/*
 * Hash a cleartext password with whichever crypt(3)-style routine this
 * build was configured for, and hand back that routine's result unchanged.
 *
 * password: cleartext to hash.
 * salt:     salt (or stored hash) passed through to the hashing routine;
 *           when NULL, one is obtained from pick_salt().
 *
 * The result is not validated here. crypt(3) is allowed to return NULL on
 * failure, so callers must test the pointer before comparing it with a
 * stored hash.
 */
char *
xcrypt(const char *password, const char *salt)
{
	/*
	 * A NULL salt means the caller is hashing a fake password purely
	 * for timing purposes; pick_salt() chooses an appropriate salt for
	 * that case.
	 */
	if (salt == NULL)
		salt = pick_salt();

#if defined(HAVE_MD5_PASSWORDS)
	/* MD5-style salts go to the bundled MD5 routine, the rest to crypt(). */
	return is_md5_salt(salt) ? md5_crypt(password, salt)
	    : crypt(password, salt);
#elif defined(__hpux) && !defined(HAVE_SECUREWARE)
	/* HP-UX: bigcrypt() is used only when iscomsec() reports true. */
	return iscomsec() ? bigcrypt(password, salt) : crypt(password, salt);
#elif defined(HAVE_SECUREWARE)
	return bigcrypt(password, salt);
#else
	return crypt(password, salt);
#endif
}
/*
 * Password-aging check for platforms that use shadow passwd files.
 *
 * Returns 1 when the password of ctxt->pw->pw_name has expired and 0 when
 * it has not. A failed shadow lookup is logged and also reported as 0, so
 * this function on its own does not refuse a login when the shadow entry
 * cannot be read. When the password is inside its warning period a notice
 * for the user is appended to loginmsg.
 *
 * Only sp_lstchg, sp_max and sp_warn are evaluated; sp_inact is not (see
 * the TODO below).
 */
int
auth_shadow_pwexpired(Authctxt *ctxt)
{
	const char *login = ctxt->pw->pw_name;
	struct spwd *shadow;
	char notice[256];
	time_t now_days;
	int remaining;
	int aging_off = 0;

	shadow = getspnam((char *)login);
	if (shadow == NULL) {
		error("Could not get shadow information for %.100s", login);
		return 0;
	}

	/* Shadow aging fields count days, so convert the clock to days too. */
	now_days = time(NULL) / DAY;
	debug3("%s: today %d sp_lstchg %d sp_max %d", __func__,
	    (int)now_days, (int)shadow->sp_lstchg, (int)shadow->sp_max);

#if defined(__hpux) && !defined(HAVE_SECUREWARE)
	if (iscomsec()) {
		struct pr_passwd *prot = getprpwnam((char *)login);

		/* Trusted Mode: this field combination means expiry is disabled. */
		if (prot != NULL &&
		    prot->ufld.fd_min == 0 &&
		    prot->ufld.fd_lifetime == 0 &&
		    prot->ufld.fd_expire == 0 &&
		    prot->ufld.fd_pw_expire_warning == 0 &&
		    prot->ufld.fd_schange != 0)
			aging_off = 1;
	}
#endif

	/* TODO: check sp_inact */
	remaining = shadow->sp_lstchg + shadow->sp_max - now_days;

	/* The order of the checks below decides which verdict wins. */
	if (aging_off) {
		debug3("password expiration disabled");
		return 0;
	}

	/* A last-change value of 0 is treated as a forced change. */
	if (shadow->sp_lstchg == 0) {
		logit("User %.100s password has expired (root forced)", login);
		return 1;
	}

