i'm working on this. this is what i have now. sp_inact is not handled
consistently across shadow platforms, so i'm going to not address that
right now. the following is the predecessor to bug14.
what is the timeframe for 3.2.1p1? markus suggested a few more weeks.
Index: auth.c
==================================================================RCS file:
/var/cvs/openssh/auth.c,v
retrieving revision 1.51
diff -u -r1.51 auth.c
--- auth.c 22 Mar 2002 03:08:31 -0000 1.51
+++ auth.c 24 Apr 2002 19:51:00 -0000
@@ -80,18 +80,35 @@
if (!pw || !pw->pw_name)
return 0;
+#define DAY (24L * 60 * 60) /* 1 day in seconds */
spw = getspnam(pw->pw_name);
if (spw != NULL) {
- int days = time(NULL) / 86400;
+ time_t today = time(NULL) / DAY;
+ debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
+ " sp_max %d", (int)today, (int)spw->sp_expire,
+ (int)spw->sp_lstchg, (int)spw->sp_max);
- /* Check account expiry */
- if ((spw->sp_expire >= 0) && (days > spw->sp_expire))
+ /*
+ * We assume account and password expiration occurs the
+ * day after the day specified.
+ */
+ if (spw->sp_expire != -1 && today > spw->sp_expire) {
+ log("Account %.100s has expired", pw->pw_name);
return 0;
+ }
- /* Check password expiry */
- if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0)
&&
- (days > (spw->sp_lstchg + spw->sp_max)))
+ if (spw->sp_lstchg == 0) {
+ log("User %.100s password has expired (root forced)",
+ pw->pw_name);
return 0;
+ }
+
+ if (spw->sp_max != -1 &&
+ today > spw->sp_lstchg + spw->sp_max) {
+ log("User %.100s password has expired (password aged)",
+ pw->pw_name);
+ return 0;
+ }
}
#else
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
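Review bot: The password-aging test `today > spw->sp_lstchg + spw->sp_max` no longer checks that `sp_lstchg` is set: the removed code required `sp_lstchg >= 0`, while the new code only special-cases `sp_lstchg == 0`. If getspnam() reports an empty last-change field as -1 (presumably the same convention the `!= -1` tests on `sp_expire` and `sp_max` rely on), the sum becomes `sp_max - 1`, and any account whose `sp_max` is smaller than today's day count is refused as "password aged". That fails closed, but it locks out users whose aging data was never initialised. I would write the condition as `if (spw->sp_lstchg != -1 && spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) {`. Separately, `#define DAY` sits in the middle of the function body and stays defined for the rest of the file, so it belongs at file scope or needs an `#undef` after the block; allowed_user() itself starts and ends outside this hunk.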