password aging and account lock checks
Damien Miller
djm at mindrot.org
Sat Sep 23 14:25:35 EST 2000

On Wed, 20 Sep 2000, Kevin Steves wrote:
> I'm looking at the password aging and account lock checks in
> auth.c:allowed_user(), and specifically their behaviour on
> HP-UX.
>
> First, should this code be ifdef'd away if we're using PAM?

You are correct - done.

> Next:
>
>     /* Check account expiry */
>     if ((spw->sp_expire > 0) && (days > spw->sp_expire))
>         return 0;

I have changed it to "spw->sp_expire >= 0".

> sp_lastchg is set to 0. The above code does not catch that. So
> it seems we want something like this (untested):
>
>     /* Check password expiry */
>     if (spw->sp_lstchg == 0 || (spw->sp_max > 0 &&
>         days > spw->sp_lstchg + spw->sp_max)) {
>         debug("Password for user \"%.200s\" expired",
>             pw->pw_name);
>         return 0;
>     }

How about:

    if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
        (days > (spw->sp_lstchg + spw->sp_max)))
        return 0;

> I'd like to look at building a password abstraction layer where all the
> platform dependent password code resides. This includes various
> interfaces to shadow and protected password information, password aging,
> and password formats (crypt(), bigcrypt(), MD5). This will serve to
> clean up auth-passwd.c and auth.c and probably some other stuff.
>
> Is this a good direction?

I think so, this sort of abstraction (in the form of loginrec.c) has
already made life much simpler. It may be of use for other projects
as well.

-d
--
| ``The power of accurate observation is | Damien Miller <djm at mindrot.org>
| commonly called cynicism by those who | @Work <djm at ibs.com.au>
| have not got it'' - George Bernard Shaw | http://www.mindrot.org
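
Added example, not part of the original message or of OpenSSH: the account-expiry and password-expiry conditions from this thread, side by side, evaluated over constructed shadow entries so the cases where they disagree are visible. The struct, the function names, the sample values and the use of -1 for an unset field are assumptions.

```c
#include <stdio.h>

/* Constructed stand-in for the struct spwd fields named in the thread.
 * Assumption: -1 marks a field that is not set. */
struct aging {
    long lstchg;  /* sp_lstchg */
    long max;     /* sp_max */
    long expire;  /* sp_expire */
};

/* Account expiry as quoted from auth.c: expire == 0 is never "expired". */
static int acct_quoted(const struct aging *a, long days) {
    return a->expire > 0 && days > a->expire;
}
/* Account expiry with the ">= 0" change from the reply. */
static int acct_reply(const struct aging *a, long days) {
    return a->expire >= 0 && days > a->expire;
}
/* Password expiry as proposed in the quoted message. */
static int pw_quoted(const struct aging *a, long days) {
    return a->lstchg == 0 || (a->max > 0 && days > a->lstchg + a->max);
}
/* Password expiry as proposed in the reply. */
static int pw_reply(const struct aging *a, long days) {
    return a->lstchg >= 0 && a->max >= 0 && days > a->lstchg + a->max;
}

/* Constructed sample entries; TODAY is a constructed day number. */
#define TODAY 11223L
static const struct aging samples[] = {
    { 11000, 90, -1 },  /* password older than sp_max */
    {     0, -1, -1 },  /* sp_lstchg == 0, no maximum age */
    { 11200,  0, -1 },  /* sp_max == 0 */
    { 11200, 90,  0 },  /* sp_expire == 0 */
    {    -1, -1, -1 },  /* nothing set */
};

int main(void) {
    size_t i;
    puts("lstchg   max expire | acct q/r | pw q/r");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct aging *a = &samples[i];
        printf("%6ld %5ld %6ld |   %d/%d    |  %d/%d\n", a->lstchg, a->max, a->expire,
               acct_quoted(a, TODAY), acct_reply(a, TODAY),
               pw_quoted(a, TODAY), pw_reply(a, TODAY));
    }
    return 0;
}
```

In the output, 1 means the check would refuse the login; the second, third and fourth rows are the ones where the two forms give different answers.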