diff options
author | Darren Tucker <dtucker@zip.com.au> | 2003-08-25 11:51:19 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2003-08-25 11:51:19 +1000 |
commit | e41bba584737f028579961ddf6669b6a768e47e7 (patch) | |
tree | 65b6dba443b02b4ebfe6704162685e1f712643b4 /auth.c | |
parent | 5ade9abc37df3dacacbe20104877ca6dab61082a (diff) |
- (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
any access to locked accounts. ok djm@
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 51 |
1 files changed, 43 insertions, 8 deletions
@@ -73,23 +73,25 @@ int allowed_user(struct passwd * pw) { struct stat st; - const char *hostname = NULL, *ipaddr = NULL; + const char *hostname = NULL, *ipaddr = NULL, *passwd; char *shell; int i; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ - defined(HAS_SHADOW_EXPIRE) - struct spwd *spw; - time_t today; +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + struct spwd *spw = NULL; #endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ - defined(HAS_SHADOW_EXPIRE) +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + if (!options.use_pam) + spw = getspnam(pw->pw_name); +#ifdef HAS_SHADOW_EXPIRE #define DAY (24L * 60 * 60) /* 1 day in seconds */ - if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { + if (!options.use_pam && spw != NULL) { + time_t today; + today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" " sp_max %d", (int)today, (int)spw->sp_expire, @@ -117,8 +119,41 @@ allowed_user(struct passwd * pw) return 0; } } +#endif /* HAS_SHADOW_EXPIRE */ +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + + /* grab passwd field for locked account check */ +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + if (spw != NULL) + passwd = spw->sp_pwdp; +#else + passwd = pw->pw_passwd; #endif + /* check for locked account */ + if (passwd && *passwd) { + int locked = 0; + +#ifdef LOCKED_PASSWD_STRING + if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_PREFIX + if (strncmp(passwd, LOCKED_PASSWD_PREFIX, + strlen(LOCKED_PASSWD_PREFIX)) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_SUBSTR + if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) + locked = 1; +#endif + if (locked) { + logit("User %.100s not allowed because account is locked", + pw->pw_name); + return 0; + } + } + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. |