authorDarren Tucker <dtucker@dtucker.net>2022-03-26 12:49:50 +1100
committerDarren Tucker <dtucker@dtucker.net>2022-03-26 12:49:50 +1100
commit2923d026e55998133c0f6e5186dca2a3c0fa5ff5 (patch)
tree85f247a961f6f27bf53f436e74aae0b5f1c1b03f /auth.c
parentd23efe4b12886ffe416be10bc0a7da6ca8aa72d1 (diff)
Factor out platform-specific locked account check.
Also fixes an incorrect free on platforms with both libiaf and shadow passwords (probably only Unixware). Prompted by github PR#284, originally from @c3h2_ctf and stoeckmann@.
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c50
1 files changed, 3 insertions, 47 deletions
diff --git a/auth.c b/auth.c
index 560e8eca..81d27589 100644
--- a/auth.c
+++ b/auth.c
@@ -104,59 +104,15 @@ allowed_user(struct ssh *ssh, struct passwd * pw)
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
u_int i;
int r;
-#ifdef USE_SHADOW
- struct spwd *spw = NULL;
-#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;
-#ifdef USE_SHADOW
- if (!options.use_pam)
- spw = getspnam(pw->pw_name);
-#ifdef HAS_SHADOW_EXPIRE
- if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
+ if (!options.use_pam && platform_locked_account(pw)) {
+ logit("User %.100s not allowed because account is locked",
+ pw->pw_name);
return 0;
-#endif /* HAS_SHADOW_EXPIRE */
-#endif /* USE_SHADOW */
-
- /* grab passwd field for locked account check */
- passwd = pw->pw_passwd;
-#ifdef USE_SHADOW
- if (spw != NULL)
-#ifdef USE_LIBIAF
- passwd = get_iaf_password(pw);
-#else
- passwd = spw->sp_pwdp;
-#endif /* USE_LIBIAF */
-#endif
-
- /* check for locked account */
- if (!options.use_pam && passwd && *passwd) {
- int locked = 0;
-
-#ifdef LOCKED_PASSWD_STRING
- if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
- locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_PREFIX
- if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
- strlen(LOCKED_PASSWD_PREFIX)) == 0)
- locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_SUBSTR
- if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
- locked = 1;
-#endif
-#ifdef USE_LIBIAF
- free((void *) passwd);
-#endif /* USE_LIBIAF */
- if (locked) {
- logit("User %.100s not allowed because account is locked",
- pw->pw_name);
- return 0;
- }
}
/*
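Review bot: The first context line of the hunk still declares and initialises `passwd`, but every use of it visible here is removed, so it looks dead unless the rest of allowed_user (whose body continues past this hunk) still reads it; if it does not, the declaration should become `const char *hostname = NULL, *ipaddr = NULL;`. The new check also has no comment saying what platform_locked_account() covers. The removed lines ran the shadow-expiry test and the locked-password-string tests as separate steps, so if the helper absorbed both (its body is not shown here), an expired account would now be logged as "account is locked", which matters to anyone triaging denials from the auth log. A one-line comment above the check would settle it, for example `/* Not consulted when PAM is enabled; platform_locked_account() defines what counts as locked on this platform. */`.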