	/* A maximum age of -1 switches aging off for this account. */
	if (shadow->sp_max == -1) {
		debug3("password expiration disabled");
		return 0;
	}

	if (remaining < 0) {
		logit("User %.100s password has expired (password aged)",
		    login);
		return 1;
	}

	if (remaining <= shadow->sp_warn) {
		debug3("password will expire in %d days", remaining);
		snprintf(notice, sizeof(notice),
		    "Your password will expire in %d day%s.\n",
		    remaining, remaining == 1 ? "" : "s");
		buffer_append(&loginmsg, notice, strlen(notice));
	}

	return 0;
}
/* Look up user `u` and return a copy of the account's stored password
 * field, duplicated with pstrdup() using pool `p`.
 *
 * Each of lstchg, min, max, warn, inact and expire may be NULL; a non-NULL
 * one is written only when the lookup succeeds. The passwd path sets all
 * six to (time_t) -1. The protected-password path fills `min` and `expire`
 * from fd_min and fd_expire and sets the other four to (time_t) -1.
 *
 * Returns NULL when no entry is found for `u`.
 *
 * The lookups run between PRIVS_ROOT and PRIVS_RELINQUISH. The returned
 * string comes from pw_passwd or fd_encrypt, so treat it as credential
 * material -- NOTE(review): its lifetime presumably follows pool `p`;
 * confirm how callers dispose of it.
 */
static char *_get_pw_info(pool *p, const char *u, time_t *lstchg, time_t *min, time_t *max, time_t *warn, time_t *inact, time_t *expire) {
  char *cpw = NULL;
#if defined(HAVE_GETPRPWENT) || defined(COMSEC)
  struct pr_passwd *prpw;
#endif
#if !defined(HAVE_GETPRPWENT) || defined(COMSEC)
  struct passwd *pw;
#endif

  /* Some platforms (i.e. BSD) provide "transparent" shadowing, which
   * requires that we are root in order to have the password member
   * filled in.
   */
  PRIVS_ROOT

#if !defined(HAVE_GETPRPWENT) || defined(COMSEC)
  /* With COMSEC defined, iscomsec() chooses at run time between the passwd
   * lookup (this branch) and the protected-password lookup (the else
   * branch further down). Without COMSEC only one of the two is compiled.
   */
# ifdef COMSEC
  if (!iscomsec()) {
# endif /* COMSEC */
    /* Close and reopen the passwd database before the lookup. */
    endpwent();
#if defined(BSDI3) || defined(BSDI4)
    /* endpwent() seems to be buggy on BSDI3.1 (is this true for 4.0?)
     * setpassent(0) _seems_ to do the same thing, however this conflicts
     * with the man page documented behavior. Argh, why do all the bsds
     * have to be different in this area (except OpenBSD, grin).
     */
    setpassent(0);
#else /* BSDI3 || BSDI4 */
    setpwent();
#endif /* BSDI3 || BSDI4 */
    pw = getpwnam(u);
    if (pw) {
      /* Duplicate the field before the database is closed again below. */
      cpw = pstrdup(p, pw->pw_passwd);
      /* struct passwd carries no aging data: report every field as -1. */
      if (lstchg) *lstchg = (time_t) -1;
      if (min) *min = (time_t) -1;
      if (max) *max = (time_t) -1;
      if (warn) *warn = (time_t) -1;
      if (inact) *inact = (time_t) -1;
      if (expire) *expire = (time_t) -1;
    }
    endpwent();
#ifdef COMSEC
  } else {
#endif /* COMSEC */
#endif /* !HAVE_GETPRPWENT or COMSEC */
#if defined(HAVE_GETPRPWENT) || defined(COMSEC)
    /* Protected-password database lookup. */
    endprpwent();
    setprpwent();
    prpw = getprpwnam((char *) u);
    if (prpw) {
      cpw = pstrdup(p, prpw->ufld.fd_encrypt);
      /* Only fd_min and fd_expire are passed on; the rest report -1. */
      if (lstchg) *lstchg = (time_t) -1;
      if (min) *min = prpw->ufld.fd_min;
      if (max) *max = (time_t) -1;
      if (warn) *warn = (time_t) -1;
      if (inact) *inact = (time_t) -1;
      if (expire) *expire = prpw->ufld.fd_expire;
    }
    endprpwent();
#ifdef COMSEC
  }
#endif /* COMSEC */
#endif /* HAVE_GETPRPWENT or COMSEC */

  /* End of the privileged section that PRIVS_ROOT opened above. */
  PRIVS_RELINQUISH
#if defined(BSDI3) || defined(BSDI4)
  /* BSDI only: counterpart of the setpassent(0) call made above. */
  setpassent(1);
#endif
  return cpw;
}