password aging and account lock checks
Kevin Steves
stevesk at sweden.hp.com
Mon Sep 25 02:07:09 EST 2000
On Sat, 23 Sep 2000, Damien Miller wrote:
: > sp_lstchg is set to 0. The above code does not catch that. So
: > it seems we want something like this (untested):
: >
: >     /* Check password expiry */
: >     if (spw->sp_lstchg == 0 || (spw->sp_max > 0 &&
: >         days > spw->sp_lstchg + spw->sp_max)) {
: >             debug("Password for user \"%.200s\" expired",
: >                 pw->pw_name);
: >             return 0;
: >     }
:
: How about:
:
:     if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
:         (days > (spw->sp_lstchg + spw->sp_max)))
:             return 0;
I wrote it as an or because I thought it might be possible for sp_max to
be "undefined" or -1, and I still wanted sp_lstchg==0 to match for
password expired.

The HP-UX manpage claims getspent() is conformant to SVID3 so it seems
we'll have to examine that to answer some of these questions.
: > I'd like to look at building a password abstraction layer where all the
: > platform dependent password code resides. This includes various
: > interfaces to shadow and protected password information, password aging,
: > and password formats (crypt(), bigcrypt(), MD5). This will serve to
: > clean up auth-passwd.c and auth.c and probably some other stuff.
: >
: > Is this a good direction?
:
: I think so, this sort of abstraction (in the form of loginrec.c) has
: already made life much simpler. It may be of use for other projects
: as well.
I plan to work on this.
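
The two expiry conditions quoted in this message do not agree on every shadow entry. The following is an added example, not code from the thread or from OpenSSH, that runs both over constructed values; the `struct aging` stand-in, the sample numbers, and the use of -1 for an "undefined" field are assumptions.

```c
#include <stdio.h>

/* Stand-in for the three values the thread's checks read; a real caller
 * would take sp_lstchg and sp_max from struct spwd (getspnam()). */
struct aging {
    const char *label;
    long sp_lstchg;  /* day of last change, in days since the epoch */
    long sp_max;     /* maximum password age in days */
    long days;       /* today, in days since the epoch */
};

/* The "or" form quoted first in the thread: sp_lstchg == 0 alone expires. */
static int expired_or_form(const struct aging *a)
{
    return a->sp_lstchg == 0 ||
        (a->sp_max > 0 && a->days > a->sp_lstchg + a->sp_max);
}

/* The "and" form suggested in reply: both fields must be non-negative. */
static int expired_and_form(const struct aging *a)
{
    return a->sp_lstchg >= 0 && a->sp_max >= 0 &&
        a->days > a->sp_lstchg + a->sp_max;
}

/* Constructed sample entries; -1 models an "undefined" field (assumption). */
static const struct aging samples[] = {
    { "changed recently",        10950, 90, 11000 },
    { "older than sp_max",       10900, 90, 11000 },
    { "lstchg 0, sp_max unset",      0, -1, 11000 },
    { "lstchg 0, sp_max 90",         0, 90, 11000 },
    { "sp_max 0",                10950,  0, 11000 },
    { "lstchg unset, sp_max 90",    -1, 90, 11000 },
};

int main(void)
{
    size_t i;
    printf("%-26s %-8s %s\n", "entry", "or-form", "and-form");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-26s %-8d %d\n", samples[i].label,
            expired_or_form(&samples[i]), expired_and_form(&samples[i]));
    return 0;
}
```

The two forms disagree on three of the six rows: `sp_lstchg` of 0 with `sp_max` unset, `sp_max` of 0, and `sp_lstchg` unset with a positive `sp_max`.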