Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / e41bba584737f028579961ddf6669b6a768e47e7^! / . / auth.c
commite41bba584737f028579961ddf6669b6a768e47e7[log] [tgz]
authorDarren Tucker <dtucker@zip.com.au>Mon Aug 25 11:51:19 2003 +1000
committerDarren Tucker <dtucker@zip.com.au>Mon Aug 25 11:51:19 2003 +1000
tree65b6dba443b02b4ebfe6704162685e1f712643b4
parent5ade9abc37df3dacacbe20104877ca6dab61082a [diff] [blame]
 - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
   any access to locked accounts.  ok djm@

diff --git a/auth.c b/auth.c
index d4768a1..9a59e27 100644
--- a/auth.c
+++ b/auth.c

@@ -73,23 +73,25 @@
 allowed_user(struct passwd * pw)
 {
 	struct stat st;
-	const char *hostname = NULL, *ipaddr = NULL;
+	const char *hostname = NULL, *ipaddr = NULL, *passwd;
 	char *shell;
 	int i;
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
-    defined(HAS_SHADOW_EXPIRE)
-	struct spwd *spw;
-	time_t today;
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+	struct spwd *spw = NULL;
 #endif
 
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
 	if (!pw || !pw->pw_name)
 		return 0;
 
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
-    defined(HAS_SHADOW_EXPIRE)
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+	if (!options.use_pam)
+		spw = getspnam(pw->pw_name);
+#ifdef HAS_SHADOW_EXPIRE
 #define	DAY		(24L * 60 * 60) /* 1 day in seconds */
-	if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) {
+	if (!options.use_pam && spw != NULL) {
+		time_t today;
+
 		today = time(NULL) / DAY;
 		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
 		    " sp_max %d", (int)today, (int)spw->sp_expire,
@@ -117,8 +119,41 @@
 			return 0;
 		}
 	}
+#endif /* HAS_SHADOW_EXPIRE */
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+
+    	/* grab passwd field for locked account check */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+	if (spw != NULL)
+		passwd = spw->sp_pwdp;
+#else
+	passwd = pw->pw_passwd;
 #endif
 
+	/* check for locked account */ 
+	if (passwd && *passwd) {
+		int locked = 0;
+
+#ifdef LOCKED_PASSWD_STRING
+		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
+			 locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_PREFIX
+		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
+		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
+			 locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_SUBSTR
+		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
+			locked = 1;
+#endif
+		if (locked) {
+			logit("User %.100s not allowed because account is locked",
+			    pw->pw_name);
+			return 0;
+		}
+	}
+
 	/*
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.