  1. /*
  2. * CDE - Common Desktop Environment
  3. *
  4. * Copyright (c) 1993-2012, The Open Group. All rights reserved.
  5. *
  6. * These libraries and programs are free software; you can
  7. * redistribute them and/or modify them under the terms of the GNU
  8. * Lesser General Public License as published by the Free Software
  9. * Foundation; either version 2 of the License, or (at your option)
  10. * any later version.
  11. *
  12. * These libraries and programs are distributed in the hope that
  13. * they will be useful, but WITHOUT ANY WARRANTY; without even the
  14. * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
  15. * PURPOSE. See the GNU Lesser General Public License for more
  16. * details.
  17. *
  18. * You should have received a copy of the GNU Lesser General Public
  19. * License along with these libraries and programs; if not, write
  20. * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
  21. * Floor, Boston, MA 02110-1301 USA
  22. */
  23. /* $XConsortium: validate.c /main/4 1995/10/27 16:19:47 rswiston $ */
  24. /************************************<+>*************************************
  25. ****************************************************************************
  26. **
  27. ** File: validate.c
  28. **
  29. ** Project: HP Visual User Environment (DT)
  30. **
  31. ** Description: Dtgreet BLS user authentication routines
  32. **
  33. ** These routines validate the user; checking name, password,
  34. ** number of users on the system, password aging, etc.
  35. **
  36. **
  37. ** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company
  38. **
  39. **
  40. ** Conditional compiles:
  41. **
  42. ** OSMAJORVERSION < 8
  43. ** HP-UX 7.0/7.03 restricted license counting algorithms
  44. ** are used. Otherwise HP-UX 8.0 and beyond is used
  45. **
  46. ** BLS HP BLS B1 simple authentication.
  47. **
  48. ** __hpux HP-UX OS only
  49. **
  50. ****************************************************************************
  51. ************************************<+>*************************************/
  52. #ifdef BLS
  53. /***************************************************************************
  54. *
  55. * Includes & Defines
  56. *
  57. ***************************************************************************/
  58. #include <stdio.h>
  59. #include <fcntl.h>
  60. #include <stdlib.h>
  61. #include <pwd.h>
  62. #include "../vg.h"
  63. /***************************************************************************
  64. *
  65. * HP-UX BLS authentication routines
  66. *
  67. ***************************************************************************/
  68. #include <sys/param.h> /* for MAXUID macro */
  69. #include <sys/types.h>
  70. #include <sys/utsname.h>
  71. #include <string.h>
  72. #include <utmp.h>
  73. #include <time.h>
  74. #include <grp.h>
  75. /* BLS only headers */
  76. # include <sys/security.h>
  77. # include <prot.h>
  78. # include "bls.h"
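  /*
   * utmp field read by CountUsers/CountUsersStrict as the index of the
   * license-counting class of a login.
   */
  #define how_to_count ut_exit.e_exit

  /*
   * Per-license user limits and the version letters that bracket them.
   * The (currently disabled) license check in BLS_Verify indexes num_users[]
   * with utsname.version[0] - 'A'.
   */
  #ifdef __hp9000s300
  static int num_users[] = { 2, 32767 };
  # define MIN_VERSION 'A'
  # define UNLIMITED 'B'
  #else
  static int num_users[] = { 2, 16, 32, 64 , 8 };
  # define MIN_VERSION 'A'
  # define UNLIMITED 'U'
  #endif

  /* Maximum number of users allowed with restricted license */
  #if OSMAJORVERSION < 8
  # define MAX_STRICT_USERS 2
  #else
  # define MAX_STRICT_USERS 8
  #endif

  /*
   * Highest valid index into num_users[].  The whole expansion is
   * parenthesized so the trailing "- 1" cannot re-associate with the
   * surrounding expression (e.g. "2 * NUM_VERSIONS").
   */
  #define NUM_VERSIONS ((sizeof(num_users)/sizeof(num_users[0])) - 1)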
  96. /***************************************************************************
  97. *
  98. * External declarations
  99. *
  100. ***************************************************************************/
  /* Objects defined in other translation units. */
  extern Widget  focusWidget;        /* text field holding focus: login or password */
  extern long    groups[NGROUPS];
  103. /***************************************************************************
  104. *
  105. * Procedure declarations
  106. *
  107. ***************************************************************************/
  /* Forward declarations of the file-local helpers defined further down. */
  static int   CheckPassword(char *name, char *passwd);
  static int   CountUsers(int added_users);
  static int   CountUsersStrict(char *new_user);
  static void  WriteBtmp(char *name);
  112. /***************************************************************************
  113. *
  114. * Global variables
  115. *
  116. ***************************************************************************/
  117. /* BLS only data */
  /* BLS-only state shared by the routines in this file. */
  struct pr_passwd    *b1_pwd;    /* assigned from getprpwnam() in CheckPassword */
  struct verify_info   verify_data, *verify = &verify_data;
  struct greet_info    greet_data,  *greet  = &greet_data;

  /* Holds the result of the password_exists() call made in CheckPassword. */
  static int UserHasPassword = 1;
  124. /***************************************************************************
  125. *
  126. * CountUsers
  127. *
  128. * see if new user has exceeded the maximum.
  129. ***************************************************************************/
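  #define NCOUNT 16

  /*
   * CountUsers
   *
   * Count the users currently logged in, using the counting class stored
   * in each USER_PROCESS utmp entry (see KEY below).
   *
   * added_users  counting class of the login being added; it is counted
   *              together with the entries found in utmp.  A value outside
   *              [0, NCOUNT) is counted as an ordinary user (class 1), the
   *              same rule this function applies to utmp entries.
   *
   * Returns the resulting number of users.
   */
  static int
  CountUsers( int added_users )
  {
      int count[NCOUNT] = { 0 };
      int nusers, i;
      struct utmp *entry;

      /*
       * The class is supplied by the caller and is used as an array index:
       * clamp it so it can never write outside count[].
       */
      if (added_users < 0 || added_users >= NCOUNT)
          added_users = 1;
      count[added_users]++;

      while ( (entry = getutent()) != NULL) {
          if (entry->ut_type == USER_PROCESS) {
              i = entry->how_to_count;
              if (i < 0 || i >= NCOUNT)
                  i = 1;          /* if out of range, then count */
                                  /* as ordinary user            */
              count[i]++;
          }
      }
      endutent();

      /*
       * KEY:
       *  [0]    does not count at all
       *  [1]    counts as real user
       *  [2]    logins via a pty which have not gone through login. These
       *         collectively count as 1 user IF count[3] is 0, otherwise,
       *         they are not counted. Starting with HP-UX 8.0 they are
       *         no longer counted at all.
       *  [3]    logins via a pty which have been logged through login (i.e.
       *         rlogin and telnet). these count as 1 "real" user per
       *         unique user name.
       *  [4-15] may be used for groups of users which collectively
       *         count as 1
       */
      nusers = count[1];

      /* Every remaining class with at least one login adds a single user. */
  #if OSMAJORVERSION < 8
      for (i = 2; i < NCOUNT; i++)
  #else
      for (i = 3; i < NCOUNT; i++)
  #endif
          if (count[i] > 0)
              nusers++;

      return(nusers);
  }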
  173. /***************************************************************************
  174. *
  175. * CountUsersStrict
  176. *
  177. * see if new user has exceeded the maximum.
  178. ***************************************************************************/
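  /*
   * CountUsersStrict
   *
   * Count users for the restricted license: tty logins count one each,
   * pty logins granted by the login program count once per unique user
   * name, and each group class [4-15] in use counts once.
   *
   * new_user  not consulted; the new login is always counted as class 1.
   *
   * Returns the user count, or MAX_STRICT_USERS + 1 as soon as more than
   * MAX_STRICT_USERS distinct pty user names have been seen.
   */
  static int
  CountUsersStrict( char *new_user )
  {
      char pty_users[MAX_STRICT_USERS][8];
      int count[NCOUNT] = { 0 };
      int nusers, i, cnt, pty_off = -1, uname_off;
      struct utmp *entry;

      (void) new_user;

      /*
       * Add in the new user (we know it's not a pty)...
       */
      count[1]++;

      while ( (entry = getutent()) != NULL ) {
          if (entry->ut_type != USER_PROCESS)
              continue;

          i = entry->how_to_count;

          if (i == 1 || i < 0 || i >= NCOUNT) {
              /* out-of-range classes count as an ordinary tty login */
              count[1]++;
          } else if (i == 3) {
              /* pty login granted by the login program */
              count[3]++;

              /*
               * See if user is already logged in via login pty.  Names are
               * compared on their first 8 bytes only.
               */
              uname_off = -1;
              for (cnt = 0; cnt <= pty_off; cnt++)
                  if (strncmp(pty_users[cnt], entry->ut_user, 8) == 0)
                      uname_off = cnt;

              if (uname_off == -1) {      /* not logged in via pty yet */
                  /*
                   * pty_off is the index of the last slot in use, so the
                   * table is full when pty_off + 1 reaches its size.
                   * Testing pty_off alone would let the increment below
                   * store one entry past the end of pty_users[].
                   */
                  if (pty_off + 1 >= MAX_STRICT_USERS) {
                      endutent();         /* do not leave utmp open */
                      return(MAX_STRICT_USERS + 1);
                  }
                  /* add the user name to the array of pty users */
                  strncpy(pty_users[++pty_off], entry->ut_user, 8);
              }
          } else {
              count[i]++;
          }
      }
      endutent();

      /*
       * KEY:
       *  [0]    does not count at all
       *  [1]    counts as "real" user
       *  [2]    logins via a pty which have not gone through login. These
       *         collectively count as 1 user IF count[3] is 0, otherwise,
       *         they are not counted. Starting with HP-UX 8.0 they are
       *         no longer counted at all.
       *  [3]    logins via a pty which have been logged through login (i.e.
       *         rlogin and telnet). these count as 1 "real" user per
       *         unique user name.
       *  [4-15] may be used for groups of users which collectively count
       *         as 1
       */

      /*
       * Current number of users is the sum of users logged in via tty and
       * the number of unique users logged in via pty which have gone
       * through login.
       */
      nusers = pty_off + 1 + count[1];

  #if OSMAJORVERSION < 8
      /*
       * Add 1 user for all pty logins IF none of the pty logins have been
       * granted by the login program.
       */
      if ((count[3] == 0) && (count[2] != 0))
          nusers++;
  #else
      /*
       * Don't count any hpterm logins (exit status of 2). We already
       * counted all pty logins granted by the login program.
       */
  #endif

      for (i = 4; i < NCOUNT; i++)
          if (count[i] > 0)
              nusers++;

      return(nusers);
  }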
  258. /***************************************************************************
  259. *
  260. * CheckPassword
  261. *
  262. * Check validity of user password.
  263. *
  264. ***************************************************************************/
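  /*
   * CheckPassword
   *
   * Check the password typed for a user against the protected password
   * database entry.
   *
   * name    login name as typed
   * passwd  clear-text password as typed
   *
   * Returns TRUE when the password matches, FALSE otherwise.  As side
   * effects it sets b1_pwd, fills in *verify (secure systems only) and
   * leaves the password_exists() result in UserHasPassword.
   */
  static int
  CheckPassword( char *name, char *passwd )
  {
      struct passwd *p = NULL;    /* stays NULL when no lookup is performed */
      char *hashed;

      /*
       * Start every attempt from the default state.  Without this, a value
       * of 0 left by an earlier attempt survives the early "unknown user"
       * returns below and is still visible to the caller.
       */
      UserHasPassword = 1;

      if ( name == NULL || passwd == NULL )
          return(FALSE);

      /*
       * HP BLS B1 password authentication...
       *
       * NOTE(review): the Debug() calls print the text typed in the login
       * field, which may be a mistyped password; confirm where Debug
       * output goes and who can read it.
       */
      if ( ISSECURE ) {
          b1_pwd = getprpwnam(name);

          if ( b1_pwd == NULL || strlen(name) == 0 ) {
              Debug("unknown user '%s'\n", name);
              audit_login((struct pr_passwd *)0, (struct passwd *)0,
                          dpyinfo.name, "No entry in protected password db",
                          ES_LOGIN_FAILED);
              return(FALSE);
          }

          /*
           * look up user's regular account information...
           */
          p = getpwnam(name);

          if ( p == NULL || strlen(name) == 0 ) {
              Debug("unknown user '%s'\n", name);
              audit_login((struct pr_passwd *)0, (struct passwd *)0,
                          dpyinfo.name, "No entry in password file",
                          ES_LOGIN_FAILED);
              return(FALSE);
          }

          /* verify_info has become a catchall for info needed later */
          verify->user_name = name;
          verify->prpwd     = b1_pwd;
          verify->pwd       = p;
          strncpy(verify->terminal, dpyinfo.name, 15);
          verify->terminal[15] = '\0';
      }

      Debug("Verify %s \n",name);

      /*
       * Nothing was looked up on this path (ISSECURE false) and no record
       * is available: fail closed instead of dereferencing a null pointer.
       *
       * NOTE(review): when ISSECURE is false but b1_pwd is non-null, the
       * record below comes from an earlier call -- confirm that path is
       * unreachable in practice.
       */
      if ( b1_pwd == NULL ) {
          Debug("verify failed\n");
          return(FALSE);
      }

      /*
       * If the password doesn't exist we can't check it; the result is
       * left in UserHasPassword for BLS_Verify to act on.
       */
      if ( (UserHasPassword = password_exists(verify)) != 0 ) {
          hashed = bigcrypt(passwd, b1_pwd->ufld.fd_encrypt);

          /* a failed hash computation is a failed login, not a match */
          if ( hashed == NULL ||
               strcmp(hashed, b1_pwd->ufld.fd_encrypt) != 0 ) {
              Debug("verify failed\n");
              audit_login( b1_pwd, p ,dpyinfo.name,
                           "Password incorrect",
                           ES_LOGIN_FAILED);
              return(FALSE);
          }

          Debug ("username/password verify succeeded\n");
          return(TRUE);
      }

      /*
       * all password checks failed...
       */
      return (FALSE);
  }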
  321. /***************************************************************************
  322. *
  323. * BLS_Verify
  324. *
  325. * verify the user
  326. *
  327. * return codes indicate authentication results.
  328. ***************************************************************************/
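  #define MAXATTEMPTS 3

  static struct passwd nouser = {"", "nope"}; /* invalid user password struct */

  /*
   * BLS_Verify
   *
   * Verify the user: check the password, then the account state, the
   * password age, the home directory and the group/user ids.
   *
   * name    login name as typed
   * passwd  clear-text password as typed
   *
   * Returns VF_OK on success.  Failures return VF_INVALID (bad password,
   * locked or time-locked account), VF_PASSWD_AGED (expired or missing
   * password), VF_BAD_UID, VF_BAD_GID (non-NGROUPS builds) or VF_HOME.
   * VF_MAX_USERS is returned only by the license check, which is
   * compiled out.  Each outcome is recorded with audit_login().
   */
  int
  BLS_Verify( char *name, char *passwd )
  {
      static int login_attempts = 0;  /* # failed authentications */
      struct passwd *p;               /* password structure */
      struct pr_passwd *prpwd;
      struct utsname utsnam;          /* used only by the disabled license check */
      int n;                          /* used only by the disabled license check */
      int uid;

      /*
       * Desperate maneuver to give dtgreet the privileges it needs.
       * Runs on every call until a failed attempt has been counted.
       */
      if ( login_attempts == 0 ) {
          Debug("Setting luid for dtgreet\n");
          if ( getluid() == -1 )
              setluid(getuid());
      }

      /*
       * validate password...
       */
      if ( CheckPassword(name, passwd) == FALSE) {
          p = verify->pwd;

          if ( focusWidget == passwd_text ) {
              WriteBtmp(name);

              if ((++login_attempts % MAXATTEMPTS) == 0 ) {
                  /*
                   * verify->pwd is only filled in once a lookup succeeds,
                   * so it can still be null here (unknown user); test the
                   * pointer before looking at its members.
                   */
                  if (p == NULL || p->pw_name == NULL )
                      p = &nouser;

                  audit_login( b1_pwd, p ,dpyinfo.name,
                               "Failed login(bailout)",
                               ES_LOGIN_FAILED);
              }
          } else if ( !UserHasPassword ) {
              /*
               * The user has no password -- this must be the initial login
               * for this user. Treat it like an expired password. This
               * should invoke the password program on behalf of the user.
               */
              UserHasPassword = 1;
              return VF_PASSWD_AGED;
          }

          return(VF_INVALID);
      }

      prpwd = verify->prpwd;
      p = verify->pwd;

      /* never continue a login without both account records */
      if (prpwd == NULL || p == NULL) {
          Debug("login failed - account records missing\n");
          return VF_INVALID;
      }

      /* check that the uid of both passwd and pr_passwd struct's agree */
      uid = p->pw_uid;

      if (uid != prpwd->ufld.fd_uid) {
          audit_login(prpwd, p, verify->terminal,
                      "User id's inconsistent across password database\n",
                      ES_LOGIN_FAILED);
          Debug("login failed - uid's do not match\n");
          return VF_BAD_UID;
      }
      verify->uid = uid;

      /* check if user's account is locked
       * This can be by dead password (lifetime exceeded),
       * fd_lock is set, or fd_max_tries is exceeded.
       * locked_out is from libsec, but is poorly documented.
       */
      if (locked_out(prpwd)) {
          Debug("Account locked\n");
          audit_login(prpwd, p, verify->terminal,
                      "Account locked", ES_LOGIN_FAILED);
          return VF_INVALID;
      }

      /* can user log in at this time?
       * time_lock is in libsec, but poorly documented
       */
      if (time_lock(prpwd)) {
          Debug("Account time-locked\n");
          audit_login(prpwd, p, verify->terminal,
                      "Account time-locked", ES_LOGIN_FAILED);
          return VF_INVALID;
      }

      /****************************************************
        xdm checks the security level here using
        verify_sec_user
        We do it later from the dtgreet callback routine
        VerifySensitivityLevel()
      ****************************************************/

  #if 0
      /*
       * check restricted license...
       *
       * Note: This only applies to local displays. Foreign displays
       * (i.e. X-terminals) apparently do not count.
       */
      /* Get the version info via uname. If it doesn't look right,
       * assume the smallest user configuration
       */
      if (getenv(LOCATION) != NULL) {
          if (uname(&utsnam) < 0)
              utsnam.version[0] = MIN_VERSION;

          /*
           * Mappings:
           * 834 -> 834
           * 844 -> 844
           * 836 -> 635
           * 846 -> 645
           * 843 -> 642
           * 853 -> 652
           */
          if ((!strncmp(utsnam.machine, "9000/834", UTSLEN)) ||
              (!strncmp(utsnam.machine, "9000/844", UTSLEN)) ||
              (!strncmp(utsnam.machine, "9000/836", UTSLEN)) ||
              (!strncmp(utsnam.machine, "9000/846", UTSLEN)) ||
              (!strncmp(utsnam.machine, "9000/843", UTSLEN)) ||
              (!strncmp(utsnam.machine, "9000/853", UTSLEN))) {
              /* strict_count = 1;*/
              if (CountUsersStrict(name) > MAX_STRICT_USERS) {
                  audit_login( b1_pwd, p ,dpyinfo.name,
                               "Attempted to login - too many users on the system",
                               ES_LOGIN_FAILED);
                  return(VF_MAX_USERS);
              }
          }
          else {
              if (utsnam.version[0] != UNLIMITED) {
                  if ((utsnam.version[0]-'A' < 0) ||
                      (utsnam.version[0]-'A' > NUM_VERSIONS))
                      utsnam.version[0] = MIN_VERSION;
                  n = (int) utsnam.version[0] - 'A';
                  if (CountUsers(1) > num_users[n]) {
                      audit_login( b1_pwd, p ,dpyinfo.name,
                                   "Attempted to login - too many users on the system",
                                   ES_LOGIN_FAILED);
                      return(VF_MAX_USERS);
                  }
              }
          }
      }
  #endif /* 0 */

      /*
       * check password aging...
       */
      if ( passwordExpired(verify)) {
          audit_login( b1_pwd, p ,dpyinfo.name,
                       "Password expired",
                       ES_LOGIN_FAILED);
          return(VF_PASSWD_AGED);
      }

      /*
       * verify home directory exists...
       * (the chdir runs before the uid/gid change below)
       */
      if(chdir(p->pw_dir) < 0) {
          Debug("Attempted to login -- no home directory\n");
          audit_login( b1_pwd, p ,dpyinfo.name,
                       " Attempted to login - no home directory",
                       ES_LOGIN_FAILED);
          return(VF_HOME);
      }

      /*
       * validate uid and gid...
       */
  #ifdef NGROUPS
      /* NOTE(review): uses greet->name, not the name argument -- confirm
       * the two always agree at this point. */
      getGroups(greet->name, verify, p->pw_gid);
  #else
      /* was "pwd->pw_gid": no variable named pwd exists in this function */
      verify->gid = p->pw_gid;

      if ((p->pw_gid < 0) ||
          (p->pw_gid > MAXUID) ||
          (setgid(p->pw_gid) == -1)) {
          Debug("Attempted to login -- bad group id");
          audit_login( b1_pwd, p ,dpyinfo.name,
                       "Attempted to login - bad group id",
                       ES_LOGIN_FAILED);
          return(VF_BAD_GID);
      }
  #endif /* NGROUPS */

      /*
       * Real and effective uid become the user's; the saved uid is set
       * to 0.
       * NOTE(review): a saved uid of 0 lets this process switch back to
       * root later -- confirm that is intended and that the saved uid is
       * dropped before any user-controlled code runs.
       */
      if ((p->pw_uid < 0) ||
          (p->pw_uid > MAXUID) ||
          (setresuid(p->pw_uid, p->pw_uid, 0) == -1)) {
          Debug("Attempted to login -- bad user id\n");
          audit_login( b1_pwd, p ,dpyinfo.name,
                       "Attempted to login - bad user id",
                       ES_LOGIN_FAILED);
          return(VF_BAD_UID);
      }

      /*
       * verify ok...
       */
      Debug ("Successful login\n");
      audit_login( b1_pwd, p ,dpyinfo.name,
                   "Successful login",
                   ES_LOGIN_REMOTE);

      return(VF_OK);
  }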
  517. /***************************************************************************
  518. *
  519. * WriteBtmp
  520. *
  521. * log bad login attempts
  522. *
  523. ***************************************************************************/
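  /*
   * WriteBtmp
   *
   * Log a bad login attempt to BTMP_FILE.  The file is opened without
   * O_CREAT, so attempts are recorded only where the file already exists.
   *
   * name  login name as typed.  This is unvalidated input and may be a
   *       mistyped password, so BTMP_FILE should not be world-readable.
   */
  static void
  WriteBtmp( char *name )
  {
      int fd;
      struct utmp utmp, *u;
      Boolean found = FALSE;

      if (name == NULL)
          name = "";

      bzero(&utmp, sizeof(struct utmp));

      /* look for the utmp entry that belongs to our parent process */
      utmp.ut_pid = getppid();

      while ((u = getutent()) != NULL) {
          if ( (u->ut_type == INIT_PROCESS  ||
                u->ut_type == LOGIN_PROCESS ||
                u->ut_type == USER_PROCESS) &&
               u->ut_pid == utmp.ut_pid ) {
              found = TRUE;
              break;
          }
      }

      /*
       * if no utmp entry, this may be an X-terminal. Construct a utmp
       * entry for it...
       */
      if ( ! found ) {
          strncpy(utmp.ut_id, "??", sizeof(utmp.ut_id));
          strncpy(utmp.ut_line, dpyinfo.name, sizeof(utmp.ut_line));
          utmp.ut_type = LOGIN_PROCESS;
          strncpy(utmp.ut_host, dpyinfo.name, sizeof(utmp.ut_host));
          u = &utmp;
      }

      /*
       * If btmp exists, then record the bad attempt
       */
      if ( (fd = open(BTMP_FILE,O_WRONLY|O_APPEND)) >= 0) {
          strncpy(u->ut_user, name, sizeof(u->ut_user));
          (void) time(&u->ut_time);

          /* a lost record is a gap in the audit trail: report it */
          if (write(fd, (char *)u, sizeof(utmp)) != (ssize_t) sizeof(utmp))
              Debug("WriteBtmp: could not record failed login\n");

          (void) close(fd);
      }

      endutent();     /* Close utmp file */
  }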
  563. /***************************************************************************
  564. *
  565. * VerifySensitivityLevel
  566. *
  567. * verify B1 Sensitivity Level
  568. **************************************************************************/
  extern char *sensitivityLevel;

  /*
   * VerifySensitivityLevel
   *
   * Read the B1 sensitivity level from the passwd_text field, store it in
   * sensitivityLevel and greet->b1security, and check it with
   * verify_user_seclevel() and verify_sec_xterm().
   *
   * Returns VF_OK when both checks accept the level, VF_BAD_SEN_LEVEL
   * otherwise.
   */
  int
  VerifySensitivityLevel( void)
  {
      int level_ok;

      sensitivityLevel = (char *) XmTextFieldGetString(passwd_text);
      greet->b1security = sensitivityLevel;

      /* new functions: (side effects: auditing, change verify) */
      level_ok = verify_user_seclevel(verify, sensitivityLevel)
                 && verify_sec_xterm(verify, sensitivityLevel);

      if (!level_ok) {
          Debug("verify_user_seclevel failed\n");
          return (VF_BAD_SEN_LEVEL);
      }

      Debug("verify_user_seclevel succeeded.\n");
      return VF_OK;
  }
  585. #ifdef NGROUPS
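  /*
   * groupMember
   *
   * Tell whether name appears in a NULL-terminated list of member names.
   *
   * name     user name to look for
   * members  NULL-terminated array of strings (e.g. gr_mem of a group)
   *
   * Returns 1 when name is in the list, 0 otherwise; a null name or a
   * null list is treated as "not a member".
   */
  int
  groupMember ( char *name, char **members )
  {
      if (name == NULL || members == NULL)
          return 0;

      for (; *members != NULL; ++members) {
          if (strcmp (name, *members) == 0)
              return 1;
      }
      return 0;
  }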
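  /*
   * getGroups
   *
   * Build the group list for a login in verify->groups[]: the primary gid
   * first, then the gid of every group database entry that lists name as
   * a member, without duplicates.  At most NGROUPS entries are stored;
   * further groups are reported with LogError() and left out.
   *
   * name    user name to look up in each group's member list
   * verify  receives groups[] and ngroups
   * gid     primary group id, stored as groups[0]
   *
   * Returns 0; the function used to rely on implicit int and returned no
   * value.
   */
  int
  getGroups ( char *name, struct verify_info *verify, int gid)
  {
      int ngroups = 0;
      struct group *g;
      int i;

      verify->groups[ngroups++] = gid;

      setgrent ();
      while ((g = getgrent()) != NULL) {
          /*
           * make the list unique
           */
          for (i = 0; i < ngroups; i++)
              if (verify->groups[i] == g->gr_gid)
                  break;
          if (i != ngroups)
              continue;

          if (groupMember (name, g->gr_mem)) {
              if (ngroups >= NGROUPS)
                  LogError ("%s belongs to more than %d groups, %s ignored\n",
                            name, NGROUPS, g->gr_name);
              else
                  verify->groups[ngroups++] = g->gr_gid;
          }
      }
      verify->ngroups = ngroups;
      endgrent ();

      return 0;
  }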
  623. #endif
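  /*
   * passwordExpired
   *
   * Check whether the password has expired or not.
   *
   * verify  verify->prpwd must point at the user's protected password
   *         entry; it is dereferenced without a null check.
   *
   * Returns 1 when the password has expired, 0 otherwise.  An account with
   * no encrypted password, or with no expiration set in either the user or
   * the system fields, never expires here.
   */
  int
  passwordExpired( struct verify_info *verify)
  {
      struct pr_passwd *pr = verify->prpwd;
      time_t expiration;
      time_t last_change;
      time_t expiration_time;
      time_t now;

      /*
       * If null password, do not check expiration.
       */
      if (!pr->uflg.fg_encrypt || (pr->ufld.fd_encrypt[0] == '\0'))
          return 0;

      /* time() takes a time_t *, not a long * */
      now = time(NULL);

      /* a password that was never changed counts as changed at time 0 */
      if (pr->uflg.fg_schange)
          last_change = pr->ufld.fd_schange;
      else
          last_change = (time_t) 0;

      /* the per-user expiration takes precedence over the system one */
      if (pr->uflg.fg_expire)
          expiration = pr->ufld.fd_expire;
      else if (pr->sflg.fg_expire)
          expiration = pr->sfld.fd_expire;
      else
          expiration = (time_t) 0;

      /*
       * The result was never used; the call is kept in case it has side
       * effects -- TODO confirm and drop it if it has none.
       */
      (void) getprdfnam(AUTH_DEFAULT);

      /*
       * A 0 or missing expiration field means there is no
       * expiration.
       */
      expiration_time = expiration ? last_change + expiration : 0;

      if (expiration_time && now > expiration_time ) {
          /*
           * The password has expired
           */
          Debug("The password is expired\n");
          return 1;
      }

      Debug("The password is not expired\n");
      return 0;
  }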
  673. /***************************************************************************
  674. *
  675. * end HP-UX authentication routines
  676. *
  677. ***************************************************************************/
  678. #endif /* BLS */