author | Damien Miller <djm@mindrot.org> | 2000-06-26 11:31:33 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-06-26 11:31:33 +1000 |
commit | 1f335fb8d81a23c6ddce3062a4e2d4efe9d8a59e (patch) | |
tree | e0b2ff2cff12a83740f16bb7da48f592402bdcae | |
parent | c0fd17fdca5853c0c6bfdfc364d8c5418dcab86b (diff) |
- (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>
- (djm) Added password expiry checking (no password change support)
-rw-r--r-- | CREDITS | 5 | ||||
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | acconfig.h | 3 | ||||
-rw-r--r-- | auth.c | 24 | ||||
-rw-r--r-- | configure.in | 22 |
5 files changed, 54 insertions, 2 deletions
@@ -3,9 +3,10 @@ Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song - Creators of OpenSSH -Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes +Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support Andrew McGill <andrewm@datrix.co.za> - SCO fixes +Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes Andy Sloane <andy@guildsoftware.com> - bugfixes Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes Ben Lindstrom <mouring@pconline.com> - NeXT support @@ -35,7 +36,7 @@ IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes Jani Hakala <jahakala@cc.jyu.fi> - Patches Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes Jim Knoble <jmknoble@pobox.com> - Many patches -jonchen (email unknown) - the original author of PAM support of SSH +Jonchen (email unknown) - the original author of PAM support of SSH Juergen Keil <jk@tools.de> - scp bugfixing Kees Cook <cook@cpoint.net> - scp fixes Kenji Miyake <kenji@miyake.org> - Configure fixes @@ -1,5 +1,7 @@ 20000626 - (djm) Better fix to aclocal tests from Garrick James <garrick@james.net> + - (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de> + - (djm) Added password expiry checking (no password change support) - OpenBSD CVS update - provos@cvs.openbsd.org 2000/06/25 14:17:58 [channels.c] @@ -133,6 +133,9 @@ /* Define if you want to disable shadow passwords */ #undef DISABLE_SHADOW +/* Define if you want to use shadow password expire field */ +#undef HAS_SHADOW_EXPIRE + /* Define if you want have trusted HPUX */ #undef HAVE_HPUX_TRUSTED_SYSTEM_PW 
@@ -22,6 +22,9 @@ RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $"); #ifdef HAVE_LOGIN_H #include <login.h> #endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#include <shadow.h> +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ #include "bufaux.h" #include "ssh2.h" @@ -53,11 +56,32 @@ allowed_user(struct passwd * pw) #ifdef WITH_AIXAUTHENTICATE char *loginmsg; #endif /* WITH_AIXAUTHENTICATE */ +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ + defined(HAS_SHADOW_EXPIRE) + struct spwd *spw; /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) return 0; + spw = getspnam(pw->pw_name); + if (spw == NULL) + return 0; + + /* Check account expiry */ + if ((spw->sp_expire > 0) && ((time(NULL) / 86400) > spw->sp_expire)) + return 0; + + /* Check password expiry */ + if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && + ((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_inact))) + return 0; +#else + /* Shouldn't be called if pw is NULL, but better safe than sorry... */ + if (!pw) + return 0; +#endif + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. diff --git a/configure.in b/configure.in index d9a87d8e..ca433e56 100644 --- a/configure.in +++ b/configure.in @@ -236,6 +236,8 @@ if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; t AC_CHECK_FUNCS(pam_getenvlist) + disable_shadow=yes + PAM_MSG="yes" # Check PAM strerror arguments (old PAM) 
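Review bot: The password-expiry test in the second auth.c hunk adds `sp_inact` to `sp_lstchg`, but in the shadow format `sp_inact` is the grace period after a password has already expired, while the maximum password age is `sp_max`. As written, an account with a maximum age but no inactivity period is never rejected for an expired password, and one with a short inactivity period is rejected that many days after the last change regardless of the maximum age. I would test `(spw->sp_lstchg > 0) && (spw->sp_max > 0) && (today > spw->sp_lstchg + spw->sp_max)`, with `today = time(NULL) / 86400` computed once, and extend the configure.in probe in the last hunk to touch `sp_max` as well. Each `return 0` here, including the one for a NULL `getspnam()` result, denies the login without recording why, which makes an expiry lockout hard to tell apart from other refusals. allowed_user's body continues past the end of the hunk.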
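Review bot: The `disable_shadow=yes` added inside the PAM branch of configure.in needs a comment, because the name suggests shadow support is turned off while `AC_DEFINE(DISABLE_SHADOW)` is not issued in this hunk. Its visible effect is only to skip the expiry probe in the last hunk, so `HAS_SHADOW_EXPIRE` stays undefined in a PAM build. In that build allowed_user compiles the `#else` branch, which has no expiry checks. Something like `# PAM builds rely on the PAM account stack for expiry; skip the shadow expiry probe below` would record that. Whether the PAM path actually enforces account expiry is not visible on this page and should be confirmed.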
@@ -933,10 +935,30 @@ AC_ARG_WITH(shadow, [ if test "x$withval" = "xno" ; then AC_DEFINE(DISABLE_SHADOW) + disable_shadow=yes fi ] ) +if test -z "$disable_shadow" ; then + AC_MSG_CHECKING([if the systems has expire shadow information]) + AC_TRY_COMPILE( + [ +#include <sys/types.h> +#include <shadow.h> + struct spwd sp; + ],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ], + [ sp_expire_available=yes ], [] + ) + + if test "x$sp_expire_available" = "xyes" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAS_SHADOW_EXPIRE) + else + AC_MSG_RESULT(no) + fi +fi + # Use ip address instead of hostname in $DISPLAY DISPLAY_HACK_MSG="no" AC_ARG_WITH(ipaddr-display, |