From 5c14c734295b9a30d71d110deb8307d5610d4c01 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 24 Jan 2005 21:55:49 +1100 Subject: - otto@cvs.openbsd.org 2005/01/21 08:32:02 [auth-passwd.c sshd.c] Warn in advance for password and account expiry; initialize loginmsg buffer earlier and clear it after privsep fork. ok and help dtucker@ markus@ --- auth-passwd.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) (limited to 'auth-passwd.c') diff --git a/auth-passwd.c b/auth-passwd.c index 7a68e0562..2e5fbc73a 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -36,17 +36,27 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.32 2005/01/21 08:32:02 otto Exp $"); #include "packet.h" +#include "buffer.h" #include "log.h" #include "servconf.h" #include "auth.h" #include "auth-options.h" +extern Buffer loginmsg; extern ServerOptions options; int sys_auth_passwd(Authctxt *, const char *); +#ifdef HAVE_LOGIN_CAP +extern login_cap_t *lc; +#endif + + +#define DAY (24L * 60 * 60) /* 1 day in seconds */ +#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ + void disable_forwarding(void) { 
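Review bot: `extern Buffer loginmsg;` and `extern login_cap_t *lc;` are declared directly in auth-passwd.c, so the compiler cannot check them against their definitions, which appear to live in another file (the commit subject also lists sshd.c). Declaring each of them once in a header that the defining file also includes would turn a later type change into a compile error instead of a silent mismatch at link time. The new `DAY` and `TWO_WEEKS` macros are only used in this file but have very generic names, so a short comment noting that they are the default warning window for expiry messages would help the next reader.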
@@ -111,11 +121,46 @@ auth_password(Authctxt *authctxt, const char *password) } #ifdef BSD_AUTH +static void +warn_expiry(Authctxt *authctxt, auth_session_t *as) +{ + char buf[256]; + quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime; + + pwwarntime = acwarntime = TWO_WEEKS; + + pwtimeleft = auth_check_change(as); + actimeleft = auth_check_expire(as); +#if HAVE_LOGIN_CAP + if (authctxt->valid) { + pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS, + TWO_WEEKS); + acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS, + TWO_WEEKS); + } +#endif + if (pwtimeleft != 0 && pwtimeleft < pwwarntime) { + daysleft = pwtimeleft / DAY + 1; + snprintf(buf, sizeof(buf), + "Your password will expire in %lld day%s.\n", + daysleft, daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); + } + if (actimeleft != 0 && actimeleft < acwarntime) { + daysleft = actimeleft / DAY + 1; + snprintf(buf, sizeof(buf), + "Your account will expire in %lld day%s.\n", + daysleft, daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); + } +} + int sys_auth_passwd(Authctxt *authctxt, const char *password) { struct passwd *pw = authctxt->pw; auth_session_t *as; + static int expire_checked = 0; as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh", (char *)password); @@ -125,6 +170,10 @@ sys_auth_passwd(Authctxt *authctxt, const char *password) authctxt->force_pwchange = 1; return (1); } else { + if (!expire_checked) { + expire_checked = 1; + warn_expiry(authctxt, as); + } return (auth_close(as)); } } -- cgit v1.2.3 From 218f178cb20c276027e972bff0208043fcf533a3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 24 Jan 2005 22:50:47 +1100 Subject: - dtucker@cvs.openbsd.org 2005/01/24 11:47:13 [auth-passwd.c] #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@ --- ChangeLog | 5 ++++- auth-passwd.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'auth-passwd.c') 
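Review bot: In warn_expiry() both tests use `!= 0`, so a negative value from auth_check_change() or auth_check_expire() also satisfies `< pwwarntime` / `< acwarntime` and queues a "will expire in N days" line. If a negative return means the password or account has already expired (worth confirming in the BSD auth manual), that message is wrong for an entry that has already lapsed. Testing `pwtimeleft > 0 && pwtimeleft < pwwarntime` and `actimeleft > 0 && actimeleft < acwarntime` restricts the warning to a future expiry. `daysleft` is a `quad_t` printed with `%lld`; casting it as `(long long)daysleft` keeps the format and argument in agreement wherever quad_t is not long long. The function also has no header comment; one sentence stating that a return of 0 from the check functions is treated as "no expiry set" would document the contract.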
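Review bot: In the new `else` branch of sys_auth_passwd(), warn_expiry() runs and `expire_checked` is set before `auth_close(as)` has reported whether the password was accepted, so the expiry text is queued in `loginmsg` on a failed attempt as well. Whether that text can ever reach a client that has not authenticated depends on how loginmsg is flushed, which is outside this hunk; the commit description mentions clearing it after the privsep fork, so this may already be covered. A comment at the call would make the assumption explicit: `/* loginmsg is only shown after a successful login, so queueing before auth_close() is safe */`. The body of sys_auth_passwd() starts above the hunk.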
diff --git a/ChangeLog b/ChangeLog index 3fa91cf9c..703d8e670 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ - dtucker@cvs.openbsd.org 2005/01/24 10:29:06 [moduli] Import new moduli; requested by deraadt@ a week ago + - dtucker@cvs.openbsd.org 2005/01/24 11:47:13 + [auth-passwd.c] + #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@ 20050120 - (dtucker) OpenBSD CVS Sync @@ -2040,4 +2043,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3625 2005/01/24 11:00:40 dtucker Exp $ +$Id: ChangeLog,v 1.3626 2005/01/24 11:50:47 dtucker Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index 2e5fbc73a..fb14f5ce4 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.32 2005/01/21 08:32:02 otto Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $"); #include "packet.h" #include "buffer.h" @@ -131,7 +131,7 @@ warn_expiry(Authctxt *authctxt, auth_session_t *as) pwtimeleft = auth_check_change(as); actimeleft = auth_check_expire(as); -#if HAVE_LOGIN_CAP +#ifdef HAVE_LOGIN_CAP if (authctxt->valid) { pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS, TWO_WEEKS); -- cgit v1.2.3 From 92170a862634bf9ebe958cc75911658d18e30538 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 9 Feb 2005 17:08:23 +1100 Subject: - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call disable_forwarding() from compat library. Prevent linker errrors trying to resolve it for binaries other than sshd. ok djm@ --- ChangeLog | 7 ++++++- auth-passwd.c | 12 ++++++------ openbsd-compat/port-aix.c | 1 - 3 files changed, 12 insertions(+), 8 deletions(-) (limited to 'auth-passwd.c') diff --git a/ChangeLog b/ChangeLog index 98cdf96aa..633d70c36 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -18,6 +18,11 @@ - dtucker@cvs.openbsd.org 2005/02/08 22:24:57 [sshd.c] Provide reason in error message if getnameinfo fails; ok markus@ + - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call + disable_forwarding() from compat library. Prevent linker errrors trying + to resolve it for binaries other than sshd. ok djm@ + + when 20050208 - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the @@ -2107,4 +2112,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3644 2005/02/08 22:53:48 dtucker Exp $ +$Id: ChangeLog,v 1.3645 2005/02/09 06:08:23 dtucker Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index fb14f5ce4..27ece3f72 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -73,7 +73,7 @@ int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; - int ok = authctxt->valid; + int result, ok = authctxt->valid; #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) static int expire_checked = 0; #endif @@ -110,14 +110,14 @@ auth_password(Authctxt *authctxt, const char *password) #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) if (!expire_checked) { expire_checked = 1; - if (auth_shadow_pwexpired(authctxt)) { - disable_forwarding(); + if (auth_shadow_pwexpired(authctxt)) authctxt->force_pwchange = 1; - } } #endif - - return (sys_auth_passwd(authctxt, password) && ok); + result = sys_auth_passwd(authctxt, password); + if (authctxt->force_pwchange) + disable_forwarding(); + return (result && ok); } #ifdef BSD_AUTH diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 27ab06158..b16988543 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c 
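Review bot: In the tail of auth_password(), `if (authctxt->force_pwchange) disable_forwarding();` is now the single place that turns forwarding off for an expired password. Any earlier return path in the function that can leave force_pwchange set would skip it; the start of the function is outside the hunk, so this needs checking against the full file. The check runs regardless of `result` and `ok`, which fails closed and looks intended. I would record the invariant next to it: `/* force_pwchange may be set above or inside sys_auth_passwd(); forwarding must be off whenever it is set */`. The port-aix.c hunk in the same commit depends on this call now that its own disable_forwarding() is removed.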
@@ -196,7 +196,6 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 break;
 case 1: /* expired, password change required */
 ctxt->force_pwchange = 1;
- disable_forwarding();
 break;
 default: /* user can't change(2) or other error (-1) */
 logit("Password can't be changed for user %s: %.100s",
-- 
cgit v1.2.3