locking accounts when non-password authentication

Philip Hands phil at hands.com
Thu Nov 25 21:37:23 EST 1999


Markus Friedl <Markus.Friedl at informatik.uni-erlangen.de> writes:

> On Tue, Nov 23, 1999 at 11:47:47PM +0000, Philip Hands wrote:
> > Failing that, it looks like we need to put some code in sshd.c or some
> > of the auth-*.c files to deal with /etc/shadow passwords, and check
> > them to see if they start with ``*LK*''.
> 
> don't mess with auth-*.c, sshd.c:allowed_user() is the place to add
> things like this.

I thought that was probably the case, in which case this patch
seems to do the trick:

--- openssh-1.2pre14.orig/sshd.c
+++ openssh-1.2pre14/sshd.c
@@ -36,6 +36,10 @@
 # include <maillock.h>
 #endif
 
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif /* HAVE_SHADOW_H */
+
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
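Review bot: the new include is guarded by HAVE_SHADOW_H, but nothing in this patch defines that macro, so unless the build-system check that sets it arrives in a separate change, the whole shadow path added to allowed_user() compiles out silently with no warning; the configure change that tests for <shadow.h> (and getspnam()) belongs in the same patch so the two cannot be applied apart. Minor style point: the neighbouring line reads `# include <maillock.h>` while the added lines use `#include <shadow.h>`; either form is fine, but pick the one already used in this block.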
@@ -1100,13 +1104,49 @@
 {
   struct group *grp;
   int i;
+#ifdef HAVE_SHADOW_H
+  struct spwd *spw = NULL;
+#endif /* HAVE_SHADOW_H */
 
   /* Shouldn't be called if pw is NULL, but better safe than sorry... */
   if (!pw)
     return 0;
 
+#ifdef HAVE_SHADOW_H
+  if (!strcmp(pw->pw_passwd, "x")) {
+    spw = getspnam(pw->pw_name);
+  }
+  if (spw != NULL) { /* we have a shadow entry, let's check it */
+    /* perhaps we should be checking all the expired acount stuff here,
+       but I'd have thought that only applies to the password.
+       I wonder how an admin is supposed to expire an RSA key... */
+
+    /* check for either of the symptoms of a locked account */
+    if (spw->sp_pwdp[0] == '!' || !strncmp(spw->sp_pwdp, "*LK*", 4)) {
+      debug("account for \"%.200s\" locked by admin, bailing out",
+            pw->pw_name);
+      return 0;
+    }
+  } else {
+#endif /* HAVE_SHADOW_H */
+    /* In the case of shadow passwords, this is checked only if the shadow
+     * entry doesn't exist. Without shadow passwords, we simply check it
+     * all the time.
+     */

+    if (pw->pw_passwd[0] == '!' || !strncmp(pw->pw_passwd, "*LK*", 4)) {
+      debug("account for \"%.200s\" locked by admin, bailing out",
+            pw->pw_name);
+      return 0;
+    }
+#ifdef HAVE_SHADOW_H
+  }
+  debug("completed shadow checks in allowed_user");
+
+#endif /* HAVE_SHADOW_H */
+
   /* XXX Should check for valid login shell */
 
+
   /* Return false if user is listed in DenyUsers */
   if (options.num_deny_users > 0)
     {
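Review bot: the shadow lookup is only attempted when the passwd field is exactly "x" (`if (!strcmp(pw->pw_passwd, "x"))`), so on a system whose /etc/passwd placeholder is anything else getspnam() is never called and a lock mark that lives only in /etc/shadow is not seen; calling getspnam(pw->pw_name) unconditionally under HAVE_SHADOW_H and treating a NULL result as "no shadow entry" covers both cases with less code. The brace structure also straddles the preprocessor guard (the `} else {` sits inside one `#ifdef HAVE_SHADOW_H` and its closing brace inside a second one), which is hard to read and easy to break on the next edit; resolving the field to inspect first (start with pw->pw_passwd, override it with spw->sp_pwdp when a shadow entry exists) and then running a single '!' / "*LK*" test removes both the duplicated check and the interleaved braces. Two small things: `debug("completed shadow checks in allowed_user")` reads as leftover tracing that should go before this is committed, and "acount" in the comment is a typo.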

=-=-=-=-=-=-=-

The only problem with this is that it makes RSA authentication fall
back to password authentication, which seems a bit pointless to me,
given that they are all going to fail as well.

Cheers, Phil.
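As an added illustration, not part of Phil's patch or of OpenSSH, the lock test from allowed_user() pulled out into a standalone function that can be exercised without a real shadow database. It applies the two conventions the patch checks (a leading '!' or a leading "*LK*") and the patch's rule for choosing which field to inspect (the shadow field when the passwd field is the "x" placeholder and a shadow entry exists, otherwise the passwd field). The entries and the names `account_is_locked`, `resolve_hash` and `account_allowed` are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not OpenSSH code): returns 1 when the
 * stored password field carries either lock mark the patch looks for, a
 * leading '!' or a leading "*LK*", and 0 otherwise. A NULL or empty field
 * is reported as not locked, which is how the patch behaves too, since it
 * only ever inspects the first bytes of the field. */
int account_is_locked(const char *pw_field)
{
    if (pw_field == NULL || pw_field[0] == '\0')
        return 0;
    if (pw_field[0] == '!')
        return 1;
    if (strncmp(pw_field, "*LK*", 4) == 0)
        return 1;
    return 0;
}

/* Hypothetical helper: decide which field to examine, mirroring the patch.
 * When the passwd field is the shadow placeholder "x" and a shadow field
 * is available, the shadow field is authoritative; in every other case the
 * passwd field itself is checked (including "x" with no shadow entry). */
const char *resolve_hash(const char *passwd_field, const char *shadow_field)
{
    if (passwd_field != NULL && strcmp(passwd_field, "x") == 0 &&
        shadow_field != NULL)
        return shadow_field;
    return passwd_field;
}

/* Hypothetical helper: 1 if the account passes the lock check, 0 if not. */
int account_allowed(const char *passwd_field, const char *shadow_field)
{
    return !account_is_locked(resolve_hash(passwd_field, shadow_field));
}

int main(void)
{
    /* Constructed sample entries: name, passwd field, shadow field (NULL
     * means no shadow entry). The hashes are placeholders, not real ones. */
    struct {
        const char *name;
        const char *passwd;
        const char *shadow;
    } samples[] = {
        { "alice", "x",              "$1$salt$placeholderhash"  }, /* allowed */
        { "bob",   "x",              "!$1$salt$placeholderhash" }, /* locked with '!' */
        { "carol", "x",              "*LK*"                     }, /* locked, SysV style */
        { "dave",  "!$1$salt$hash",  NULL                       }, /* no shadow, lock in passwd */
        { "erin",  "x",              NULL                       }, /* "x" but no shadow entry */
        { "frank", "*",              NULL                       }, /* "*" alone is not a lock mark here */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-6s %s\n", samples[i].name,
               account_allowed(samples[i].passwd, samples[i].shadow)
                   ? "allowed" : "locked by admin");
    return 0;
}
```

The "frank" row is the caveat worth keeping in mind: a field consisting only of "*" passes this check, exactly as it passes the patch's, because neither convention being tested covers it; whatever lock convention the local system actually uses has to be the one the check is written for.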
