summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/auth.c')
-rw-r--r--crypto/openssh/auth.c70
1 files changed, 69 insertions, 1 deletions
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index fbd1361..066b50d 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -24,9 +24,17 @@
#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.43 2002/05/17 14:27:55 millert Exp $");
-RCSID("$FreeBSD$");
+#ifdef HAVE_LOGIN_H
+#include <login.h>
+#endif
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#include <shadow.h>
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+
+#ifdef HAVE_LIBGEN_H
#include <libgen.h>
+#endif
#include "xmalloc.h"
#include "match.h"
@@ -67,10 +75,52 @@ allowed_user(struct passwd * pw)
const char *hostname = NULL, *ipaddr = NULL;
char *shell;
int i;
+#ifdef WITH_AIXAUTHENTICATE
+ char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
+#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
+ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+ struct spwd *spw;
+
+ /* Shouldn't be called if pw is NULL, but better safe than sorry... */
+ if (!pw || !pw->pw_name)
+ return 0;
+
+#define DAY (24L * 60 * 60) /* 1 day in seconds */
+ spw = getspnam(pw->pw_name);
+ if (spw != NULL) {
+ time_t today = time(NULL) / DAY;
+ debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
+ " sp_max %d", (int)today, (int)spw->sp_expire,
+ (int)spw->sp_lstchg, (int)spw->sp_max);
+
+ /*
+ * We assume account and password expiration occurs the
+ * day after the day specified.
+ */
+ if (spw->sp_expire != -1 && today > spw->sp_expire) {
+ log("Account %.100s has expired", pw->pw_name);
+ return 0;
+ }
+
+ if (spw->sp_lstchg == 0) {
+ log("User %.100s password has expired (root forced)",
+ pw->pw_name);
+ return 0;
+ }
+ if (spw->sp_max != -1 &&
+ today > spw->sp_lstchg + spw->sp_max) {
+ log("User %.100s password has expired (password aged)",
+ pw->pw_name);
+ return 0;
+ }
+ }
+#else
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;
+#endif
/*
* Get the shell from the password data. An empty shell field is
@@ -150,6 +200,24 @@ allowed_user(struct passwd * pw)
}
ga_free();
}
+
+#ifdef WITH_AIXAUTHENTICATE
+ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+ if (loginmsg && *loginmsg) {
+ /* Remove embedded newlines (if any) */
+ char *p;
+ for (p = loginmsg; *p; p++) {
+ if (*p == '\n')
+ *p = ' ';
+ }
+ /* Remove trailing newline */
+ *--p = '\0';
+ log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
+ }
+ return 0;
+ }
+#endif /* WITH_AIXAUTHENTICATE */
+
/* We found no reason not to let this user try to log on... */
return 1;
}
OpenPOWER on IntegriCloud