summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@dtucker.net>2022-03-26 02:49:50 +0100
committerDarren Tucker <dtucker@dtucker.net>2022-03-26 02:49:50 +0100
commit2923d026e55998133c0f6e5186dca2a3c0fa5ff5 (patch)
tree85f247a961f6f27bf53f436e74aae0b5f1c1b03f
parentAdd OpenWRT mips and mipsel test targets. (diff)
downloadopenssh-2923d026e55998133c0f6e5186dca2a3c0fa5ff5.tar.xz
openssh-2923d026e55998133c0f6e5186dca2a3c0fa5ff5.zip
Factor out platform-specific locked account check.
Also fixes an incorrect free on platforms with both libiaf and shadow passwords (probably only Unixware). Prompted by github PR#284, originally from @c3h2_ctf and stoeckmann@.
-rw-r--r--auth.c50
-rw-r--r--platform.c51
-rw-r--r--platform.h1
3 files changed, 55 insertions, 47 deletions
diff --git a/auth.c b/auth.c
index 560e8ecac..81d275895 100644
--- a/auth.c
+++ b/auth.c
@@ -104,59 +104,15 @@ allowed_user(struct ssh *ssh, struct passwd * pw)
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
u_int i;
int r;
-#ifdef USE_SHADOW
- struct spwd *spw = NULL;
-#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;
-#ifdef USE_SHADOW
- if (!options.use_pam)
- spw = getspnam(pw->pw_name);
-#ifdef HAS_SHADOW_EXPIRE
- if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
+ if (!options.use_pam && platform_locked_account(pw)) {
+ logit("User %.100s not allowed because account is locked",
+ pw->pw_name);
return 0;
-#endif /* HAS_SHADOW_EXPIRE */
-#endif /* USE_SHADOW */
-
- /* grab passwd field for locked account check */
- passwd = pw->pw_passwd;
-#ifdef USE_SHADOW
- if (spw != NULL)
-#ifdef USE_LIBIAF
- passwd = get_iaf_password(pw);
-#else
- passwd = spw->sp_pwdp;
-#endif /* USE_LIBIAF */
-#endif
-
- /* check for locked account */
- if (!options.use_pam && passwd && *passwd) {
- int locked = 0;
-
-#ifdef LOCKED_PASSWD_STRING
- if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
- locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_PREFIX
- if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
- strlen(LOCKED_PASSWD_PREFIX)) == 0)
- locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_SUBSTR
- if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
- locked = 1;
-#endif
-#ifdef USE_LIBIAF
- free((void *) passwd);
-#endif /* USE_LIBIAF */
- if (locked) {
- logit("User %.100s not allowed because account is locked",
- pw->pw_name);
- return 0;
- }
}
/*
diff --git a/platform.c b/platform.c
index 44ba71dc5..4fe8744ee 100644
--- a/platform.c
+++ b/platform.c
@@ -18,6 +18,7 @@
#include <stdarg.h>
#include <stdio.h>
+#include <string.h>
#include <unistd.h>
#include "log.h"
@@ -197,3 +198,53 @@ platform_krb5_get_principal_name(const char *pw_name)
return NULL;
#endif
}
+
+/* returns 1 if account is locked */
+int
+platform_locked_account(struct passwd *pw)
+{
+ int locked = 0;
+ char *passwd = pw->pw_passwd;
+#ifdef USE_SHADOW
+ struct spwd *spw = NULL;
+#ifdef USE_LIBIAF
+ char *iaf_passwd = NULL;
+#endif
+
+ spw = getspnam(pw->pw_name);
+#ifdef HAS_SHADOW_EXPIRE
+ if (spw != NULL && auth_shadow_acctexpired(spw))
+ return 1;
+#endif /* HAS_SHADOW_EXPIRE */
+
+ if (spw != NULL)
+#ifdef USE_LIBIAF
+ iaf_passwd = passwd = get_iaf_password(pw);
+#else
+ passwd = spw->sp_pwdp;
+#endif /* USE_LIBIAF */
+#endif
+
+ /* check for locked account */
+ if (passwd && *passwd) {
+#ifdef LOCKED_PASSWD_STRING
+ if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
+ locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_PREFIX
+ if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
+ strlen(LOCKED_PASSWD_PREFIX)) == 0)
+ locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_SUBSTR
+ if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
+ locked = 1;
+#endif
+ }
+#ifdef USE_LIBIAF
+ if (iaf_passwd != NULL)
+ freezero(iaf_passwd, strlen(iaf_passwd));
+#endif /* USE_LIBIAF */
+
+ return locked;
+}
diff --git a/platform.h b/platform.h
index ea4f9c584..98c48da40 100644
--- a/platform.h
+++ b/platform.h
@@ -28,6 +28,7 @@ void platform_setusercontext(struct passwd *);
void platform_setusercontext_post_groups(struct passwd *);
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
+int platform_locked_account(struct passwd *)
int platform_sys_dir_uid(uid_t);
void platform_disable_tracing(int);