authordavidn <davidn@FreeBSD.org>1997-02-10 15:42:12 +0000
committerdavidn <davidn@FreeBSD.org>1997-02-10 15:42:12 +0000
commiteb7d367862858f9cd3d5934cb6c38dc8041dd611 (patch)
treef70af2132d998d4ccf935cef955449089728b087 /usr.bin/passwd
parent9da4914e7208d91779eee2ef21fdac380b51afee (diff)
Adds login class support for local & nis passwords:
- minpasswordlen=n overrides the minimum password length for the class.
- passwordperiod=n[smhdwy] automatically sets the next password change date.
Diffstat (limited to 'usr.bin/passwd')
-rw-r--r--usr.bin/passwd/Makefile17
-rw-r--r--usr.bin/passwd/local_passwd.c46
-rw-r--r--usr.bin/passwd/passwd.113
3 files changed, 60 insertions, 16 deletions
diff --git a/usr.bin/passwd/Makefile b/usr.bin/passwd/Makefile
index 4f72ca1..89a3a0c 100644
--- a/usr.bin/passwd/Makefile
+++ b/usr.bin/passwd/Makefile
@@ -5,15 +5,18 @@ PROG= passwd
SRCS= local_passwd.c yppasswd_private_xdr.c yppasswd_comm.c yp_passwd.c \
passwd.c pw_copy.c pw_util.c pw_yp.c
-DPADD= ${LIBCRYPT} ${LIBRPCSVC}
-LDADD= -lcrypt -lrpcsvc
+DPADD= ${LIBCRYPT} ${LIBRPCSVC} ${LIBUTIL}
+LDADD= -lcrypt -lrpcsvc -lutil
.PATH: ${.CURDIR}/../../usr.bin/chpass ${.CURDIR}/../../usr.sbin/vipw \
${.CURDIR}/../rlogin ${.CURDIR}/../../libexec/ypxfr \
${.CURDIR}/../../usr.sbin/rpc.yppasswdd
-CFLAGS+= -DCRYPT -DYP -I. -I${.CURDIR} -I${.CURDIR}/../../usr.sbin/vipw \
- -I${.CURDIR}/../../usr.bin/chpass -I${.CURDIR}/../../libexec/ypxfr \
- -I${.CURDIR}/../../usr.sbin/rpc.yppasswdd -Dyp_error=warnx -DLOGGING
+CFLAGS+= -DLOGIN_CAP -DCRYPT -DYP -I. -I${.CURDIR} \
+ -I${.CURDIR}/../../usr.sbin/vipw \
+ -I${.CURDIR}/../../usr.bin/chpass \
+ -I${.CURDIR}/../../libexec/ypxfr \
+ -I${.CURDIR}/../../usr.sbin/rpc.yppasswdd \
+ -Dyp_error=warnx -DLOGGING
SRCS+= ypxfr_misc.c yp_clnt.c yppasswd_clnt.c
@@ -59,8 +62,8 @@ CFLAGS+= -DKERBEROS \
-I${.CURDIR}/../../eBones/include \
-I${.CURDIR}/../../eBones/lib/libkadm
# XXX not defined: ${LIBKADM}, ${LIBCOM_ERR}
-DPADD= ${LIBKADM} ${LIBKRB} ${LIBDES} ${LIBCRYPT} ${LIBRPCSVC} ${LIBCOM_ERR}
-LDADD= -lkadm -lkrb -ldes -lcrypt -lrpcsvc -lcom_err
+DPADD= ${LIBKADM} ${LIBKRB} ${LIBDES} ${LIBCRYPT} ${LIBRPCSVC} ${LIBCOM_ERR} ${LIBUTIL}
+LDADD= -lkadm -lkrb -ldes -lcrypt -lrpcsvc -lcom_err -lutil
DISTRIBUTION= krb
.endif
diff --git a/usr.bin/passwd/local_passwd.c b/usr.bin/passwd/local_passwd.c
index 04b552f..48faf02 100644
--- a/usr.bin/passwd/local_passwd.c
+++ b/usr.bin/passwd/local_passwd.c
@@ -60,6 +60,13 @@ static const char sccsid[] = "@(#)local_passwd.c 8.3 (Berkeley) 4/2/94";
#include <syslog.h>
#endif
+#ifdef LOGIN_CAP
+#ifdef AUTH_NONE /* multiple defs :-( */
+#undef AUTH_NONE
+#endif
+#include <login_cap.h>
+#endif
+
#include "extern.h"
static uid_t uid;
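Review bot: The `#undef AUTH_NONE` ahead of `<login_cap.h>` is explained only as "multiple defs", which does not say which header's definition wins or whether that matters in this file. After this block any use of `AUTH_NONE` takes the login_cap meaning; if an earlier include (presumably an RPC header, not visible in the hunk) supplied the other one, code relying on it would change meaning silently. I would spell that out in the comment, e.g. `/* AUTH_NONE is also defined by an earlier header; drop it so <login_cap.h> can define its own. Do not use AUTH_NONE below. */`.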
@@ -86,8 +93,11 @@ getnewpasswd(pw, nis)
struct passwd *pw;
int nis;
{
- int tries;
+ int tries, min_length = 6;
char *p, *t;
+#ifdef LOGIN_CAP
+ login_cap_t * lc;
+#endif
char buf[_PASSWORD_LEN+1], salt[10];
struct timeval tv;
@@ -101,14 +111,34 @@ getnewpasswd(pw, nis)
pw_error(NULL, 1, 1);
}
+#ifdef LOGIN_CAP
+ /*
+ * Determine minimum password length and next password change date.
+ * Note that even for NIS passwords, login_cap is still used.
+ */
+ if ((lc = login_getclass(pw)) != NULL) {
+ time_t period;
+
+ /* minpasswordlen capablity */
+ min_length = (int)login_getcapnum(lc, "minpasswordlen",
+ min_length, min_length);
+ /* passwordperiod capability */
+ period = login_getcaptime(lc, "passwordperiod", 0, 0);
+ if (period > (time_t)0) {
+ pw->pw_change = time(NULL) + period;
+ }
+ login_close(lc);
+ }
+#endif
+
for (buf[0] = '\0', tries = 0;;) {
p = getpass("New password:");
if (!*p) {
(void)printf("Password unchanged.\n");
pw_error(NULL, 0, 0);
}
- if (strlen(p) <= 5 && (uid != 0 || ++tries < 2)) {
- (void)printf("Please enter a longer password.\n");
+ if (strlen(p) < min_length && (uid != 0 || ++tries < 2)) {
+ (void)printf("Please enter a password at least %d characters in length.\n", min_length);
continue;
}
for (t = p; *t && islower(*t); ++t);
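Review bot: The value read for `minpasswordlen` is cast to `int` and used unchecked, and `strlen(p) < min_length` then compares a `size_t` with a signed `int`. A negative or truncated value converts to a very large unsigned number, so every password is rejected and a non-root user is re-prompted without end; a value above `_PASSWORD_LEN` likely has the same effect. I would range-check right after the lookup, e.g. `if (min_length < 1 || min_length > _PASSWORD_LEN) min_length = 6;`, and write the test as `strlen(p) < (size_t)min_length`. `time(NULL) + period` likewise adds an unbounded `period`, so an upper limit there would keep `pw_change` from wrapping. getnewpasswd() begins and continues outside this hunk.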
@@ -172,12 +202,14 @@ local_passwd(uname)
tfd = pw_tmp();
/*
- * Get the new password. Reset passwd change time to zero; when
- * classes are implemented, go and get the "offset" value for this
- * class and reset the timer.
+ * Get the new password. Reset passwd change time to zero by
+ * default. If the user has a valid login class (or the default
+ * fallback exists), then the next password change date is set
+ * by getnewpasswd() according to the "passwordperiod" capability
+ * if one has been specified.
*/
- pw->pw_passwd = getnewpasswd(pw, 0);
pw->pw_change = 0;
+ pw->pw_passwd = getnewpasswd(pw, 0);
pw_copy(pfd, tfd, pw);
if (!pw_mkdb(uname))
diff --git a/usr.bin/passwd/passwd.1 b/usr.bin/passwd/passwd.1
index 1451416..a595bfa 100644
--- a/usr.bin/passwd/passwd.1
+++ b/usr.bin/passwd/passwd.1
@@ -55,8 +55,10 @@ If the current password is correctly typed, a new password is
requested.
The new password must be entered twice to avoid typing errors.
.Pp
-The new password should be at least six characters long and not
-purely alphabetic.
+The new password should be at least six characters long (which
+may be overridden using the
+.Xr login.cap 5
+"minpasswordlen" setting for a user's login class) and not purely alphabetic.
Its total length must be less than
.Dv _PASSWORD_LEN
(currently 128 characters).
@@ -74,7 +76,11 @@ password file, and not with the Kerberos database.
When changing only the local password,
.Xr pwd_mkdb 8
is used to update the password databases.
+.Pp
.El
+When changing local or NIS password, the next password change date
+is set according to "passwordperiod" capability in the user's
+login class.
.Pp
To change another user's Kerberos password, one must first
run
@@ -174,12 +180,15 @@ The user database
A Version 7 format password file
.It Pa /etc/passwd.XXXXXX
Temporary copy of the password file
+.It Pa /etc/login.conf
+Login class capabilities database
.El
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr kerberos 1 ,
.Xr kinit 1 ,
.Xr login 1 ,
+.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr kpasswdd 8 ,
.Xr pwd_mkdb 8 ,