From e41bba584737f028579961ddf6669b6a768e47e7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 25 Aug 2003 11:51:19 +1000 Subject: - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny any access to locked accounts. ok djm@ --- auth.c | 51 +++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 43 insertions(+), 8 deletions(-) (limited to 'auth.c') diff --git a/auth.c b/auth.c index d4768a15..9a59e270 100644 --- a/auth.c +++ b/auth.c @@ -73,23 +73,25 @@ int allowed_user(struct passwd * pw) { struct stat st; - const char *hostname = NULL, *ipaddr = NULL; + const char *hostname = NULL, *ipaddr = NULL, *passwd; char *shell; int i; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ - defined(HAS_SHADOW_EXPIRE) - struct spwd *spw; - time_t today; +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + struct spwd *spw = NULL; #endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ - defined(HAS_SHADOW_EXPIRE) +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + if (!options.use_pam) + spw = getspnam(pw->pw_name); +#ifdef HAS_SHADOW_EXPIRE #define DAY (24L * 60 * 60) /* 1 day in seconds */ - if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { + if (!options.use_pam && spw != NULL) { + time_t today; + today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" " sp_max %d", (int)today, (int)spw->sp_expire, @@ -117,8 +119,41 @@ allowed_user(struct passwd * pw) return 0; } } +#endif /* HAS_SHADOW_EXPIRE */ +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + + /* grab passwd field for locked account check */ +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + if (spw != NULL) + passwd = spw->sp_pwdp; +#else + passwd = pw->pw_passwd; #endif + /* check for locked account */ + if (passwd && *passwd) { + int locked = 0; + +#ifdef LOCKED_PASSWD_STRING + if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_PREFIX + if (strncmp(passwd, LOCKED_PASSWD_PREFIX, + strlen(LOCKED_PASSWD_PREFIX)) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_SUBSTR + if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) + locked = 1; +#endif + if (locked) { + logit("User %.100s not allowed because account is locked", + pw->pw_name); + return 0; + } + } + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. -- cgit v1.2.3