expire checks

Kevin Steves kevin at atomicgears.com
Fri Apr 26 12:41:28 EST 2002


i'm working on this.  this is what i have now.  sp_inact is not handled
consistently across shadow platforms, so i'm going to not address that
right now.  the following is the predecessor to bug14.

what is the timeframe for 3.2.1p1?  markus suggested a few more weeks.

Index: auth.c
===================================================================
RCS file: /var/cvs/openssh/auth.c,v
retrieving revision 1.51
diff -u -r1.51 auth.c
--- auth.c	22 Mar 2002 03:08:31 -0000	1.51
+++ auth.c	24 Apr 2002 19:51:00 -0000
@@ -80,18 +80,35 @@
 	if (!pw || !pw->pw_name)
 		return 0;

+#define	DAY		(24L * 60 * 60) /* 1 day in seconds */
 	spw = getspnam(pw->pw_name);
 	if (spw != NULL) {
-		int days = time(NULL) / 86400;
+		time_t today = time(NULL) / DAY;
+		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
+		    " sp_max %d", (int)today, (int)spw->sp_expire,
+		    (int)spw->sp_lstchg, (int)spw->sp_max);

-		/* Check account expiry */
-		if ((spw->sp_expire >= 0) && (days > spw->sp_expire))
+		/*
+		 * We assume account and password expiration occurs the
+		 * day after the day specified.
+		 */
+		if (spw->sp_expire != -1 && today > spw->sp_expire) {
+			log("Account %.100s has expired", pw->pw_name);
 			return 0;
+		}

-		/* Check password expiry */
-		if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
-		    (days > (spw->sp_lstchg + spw->sp_max)))
+		if (spw->sp_lstchg == 0) {
+			log("User %.100s password has expired (root forced)",
+			    pw->pw_name);
 			return 0;
+		}
+
+		if (spw->sp_max != -1 &&
+		    today > spw->sp_lstchg + spw->sp_max) {
+			log("User %.100s password has expired (password aged)",
+			    pw->pw_name);
+			return 0;
+		}
 	}
 #else
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
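Review bot: The password-aging test `today > spw->sp_lstchg + spw->sp_max` no longer guards against an unset `sp_lstchg`: the removed code required `sp_lstchg >= 0` and `sp_max >= 0`, while the new code only excludes `sp_max == -1` and `sp_lstchg == 0`. If a platform reports a missing last-change field as -1 (presumably the same convention the patch relies on for `sp_expire` and `sp_max`), an account with a finite `sp_max` below the current day number is refused as "password aged". This fails closed, so the effect is a lockout rather than a bypass, but it is a regression from the old behaviour; consider starting that condition with `if (spw->sp_lstchg != -1 && spw->sp_max != -1 &&`. The same applies to `sp_expire` values below -1, which the old `>= 0` test skipped and the new `!= -1` test treats as expired. The enclosing function starts before and continues after this hunk.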



