- (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>
 - (djm) Added password expiry checking (no password change support)
diff --git a/CREDITS b/CREDITS
index 0fd0049..c472261 100644
--- a/CREDITS
+++ b/CREDITS
@@ -3,9 +3,10 @@
 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 
 Theo de Raadt, and Dug Song - Creators of OpenSSH
 
-Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
 Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
+Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
 Andrew McGill <andrewm@datrix.co.za> - SCO fixes
+Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
 Andy Sloane <andy@guildsoftware.com> - bugfixes
 Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes
 Ben Lindstrom <mouring@pconline.com> - NeXT support
@@ -35,7 +36,7 @@
 Jani Hakala <jahakala@cc.jyu.fi> - Patches
 Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes
 Jim Knoble <jmknoble@pobox.com> - Many patches
-jonchen (email unknown) - the original author of PAM support of SSH
+Jonchen (email unknown) - the original author of PAM support of SSH
 Juergen Keil <jk@tools.de> - scp bugfixing
 Kees Cook <cook@cpoint.net> - scp fixes
 Kenji Miyake <kenji@miyake.org> - Configure fixes
diff --git a/ChangeLog b/ChangeLog
index a5d6cd0..a418980 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 20000626
  - (djm) Better fix to aclocal tests from Garrick James <garrick@james.net>
+ - (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>
+ - (djm) Added password expiry checking (no password change support)
  - OpenBSD CVS update
    - provos@cvs.openbsd.org  2000/06/25 14:17:58
      [channels.c]
diff --git a/acconfig.h b/acconfig.h
index 9b8c3f2..20211a0 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -133,6 +133,9 @@
 /* Define if you want to disable shadow passwords */
 #undef DISABLE_SHADOW
 
+/* Define if you want to use shadow password expire field */
+#undef HAS_SHADOW_EXPIRE
+
 /* Define if you want have trusted HPUX */
 #undef HAVE_HPUX_TRUSTED_SYSTEM_PW
 
diff --git a/auth.c b/auth.c
index 685b8bb..bf5306b 100644
--- a/auth.c
+++ b/auth.c
@@ -22,6 +22,9 @@
 #ifdef HAVE_LOGIN_H
 #include <login.h>
 #endif
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#include <shadow.h>
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
 
 #include "bufaux.h"
 #include "ssh2.h"
@@ -53,11 +56,32 @@
 #ifdef WITH_AIXAUTHENTICATE
 	char *loginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
+	defined(HAS_SHADOW_EXPIRE)
+  struct spwd *spw;
 
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
 	if (!pw)
 		return 0;
 
+	spw = getspnam(pw->pw_name);
+	if (spw == NULL)
+		return 0;
+	
+	/* Check account expiry */
+	if ((spw->sp_expire > 0) && ((time(NULL) / 86400) > spw->sp_expire))
+		return 0;
+
+	/* Check password expiry */
+	if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && 
+		((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_inact)))
+		return 0;
+#else
+	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
+	if (!pw)
+		return 0;
+#endif
+
 	/*
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.
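Review bot: The password-expiry test adds `sp_inact` to `sp_lstchg`, but `sp_inact` is the grace period after a password has already expired, while the maximum password age is held in `sp_max`. As written, an account with only a maximum age set is never refused, and one with a small inactivity value is refused that many days after the last change. The condition should read `(spw->sp_lstchg > 0) && (spw->sp_max > 0) && ((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_max))`, with `sp_inact` added on top only if the grace period is meant to be honoured. Separately, `if (spw == NULL) return 0;` refuses every user that has no shadow entry, which may be intended as fail-closed but deserves a comment or a log line so that the refusal can be diagnosed. The function starts and ends outside this hunk.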
diff --git a/configure.in b/configure.in
index d9a87d8..ca433e5 100644
--- a/configure.in
+++ b/configure.in
@@ -236,6 +236,8 @@
 
 	AC_CHECK_FUNCS(pam_getenvlist)
 
+	disable_shadow=yes
+
 	PAM_MSG="yes"
 
 	# Check PAM strerror arguments (old PAM)
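Review bot: Setting `disable_shadow=yes` inside the PAM branch switches off the shadow-expiry probe without saying why, and the name suggests that `DISABLE_SHADOW` gets defined, which this line does not do. Presumably the intent is that PAM's own account management enforces expiry, so the native check is skipped; a comment such as `# PAM does its own account/password expiry checks; skip the sp_expire probe below` would make that explicit. It is worth confirming that the PAM authentication path actually performs the account check, since otherwise a PAM build gets no expiry enforcement from this change. The enclosing block starts and ends outside the hunk.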
@@ -933,10 +935,30 @@
 	[
 		if test "x$withval" = "xno" ; then	
 			AC_DEFINE(DISABLE_SHADOW)
+			disable_shadow=yes
 		fi
 	]
 )
 
+if test -z "$disable_shadow" ; then
+	AC_MSG_CHECKING([if the systems has expire shadow information])
+	AC_TRY_COMPILE(
+	[
+#include <sys/types.h>
+#include <shadow.h>
+	struct spwd sp;
+	],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ],
+	[ sp_expire_available=yes ], []
+	)
+
+	if test "x$sp_expire_available" = "xyes" ; then
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAS_SHADOW_EXPIRE)
+	else
+		AC_MSG_RESULT(no)
+	fi
+fi
+
 # Use ip address instead of hostname in $DISPLAY
 DISPLAY_HACK_MSG="no" 
 AC_ARG_WITH(ipaddr-display,
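Review bot: The `AC_MSG_CHECKING` text "if the systems has expire shadow information" is ungrammatical; `AC_MSG_CHECKING([if the system has shadow expiry information])` reads better in configure output. The probe assigns `sp_expire`, `sp_lstchg` and `sp_inact` but not `sp_max`, the field that holds the maximum password age, so a check built on `sp_max` would not be covered by `HAS_SHADOW_EXPIRE`. Extending the assignment to `sp.sp_expire = sp.sp_lstchg = sp.sp_inact = sp.sp_max = 0;` would cover it. The test also appears to run whether or not `shadow.h` was found, which only yields a "no" but could be guarded on the header check.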