diff options
author | Darren Tucker <dtucker@dtucker.net> | 2022-03-26 02:49:50 +0100 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2022-03-26 02:49:50 +0100 |
commit | 2923d026e55998133c0f6e5186dca2a3c0fa5ff5 (patch) | |
tree | 85f247a961f6f27bf53f436e74aae0b5f1c1b03f | |
parent | Add OpenWRT mips and mipsel test targets. (diff) | |
download | openssh-2923d026e55998133c0f6e5186dca2a3c0fa5ff5.tar.xz openssh-2923d026e55998133c0f6e5186dca2a3c0fa5ff5.zip |
Factor out platform-specific locked account check.
Also fixes an incorrect free on platforms with both libiaf and shadow
passwords (probably only Unixware). Prompted by github PR#284,
originally from @c3h2_ctf and stoeckmann@.
-rw-r--r-- | auth.c | 50 | ||||
-rw-r--r-- | platform.c | 51 | ||||
-rw-r--r-- | platform.h | 1 |
3 files changed, 55 insertions, 47 deletions
@@ -104,59 +104,15 @@ allowed_user(struct ssh *ssh, struct passwd * pw) const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; u_int i; int r; -#ifdef USE_SHADOW - struct spwd *spw = NULL; -#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; -#ifdef USE_SHADOW - if (!options.use_pam) - spw = getspnam(pw->pw_name); -#ifdef HAS_SHADOW_EXPIRE - if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) + if (!options.use_pam && platform_locked_account(pw)) { + logit("User %.100s not allowed because account is locked", + pw->pw_name); return 0; -#endif /* HAS_SHADOW_EXPIRE */ -#endif /* USE_SHADOW */ - - /* grab passwd field for locked account check */ - passwd = pw->pw_passwd; -#ifdef USE_SHADOW - if (spw != NULL) -#ifdef USE_LIBIAF - passwd = get_iaf_password(pw); -#else - passwd = spw->sp_pwdp; -#endif /* USE_LIBIAF */ -#endif - - /* check for locked account */ - if (!options.use_pam && passwd && *passwd) { - int locked = 0; - -#ifdef LOCKED_PASSWD_STRING - if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) - locked = 1; -#endif -#ifdef LOCKED_PASSWD_PREFIX - if (strncmp(passwd, LOCKED_PASSWD_PREFIX, - strlen(LOCKED_PASSWD_PREFIX)) == 0) - locked = 1; -#endif -#ifdef LOCKED_PASSWD_SUBSTR - if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) - locked = 1; -#endif -#ifdef USE_LIBIAF - free((void *) passwd); -#endif /* USE_LIBIAF */ - if (locked) { - logit("User %.100s not allowed because account is locked", - pw->pw_name); - return 0; - } } /* diff --git a/platform.c b/platform.c index 44ba71dc5..4fe8744ee 100644 --- a/platform.c +++ b/platform.c @@ -18,6 +18,7 @@ #include <stdarg.h> #include <stdio.h> +#include <string.h> #include <unistd.h> #include "log.h" @@ -197,3 +198,53 @@ platform_krb5_get_principal_name(const char *pw_name) return NULL; #endif } + +/* returns 1 if account is locked */ +int +platform_locked_account(struct passwd *pw) +{ + int locked = 0; + char *passwd = pw->pw_passwd; +#ifdef USE_SHADOW + struct spwd *spw = NULL; +#ifdef USE_LIBIAF + char *iaf_passwd = NULL; +#endif + + spw = getspnam(pw->pw_name); +#ifdef HAS_SHADOW_EXPIRE + if (spw != NULL && auth_shadow_acctexpired(spw)) + return 1; +#endif /* HAS_SHADOW_EXPIRE */ + + if (spw != NULL) +#ifdef USE_LIBIAF + iaf_passwd = passwd = get_iaf_password(pw); +#else + passwd = spw->sp_pwdp; +#endif /* USE_LIBIAF */ +#endif + + /* check for locked account */ + if (passwd && *passwd) { +#ifdef LOCKED_PASSWD_STRING + if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_PREFIX + if (strncmp(passwd, LOCKED_PASSWD_PREFIX, + strlen(LOCKED_PASSWD_PREFIX)) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_SUBSTR + if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) + locked = 1; +#endif + } +#ifdef USE_LIBIAF + if (iaf_passwd != NULL) + freezero(iaf_passwd, strlen(iaf_passwd)); +#endif /* USE_LIBIAF */ + + return locked; +} diff --git a/platform.h b/platform.h index ea4f9c584..98c48da40 100644 --- a/platform.h +++ b/platform.h @@ -28,6 +28,7 @@ void platform_setusercontext(struct passwd *); void platform_setusercontext_post_groups(struct passwd *); char *platform_get_krb5_client(const char *); char *platform_krb5_get_principal_name(const char *); +int platform_locked_account(struct passwd *) int platform_sys_dir_uid(uid_t); void platform_disable_tracing(int); |