- (djm) Bug #442: Check for and deny access to accounts with locked
   passwords. Patch from dtucker@zip.com.au
diff --git a/ChangeLog b/ChangeLog
index 0c6e463..3be46f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 20030107
  - (djm) Bug #401: Work around Linux breakage with IPv6 mapped addresses. 
    Based on fix from yoshfuji@linux-ipv6.org
+ - (djm) Bug #442: Check for and deny access to accounts with locked 
+   passwords. Patch from dtucker@zip.com.au
 
 20030103
  - (djm) Bug #461: ssh-copy-id fails with no arguments. Patch from 
@@ -929,4 +931,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2541 2003/01/06 23:51:23 djm Exp $
+$Id: ChangeLog,v 1.2542 2003/01/07 01:19:32 djm Exp $
diff --git a/auth.c b/auth.c
index ee00128..0e79109 100644
--- a/auth.c
+++ b/auth.c
@@ -72,20 +72,23 @@
 allowed_user(struct passwd * pw)
 {
 	struct stat st;
-	const char *hostname = NULL, *ipaddr = NULL;
+	const char *hostname = NULL, *ipaddr = NULL, *passwd;
 	char *shell;
 	int i;
 #ifdef WITH_AIXAUTHENTICATE
 	char *loginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-	!defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 	struct spwd *spw;
+#endif
 
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
 	if (!pw || !pw->pw_name)
 		return 0;
 
+#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
+    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 #define	DAY		(24L * 60 * 60) /* 1 day in seconds */
 	spw = getspnam(pw->pw_name);
 	if (spw != NULL) {
@@ -116,12 +119,20 @@
 			return 0;
 		}
 	}
-#else
-	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
-	if (!pw || !pw->pw_name)
-		return 0;
 #endif
 
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+	passwd = spw->sp_pwdp;
+#else
+	passwd = pw->pw_passwd;
+#endif
+	/* check for locked account */
+	if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
+		log("User %.100s not allowed because account is locked",
+		    pw->pw_name);
+		return 0;
+	}
+
 	/*
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.
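Review bot: `passwd = spw->sp_pwdp;` dereferences `spw` unconditionally, yet the context directly above (`spw = getspnam(pw->pw_name); if (spw != NULL) {`) shows the same function already treats a NULL `getspnam()` result as a normal case, so a user with no shadow entry, or an sshd that cannot read the shadow file, would now crash the daemon inside allowed_user rather than be accepted or denied. The `#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)` guard on the new block is also looser than the guard that declares `spw` in the previous hunk (which additionally requires `!defined(USE_PAM)` and `HAS_SHADOW_EXPIRE`), so a build with PAM enabled and shadow headers present appears to reference an undeclared variable; the guards should match. `sp_pwdp` / `pw_passwd` may presumably be NULL on some platforms as well, so the `strcmp()` / `passwd[0]` test should be skipped for a NULL pointer instead of assuming a string. allowed_user continues past the end of this hunk.
```c
	/* … unchanged: shadow expiry checks … */
	passwd = NULL;
#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	/* spw is NULL when there is no shadow entry or it is unreadable */
	if (spw != NULL)
		passwd = spw->sp_pwdp;
#endif
	if (passwd == NULL)
		passwd = pw->pw_passwd;
	/* check for locked account; a missing password field is not "locked" */
	if (passwd != NULL &&
	    (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!')) {
		log("User %.100s not allowed because account is locked",
		    pw->pw_name);
		return 0;
	}
	/* … unchanged: shell lookup … */
```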