author | Darren Tucker <dtucker@zip.com.au> | 2004-02-10 12:50:19 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2004-02-10 12:50:19 +1100 |
commit | e3dba82dd44c165716ce2a81157b6c2f269fc0af (patch) | |
tree | 3fc23f29c9e5e13892fb2c103bf75a60ff77b75a | |
parent | 693f8a8aae5b79360f13f478c09235061aa59647 (diff) |
- (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
native password expiry.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | auth-passwd.c | 14 | ||||
-rw-r--r-- | auth.h | 1 | ||||
-rw-r--r-- | openbsd-compat/port-aix.c | 39 | ||||
-rw-r--r-- | openbsd-compat/port-aix.h | 8 |
5 files changed, 50 insertions, 19 deletions
@@ -1,3 +1,8 @@ +20040210 + - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c + openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's + native password expiry. + 20040207 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2004/02/06 23:41:13 @@ -1820,4 +1825,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3217 2004/02/07 01:29:39 dtucker Exp $ +$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index 5cc88155..a58dc042 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -43,14 +43,11 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $"); #include "servconf.h" #include "auth.h" #include "auth-options.h" -#ifdef WITH_AIXAUTHENTICATE -# include "canohost.h" -#endif extern ServerOptions options; int sys_auth_passwd(Authctxt *, const char *); -static void +void disable_forwarding(void) { no_port_forwarding_flag = 1; @@ -121,14 +118,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password) return (auth_close(as)); } } -#elif defined(WITH_AIXAUTHENTICATE) -int -sys_auth_passwd(Authctxt *authctxt, const char *password) -{ - return (aix_authenticate(authctxt->pw->pw_name, password, - get_canonical_hostname(options.use_dns))); -} -#else +#elif !defined(CUSTOM_SYS_AUTH_PASSWD) int sys_auth_passwd(Authctxt *authctxt, const char *password) { @@ -123,6 +123,7 @@ void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ #include "auth-pam.h" +void disable_forwarding(void); void do_authentication(Authctxt *); void do_authentication2(Authctxt *); diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 6fc2ef77..a5511bbe 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c 
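Review bot: The new `#elif !defined(CUSTOM_SYS_AUTH_PASSWD)` branch in auth-passwd.c selects the password backend from a macro that is defined in a different header, and nothing at this site says so. A one-line comment on the branch would help, e.g. `/* CUSTOM_SYS_AUTH_PASSWD: a platform port (currently openbsd-compat/port-aix.h) supplies sys_auth_passwd() */`. How auth-passwd.c comes to see that macro is not visible in this hunk, so it is worth confirming the port header is included before this point on AIX builds.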
@@ -98,10 +98,10 @@ aix_remove_embedded_newlines(char *p) * returns 0. */ int -aix_authenticate(const char *name, const char *password, const char *host) +sys_auth_passwd(Authctxt *ctxt, const char *password) { - char *authmsg = NULL, *msg; - int authsuccess = 0, reenter, result; + char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name; + int authsuccess = 0, expired, reenter, result; do { result = authenticate((char *)name, (char *)password, &reenter, @@ -114,7 +114,12 @@ aix_authenticate(const char *name, const char *password, const char *host) if (result == 0) { authsuccess = 1; - /* No pty yet, so just label the line as "ssh" */ + host = (char *)get_canonical_hostname(options.use_dns); + + /* + * Record successful login. We don't have a pty yet, so just + * label the line as "ssh" + */ aix_setauthdb(name); if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) { if (msg != NULL) { @@ -123,6 +128,32 @@ aix_authenticate(const char *name, const char *password, const char *host) xfree(msg); } } + + /* + * Check if the user's password is expired. + */ + expired = passwdexpired(name, &msg); + if (msg && *msg) { + buffer_append(&loginmsg, msg, strlen(msg)); + aix_remove_embedded_newlines(msg); + } + debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); + + switch (expired) { + case 0: /* password not expired */ + break; + case 1: /* expired, password change required */ + ctxt->force_pwchange = 1; + disable_forwarding(); + break; + default: /* user can't change(2) or other error (-1) */ + logit("Password can't be changed for user %s: %.100s", + name, msg); + if (msg) + xfree(msg); + authsuccess = 0; + } + aix_restoreauthdb(); } diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 930b3f24..ef03661e 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.18 2004/02/10 01:50:20 dtucker Exp $ */ /* * 
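Review bot: In the `@@ -114,7 +114,12 @@` hunk of port-aix.c, `loginsuccess()` records the login before the expiry check added in the following hunk, whose `default:` branch can still set `authsuccess = 0`. A user whose expired password cannot be changed is therefore recorded as logged in and then rejected, so whatever `loginsuccess()` updates (presumably last-login data and the failed-attempt count) no longer matches the outcome. Consider running `passwdexpired()` first and calling `loginsuccess()` only while `authsuccess` is still set. The function body continues outside these hunks.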
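Review bot: `msg` is not reset before `passwdexpired(name, &msg)` in the `@@ -123,6 +128,32 @@` hunk, although the `loginsuccess()` block just above already calls `xfree(msg)` and the declaration gives it no initialiser. If `passwdexpired()` leaves `*msg` untouched on some path (not visible here), the `msg && *msg` test and `buffer_append()` read a stale pointer. Both `%.100s` arguments also receive `msg` when it may be NULL, which the later `if (msg)` shows is expected, and the buffer is freed only in the `default:` branch, so the not-expired and change-required paths leak it. The function body continues outside the hunk.

```c
		/* … unchanged: loginsuccess() recording … */

		msg = NULL;	/* may still hold the pointer freed after loginsuccess() */
		expired = passwdexpired(name, &msg);
		/* … unchanged: append msg to loginmsg … */
		debug3("AIX/passwdexpired returned %d msg %.100s", expired,
		    msg ? msg : "");

		switch (expired) {
		/* … unchanged: case 0 and case 1 … */
		default: /* user can't change(2) or other error (-1) */
			logit("Password can't be changed for user %s: %.100s",
			    name, msg ? msg : "");
			authsuccess = 0;
		}
		if (msg)
			xfree(msg);	/* release on every path, not only default */
```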
@@ -36,6 +36,9 @@ # include <usersec.h> #endif +/* For Authctxt */ +#include "auth.h" + /* Some versions define r_type in the above headers, which causes a conflict */ #ifdef r_type # undef r_type @@ -62,11 +65,12 @@ void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE +# define CUSTOM_SYS_AUTH_PASSWD 1 +int sys_auth_passwd(Authctxt *, const char *); # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *, const char *); #endif -int aix_authenticate(const char *, const char *, const char *); void aix_setauthdb(const char *); void aix_restoreauthdb(void); void aix_remove_embedded_newlines(char *); |