- (djm) Bug #442: Check for and deny access to accounts with locked
passwords. Patch from dtucker@zip.com.au
diff --git a/ChangeLog b/ChangeLog
index 0c6e463..3be46f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
20030107
- (djm) Bug #401: Work around Linux breakage with IPv6 mapped addresses.
Based on fix from yoshfuji@linux-ipv6.org
+ - (djm) Bug #442: Check for and deny access to accounts with locked
+ passwords. Patch from dtucker@zip.com.au
20030103
- (djm) Bug #461: ssh-copy-id fails with no arguments. Patch from
@@ -929,4 +931,4 @@
save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@
-$Id: ChangeLog,v 1.2541 2003/01/06 23:51:23 djm Exp $
+$Id: ChangeLog,v 1.2542 2003/01/07 01:19:32 djm Exp $
diff --git a/auth.c b/auth.c
index ee00128..0e79109 100644
--- a/auth.c
+++ b/auth.c
@@ -72,20 +72,23 @@
allowed_user(struct passwd * pw)
{
struct stat st;
- const char *hostname = NULL, *ipaddr = NULL;
+ const char *hostname = NULL, *ipaddr = NULL, *passwd;
char *shell;
int i;
#ifdef WITH_AIXAUTHENTICATE
char *loginmsg;
#endif /* WITH_AIXAUTHENTICATE */
#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
- !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
struct spwd *spw;
+#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;
+#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
+ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#define DAY (24L * 60 * 60) /* 1 day in seconds */
spw = getspnam(pw->pw_name);
if (spw != NULL) {
@@ -116,12 +119,20 @@
return 0;
}
}
-#else
- /* Shouldn't be called if pw is NULL, but better safe than sorry... */
- if (!pw || !pw->pw_name)
- return 0;
#endif
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+ passwd = spw->sp_pwdp;
+#else
+ passwd = pw->pw_passwd;
+#endif
+ /* check for locked account */
+ if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
+ log("User %.100s not allowed because account is locked",
+ pw->pw_name);
+ return 0;
+ }
+
/*
* Get the shell from the password data. An empty shell field is
* legal, and means /bin/sh.