-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth.c | 72 |
2 files changed, 32 insertions, 45 deletions
@@ -1,3 +1,6 @@ | |||
1 | 20030118 | ||
2 | - (djm) Revert fix for Bug #442 for now. | ||
3 | |||
1 | 20030117 | 4 | 20030117 |
2 | - (djm) Bug #470: Detect strnvis, not strvis in configure. | 5 | - (djm) Bug #470: Detect strnvis, not strvis in configure. |
3 | From d_wllms@lanl.gov | 6 | From d_wllms@lanl.gov |
@@ -1031,4 +1034,4 @@ | |||
1031 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1034 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
1032 | ok provos@ | 1035 | ok provos@ |
1033 | 1036 | ||
1034 | $Id: ChangeLog,v 1.2574 2003/01/16 23:31:38 djm Exp $ | 1037 | $Id: ChangeLog,v 1.2575 2003/01/18 05:24:06 djm Exp $ |
@@ -72,68 +72,52 @@ int | |||
72 | allowed_user(struct passwd * pw) | 72 | allowed_user(struct passwd * pw) |
73 | { | 73 | { |
74 | struct stat st; | 74 | struct stat st; |
75 | const char *hostname = NULL, *ipaddr = NULL, *passwd; | 75 | const char *hostname = NULL, *ipaddr = NULL; |
76 | char *shell; | 76 | char *shell; |
77 | int i; | 77 | int i; |
78 | #ifdef WITH_AIXAUTHENTICATE | 78 | #ifdef WITH_AIXAUTHENTICATE |
79 | char *loginmsg; | 79 | char *loginmsg; |
80 | #endif /* WITH_AIXAUTHENTICATE */ | 80 | #endif /* WITH_AIXAUTHENTICATE */ |
81 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | 81 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ |
82 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | ||
82 | struct spwd *spw; | 83 | struct spwd *spw; |
83 | #if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) | ||
84 | time_t today; | 84 | time_t today; |
85 | #endif | 85 | #endif |
86 | #endif | ||
87 | 86 | ||
88 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 87 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
89 | if (!pw || !pw->pw_name) | 88 | if (!pw || !pw->pw_name) |
90 | return 0; | 89 | return 0; |
91 | 90 | ||
92 | /* Grab the password for locked account checking */ | ||
93 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
94 | spw = getspnam(pw->pw_name); | ||
95 | if (!spw) | ||
96 | return 0; | ||
97 | passwd = spw->sp_pwdp; | ||
98 | #else | ||
99 | passwd = pw->pw_passwd; | ||
100 | #endif | ||
101 | |||
102 | /* check for locked account */ | ||
103 | if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') { | ||
104 | log("User %.100s not allowed because account is locked", | ||
105 | pw->pw_name); | ||
106 | return 0; | ||
107 | } | ||
108 | |||
109 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | 91 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ |
110 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | 92 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) |
111 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ | 93 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ |
112 | today = time(NULL) / DAY; | 94 | if ((spw = getspnam(pw->pw_name)) != NULL) { |
113 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" | 95 | today = time(NULL) / DAY; |
114 | " sp_max %d", (int)today, (int)spw->sp_expire, | 96 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" |
115 | (int)spw->sp_lstchg, (int)spw->sp_max); | 97 | " sp_max %d", (int)today, (int)spw->sp_expire, |
98 | (int)spw->sp_lstchg, (int)spw->sp_max); | ||
116 | 99 | ||
117 | /* | 100 | /* |
118 | * We assume account and password expiration occurs the | 101 | * We assume account and password expiration occurs the |
119 | * day after the day specified. | 102 | * day after the day specified. |
120 | */ | 103 | */ |
121 | if (spw->sp_expire != -1 && today > spw->sp_expire) { | 104 | if (spw->sp_expire != -1 && today > spw->sp_expire) { |
122 | log("Account %.100s has expired", pw->pw_name); | 105 | log("Account %.100s has expired", pw->pw_name); |
123 | return 0; | 106 | return 0; |
124 | } | 107 | } |
125 | 108 | ||
126 | if (spw->sp_lstchg == 0) { | 109 | if (spw->sp_lstchg == 0) { |
127 | log("User %.100s password has expired (root forced)", | 110 | log("User %.100s password has expired (root forced)", |
128 | pw->pw_name); | 111 | pw->pw_name); |
129 | return 0; | 112 | return 0; |
130 | } | 113 | } |
131 | 114 | ||
132 | if (spw->sp_max != -1 && | 115 | if (spw->sp_max != -1 && |
133 | today > spw->sp_lstchg + spw->sp_max) { | 116 | today > spw->sp_lstchg + spw->sp_max) { |
134 | log("User %.100s password has expired (password aged)", | 117 | log("User %.100s password has expired (password aged)", |
135 | pw->pw_name); | 118 | pw->pw_name); |
136 | return 0; | 119 | return 0; |
120 | } | ||
137 | } | 121 | } |
138 | #endif | 122 | #endif |
139 | 123 | ||
@@ -222,7 +206,7 @@ allowed_user(struct passwd * pw) | |||
222 | * PermitRootLogin to control logins via ssh), or if running as | 206 | * PermitRootLogin to control logins via ssh), or if running as |
223 | * non-root user (since loginrestrictions will always fail). | 207 | * non-root user (since loginrestrictions will always fail). |
224 | */ | 208 | */ |
225 | if ( (pw->pw_uid != 0) && (geteuid() == 0) && | 209 | if ((pw->pw_uid != 0) && (geteuid() == 0) && |
226 | loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { | 210 | loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { |
227 | int loginrestrict_errno = errno; | 211 | int loginrestrict_errno = errno; |
228 | 212 | ||
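Review bot: In the first auth.c hunk (new lines 94-121), a NULL return from `getspnam(pw->pw_name)` now skips the account-expiry and password-aging checks without leaving any trace, where the previous code refused the login. That may well be intended for accounts that have no local shadow entry, but the logs then give no sign that expiry was never evaluated; an else branch such as `} else debug3("allowed_user: no shadow entry for %.100s, expiry checks skipped", pw->pw_name);` would make it visible. With the `*LK*`/`!` test gone, nothing in the visible hunks rejects a locked account, so a short comment above the `#if` saying that locked accounts are not checked here would keep that gap in front of the next reader. allowed_user's body continues outside both hunks, so any later check is not visible from here.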