Bugzilla – Attachment 540 Details for
Bug 14
Can't change expired /etc/shadow password without PAM
[patch]
Hook shadow expiry into do_pwchange
openssh-shadow-expire.patch (text/plain), 7.71 KB, created by
Darren Tucker
on 2004-02-08 09:34:32 AEDT
Description:
Hook shadow expiry into do_pwchange
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2004-02-08 09:34:32 AEDT
Size:
7.71 KB
>Index: Makefile.in
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v
>retrieving revision 1.254
>diff -u -p -r1.254 Makefile.in
>--- Makefile.in 27 Jan 2004 10:19:22 -0000 1.254
>+++ Makefile.in 7 Feb 2004 13:36:00 -0000
>@@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> kexdhs.o kexgexs.o \
> auth-krb5.o \
> auth2-gss.o gss-serv.o gss-serv-krb5.o \
>- loginrec.o auth-pam.o auth-sia.o md5crypt.o
>+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
>Index: auth-passwd.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v
>retrieving revision 1.68
>diff -u -p -r1.68 auth-passwd.c
>--- auth-passwd.c 6 Feb 2004 05:38:16 -0000 1.68
>+++ auth-passwd.c 7 Feb 2004 22:32:18 -0000
>@@ -46,6 +46,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.31 20
> #ifdef WITH_AIXAUTHENTICATE
> # include "canohost.h"
> #endif
>+#include "auth-shadow.h"
>
> extern ServerOptions options;
> int sys_auth_passwd(Authctxt *, const char *);
>@@ -100,6 +101,13 @@ auth_password(Authctxt *authctxt, const
> return ok;
> }
> #endif
>+#ifdef USE_SHADOW
>+ if (auth_shadow_pwexpired(authctxt)) {
>+ disable_forwarding();
>+ authctxt->force_pwchange = 1;
>+ }
>+#endif
>+
> return (sys_auth_passwd(authctxt, password) && ok);
> }
>
>Index: auth-shadow.c
>===================================================================
>RCS file: auth-shadow.c
>diff -N auth-shadow.c
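Review bot: In the second auth-passwd.c hunk the expiry check runs before `sys_auth_passwd()` has verified the password, so `disable_forwarding()` and `authctxt->force_pwchange = 1` take effect, and the "password has expired" log line is written, on attempts that then fail. If a different method later succeeds in the same session, the flag and the disabled forwarding would presumably still be in place; whether that is intended is not visible here. I would verify first and consult expiry only on success, keeping the unconditional call to `sys_auth_passwd()`; this assumes `ok` is a plain int, since the body of auth_password starts outside the hunk. The auth.c hunk also removes the expiry test from allowed_user(), so after this patch expiry is evaluated only on the password path, which deserves a sentence in the description.

```c
	/* … unchanged: earlier checks that set ok … */
	ok = sys_auth_passwd(authctxt, password) && ok;
#ifdef USE_SHADOW
	/* Consult expiry only after the password itself has been verified. */
	if (ok && auth_shadow_pwexpired(authctxt)) {
		disable_forwarding();
		authctxt->force_pwchange = 1;
	}
#endif
	return ok;
```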
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ auth-shadow.c 7 Feb 2004 14:40:19 -0000
>@@ -0,0 +1,80 @@
>+/*
>+ * Copyright (c) 2004 Darren Tucker. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "includes.h"
>+RCSID("$Id$");
>+
>+#ifdef USE_SHADOW
>+#include <shadow.h>
>+
>+#include "auth.h"
>+#include "auth-shadow.h"
>+#include "buffer.h"
>+#include "log.h"
>+
>+#define DAY (24L * 60 * 60) /* 1 day in seconds */
>+
>+extern Buffer loginmsg;
>+
>+/*
>+ * Check shadow password expiry.
>+ * Returns: 1 = password expired, 0 = password not expired
>+ */
>+int
>+auth_shadow_pwexpired(Authctxt *ctxt)
>+{
>+ struct spwd *spw = NULL;
>+ const char *user = ctxt->pw->pw_name;
>+ time_t today;
>+
>+ if ((spw = getspnam(user)) == NULL) {
>+ error("Could not get shadow information for %.100s", user);
>+ return 0;
>+ }
>+
>+ today = time(NULL) / DAY;
>+ debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
>+ (int)spw->sp_lstchg, (int)spw->sp_max);
>+
>+#if defined(__hpux) && !defined(HAVE_SECUREWARE)
>+ if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
>+ spw->sp_warn == 0)
>+ return 0; /* HP-UX Trusted Mode: expiry disabled */
>+#endif
>+
>+ /* TODO: Add code to put expiry warnings into loginmsg */
>+
>+ if (spw->sp_lstchg == 0) {
>+ logit("User %.100s password has expired (root forced)", user);
>+ return 1;
>+ }
>+
>+ if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) {
>+ logit("User %.100s password has expired (password aged)", user);
>+ return 1;
>+ }
>+
>+ return 0;
>+}
>+#endif /* USE_SHADOW */
>Index: auth-shadow.h
>===================================================================
>RCS file: auth-shadow.h
>diff -N auth-shadow.h
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ auth-shadow.h 7 Feb 2004 14:02:38 -0000
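Review bot: auth-shadow.c reads `spw->sp_lstchg`, `sp_max`, `sp_min` and `sp_warn` under `#ifdef USE_SHADOW` alone, whereas the code it replaces in auth.c also sat inside `HAS_SHADOW_EXPIRE` (see the `#endif /* HAS_SHADOW_EXPIRE */` context line in the auth.c hunk); the defines.h hunk defines `USE_SHADOW` without reference to it. If that macro exists because some platforms ship shadow.h without the ageing fields, the new file will not build there; guarding the function body and the call in auth_password with `#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)` would keep the old coverage. Separately, `auth_shadow_pwexpired()` dereferences `ctxt->pw` without a check and returns 0 when `getspnam()` fails, so a lookup failure is treated as "not expired". A comment such as `/* no shadow entry: treat as not expired; caller guarantees ctxt->pw != NULL */` would make that fail-open choice explicit.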
>@@ -0,0 +1,28 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright (c) 2004 Darren Tucker. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+int auth_shadow_pwexpired(Authctxt *);
>+
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.81
>diff -u -p -r1.81 auth.c
>--- auth.c 21 Nov 2003 12:56:47 -0000 1.81
>+++ auth.c 7 Feb 2004 13:15:02 -0000
>@@ -106,25 +106,6 @@ allowed_user(struct passwd * pw)
> logit("Account %.100s has expired", pw->pw_name);
> return 0;
> }
>-
>-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
>- if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
>- spw->sp_warn == 0)
>- disabled = 1; /* Trusted Mode: expiry disabled */
>-#endif
>-
>- if (!disabled && spw->sp_lstchg == 0) {
>- logit("User %.100s password has expired (root forced)",
>- pw->pw_name);
>- return 0;
>- }
>-
>- if (!disabled && spw->sp_max != -1 &&
>- today > spw->sp_lstchg + spw->sp_max) {
>- logit("User %.100s password has expired (password aged)",
>- pw->pw_name);
>- return 0;
>- }
> }
> #endif /* HAS_SHADOW_EXPIRE */
> #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
>Index: defines.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/defines.h,v
>retrieving revision 1.109
>diff -u -p -r1.109 defines.h
>--- defines.h 27 Jan 2004 05:40:35 -0000 1.109
>+++ defines.h 7 Feb 2004 13:30:20 -0000
>@@ -585,6 +585,9 @@ struct winsize {
> # endif
> #endif
>
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>+# define USE_SHADOW
>+#endif
>
> /* The login() library function in libutil is first choice */
> #if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)
Flags:
djm
:
ok+