char *
xcrypt(const char *password, const char *salt)
{
char *crypted;
/*
* If we don't have a salt we are encrypting a fake password for
* for timing purposes. Pick an appropriate salt.
*/
if (salt == NULL)
salt = pick_salt();
# ifdef HAVE_MD5_PASSWORDS
if (is_md5_salt(salt))
crypted = md5_crypt(password, salt);
else
crypted = crypt(password, salt);
# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec())
crypted = bigcrypt(password, salt);
else
crypted = crypt(password, salt);
# elif defined(HAVE_SECUREWARE)
crypted = bigcrypt(password, salt);
# else
crypted = crypt(password, salt);
# endif
return crypted;
}
/*
* Checks password expiry for platforms that use shadow passwd files.
* Returns: 1 = password expired, 0 = password not expired
*/
int
auth_shadow_pwexpired(Authctxt *ctxt)
{
struct spwd *spw = NULL;
const char *user = ctxt->pw->pw_name;
char buf[256];
time_t today;
int daysleft, disabled = 0;
if ((spw = getspnam((char *)user)) == NULL) {
error("Could not get shadow information for %.100s", user);
return 0;
}
today = time(NULL) / DAY;
debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
(int)spw->sp_lstchg, (int)spw->sp_max);
#if defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec()) {
struct pr_passwd *pr;
pr = getprpwnam((char *)user);
/* Test for Trusted Mode expiry disabled */
if (pr != NULL && pr->ufld.fd_min == 0 &&
pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 &&
pr->ufld.fd_pw_expire_warning == 0 &&
pr->ufld.fd_schange != 0)
disabled = 1;
}
#endif
/* TODO: check sp_inact */
daysleft = spw->sp_lstchg + spw->sp_max - today;
if (disabled) {
debug3("password expiration disabled");
} else if (spw->sp_lstchg == 0) {
logit("User %.100s password has expired (root forced)", user);
return 1;
} else if (spw->sp_max == -1) {
debug3("password expiration disabled");
} else if (daysleft < 0) {
logit("User %.100s password has expired (password aged)", user);
return 1;
} else if (daysleft <= spw->sp_warn) {
debug3("password will expire in %d days", daysleft);
snprintf(buf, sizeof(buf),
"Your password will expire in %d day%s.\n", daysleft,
daysleft == 1 ? "" : "s");
buffer_append(&loginmsg, buf, strlen(buf));
}
return 0;
}
static char *_get_pw_info(pool *p, const char *u, time_t *lstchg, time_t *min,
time_t *max, time_t *warn, time_t *inact, time_t *expire) {
char *cpw = NULL;
#if defined(HAVE_GETPRPWENT) || defined(COMSEC)
struct pr_passwd *prpw;
#endif
#if !defined(HAVE_GETPRPWENT) || defined(COMSEC)
struct passwd *pw;
#endif
/* Some platforms (i.e. BSD) provide "transparent" shadowing, which
* requires that we are root in order to have the password member
* filled in.
*/
PRIVS_ROOT
#if !defined(HAVE_GETPRPWENT) || defined(COMSEC)
# ifdef COMSEC
if (!iscomsec()) {
# endif /* COMSEC */
endpwent();
#if defined(BSDI3) || defined(BSDI4)
/* endpwent() seems to be buggy on BSDI3.1 (is this true for 4.0?)
* setpassent(0) _seems_ to do the same thing, however this conflicts
* with the man page documented behavior. Argh, why do all the bsds
* have to be different in this area (except OpenBSD, grin).
*/
setpassent(0);
#else /* BSDI3 || BSDI4 */
setpwent();
#endif /* BSDI3 || BSDI4 */
pw = getpwnam(u);
if (pw) {
cpw = pstrdup(p, pw->pw_passwd);
if (lstchg)
*lstchg = (time_t) -1;
if (min)
*min = (time_t) -1;
if (max)
*max = (time_t) -1;
if (warn)
*warn = (time_t) -1;
if (inact)
*inact = (time_t) -1;
if (expire)
*expire = (time_t) -1;
}
endpwent();
#ifdef COMSEC
} else {
#endif /* COMSEC */
#endif /* !HAVE_GETPRWENT or COMSEC */
#if defined(HAVE_GETPRPWENT) || defined(COMSEC)
endprpwent();
setprpwent();
prpw = getprpwnam((char *) u);
if (prpw) {
cpw = pstrdup(p, prpw->ufld.fd_encrypt);
if (lstchg)
*lstchg = (time_t) -1;
if (min)
*min = prpw->ufld.fd_min;
if (max)
*max = (time_t) -1;
if (warn)
*warn = (time_t) -1;
if (inact)
*inact = (time_t) -1;
if (expire)
*expire = prpw->ufld.fd_expire;
}
endprpwent();
#ifdef COMSEC
}
#endif /* COMSEC */
#endif /* HAVE_GETPRPWENT or COMSEC */
PRIVS_RELINQUISH
#if defined(BSDI3) || defined(BSDI4)
setpassent(1);
#endif
return cpw;
}
