- (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c

    openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
    native password expiry.

2 files changed, 41 insertions, 6 deletions

diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 6fc2ef771..a5511bbef 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -98,10 +98,10 @@ aix_remove_embedded_newlines(char *p)
  * returns 0.
  */
 int
-aix_authenticate(const char *name, const char *password, const char *host)
+sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
-        char *authmsg = NULL, *msg;
-        int authsuccess = 0, reenter, result;
+        char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name;
+        int authsuccess = 0, expired, reenter, result;
 
         do {
                 result = authenticate((char *)name, (char *)password, &reenter,
@@ -114,7 +114,12 @@ aix_authenticate(const char *name, const char *password, const char *host)
         if (result == 0) {
                 authsuccess = 1;
 
-                /* No pty yet, so just label the line as "ssh" */
+                host = (char *)get_canonical_hostname(options.use_dns);
+
+                /*
+                 * Record successful login.  We don't have a pty yet, so just
+                 * label the line as "ssh"
+                 */
                 aix_setauthdb(name);
                 if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
                         if (msg != NULL) {
@@ -123,6 +128,32 @@ aix_authenticate(const char *name, const char *password, const char *host)
                                 xfree(msg);
                         }
                 }
+
+                /*
+                 * Check if the user's password is expired.
+                 */
+                expired = passwdexpired(name, &msg);
+                if (msg && *msg) {
+                        buffer_append(&loginmsg, msg, strlen(msg));
+                        aix_remove_embedded_newlines(msg);
+                }
+                debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
+
+                switch (expired) {
+                case 0: /* password not expired */
+                        break;
+                case 1: /* expired, password change required */
+                        ctxt->force_pwchange = 1;
+                        disable_forwarding();
+                        break;
+                default: /* user can't change(2) or other error (-1) */
+                        logit("Password can't be changed for user %s: %.100s",
+                            name, msg);
+                        if (msg)
+                                xfree(msg);
+                        authsuccess = 0;
+                }
+
                 aix_restoreauthdb();
         }
 
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 930b3f248..ef03661ed 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.18 2004/02/10 01:50:20 dtucker Exp $ */
 
 /*
  *
@@ -36,6 +36,9 @@
 # include <usersec.h>
 #endif
 
+/* For Authctxt */
+#include "auth.h"
+
 /* Some versions define r_type in the above headers, which causes a conflict */
 #ifdef r_type
 # undef r_type
@@ -62,11 +65,12 @@
 void aix_usrinfo(struct passwd *);
 
 #ifdef WITH_AIXAUTHENTICATE
+# define CUSTOM_SYS_AUTH_PASSWD 1
+int sys_auth_passwd(Authctxt *, const char *);
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
 #endif
 
-int aix_authenticate(const char *, const char *, const char *);
 void aix_setauthdb(const char *);
 void aix_restoreauthdb(void);
 void aix_remove_embedded_newlines(char *);