From c6020651bae65dc5f8e1533c56871aed2c5883f3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 17:48:20 +1000 Subject: - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode. --- ChangeLog | 3 ++- auth.c | 11 +++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index da3331b36..699402a79 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,7 @@ - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always compiled in but disabled in config. + - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode. 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1359,4 +1360,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3080 2003/10/15 06:57:57 dtucker Exp $ +$Id: ChangeLog,v 1.3081 2003/10/15 07:48:20 dtucker Exp $ diff --git a/auth.c b/auth.c index 029672877..fcafae861 100644 --- a/auth.c +++ b/auth.c @@ -90,6 +90,7 @@ allowed_user(struct passwd * pw) #ifdef HAS_SHADOW_EXPIRE #define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && spw != NULL) { + int disabled = 0; time_t today; today = time(NULL) / DAY; @@ -106,13 +107,19 @@ allowed_user(struct passwd * pw) return 0; } - if (spw->sp_lstchg == 0) { +#if defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && + spw->sp_warn == 0) + disabled = 1; /* Trusted Mode: expiry disabled */ +#endif + + if (!disabled && spw->sp_lstchg == 0) { logit("User %.100s password has expired (root forced)", pw->pw_name); return 0; } - if (spw->sp_max != -1 && + if (!disabled && spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { logit("User %.100s password has expired (password aged)", pw->pw_name); -- cgit v1.2.3