Solaris 8 password inactivity with openssh
Darren Tucker
dtucker at zip.com.au
Thu Nov 10 08:37:12 EST 2005
On Wed, Nov 09, 2005 at 08:24:05AM -0800, Iain Morgan wrote:
> As I recall, support for the inactive field in OpenSSH's password aging was
> deliberately excluded due to inconsistent handling of that field on various
> OS's.
I dug through the archives and found this comment to that effect:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101979007119723
but I'm not sure what platforms have which behaviour.
> There is a comment in auth-shadow.c indicating that this is a TODO itme.
I put that there when I converted the code from being imbedded in
auth-passwd.c when I noticed it wasn't handled. The attached patch adds
it (against post-4.2 tree but will probably apply to 4.2p1 and 4.1p1).
Tested only on Linux.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth-passwd.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v
retrieving revision 1.80
diff -u -p -r1.80 auth-passwd.c
--- auth-passwd.c 26 Jul 2005 11:54:12 -0000 1.80
+++ auth-passwd.c 9 Nov 2005 21:18:53 -0000
@@ -74,7 +74,7 @@ auth_password(Authctxt *authctxt, const
struct passwd * pw = authctxt->pw;
int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
- static int expire_checked = 0;
+ static int expire_checked = -1;
#endif
#ifndef HAVE_CYGWIN
@@ -107,11 +107,12 @@ auth_password(Authctxt *authctxt, const
return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
- if (!expire_checked) {
- expire_checked = 1;
- if (auth_shadow_pwexpired(authctxt))
- authctxt->force_pwchange = 1;
- }
+ if (expire_checked == -1)
+ expire_checked = auth_shadow_pwexpired(authctxt);
+ if (expire_checked == 1)
+ authctxt->force_pwchange = 1;
+ else if (expire_checked == 2)
+ ok = 0; /* expired too long */
#endif
result = sys_auth_passwd(authctxt, password);
if (authctxt->force_pwchange)
Index: auth-shadow.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-shadow.c,v
retrieving revision 1.7
diff -u -p -r1.7 auth-shadow.c
--- auth-shadow.c 17 Jul 2005 07:04:47 -0000 1.7
+++ auth-shadow.c 9 Nov 2005 21:15:22 -0000
@@ -78,7 +78,8 @@ auth_shadow_acctexpired(struct spwd *spw
/*
* Checks password expiry for platforms that use shadow passwd files.
- * Returns: 1 = password expired, 0 = password not expired
+ * Returns: 0 = password not expired, 1 = password expired,
+ * 2 = password expired too long to be changed.
*/
int
auth_shadow_pwexpired(Authctxt *ctxt)
@@ -95,8 +96,9 @@ auth_shadow_pwexpired(Authctxt *ctxt)
}
today = time(NULL) / DAY;
- debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
- (int)spw->sp_lstchg, (int)spw->sp_max);
+ debug3("%s: today %d sp_lstchg %d sp_max %d sp_inact %d", __func__,
+ (int)today, (int)spw->sp_lstchg, (int)spw->sp_max,
+ (int)spw->sp_inact);
#if defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec()) {
@@ -113,7 +115,6 @@ auth_shadow_pwexpired(Authctxt *ctxt)
}
#endif
- /* TODO: check sp_inact */
daysleft = spw->sp_lstchg + spw->sp_max - today;
if (disabled) {
debug3("password expiration disabled");
@@ -122,6 +123,9 @@ auth_shadow_pwexpired(Authctxt *ctxt)
return 1;
} else if (spw->sp_max == -1) {
debug3("password expiration disabled");
+ } else if (spw->sp_inact > 0 && daysleft - spw->sp_inact < 0) {
+ logit("User %.100s password expired too long", user);
+ return 2;
} else if (daysleft < 0) {
logit("User %.100s password has expired (password aged)", user);
return 1;
More information about the openssh-unix-dev
mailing list