Factor out platform-specific locked account check.
Also fixes an incorrect free on platforms with both libiaf and shadow passwords (probably only Unixware). Prompted by github PR#284, originally from @c3h2_ctf and stoeckmann@.
This commit is contained in:
parent
d23efe4b12
commit
2923d026e5
46
auth.c
46
auth.c
|
@ -104,60 +104,16 @@ allowed_user(struct ssh *ssh, struct passwd * pw)
|
||||||
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
|
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
|
||||||
u_int i;
|
u_int i;
|
||||||
int r;
|
int r;
|
||||||
#ifdef USE_SHADOW
|
|
||||||
struct spwd *spw = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
||||||
if (!pw || !pw->pw_name)
|
if (!pw || !pw->pw_name)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
#ifdef USE_SHADOW
|
if (!options.use_pam && platform_locked_account(pw)) {
|
||||||
if (!options.use_pam)
|
|
||||||
spw = getspnam(pw->pw_name);
|
|
||||||
#ifdef HAS_SHADOW_EXPIRE
|
|
||||||
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
|
||||||
return 0;
|
|
||||||
#endif /* HAS_SHADOW_EXPIRE */
|
|
||||||
#endif /* USE_SHADOW */
|
|
||||||
|
|
||||||
/* grab passwd field for locked account check */
|
|
||||||
passwd = pw->pw_passwd;
|
|
||||||
#ifdef USE_SHADOW
|
|
||||||
if (spw != NULL)
|
|
||||||
#ifdef USE_LIBIAF
|
|
||||||
passwd = get_iaf_password(pw);
|
|
||||||
#else
|
|
||||||
passwd = spw->sp_pwdp;
|
|
||||||
#endif /* USE_LIBIAF */
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* check for locked account */
|
|
||||||
if (!options.use_pam && passwd && *passwd) {
|
|
||||||
int locked = 0;
|
|
||||||
|
|
||||||
#ifdef LOCKED_PASSWD_STRING
|
|
||||||
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
|
||||||
locked = 1;
|
|
||||||
#endif
|
|
||||||
#ifdef LOCKED_PASSWD_PREFIX
|
|
||||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
|
||||||
strlen(LOCKED_PASSWD_PREFIX)) == 0)
|
|
||||||
locked = 1;
|
|
||||||
#endif
|
|
||||||
#ifdef LOCKED_PASSWD_SUBSTR
|
|
||||||
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
|
|
||||||
locked = 1;
|
|
||||||
#endif
|
|
||||||
#ifdef USE_LIBIAF
|
|
||||||
free((void *) passwd);
|
|
||||||
#endif /* USE_LIBIAF */
|
|
||||||
if (locked) {
|
|
||||||
logit("User %.100s not allowed because account is locked",
|
logit("User %.100s not allowed because account is locked",
|
||||||
pw->pw_name);
|
pw->pw_name);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Deny if shell does not exist or is not executable unless we
|
* Deny if shell does not exist or is not executable unless we
|
||||||
|
|
51
platform.c
51
platform.c
|
@ -18,6 +18,7 @@
|
||||||
|
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
|
@ -197,3 +198,53 @@ platform_krb5_get_principal_name(const char *pw_name)
|
||||||
return NULL;
|
return NULL;
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* returns 1 if account is locked */
|
||||||
|
int
|
||||||
|
platform_locked_account(struct passwd *pw)
|
||||||
|
{
|
||||||
|
int locked = 0;
|
||||||
|
char *passwd = pw->pw_passwd;
|
||||||
|
#ifdef USE_SHADOW
|
||||||
|
struct spwd *spw = NULL;
|
||||||
|
#ifdef USE_LIBIAF
|
||||||
|
char *iaf_passwd = NULL;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
spw = getspnam(pw->pw_name);
|
||||||
|
#ifdef HAS_SHADOW_EXPIRE
|
||||||
|
if (spw != NULL && auth_shadow_acctexpired(spw))
|
||||||
|
return 1;
|
||||||
|
#endif /* HAS_SHADOW_EXPIRE */
|
||||||
|
|
||||||
|
if (spw != NULL)
|
||||||
|
#ifdef USE_LIBIAF
|
||||||
|
iaf_passwd = passwd = get_iaf_password(pw);
|
||||||
|
#else
|
||||||
|
passwd = spw->sp_pwdp;
|
||||||
|
#endif /* USE_LIBIAF */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* check for locked account */
|
||||||
|
if (passwd && *passwd) {
|
||||||
|
#ifdef LOCKED_PASSWD_STRING
|
||||||
|
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
||||||
|
locked = 1;
|
||||||
|
#endif
|
||||||
|
#ifdef LOCKED_PASSWD_PREFIX
|
||||||
|
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
||||||
|
strlen(LOCKED_PASSWD_PREFIX)) == 0)
|
||||||
|
locked = 1;
|
||||||
|
#endif
|
||||||
|
#ifdef LOCKED_PASSWD_SUBSTR
|
||||||
|
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
|
||||||
|
locked = 1;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
#ifdef USE_LIBIAF
|
||||||
|
if (iaf_passwd != NULL)
|
||||||
|
freezero(iaf_passwd, strlen(iaf_passwd));
|
||||||
|
#endif /* USE_LIBIAF */
|
||||||
|
|
||||||
|
return locked;
|
||||||
|
}
|
||||||
|
|
|
@ -28,6 +28,7 @@ void platform_setusercontext(struct passwd *);
|
||||||
void platform_setusercontext_post_groups(struct passwd *);
|
void platform_setusercontext_post_groups(struct passwd *);
|
||||||
char *platform_get_krb5_client(const char *);
|
char *platform_get_krb5_client(const char *);
|
||||||
char *platform_krb5_get_principal_name(const char *);
|
char *platform_krb5_get_principal_name(const char *);
|
||||||
|
int platform_locked_account(struct passwd *)
|
||||||
int platform_sys_dir_uid(uid_t);
|
int platform_sys_dir_uid(uid_t);
|
||||||
void platform_disable_tracing(int);
|
void platform_disable_tracing(int);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue