SSHD 3.7.1p2 on HP-UX
Michael Steffens
michael.steffens at hp.com
Tue Oct 7 16:26:24 EST 2003
Hi Darren,
looks fine besides one little detail, see below
Darren Tucker wrote:
> Hi All.
> Attached is a smallish patch against -current to prevent the
> expires-every-day behaviour on Trusted HP-UX systems. Credit goes to
> Michael for figuring this one out.
>
> That section of code will need to be tidied up when the password expiry
> patches go in anyway, currently I'm interested in making the snapshots
> work for people using HP-UX. Is this patch OK until then?
>
> For those of you using 3.7.1p2 on HP-UX, I have a patch that contains
> only HP-UX fixes against 3.7.1p2. It patches configure too so you don't
> need autoconf, just apply it to 3.7.1p2 and you should be good to go.
>
> http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch
>
>
>
> ------------------------------------------------------------------------
>
> Index: auth.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
> retrieving revision 1.78
> diff -u -p -r1.78 auth.c
> --- auth.c 2 Oct 2003 06:12:36 -0000 1.78
> +++ auth.c 7 Oct 2003 05:42:42 -0000
> @@ -90,6 +90,7 @@ allowed_user(struct passwd * pw)
> #ifdef HAS_SHADOW_EXPIRE
> #define DAY (24L * 60 * 60) /* 1 day in seconds */
> if (!options.use_pam && spw != NULL) {
> + int disabled = 0;
> time_t today;
>
> today = time(NULL) / DAY;
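Review bot: the name on the added `int disabled = 0;` line is ambiguous inside allowed_user(), where it can be read as "the account is disabled" rather than "password expiry is disabled". Consider renaming it to something like expiry_disabled or adding a short comment at the declaration, since in the visible hunks it is declared for every HAS_SHADOW_EXPIRE build but only ever set inside the __hpux block.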
> @@ -106,13 +107,19 @@ allowed_user(struct passwd * pw)
> return 0;
> }
>
> - if (spw->sp_lstchg == 0) {
> +#if defined(__hpux) && !defined(HAVE_SECUREWARE)
> + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 &&
> + spw->sp_warn == 0)
> + disabled = 1; /* Trusted Mode: expiry disabled */
> +#endif
> +
> + if (!disabled && spw->sp_lstchg == 0) {
> logit("User %.100s password has expired (root forced)",
> pw->pw_name);
> return 0;
> }
>
> - if (spw->sp_max != -1 &&
> + if (!disabled && spw->sp_max != -1 && spw->sp_max != 0 &&
The test sp_max != 0 is not required here for trusted systems
any more, as the "disabled" flag already catches it. But it changes
behaviour for other shadow setups. I would suggest removing it.
> today > spw->sp_lstchg + spw->sp_max) {
> logit("User %.100s password has expired (password aged)",
> pw->pw_name);
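Review bot: the `!disabled` guard added to the `spw->sp_lstchg == 0` test switches off the "root forced" expiry check as well as the aged-password check for any Trusted Mode account whose sp_min, sp_max and sp_warn are all 0. If that is intended, the comment at `disabled = 1` should say that both checks are skipped and why an all-zero triple is taken to mean expiry is off. Separately, with `!disabled` already in the last condition, the added `spw->sp_max != 0` term is not needed for the HP-UX case and changes the result on every other HAS_SHADOW_EXPIRE platform, so it should be dropped from this patch.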