Diffstat (limited to 'auth-passwd.c')
-rw-r--r-- | auth-passwd.c | 63 |
1 files changed, 56 insertions, 7 deletions
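--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,17 +36,27 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $");
 
 #include "packet.h"
+#include "buffer.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
 #include "auth-options.h"
 
+extern Buffer loginmsg;
 extern ServerOptions options;
 int sys_auth_passwd(Authctxt *, const char *);
 
+#ifdef HAVE_LOGIN_CAP
+extern login_cap_t *lc;
+#endif
+
+
+#define DAY (24L * 60 * 60) /* 1 day in seconds */
+#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
+
 void
 disable_forwarding(void)
 {
@@ -63,7 +73,7 @@ int
 auth_password(Authctxt *authctxt, const char *password)
 {
 struct passwd * pw = authctxt->pw;
-int ok = authctxt->valid;
+int result, ok = authctxt->valid;
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 static int expire_checked = 0;
 #endif
@@ -100,22 +110,57 @@ auth_password(Authctxt *authctxt, const char *password)
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 if (!expire_checked) {
 expire_checked = 1;
-if (auth_shadow_pwexpired(authctxt)) {
-disable_forwarding();
+if (auth_shadow_pwexpired(authctxt))
 authctxt->force_pwchange = 1;
-}
 }
 #endif
-
-return (sys_auth_passwd(authctxt, password) && ok);
+result = sys_auth_passwd(authctxt, password);
+if (authctxt->force_pwchange)
+disable_forwarding();
+return (result && ok);
 }
 
 #ifdef BSD_AUTH
+static void
+warn_expiry(Authctxt *authctxt, auth_session_t *as)
+{
+char buf[256];
+quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
+
+pwwarntime = acwarntime = TWO_WEEKS;
+
+pwtimeleft = auth_check_change(as);
+actimeleft = auth_check_expire(as);
+#ifdef HAVE_LOGIN_CAP
+if (authctxt->valid) {
+pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
+TWO_WEEKS);
+acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
+TWO_WEEKS);
+}
+#endif
+if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
+daysleft = pwtimeleft / DAY + 1;
+snprintf(buf, sizeof(buf),
+"Your password will expire in %lld day%s.\n",
+daysleft, daysleft == 1 ? "" : "s");
+buffer_append(&loginmsg, buf, strlen(buf));
+}
+if (actimeleft != 0 && actimeleft < acwarntime) {
+daysleft = actimeleft / DAY + 1;
+snprintf(buf, sizeof(buf),
+"Your account will expire in %lld day%s.\n",
+daysleft, daysleft == 1 ? "" : "s");
+buffer_append(&loginmsg, buf, strlen(buf));
+}
+}
+
 int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
 struct passwd *pw = authctxt->pw;
 auth_session_t *as;
+static int expire_checked = 0;
 
 as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
 (char *)password);
@@ -125,6 +170,10 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 authctxt->force_pwchange = 1;
 return (1);
 } else {
+if (!expire_checked) {
+expire_checked = 1;
+warn_expiry(authctxt, as);
+}
 return (auth_close(as));
 }
 }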
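Review bot: In the new `else` branch of sys_auth_passwd, warn_expiry() runs before auth_close(as) has reported whether the password was accepted, and the static `expire_checked` is consumed on that first attempt, so expiry text is appended to `loginmsg` even when the attempt fails and is not recomputed for a later successful one. If that is intended (presumably `loginmsg` is only delivered after authentication succeeds, which is not visible in these hunks), a comment such as `/* warn once per process; loginmsg is only sent after successful auth */` above the `if (!expire_checked)` test would record the assumption. Separately, in warn_expiry the guards `pwtimeleft != 0 && pwtimeleft < pwwarntime` and `actimeleft != 0 && actimeleft < acwarntime` also pass for negative values. If auth_check_change() or auth_check_expire() can return a negative time for an already-expired credential (to be confirmed against the BSD auth API), `daysleft` becomes zero or negative and the message is misleading, so `pwtimeleft > 0 && pwtimeleft < pwwarntime` and `actimeleft > 0 && actimeleft < acwarntime` would be the safer tests. The bodies of auth_password and sys_auth_passwd extend beyond the hunks shown, so the handling of the expired states before this branch could not be checked.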