password aging and account lock checks

Kevin Steves stevesk at sweden.hp.com
Thu Sep 21 03:05:29 EST 2000


I'm looking at the password aging and account lock checks in
auth.c:allowed_user(), and specifically their behaviour on
HP-UX.

First, should this code be ifdef'd away if we're using PAM?

Next:

		/* Check account expiry */
		if ((spw->sp_expire > 0) && (days > spw->sp_expire))
			return 0;

If I lock an account by entering too many incorrect passwords,
sp_expire does not change (it stays at -1).  From the comment in the
man page, I would expect it to be set to 0, but even then the code
above would not catch it.

    long  sp_expire; /* # of days from 1/1/70 when account is locked */

If I lock an account with passwd -l, sp_expire is still -1.  I tried
this on Solaris as well and it seems sp_expire is only for account
expiration.

The solution on HP-UX 10.20 and 11.0 is to use the getprpw(3)
interface.

And:

		/* Check password expiry */
		if ((spw->sp_lstchg > 0) && (spw->sp_max > 0) &&
		    (days > (spw->sp_lstchg + spw->sp_max)))
			return 0;

If I expire a password with passwd -f:

     -f             Force user to change password upon next login by
                     expiring the current password.

sp_lstchg is set to 0.  The above code does not catch that.  So
it seems we want something like this (untested):

		/* Check password expiry */
		if (spw->sp_lstchg == 0 || (spw->sp_max > 0 &&
		    days > spw->sp_lstchg + spw->sp_max)) {
			debug("Password for user \"%.200s\" expired",
			    pw->pw_name);
			return 0;
		}

And there are no aging checks if you're not shadow/trusted.  On HP-UX at
least, you can also age passwords without being configured as a trusted
system.

And we need to provide a way to change an expired password.

I'd like to look at building a password abstraction layer where all the
platform dependent password code resides.  This includes various
interfaces to shadow and protected password information, password aging,
and password formats (crypt(), bigcrypt(), MD5).  This will serve to
clean up auth-passwd.c and auth.c and probably some other stuff.

Is this a good direction?
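
Added example, not part of the original post and not OpenSSH code: the three shadow-field checks discussed above, combined into one function that reports a forced change (sp_lstchg == 0) separately from an aged-out password, so a caller could offer a password change instead of refusing the login. The names check_aging(), status_for() and the enum are hypothetical, the sample values are constructed, and it assumes a system that provides <shadow.h>.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

enum aging_status {
	AGING_OK,
	AGING_ACCOUNT_EXPIRED,	/* sp_expire has passed */
	AGING_MUST_CHANGE,	/* sp_lstchg == 0, e.g. after passwd -f */
	AGING_PASSWORD_EXPIRED	/* sp_lstchg + sp_max has passed */
};

/* Hypothetical helper. "days" is days since 1970-01-01, as in the fields. */
enum aging_status
check_aging(const struct spwd *spw, long days)
{
	if (spw->sp_expire > 0 && days > spw->sp_expire)
		return AGING_ACCOUNT_EXPIRED;
	if (spw->sp_lstchg == 0)
		return AGING_MUST_CHANGE;
	/* Keep the sp_lstchg > 0 guard so an unset (-1) field is not aged. */
	if (spw->sp_lstchg > 0 && spw->sp_max > 0 &&
	    days > spw->sp_lstchg + spw->sp_max)
		return AGING_PASSWORD_EXPIRED;
	return AGING_OK;
}

/* Build a constructed entry from the three fields and classify it. */
enum aging_status
status_for(long lstchg, long max, long expire, long days)
{
	struct spwd s = {0};

	s.sp_lstchg = lstchg;
	s.sp_max = max;
	s.sp_expire = expire;
	return check_aging(&s, days);
}

int
main(void)
{
	long days = (long)(time(NULL) / 86400);	/* same unit as the fields */

	printf("forced change: %d\n", status_for(0, 90, -1, days));
	printf("stale password: %d\n", status_for(days - 100, 90, -1, days));
	printf("expired account: %d\n", status_for(days - 5, 90, days - 1, days));
	printf("no aging data: %d\n", status_for(-1, -1, -1, days));
	return 0;
}
```

As the post notes, none of these fields changes when an account is locked, so lock state still needs a platform-specific check.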






More information about the openssh-unix-dev mailing list