *pw = authctxt->pw;
118	auth_session_t *as;	162	auth_session_t *as;
		163	static int expire_checked = 0;
119		164
120	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",	165	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
121	(char *)password);	166	(char *)password);
@@ -125,6 +170,10 @@ sys_auth_passwd(Authctxt authctxt, const char password)
125	authctxt->force_pwchange = 1;	170	authctxt->force_pwchange = 1;
126	return (1);	171	return (1);
127	} else {	172	} else {
		173	if (!expire_checked) {
		174	expire_checked = 1;
		175	warn_expiry(authctxt, as);
		176	}
128	return (auth_close(as));	177	return (auth_close(as));
129	}	178	}
130	}	179	}