Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssh/auth-shadow.c
34677 views
1
/*

2
 * Copyright (c) 2004 Darren Tucker.  All rights reserved.

3
 *

4
 * Redistribution and use in source and binary forms, with or without

5
 * modification, are permitted provided that the following conditions

6
 * are met:

7
 * 1. Redistributions of source code must retain the above copyright

8
 *    notice, this list of conditions and the following disclaimer.

9
 * 2. Redistributions in binary form must reproduce the above copyright

10
 *    notice, this list of conditions and the following disclaimer in the

11
 *    documentation and/or other materials provided with the distribution.

12
 *

13
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

14
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

15
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

16
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

17
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

18
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

19
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

20
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

21
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

22
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

23
 */

24


25
#include "includes.h"

26


27
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)

28
#include <shadow.h>

29
#include <stdarg.h>

30
#include <string.h>

31
#include <time.h>

32


33
#include "hostfile.h"

34
#include "auth.h"

35
#include "sshbuf.h"

36
#include "ssherr.h"

37
#include "log.h"

38


39
#ifdef DAY

40
# undef DAY

41
#endif

42
#define DAY	(24L * 60 * 60) /* 1 day in seconds */

43


44
extern struct sshbuf *loginmsg;

45


46
/*

47
 * For the account and password expiration functions, we assume the expiry

48
 * occurs the day after the day specified.

49
 */

50


51
/*

52
 * Check if specified account is expired.  Returns 1 if account is expired,

53
 * 0 otherwise.

54
 */

55
int

56
auth_shadow_acctexpired(struct spwd *spw)

57
{

58
	time_t today;

59
	long long daysleft;

60
	int r;

61


62
	today = time(NULL) / DAY;

63
	daysleft = spw->sp_expire - today;

64
	debug3("%s: today %lld sp_expire %lld days left %lld", __func__,

65
	    (long long)today, (long long)spw->sp_expire, daysleft);

66


67
	if (spw->sp_expire == -1) {

68
		debug3("account expiration disabled");

69
	} else if (daysleft < 0) {

70
		logit("Account %.100s has expired", spw->sp_namp);

71
		return 1;

72
	} else if (daysleft <= spw->sp_warn) {

73
		debug3("account will expire in %lld days", daysleft);

74
		if ((r = sshbuf_putf(loginmsg, 

75
		    "Your account will expire in %lld day%s.\n", daysleft,

76
		    daysleft == 1 ? "" : "s")) != 0)

77
			fatal("%s: buffer error: %s", __func__, ssh_err(r));

78
	}

79


80
	return 0;

81
}

82


83
/*

84
 * Checks password expiry for platforms that use shadow passwd files.

85
 * Returns: 1 = password expired, 0 = password not expired

86
 */

87
int

88
auth_shadow_pwexpired(Authctxt *ctxt)

89
{

90
	struct spwd *spw = NULL;

91
	const char *user = ctxt->pw->pw_name;

92
	time_t today;

93
	int r, daysleft, disabled = 0;

94


95
	if ((spw = getspnam((char *)user)) == NULL) {

96
		error("Could not get shadow information for %.100s", user);

97
		return 0;

98
	}

99


100
	today = time(NULL) / DAY;

101
	debug3_f("today %lld sp_lstchg %lld sp_max %lld", (long long)today,

102
	    (long long)spw->sp_lstchg, (long long)spw->sp_max);

103


104
#if defined(__hpux) && !defined(HAVE_SECUREWARE)

105
	if (iscomsec()) {

106
		struct pr_passwd *pr;

107


108
		pr = getprpwnam((char *)user);

109


110
		/* Test for Trusted Mode expiry disabled */

111
		if (pr != NULL && pr->ufld.fd_min == 0 &&

112
		    pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 &&

113
		    pr->ufld.fd_pw_expire_warning == 0 &&

114
		    pr->ufld.fd_schange != 0)

115
			disabled = 1;

116
	}

117
#endif

118


119
	/* TODO: check sp_inact */

120
	daysleft = spw->sp_lstchg + spw->sp_max - today;

121
	if (disabled) {

122
		debug3("password expiration disabled");

123
	} else if (spw->sp_lstchg == 0) {

124
		logit("User %.100s password has expired (root forced)", user);

125
		return 1;

126
	} else if (spw->sp_max == -1) {

127
		debug3("password expiration disabled");

128
	} else if (daysleft < 0) {

129
		logit("User %.100s password has expired (password aged)", user);

130
		return 1;

131
	} else if (daysleft <= spw->sp_warn) {

132
		debug3("password will expire in %d days", daysleft);

133
		if ((r = sshbuf_putf(loginmsg, 

134
		    "Your password will expire in %d day%s.\n", daysleft,

135
		    daysleft == 1 ? "" : "s")) != 0)

136
			fatal("%s: buffer error: %s", __func__, ssh_err(r));

137
	}

138


139
	return 0;

140
}

141
#endif	/* USE_SHADOW && HAS_SHADOW_EXPIRE */

142


143