- (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
native password expiry.
diff --git a/ChangeLog b/ChangeLog
index 55031f7..20f1ec0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20040210
+ - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
+ openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
+ native password expiry.
+
20040207
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2004/02/06 23:41:13
@@ -1820,4 +1825,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3217 2004/02/07 01:29:39 dtucker Exp $
+$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $
diff --git a/auth-passwd.c b/auth-passwd.c
index 5cc8815..a58dc04 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -43,14 +43,11 @@
#include "servconf.h"
#include "auth.h"
#include "auth-options.h"
-#ifdef WITH_AIXAUTHENTICATE
-# include "canohost.h"
-#endif
extern ServerOptions options;
int sys_auth_passwd(Authctxt *, const char *);
-static void
+void
disable_forwarding(void)
{
no_port_forwarding_flag = 1;
@@ -121,14 +118,7 @@
return (auth_close(as));
}
}
-#elif defined(WITH_AIXAUTHENTICATE)
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
- return (aix_authenticate(authctxt->pw->pw_name, password,
- get_canonical_hostname(options.use_dns)));
-}
-#else
+#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
diff --git a/auth.h b/auth.h
index c51717f..b39e48d 100644
--- a/auth.h
+++ b/auth.h
@@ -123,6 +123,7 @@
#endif /* KRB5 */
#include "auth-pam.h"
+void disable_forwarding(void);
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 6fc2ef7..a5511bb 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -98,10 +98,10 @@
* returns 0.
*/
int
-aix_authenticate(const char *name, const char *password, const char *host)
+sys_auth_passwd(Authctxt *ctxt, const char *password)
{
- char *authmsg = NULL, *msg;
- int authsuccess = 0, reenter, result;
+ char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name;
+ int authsuccess = 0, expired, reenter, result;
do {
result = authenticate((char *)name, (char *)password, &reenter,
@@ -114,7 +114,12 @@
if (result == 0) {
authsuccess = 1;
- /* No pty yet, so just label the line as "ssh" */
+ host = (char *)get_canonical_hostname(options.use_dns);
+
+ /*
+ * Record successful login. We don't have a pty yet, so just
+ * label the line as "ssh"
+ */
aix_setauthdb(name);
if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
if (msg != NULL) {
@@ -123,6 +128,32 @@
xfree(msg);
}
}
+
+ /*
+ * Check if the user's password is expired.
+ */
+ expired = passwdexpired(name, &msg);
+ if (msg && *msg) {
+ buffer_append(&loginmsg, msg, strlen(msg));
+ aix_remove_embedded_newlines(msg);
+ }
+ debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
+
+ switch (expired) {
+ case 0: /* password not expired */
+ break;
+ case 1: /* expired, password change required */
+ ctxt->force_pwchange = 1;
+ disable_forwarding();
+ break;
+ default: /* user can't change(2) or other error (-1) */
+ logit("Password can't be changed for user %s: %.100s",
+ name, msg);
+ if (msg)
+ xfree(msg);
+ authsuccess = 0;
+ }
+
aix_restoreauthdb();
}
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 930b3f2..ef03661 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.18 2004/02/10 01:50:20 dtucker Exp $ */
/*
*
@@ -36,6 +36,9 @@
# include <usersec.h>
#endif
+/* For Authctxt */
+#include "auth.h"
+
/* Some versions define r_type in the above headers, which causes a conflict */
#ifdef r_type
# undef r_type
@@ -62,11 +65,12 @@
void aix_usrinfo(struct passwd *);
#ifdef WITH_AIXAUTHENTICATE
+# define CUSTOM_SYS_AUTH_PASSWD 1
+int sys_auth_passwd(Authctxt *, const char *);
# define CUSTOM_FAILED_LOGIN 1
void record_failed_login(const char *, const char *);
#endif
-int aix_authenticate(const char *, const char *, const char *);
void aix_setauthdb(const char *);
void aix_restoreauthdb(void);
void aix_remove_embedded_newlines(char *);