
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-298-gae30a


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-298-gae30a11
Date: Wed, 29 May 2013 15:14:47 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  ae30a115919812538838839f6cb2ecdf59017c3e (commit)
      from  d1d52cce92dd289b800ec922d77b0b4cd4c83fdc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ae30a115919812538838839f6cb2ecdf59017c3e


commit ae30a115919812538838839f6cb2ecdf59017c3e
Author: Mats Erik Andersson <address@hidden>
Date:   Mon May 27 23:51:28 2013 +0200

    rshd: Locked or expired accounts.

diff --git a/ChangeLog b/ChangeLog
index 2f4bac5..125b6aa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2013-05-27  Mats Erik Andersson  <address@hidden>
+
+       rshd: Check account locking and expiration.
+
+       * src/rshd.c [HAVE_SHADOW_H]: Include <shadow.h>.
+       (DAY) [!DAY]: New macro.
+       (doit): Multiple, minor changes to error strings.
+       [!WITH_PAM]: New checks of account being either
+       locked, or expired.  The code tests HAVE_GETSPNAM
+       and HAVE_STRUCT_PASSWD_PW_EXPIRE for system quirks.
+
 2013-05-22  Mats Erik Andersson  <address@hidden>
 
        libinetutils: Clarify Kerberos dependency.
diff --git a/src/rshd.c b/src/rshd.c
index cfad200..3cf6f22 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -129,6 +129,9 @@
 # include <sys/filio.h>
 #endif
 #include <pwd.h>
+#ifdef HAVE_SHADOW_H
+# include <shadow.h>
+#endif
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
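Review bot: The new include is guarded by `HAVE_SHADOW_H`, while the code that later uses `getspnam ()` and `struct spwd` is guarded by `HAVE_GETSPNAM` only, so a configuration that defines the second without the first would compile the shadow code without its declarations. Presumably configure defines both together on every supported platform, but nothing here enforces it; making the later block test `#if defined HAVE_GETSPNAM && defined HAVE_SHADOW_H`, or having configure define HAVE_GETSPNAM only when shadow.h was found, would close the gap.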
@@ -175,6 +178,10 @@
 # define MAX(a,b) (((a) > (b)) ? (a) : (b))
 #endif
 
+#ifndef DAY
+# define DAY (24 * 60 * 60)
+#endif
+
 int keepalive = 1;             /* flag for SO_KEEPALIVE scoket option */
 int check_all;
 int log_success;               /* If TRUE, log all successful accesses */
@@ -718,9 +725,9 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
            rc = getaddrinfo (hostname, NULL, &hints, &res);
            if (rc != 0)
              {
-               syslog (LOG_INFO, "Could not resolve address for %s",
+               syslog (LOG_INFO, "Could not resolve address for %s.",
                        hostname);
-               errorstr = "Could not resolve address for your host (%s)\n";
+               errorstr = "Could not resolve address for your host (%s).\n";
                hostname = addrstr;
              }
            else
@@ -743,9 +750,9 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
                if (ai == NULL)
                  {
                    syslog (LOG_NOTICE,
-                           "Host addr %s not listed for host %s",
+                           "Host addr %s not listed for host %s.",
                            addrstr, hostname);
-                   errorstr = "Host address mismatch for %s\n";
+                   errorstr = "Host address mismatch for %s.\n";
                    hostname = addrstr;
                  }
              }
@@ -779,7 +786,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
          {
            char *remotehost = alloca (strlen (hostname) + 1);
            if (!remotehost)
-             errorstr = "Out of memory\n";
+             errorstr = "Out of memory.\n";
            else
              {
                strcpy (remotehost, hostname);
@@ -788,9 +795,9 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
                if (hp == NULL)
                  {
                    syslog (LOG_INFO,
-                           "Couldn't look up address for %s", remotehost);
+                           "Couldn't look up address for %s.", remotehost);
                    errorstr =
-                     "Couldn't look up address for your host (%s)\n";
+                     "Couldn't look up address for your host (%s).\n";
                    hostname = addrstr;
                  }
                else
@@ -799,9 +806,9 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
                      if (hp->h_addr_list[0] == NULL)
                        {
                          syslog (LOG_NOTICE,
-                                 "Host addr %s not listed for host %s",
+                                 "Host addr %s not listed for host %s.",
                                  addrstr, hp->h_name);
-                         errorstr = "Host address mismatch for %s\n";
+                         errorstr = "Host address mismatch for %s.\n";
                          hostname = addrstr;
                          break;
                        }
@@ -1186,6 +1193,8 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
       goto fail;
     }
 
+  /* Checks existence of account, and more.
+   */
   pam_rc = pam_authenticate (pam_handle, PAM_SILENT);
   if (pam_rc != PAM_SUCCESS)
     {
@@ -1208,6 +1217,8 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
        }
     }
 
+  /* Checks expiration of account, and more.
+   */
   pam_rc = pam_acct_mgmt (pam_handle, PAM_SILENT);
   if (pam_rc != PAM_SUCCESS)
     {
@@ -1229,7 +1240,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
        case PAM_PERM_DENIED:
        case PAM_USER_UNKNOWN:
        default:
-         errorstr = "Permission denied.";
+         errorstr = "Permission denied.\n";
          goto fail;
          break;
        }
@@ -1260,19 +1271,115 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
       errorstr = "Login incorrect.\n";
       goto fail;
     }
-#endif /* WITH_PAM */
+#else /* !WITH_PAM */
+  /*
+   * The account exists by a previous call to getpwnam().
+   * Is the account locked, or has it expired?
+   */
+  {
+    time_t now;
+
+# ifdef HAVE_GETSPNAM
+    struct spwd *spwd;
+
+    /*
+     * GNU/Linux, Solaris
+     *
+     * Locked account?
+     */
+    spwd = getspnam (pwd->pw_name);
+    if (!spwd)
+      {
+       syslog (LOG_ERR | LOG_AUTH, "No access to encrypted password.");
+       if (errorstr == NULL)
+         errorstr = "Login incorrect.\n";
+       goto fail;
+      }
+    else
+      {
+       /* Locked accounts have their passwords prefixed with a blocker.  */
+       if (!strncmp ("!", spwd->sp_pwdp, strlen ("!"))
+           || !strncmp ("*LK*", spwd->sp_pwdp, strlen ("*OK*")))
+         {
+           syslog (LOG_INFO | LOG_AUTH,
+                   "address@hidden as %s: account is locked. cmd='%.80s'",
+                   remuser, hostname, locuser, cmdbuf);
+           if (errorstr == NULL)
+             errorstr = "Permission denied.\n";
+           goto fail;
+         }
+      }
 
-#if defined WITH_IRUSEROK_AF && !defined WITH_PAM
-    switch (fromp->sa_family)
+    /*
+     * Expired account?
+     */
+    time (&now);
+    if (spwd->sp_expire > 0)
       {
-      case AF_INET6:
-       fromaddrp = (void *) &((struct sockaddr_in6 *) fromp)->sin6_addr;
-       break;
-      case AF_INET:
-      default:
-       fromaddrp = (void *) &((struct sockaddr_in *) fromp)->sin_addr;
+       time_t end_acct = DAY * spwd->sp_expire;
+
+       if (difftime (now, end_acct) > 0)
+         {
+           syslog (LOG_INFO | LOG_AUTH,
+                   "address@hidden as %s: account is expired. cmd='%.80s'",
+                   remuser, hostname, locuser, cmdbuf);
+           if (errorstr == NULL)
+             errorstr = "Permission denied.\n";
+           goto fail;
+         }
       }
-#endif
+# else /* !HAVE_GETSPNAM */
+    /*
+     * BSD systems.
+     *
+     * Locked account?
+     */
+    if (!strncmp ("*LOCKED*", pwd->pw_passwd, strlen ("*LOCKED*")))
+      {
+       syslog (LOG_INFO | LOG_AUTH,
+               "address@hidden as %s: account is locked. cmd='%.80s'",
+               remuser, hostname, locuser, cmdbuf);
+       if (errorstr == NULL)
+         errorstr = "Permission denied.\n";
+       goto fail;
+      }
+
+    /*
+     * Expired account?
+     */
+#  ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE
+    time (&now);
+
+    /*
+     * Negative `pw_expire' indicates on NetBSD
+     * an immediate need for change of password.
+     */
+    if (((pwd->pw_expire > 0) && (difftime (now, pwd->pw_expire) > 0))
+       || (pwd->pw_expire < 0))
+      {
+       syslog (LOG_INFO | LOG_AUTH,
+               "address@hidden as %s: account is expired. cmd='%.80s'",
+               remuser, hostname, locuser, cmdbuf);
+       if (errorstr == NULL)
+         errorstr = "Permission denied.\n";
+       goto fail;
+      }
+#  endif /* HAVE_STRUCT_PASSWD_PW_EXPIRE */
+# endif /* !HAVE_GETSPNAM */
+  }
+
+#if defined WITH_IRUSEROK_AF
+  switch (fromp->sa_family)
+    {
+    case AF_INET6:
+      fromaddrp = (void *) &((struct sockaddr_in6 *) fromp)->sin6_addr;
+      break;
+    case AF_INET:
+    default:
+      fromaddrp = (void *) &((struct sockaddr_in *) fromp)->sin_addr;
+    }
+# endif /* !WITH_IRUSEROK_AF */
+#endif /* !WITH_PAM */
 
 #ifdef KRB4
   if (use_kerberos)
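Review bot: The second lock test takes its length from a different literal, `strlen ("*OK*")`, which only works because `*LK*` and `*OK*` happen to be the same length; it should read `|| !strncmp ("*LK*", spwd->sp_pwdp, strlen ("*LK*")))`, or both prefixes should come from one small table so the marker and its length cannot drift apart. In the expiry test `DAY * spwd->sp_expire` multiplies a `long` day count by an `int` before the result is stored in a `time_t`, so on a platform where `long` is 32-bit the product overflows for expiry dates from early 2038 onward; comparing day counts instead, `now / DAY >= spwd->sp_expire`, keeps the arithmetic in range at the cost of a one-second difference at the boundary. Only `sp_pwdp` and `sp_expire` are consulted, so password-aging fields such as `sp_max` and `sp_inact` do not refuse access here, which may be deliberate since rsh never exchanges a password, and a one-line comment saying so would spare the next reader the question. The closing `# endif /* !WITH_IRUSEROK_AF */` names the negation of the `#if defined WITH_IRUSEROK_AF` it closes and is indented as if nested; `#endif /* WITH_IRUSEROK_AF */` at column 0 matches the opening directive. The enclosing doit () begins and ends outside this hunk.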

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog  |   11 +++++
 src/rshd.c |  147 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 138 insertions(+), 20 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


