* Add log messages for password or account expiry; it makes it much easier

to debug (on the server) why a login failed with this information. * If _PASSWORD_CHGNOW is defined (it's -1 in NetBSD), check that pw_change is not set to that before testing if the password has expired. Still prevent the login, but log a different failure message in this case. XXX: we need to decide if we let interactive logins occur in this case, but force a password change, a la login(1).
2003-03-24 18:25:21 +00:00 · 2003-03-24 18:25:21 +00:00 · 829c77a0ca
parent 78b50cb215
commit 829c77a0ca
2 changed files with 23 additions and 4 deletions
--- a/crypto/dist/ssh/auth.c
+++ b/crypto/dist/ssh/auth.c
@ -1,4 +1,4 @@
-/*	$NetBSD: auth.c,v 1.16 2002/12/06 03:39:07 thorpej Exp $	*/
+/*	$NetBSD: auth.c,v 1.17 2003/03/24 18:25:21 lukem Exp $	*/
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -160,12 +160,26 @@ allowed_user(struct passwd * pw)

 		(void)gettimeofday(&tv, (struct timezone *)NULL);
 		if (pw->pw_expire) {
-			if (tv.tv_sec >= pw->pw_expire)
+			if (tv.tv_sec >= pw->pw_expire) {
+				logit("User %.100s not allowed because account has expired",
+				    pw->pw_name);
 				return 0;	/* expired */
+			}
 		}
+#ifdef _PASSWORD_CHGNOW
+		if (pw->pw_change == _PASSWORD_CHGNOW) {
+			logit("User %.100s not allowed because password needs to be changed",
+			    pw->pw_name);
+
+			return 0;	/* can't force password change (yet) */
+		}
+#endif
 		if (pw->pw_change) {
-			if (tv.tv_sec >= pw->pw_change)
+			if (tv.tv_sec >= pw->pw_change) {
+				logit("User %.100s not allowed because password has expired",
+				    pw->pw_name);
 				return 0;	/* expired */
+			}
 		}
 	}

--- a/crypto/dist/ssh/session.c
+++ b/crypto/dist/ssh/session.c
@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.28 2002/12/06 03:39:10 thorpej Exp $	*/
+/*	$NetBSD: session.c,v 1.29 2003/03/24 18:25:22 lukem Exp $	*/
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@ -675,6 +675,11 @@ do_login(Session *s, const char *command)
 		if (pw->pw_expire && pw->pw_expire - tv.tv_sec < pw_warntime)
 			printf("Warning: your account expires on %s",
 			    ctime(&pw->pw_expire));
+#ifdef _PASSWORD_CHGNOW
+		if (pw->pw_change == _PASSWORD_CHGNOW) {
+			printf("Warning: your password has expired.  Please change it as soon as possible.\n");
+		} else
+#endif
 		if (pw->pw_change && pw->pw_change - tv.tv_sec < pw_warntime)
 			printf("Warning: your password expires on %s",
 			    ctime(&pw->pw_change));