Date: Wed, 4 Jun 1997 13:36:36 -0400 (EDT)
From: Keith Mitchell <kmitch@weenix.guru.org>
To: torstenb@freebsd.org
Subject: SSH port patch
Message-ID: <199706091651.MAA11106@weenix.guru.org>
The current port of ssh does not take into account expired passwords or expired accounts and will therefore still let people in if their account expires. The following patch fixes that as well as flagging "*" as a locked password along with "*LK*". *** sshd.c.orig Wed Jun 4 12:49:10 1997 --- sshd.c Wed Jun 4 13:05:13 1997 *************** *** 1551,1562 **** * with "*LK*". */ { ! if (strncmp(passwd,"*LK*", 4) == 0) { debug("Account %.100s is locked.", user); return 0; } } #ifdef CHECK_ETC_SHELLS { int invalid = 1; --- 1551,1594 ---- * with "*LK*". */ { ! if ((strncmp(passwd,"*LK*", 4) == 0) || (strncmp(passwd, "*", 1) == 0)) { debug("Account %.100s is locked.", user); return 0; } } + + #ifdef __FreeBSD__ + { + time_t currtime; + + currtime = time(NULL); + + /* + * Check for an expired password + */ + if ((pwd -> pw_change) < currtime) + { + debug("Account %.100s's password is too old - forced to change.", + user); + if (options.forced_passwd_change) + forced_command = "/usr/bin/passwd"; + else + { + return 0; + } + } + + /* + * Check for expired account + */ + if ((pwd -> pw_expire) < currtime) + { + debug("Account %.100s has expired - access denied.", user); + return 0; + } + } + #endif #ifdef CHECK_ETC_SHELLS { int invalid = 1; -- Keith Mitchell Head Administrator: acm.vt.edu Email: kmitch@weenix.guru.org PGP key available upon request http://weenix.guru.org/~kmitch Address and URL (c) 1997 Keith Mitchell - All Rights Reserved Unauthorized use or duplication prohibited
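Review bot: In the __FreeBSD__ block, both (pwd -> pw_change) < currtime and (pwd -> pw_expire) < currtime are also true when the field is 0, and FreeBSD uses 0 in those fields to mean that no password change or account expiry is set, so accounts with no aging configured would be treated as expired. Suggest guarding each test, for example if (pwd->pw_change != 0 && pwd->pw_change < currtime), and the same for pw_expire. Separately, in the lock check, strncmp(passwd, "*", 1) == 0 matches any password field that begins with "*", which already covers the "*LK*" case; if only an exact "*" is meant to count as locked, strcmp(passwd, "*") == 0 would express that.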