* Add log messages for password or account expiry; with this information it is
  much easier to debug (on the server) why a login failed.

* If _PASSWORD_CHGNOW is defined (it's -1 in NetBSD), check that pw_change
  is not set to that before testing if the password has expired.
  Still prevent the login, but log a different failure message in this case.
  XXX:	we need to decide if we let interactive logins occur in this case,
	but force a password change, a la login(1).
lukem 2003-03-24 18:25:21 +00:00
parent 78b50cb215
commit 829c77a0ca
2 changed files with 23 additions and 4 deletions


@ -1,4 +1,4 @@
/* $NetBSD: auth.c,v 1.16 2002/12/06 03:39:07 thorpej Exp $ */ /* $NetBSD: auth.c,v 1.17 2003/03/24 18:25:21 lukem Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -160,12 +160,26 @@ allowed_user(struct passwd * pw)
(void)gettimeofday(&tv, (struct timezone *)NULL); (void)gettimeofday(&tv, (struct timezone *)NULL);
if (pw->pw_expire) { if (pw->pw_expire) {
if (tv.tv_sec >= pw->pw_expire) if (tv.tv_sec >= pw->pw_expire) {
logit("User %.100s not allowed because account has expired",
pw->pw_name);
return 0; /* expired */ return 0; /* expired */
}
} }
#ifdef _PASSWORD_CHGNOW
if (pw->pw_change == _PASSWORD_CHGNOW) {
logit("User %.100s not allowed because password needs to be changed",
pw->pw_name);
return 0; /* can't force password change (yet) */
}
#endif
if (pw->pw_change) { if (pw->pw_change) {
if (tv.tv_sec >= pw->pw_change) if (tv.tv_sec >= pw->pw_change) {
logit("User %.100s not allowed because password has expired",
pw->pw_name);
return 0; /* expired */ return 0; /* expired */
}
} }
} }
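Review bot: The new `_PASSWORD_CHGNOW` test in allowed_user logs the right reason only because it sits before the generic `if (pw->pw_change)` test. Per the commit message the constant is -1 on NetBSD, which also satisfies `tv.tv_sec >= pw->pw_change` and would be logged as an expired password if the two tests were ever reordered. A comment above the `#ifdef` should say so, for example `/* Must precede the pw_change test: _PASSWORD_CHGNOW (-1) would also match it and log the wrong reason. */`. The open policy question from the commit message is only hinted at by `/* can't force password change (yet) */`, so carrying the `XXX` into that comment would keep the decision visible in the code. As far as this hunk shows, all three new logit() paths still return 0, so the extra detail stays in the server log; allowed_user itself begins outside the hunk.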


@ -1,4 +1,4 @@
/* $NetBSD: session.c,v 1.28 2002/12/06 03:39:10 thorpej Exp $ */ /* $NetBSD: session.c,v 1.29 2003/03/24 18:25:22 lukem Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -675,6 +675,11 @@ do_login(Session *s, const char *command)
if (pw->pw_expire && pw->pw_expire - tv.tv_sec < pw_warntime) if (pw->pw_expire && pw->pw_expire - tv.tv_sec < pw_warntime)
printf("Warning: your account expires on %s", printf("Warning: your account expires on %s",
ctime(&pw->pw_expire)); ctime(&pw->pw_expire));
#ifdef _PASSWORD_CHGNOW
if (pw->pw_change == _PASSWORD_CHGNOW) {
printf("Warning: your password has expired. Please change it as soon as possible.\n");
} else
#endif
if (pw->pw_change && pw->pw_change - tv.tv_sec < pw_warntime) if (pw->pw_change && pw->pw_change - tv.tv_sec < pw_warntime)
printf("Warning: your password expires on %s", printf("Warning: your password expires on %s",
ctime(&pw->pw_change)); ctime(&pw->pw_change));
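Review bot: The `_PASSWORD_CHGNOW` branch added to do_login only prints an advisory warning and lets the session continue, so nothing here enforces the password change. Within this commit that is harmless only because allowed_user() in auth.c rejects such accounts first (presumably on every login path); if that denial is relaxed as the commit message's XXX contemplates, a must-change account would get a normal session with just this warning. I would record the dependency next to the branch, e.g. `/* XXX: not reached while allowed_user() rejects _PASSWORD_CHGNOW; must force a change, not just warn, if that is relaxed */`. Separately, the `} else` that ends inside the `#ifdef` and binds to the unbraced `if` after `#endif` is easy to break in a later edit, and bracing that `if` would make it more robust. do_login starts and ends outside the hunk.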