- (djm) Bug #442: Check for and deny access to accounts with locked

   passwords. Patch from dtucker@zip.com.au

1 files changed, 16 insertions, 5 deletions

diff --git a/auth.c b/auth.c
index ee001283f..0e7910943 100644
--- a/auth.c
+++ b/auth.c
@@ -72,20 +72,23 @@ int
 allowed_user(struct passwd * pw)
 {
         struct stat st;
-        const char *hostname = NULL, *ipaddr = NULL;
+        const char *hostname = NULL, *ipaddr = NULL, *passwd;
         char *shell;
         int i;
 #ifdef WITH_AIXAUTHENTICATE
         char *loginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-        !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
         struct spwd *spw;
+#endif
 
         /* Shouldn't be called if pw is NULL, but better safe than sorry... */
         if (!pw || !pw->pw_name)
                 return 0;
 
+#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
+    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 #define DAY             (24L * 60 * 60) /* 1 day in seconds */
         spw = getspnam(pw->pw_name);
         if (spw != NULL) {
@@ -116,11 +119,19 @@ allowed_user(struct passwd * pw)
                         return 0;
                 }
         }
+#endif
+
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+        passwd = spw->sp_pwdp;
 #else
-        /* Shouldn't be called if pw is NULL, but better safe than sorry... */
-        if (!pw || !pw->pw_name)
-                return 0;
+        passwd = pw->pw_passwd;
 #endif
+        /* check for locked account */
+        if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
+                log("User %.100s not allowed because account is locked",
+                    pw->pw_name);
+                return 0;
+        }
 
         /*
          * Get the shell from the password data.  An empty shell field is