diff --git a/ChangeLog b/ChangeLog
index 55031f702..20f1ec089 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20040210
+ - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
+ openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
+ native password expiry.
+
 20040207
 - (dtucker) OpenBSD CVS Sync
 - dtucker@cvs.openbsd.org 2004/02/06 23:41:13
@@ -1820,4 +1825,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
 Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3217 2004/02/07 01:29:39 dtucker Exp $
+$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $
diff --git a/auth-passwd.c b/auth-passwd.c
index 5cc88155c..a58dc042b 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -43,14 +43,11 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
 #include "servconf.h"
 #include "auth.h"
 #include "auth-options.h"
-#ifdef WITH_AIXAUTHENTICATE
-# include "canohost.h"
-#endif
 extern ServerOptions options;
 int sys_auth_passwd(Authctxt *, const char *);
-static void
+void
 disable_forwarding(void)
 {
 no_port_forwarding_flag = 1;
@@ -121,14 +118,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 return (auth_close(as));
 }
 }
-#elif defined(WITH_AIXAUTHENTICATE)
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
- return (aix_authenticate(authctxt->pw->pw_name, password,
- get_canonical_hostname(options.use_dns)));
-}
-#else
+#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
 int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
diff --git a/auth.h b/auth.h
index c51717f2c..b39e48d9a 100644
--- a/auth.h
+++ b/auth.h
@@ -123,6 +123,7 @@ void krb5_cleanup_proc(Authctxt *authctxt);
 #endif /* KRB5 */
 #include "auth-pam.h"
+void disable_forwarding(void);
 void do_authentication(Authctxt *);
 void do_authentication2(Authctxt *);
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 6fc2ef771..a5511bbef 100644
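Review bot: `disable_forwarding()` is promoted from file-static to an exported function declared in auth.h, but it gains no comment saying what it disables, and its body continues past the end of the first auth-passwd.c hunk (only `no_port_forwarding_flag = 1;` is visible). Since the AIX password-expiry path in openbsd-compat/port-aix.c now calls it, a header comment such as `/* Disable forwarding for this session; used when a forced password change is pending. */` would tell other callers what they commit the session to. The second hunk makes the generic `sys_auth_passwd` conditional on `CUSTOM_SYS_AUTH_PASSWD`, which is defined in port-aix.h; that presumably reaches this file through includes.h, but if it does not, both definitions would be compiled on AIX and the link would fail, so it is worth confirming the include order.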
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -98,10 +98,10 @@ aix_remove_embedded_newlines(char *p)
 * returns 0.
 */
 int
-aix_authenticate(const char *name, const char *password, const char *host)
+sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
- char *authmsg = NULL, *msg;
- int authsuccess = 0, reenter, result;
+ char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name;
+ int authsuccess = 0, expired, reenter, result;
 do {
 result = authenticate((char *)name, (char *)password, &reenter,
@@ -114,7 +114,12 @@ aix_authenticate(const char *name, const char *password, const char *host)
 if (result == 0) {
 authsuccess = 1;
- /* No pty yet, so just label the line as "ssh" */
+ host = (char *)get_canonical_hostname(options.use_dns);
+
+ /*
+ * Record successful login. We don't have a pty yet, so just
+ * label the line as "ssh"
+ */
 aix_setauthdb(name);
 if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) {
 if (msg != NULL) {
@@ -123,6 +128,32 @@ aix_authenticate(const char *name, const char *password, const char *host)
 xfree(msg);
 }
 }
+
+ /*
+ * Check if the user's password is expired.
+ */
+ expired = passwdexpired(name, &msg);
+ if (msg && *msg) {
+ buffer_append(&loginmsg, msg, strlen(msg));
+ aix_remove_embedded_newlines(msg);
+ }
+ debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
+
+ switch (expired) {
+ case 0: /* password not expired */
+ break;
+ case 1: /* expired, password change required */
+ ctxt->force_pwchange = 1;
+ disable_forwarding();
+ break;
+ default: /* user can't change(2) or other error (-1) */
+ logit("Password can't be changed for user %s: %.100s",
+ name, msg);
+ if (msg)
+ xfree(msg);
+ authsuccess = 0;
+ }
+
 aix_restoreauthdb();
 }
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 930b3f248..ef03661ed 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
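Review bot: In the third hunk `msg` can be NULL after `passwdexpired()` — the code itself guards with `if (msg && *msg)` and `if (msg)` — yet it is passed to `%.100s` in both the `debug3()` and the `logit()` call, which is undefined behaviour for a null pointer (some libcs print "(null)", others crash). The message is also freed only in the `default:` branch, so for `expired` values 0 and 1 the string returned by `passwdexpired()` leaks. And because `msg` was handed to `xfree()` in the `loginsuccess()` block earlier in the function, it holds a stale pointer going into `passwdexpired(name, &msg)`; if that call does not assign `*msg` on every return path (not visible here — confirm against the AIX documentation), the `if (msg && *msg)` test reads freed memory. Initialising `msg = NULL` before the call, substituting an empty string for the format argument when it is NULL, and freeing once after the switch addresses all three; the NULL guard before `xfree()` stays, since the surrounding code consistently guards it and this tree's `xfree()` appears not to accept NULL. The switch is right to fail closed with `authsuccess = 0` on the `-1` error case, so an account whose expiry status could not be determined is never admitted.
```c
	/*
	 * Check if the user's password is expired.
	 */
	msg = NULL;	/* stale from the loginsuccess() block above */
	expired = passwdexpired(name, &msg);
	/* … unchanged: append msg to loginmsg, strip embedded newlines … */
	debug3("AIX/passwdexpired returned %d msg %.100s", expired,
	    msg != NULL ? msg : "");

	switch (expired) {
	/* … unchanged: case 0 and case 1 … */
	default:	/* user can't change(2) or other error (-1) */
		logit("Password can't be changed for user %s: %.100s",
		    name, msg != NULL ? msg : "");
		authsuccess = 0;
	}
	if (msg != NULL)	/* freed on every path, not only the failure one */
		xfree(msg);
```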
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.18 2004/02/10 01:50:20 dtucker Exp $ */
 /*
 *
@@ -36,6 +36,9 @@
 # include
 #endif
+/* For Authctxt */
+#include "auth.h"
+
 /* Some versions define r_type in the above headers, which causes a conflict */
 #ifdef r_type
 # undef r_type
@@ -62,11 +65,12 @@
 void aix_usrinfo(struct passwd *);
 #ifdef WITH_AIXAUTHENTICATE
+# define CUSTOM_SYS_AUTH_PASSWD 1
+int sys_auth_passwd(Authctxt *, const char *);
 # define CUSTOM_FAILED_LOGIN 1
 void record_failed_login(const char *, const char *);
 #endif
-int aix_authenticate(const char *, const char *, const char *);
 void aix_setauthdb(const char *);
 void aix_restoreauthdb(void);
 void aix_remove_embedded_newlines(char *);
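Review bot: The second hunk pulls all of auth.h into port-aix.h only to name `Authctxt` in one prototype; port-aix.h is a compat header that presumably reaches every translation unit through includes.h, so auth.h may now be included from places that never needed it, and if auth.h in turn reaches port-aix.h the two headers include each other and only their include guards prevent recursion — worth confirming both are guarded. If `Authctxt` is a typedef of `struct Authctxt` in auth.h, a forward declaration `struct Authctxt;` together with `int sys_auth_passwd(struct Authctxt *, const char *);` in the third hunk would remove the dependency entirely. Either way the third hunk's `# define CUSTOM_SYS_AUTH_PASSWD 1` deserves a comment naming its consumer, e.g. `/* auth-passwd.c: skip the generic sys_auth_passwd(); the AIX one lives in port-aix.c */`.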