Esempio n. 1
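/*
 * Do authentication via AIX's authenticate routine.  We loop until the
 * reenter parameter is 0, but normally authenticate is called only once.
 *
 * Note: this function returns 1 on success, whereas AIX's authenticate()
 * returns 0.
 *
 * ctxt->pw->pw_name is the account being checked.  On success, any text
 * passwdexpired() hands back is appended to ctxt->loginmsg and, when the
 * password has expired, ctxt->force_pwchange is set so the caller forces
 * a change.  The message buffers returned by authenticate() and
 * passwdexpired() are released here on every path.
 */
int
sys_auth_passwd(Authctxt *ctxt, const char *password)
{
	char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
	int authsuccess = 0, expired, reenter, result;

	do {
		result = authenticate((char *)name, (char *)password, &reenter,
		    &authmsg);
		/* Newlines are stripped only for logging; %.100s bounds it. */
		aix_remove_embedded_newlines(authmsg);
		debug3("AIX/authenticate result %d, authmsg %.100s", result,
		    authmsg);
	} while (reenter);

	/*
	 * Even a successful authenticate() is rejected unless
	 * aix_valid_authentications() accepts it for this user
	 * (presumably a check of which auth methods were actually used).
	 */
	if (!aix_valid_authentications(name))
		result = -1;

	if (result == 0) {
		authsuccess = 1;

		/*
		 * Record successful login.  We don't have a pty yet, so just
		 * label the line as "ssh"
		 */
		aix_setauthdb(name);

		/*
		 * Check if the user's password is expired.  The message is
		 * appended to loginmsg as AIX produced it (newlines intact)
		 * and only the copy used for logging is flattened.
		 */
		expired = passwdexpired(name, &msg);
		if (msg && *msg) {
			buffer_append(ctxt->loginmsg, msg, strlen(msg));
			aix_remove_embedded_newlines(msg);
		}
		debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);

		switch (expired) {
		case 0: /* password not expired */
			break;
		case 1: /* expired, password change required */
			ctxt->force_pwchange = 1;
			break;
		default: /* user can't change(2) or other error (-1) */
			logit("Password can't be changed for user %s: %.100s",
			    name, msg);
			authsuccess = 0;
		}

		/*
		 * Previously msg was only released on the error branch of the
		 * switch and leaked for the 0 and 1 cases; free it on every
		 * path.  The guard is kept because the existing authmsg
		 * cleanup below also avoids handing xfree() a NULL.
		 */
		if (msg != NULL)
			xfree(msg);

		aix_restoreauthdb();
	}

	if (authmsg != NULL)
		xfree(authmsg);

	return authsuccess;
}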
Esempio n. 2
  if (loginrestrictions(cmd->argv[0], mode, NULL, &reason) != 0) {
    PRIVS_RELINQUISH

    if (reason &&
        *reason) {
      pr_log_auth(LOG_WARNING, "login restricted for user '%s': %.100s",
        cmd->argv[0], reason);
    }

    pr_log_debug(DEBUG2, "AIX loginrestrictions() failed for user '%s': %s",
      cmd->argv[0], strerror(errno));

    return PR_ERROR_INT(cmd, PR_AUTH_DISABLEDPWD);
  }

  code = passwdexpired(cmd->argv[0], &reason);
  PRIVS_RELINQUISH

  switch (code) {
    case 0:
      /* Password not expired for user */
      break;

    case 1:
      /* Password expired and needs to be changed */
      pr_log_auth(LOG_WARNING, "password expired for user '%s': %.100s",
        cmd->argv[0], reason);
      return PR_ERROR_INT(cmd, PR_AUTH_AGEPWD);

    case 2:
      /* Password expired, requires sysadmin to change it */
Esempio n. 3
/*
 * Verify a user for display d.  If username is NULL the greeter is asked
 * for a login name (and the flow can come back here via the
 * authenticate_again label); the password is then prompted for, checked
 * against the shadow/passwd hash with crypt(), and the root-login and
 * account-disabled policies are applied.  Returns a newly allocated login
 * name the caller owns, or NULL on any failure (the greeter has already
 * been told why).  allow_retry is not referenced in this body.
 *
 * NOTE(review): this copy of the listing is damaged around the
 * MDM_PROMPT and MDM_NOECHO calls below (the text between the prompt and
 * its interruption check is missing), so those spots cannot be read as
 * written here; check against the original source.
 */
gchar *
mdm_verify_user (MdmDisplay *d,
		 const char *username,
		 gboolean allow_retry)
{
	gchar *login, *passwd, *ppasswd;
	struct passwd *pwent;
	struct spwd *sp;
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)	\
	|| defined (HAVE_LOGINRESTRICTIONS)
	/* Message buffer filled by loginrestrictions()/chpass(); freed with
	   free()/g_free() respectively below. */
	gchar *message = NULL;
#endif
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
	gchar *info_msg = NULL, *response = NULL;
	gint reEnter, ret;
#endif

	/* Timed login: start the greeter's countdown while we prompt. */
	if (d->attached && d->timed_login_ok)
		mdm_slave_greeter_ctl_no_ret (MDM_STARTTIMER, "");

	if (username == NULL) {
	/* Jumped back to from below when the user declines to log in; the
	   label sits inside this if-body, which is legal but easy to miss. */
	authenticate_again:
		/* Ask for the user's login */
		mdm_verify_select_user (NULL);
		mdm_slave_greeter_ctl_no_ret (MDM_MSG, _("Please enter your username"));
		login = mdm_slave_greeter_ctl (MDM_PROMPT, _("Username:"******"");
				g_free (login);
				return NULL;
			}
		}
		mdm_slave_greeter_ctl_no_ret (MDM_MSG, "");

		if (mdm_daemon_config_get_value_bool (MDM_KEY_DISPLAY_LAST_LOGIN)) {
			char *info = mdm_get_last_info (login);
			mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, info);
			g_free (info);
		}
	} else {
		login = g_strdup (username);
	}
	mdm_slave_greeter_ctl_no_ret (MDM_SETLOGIN, login);

	/* getpwnam() returns a pointer to static storage; nothing to free. */
	pwent = getpwnam (login);

	/* Reading the shadow entry normally requires privilege. */
	setspent ();

	/* Lookup shadow password */
	sp = getspnam (login);

	/* Use shadow password when available */
	if (sp != NULL) {
		ppasswd = g_strdup (sp->sp_pwdp);
	} else {
		/* In case shadow password cannot be retrieved (when using NIS
		   authentication for example), use standard passwd */
		if (pwent != NULL &&
		    pwent->pw_passwd != NULL)
			ppasswd = g_strdup (pwent->pw_passwd);
		else
			/* If no password can be retrieved, set it to NULL */
			ppasswd = NULL;
	}

	endspent ();

	/* Request the user's password */
	if (pwent != NULL &&
	    ve_string_empty (ppasswd)) {
		/* eeek a passwordless account */
		passwd = g_strdup ("");
	} else {
		passwd = mdm_slave_greeter_ctl (MDM_NOECHO, _("Password:"******"");
		if (mdm_slave_greeter_check_interruption ()) {
			if (d->attached)
				mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");
			g_free (login);
			g_free (passwd);
			g_free (ppasswd);
			return NULL;
		}
	}

	if (d->attached)
		mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");

	/* Unknown account: same delay and same error box as a wrong
	   password, so the two are not distinguishable from the greeter. */
	if (pwent == NULL) {
		mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
		mdm_debug ("Couldn't authenticate user");

		print_cant_auth_errbox ();

		g_free (login);
		g_free (passwd);
		g_free (ppasswd);
		return NULL;
	}

	/* Check whether password is valid */
	/* An empty stored hash (ppasswd[0] == '\0') is accepted without
	   calling crypt() -- that is the passwordless-account case above.
	   NOTE(review): crypt() can return NULL (e.g. an unsupported hash
	   format); strcmp() would then dereference it.  Store the result and
	   treat NULL as a failed check. */
	if (ppasswd == NULL || (ppasswd[0] != '\0' &&
				strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
		/* Configured retry delay slows down password guessing. */
		mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
		mdm_debug ("Couldn't authenticate user");

		print_cant_auth_errbox ();

		g_free (login);
		g_free (passwd);
		g_free (ppasswd);
		return NULL;
	}

	/* Root policy: uid 0 is refused when root login is disabled
	   outright, or when the display is not attached and remote root
	   login is disabled. */
	if (( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_ROOT) ||
	    ( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_REMOTE_ROOT) &&
              ! d->attached)) && pwent->pw_uid == 0) {

		mdm_debug ("Root login disallowed on display '%s'", d->name);
		mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
					      _("The system administrator "
						"is not allowed to login "
						"from this screen"));
		/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
		  _("Root login disallowed"));*/
		g_free (login);
		g_free (passwd);
		g_free (ppasswd);
		return NULL;
	}

#ifdef HAVE_LOGINRESTRICTIONS

	/* Check with the 'loginrestrictions' function
	   if the user has been disallowed */
	if (loginrestrictions (login, 0, NULL, &message) != 0) {
		mdm_debug ("User not allowed to log in");
		mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
					      _("\nThe system administrator "
						"has disabled your "
						"account."));
		g_free (login);
		g_free (passwd);
		g_free (ppasswd);
		/* message comes from libc, hence free() rather than g_free() */
		if (message != NULL)
			free (message);
		return NULL;
	}

	if (message != NULL)
		free (message);
	message = NULL;

#else /* ! HAVE_LOGINRESTRICTIONS */

	/* check for the standard method of disallowing users */
	if (pwent->pw_shell != NULL &&
	    (strcmp (pwent->pw_shell, NOLOGIN) == 0 ||
	     strcmp (pwent->pw_shell, "/bin/true") == 0 ||
	     strcmp (pwent->pw_shell, "/bin/false") == 0)) {
		mdm_debug ("User not allowed to log in");
		mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
					      _("\nThe system administrator "
						"has disabled your "
						"account."));
		/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
		  _("Login disabled"));*/
		g_free (login);
		g_free (passwd);
		g_free (ppasswd);
		return NULL;
	}

#endif /* HAVE_LOGINRESTRICTIONS */

	/* Password and hash are no longer needed from here on.
	   NOTE(review): g_free() does not scrub; the cleartext password
	   stays in freed heap memory.  Consider zeroing passwd before it
	   is released. */
	g_free (passwd);
	g_free (ppasswd);

	/* User declined at the confirmation step: drop the name and prompt
	   again (passwd/ppasswd are already released, so nothing leaks). */
	if ( ! mdm_slave_check_user_wants_to_log_in (login)) {
		g_free (login);
		login = NULL;
		goto authenticate_again;
	}

	if ( ! mdm_setup_gids (login, pwent->pw_gid)) {
		mdm_debug ("Cannot set user group");
		mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
					      _("\nCannot set your user group; "
						"you will not be able to log in. "
						"Please contact your system administrator."));
		g_free (login);
		return NULL;
	}

#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)

	/* Password ageing: 1 = must change now, 2 = only an administrator
	   can change it, -1 = error, anything else = not expired. */
	switch (passwdexpired (login, &info_msg)) {
	case 1 :
		mdm_debug ("User password has expired");
		mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
					_("You are required to change your password.\n"
					  "Please choose a new one."));
		g_free (info_msg);

		/* Drive chpass() as a prompt/response loop: each message it
		   asks for is answered via the greeter until it stops
		   re-entering (ret == 0 with reEnter == 0) or fails. */
		do {
			ret = chpass (login, response, &reEnter, &message);
			/* NOTE(review): response is freed here but not reset to
			   NULL; if this iteration does not reassign it below and
			   the loop continues, the next chpass() call receives a
			   dangling pointer. */
			g_free (response);

			if (ret != 1) {
				if (ret != 0) {
					mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
								      _("\nCannot change your password; "
									"you will not be able to log in. "
									"Please try again later or contact "
									"your system administrator."));
				} else if ((reEnter != 0) && (message)) {
					response = mdm_slave_greeter_ctl (MDM_NOECHO, message);
					if (response == NULL)
						response = g_strdup ("");
				}
			}

			g_free (message);
			message = NULL;

		} while ( ((reEnter != 0) && (ret == 0))
			  || (ret ==1) );

		/* NOTE(review): when the loop exited without reassigning
		   response (error path, or reEnter set with no message), this
		   frees it a second time.  Setting response = NULL right after
		   the g_free inside the loop would fix both issues.  message is
		   always NULL here, so its g_free is a no-op. */
		g_free (response);
		g_free (message);

		/* NOTE(review): login is not released on this early return
		   (nor on the case 2 / case -1 returns below); other failure
		   paths in this function do g_free (login). */
		if ((ret != 0) || (reEnter != 0)) {
			return NULL;
		}

#if defined (CAN_CLEAR_ADMCHG)
		/* The password is changed by root, clear the ADM_CHG
		   flag in the passwd file */
		/* NOTE(review): upwd is not declared among this function's
		   visible locals; presumably declared at file scope under the
		   same macro -- confirm, or this branch will not compile. */
		ret = setpwdb (S_READ | S_WRITE);
		if (!ret) {
			upwd = getuserpw (login);
			if (upwd == NULL) {
				ret = -1;
			}
			else {
				upwd->upw_flags &= ~PW_ADMCHG;
				ret = putuserpw (upwd);
				if (!ret) {
					ret = endpwdb ();
				}
			}
		}

		if (ret) {
			mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
						_("Your password has been changed but "
						  "you may have to change it again. "
						  "Please try again later or contact "
						  "your system administrator."));
		}

#else /* !CAN_CLEAR_ADMCHG */
		mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
					_("Your password has been changed but you "
					  "may have to change it again. Please try again "
					  "later or contact your system administrator."));

#endif /* CAN_CLEAR_ADMCHG */

		break;

	case 2 :
		mdm_debug ("User password has expired");
		mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
					_("Your password has expired.\n"
					  "Only a system administrator can now change it"));
		g_free (info_msg);
		return NULL;
		break; /* unreachable after the return */

	case -1 :
		mdm_debug ("Internal error on passwdexpired");
		mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
					_("An internal error occurred. You will not be able to log in.\n"
					  "Please try again later or contact your system administrator."));
		g_free (info_msg);
		return NULL;
		break; /* unreachable after the return */

	default :
		g_free (info_msg);
		break;
	}

#endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */

	/* Ownership of login passes to the caller. */
	return login;
}