- (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>

- (djm) Added password expiry checking (no password change support)

CREDITS

@@ -3,9 +3,10 @@ Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 
 Theo de Raadt, and Dug Song - Creators of OpenSSH
 
-Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
 Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
+Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
 Andrew McGill <andrewm@datrix.co.za> - SCO fixes
+Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
 Andy Sloane <andy@guildsoftware.com> - bugfixes
 Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes
 Ben Lindstrom <mouring@pconline.com> - NeXT support
@@ -35,7 +36,7 @@ IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes
 Jani Hakala <jahakala@cc.jyu.fi> - Patches
 Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes
 Jim Knoble <jmknoble@pobox.com> - Many patches
-jonchen (email unknown) - the original author of PAM support of SSH
+Jonchen (email unknown) - the original author of PAM support of SSH
 Juergen Keil <jk@tools.de> - scp bugfixing
 Kees Cook <cook@cpoint.net> - scp fixes
 Kenji Miyake <kenji@miyake.org> - Configure fixes

ChangeLog

@@ -1,5 +1,7 @@
 20000626
  - (djm) Better fix to aclocal tests from Garrick James <garrick@james.net>
+ - (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>
+ - (djm) Added password expiry checking (no password change support)
  - OpenBSD CVS update
    - provos@cvs.openbsd.org  2000/06/25 14:17:58
      [channels.c]

acconfig.h

@@ -133,6 +133,9 @@
 /* Define if you want to disable shadow passwords */
 #undef DISABLE_SHADOW
 
+/* Define if you want to use shadow password expire field */
+#undef HAS_SHADOW_EXPIRE
+
 /* Define if you want have trusted HPUX */
 #undef HAVE_HPUX_TRUSTED_SYSTEM_PW
 

auth.c

@@ -22,6 +22,9 @@ RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
 #ifdef HAVE_LOGIN_H
 #include <login.h>
 #endif
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#include <shadow.h>
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
 
 #include "bufaux.h"
 #include "ssh2.h"
@@ -53,11 +56,32 @@ allowed_user(struct passwd * pw)
 #ifdef WITH_AIXAUTHENTICATE
 	char *loginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
+	defined(HAS_SHADOW_EXPIRE)
+  struct spwd *spw;
 
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
 	if (!pw)
 		return 0;
 
+	spw = getspnam(pw->pw_name);
+	if (spw == NULL)
+		return 0;
+	
+	/* Check account expiry */
+	if ((spw->sp_expire > 0) && ((time(NULL) / 86400) > spw->sp_expire))
+		return 0;
+
+	/* Check password expiry */
+	if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && 
+		((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_inact)))
+		return 0;
+#else
+	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
+	if (!pw)
+		return 0;
+#endif
+
 	/*
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.

configure.in

@@ -236,6 +236,8 @@ if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; t
 
 	AC_CHECK_FUNCS(pam_getenvlist)
 
+	disable_shadow=yes
+
 	PAM_MSG="yes"
 
 	# Check PAM strerror arguments (old PAM)
@@ -933,10 +935,30 @@ AC_ARG_WITH(shadow,
 	[
 		if test "x$withval" = "xno" ; then	
 			AC_DEFINE(DISABLE_SHADOW)
+			disable_shadow=yes
 		fi
 	]
 )
 
+if test -z "$disable_shadow" ; then
+	AC_MSG_CHECKING([if the systems has expire shadow information])
+	AC_TRY_COMPILE(
+	[
+#include <sys/types.h>
+#include <shadow.h>
+	struct spwd sp;
+	],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ],
+	[ sp_expire_available=yes ], []
+	)
+
+	if test "x$sp_expire_available" = "xyes" ; then
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAS_SHADOW_EXPIRE)
+	else
+		AC_MSG_RESULT(no)
+	fi
+fi
+
 # Use ip address instead of hostname in $DISPLAY
 DISPLAY_HACK_MSG="no" 
 AC_ARG_WITH(ipaddr-display,