Subject: pkg/5917: ssh does not check pw_change or pw_expire
To: None <gnats-bugs@gnats.netbsd.org>
From: Jarkko Torppa <torppa@staff.megabaud.fi>
List: netbsd-bugs
Date: 08/06/1998 00:48:21
>Number: 5917
>Category: pkg
>Synopsis: ssh does not check pw_change or pw_expire
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Aug 5 14:50:01 1998
>Last-Modified:
>Originator: Jarkko Torppa
>Organization:
Dis
>Release: 1998-08-06 pkgsrc
>Environment:
System: NetBSD polykoira.megabaud.fi 1.3.2 NetBSD 1.3.2 (POLYKOIRA) #3: Tue Jun 16 13:09:59 EEST 1998 torppa@walrus.megabaud.fi:/usr/src/sys/arch/i386/compile/POLYKOIRA i386
>Description:
ssh does not check pw_change or pw_expire; in the distribution
there is a routine for BSDi and FreeBSD (essentially the same).
There are probably many similar cases in the pkgs.
>How-To-Repeat:
build and install ssh from pkgsrc
change the account to expired
log on with ssh
>Fix:
This fix is correct because:
- it is put in the place where comments say that such things should be.
- it alerts the user to expired passwords and accounts similarly to
what the HPUX code just below it does
This fix is incorrect because:
- There is no clear indication for user what is happening
- When the client is run in verbose mode, the change/expiration status
is shown before the authentication check has passed
Not reported to the ssh maintainers, because I'm really not sure
whether checking BSD4_4 is the right way, and because of what is stated above.
--- sshd.c.orig Wed Aug 5 21:35:31 1998
+++ sshd.c Wed Aug 5 23:52:17 1998
@@ -1736,55 +1736,59 @@
endspent();
}
#endif /* HAVE_ETC_SHADOW */
-#ifdef __FreeBSD__
- {
+/* Net2,BSD4.4,BSD/OS,NetBSD,FreeBSD and OpenBSD all define BSD4_4
+ man passwd(5) says that format has changed since BSD4.3
+ */
+#ifdef BSD4_4
+ if(pwd->pw_change || pwd->pw_expire) {
time_t currtime;
-
- if (pwd->pw_change || pwd->pw_expire)
- currtime = time(NULL);
-
+ currtime = time(NULL);
/*
* Check for an expired password
*/
- if (pwd->pw_change && pwd->pw_change <= currtime)
- {
- debug("Account %.100s's password is too old - forced to change.",
- user);
- if (options.forced_passwd_change)
- {
- forced_command = xmalloc(sizeof(PASSWD_PATH) + strlen(user) + 1);
- sprintf(forced_command, "%s %s", PASSWD_PATH, user);
- }
- else
- {
- return 0;
- }
- }
- else
+
+ if (pwd->pw_change)
{
- if (pwd->pw_change)
+ /* PASSWD_CHGNOW seems to be -1 for now but... */
+ if (
+#if defined(PASSWD_CHGNOW) && PASSWD_CHGNOW > 0
+ pwd->pw_change == PASSWD_CHGNOW ||
+#endif
+ pwd->pw_change <= currtime)
{
- days_before_password_expires = (pwd->pw_change - currtime) / 86400;
+ packet_send_debug("Password has expired");
+ if(options.forced_passwd_change)
+ {
+ debug("Account %.99s's password is too old - change forced.",
+ user);
+ forced_command = xmalloc(sizeof(PASSWD_PATH) +
+ strlen(user) + 1);
+ sprintf(forced_command, "%s %s", PASSWD_PATH, user);
+ }
+ else
+ {
+ return 0;
+ }
}
+#ifdef PASSWD_CHGNOW
+ if(pwd->pw_change != PASSWD_CHGNOW)
+ days_before_password_expires = (pwd->pw_change - currtime) / 86400;
+#endif
}
-
/*
* Check for expired account
*/
- if (pwd->pw_expire && pwd->pw_expire <= currtime)
+ if (pwd->pw_expire)
{
- debug("Account %.100s has expired - access denied.", user);
- return 0;
- }
- else
- {
- if (pwd->pw_expire)
+ if (pwd->pw_expire <= currtime)
{
- days_before_account_expires = (pwd->pw_expire - currtime) / 86400;
+ packet_send_debug("Account has expired");
+ return 0;
}
+ days_before_account_expires = (pwd->pw_expire - currtime) / 86400;
}
}
-#endif /* !FreeBSD */
+#endif /* !BSD4_4 */
#ifdef HAVE_HPUX_TCB_AUTH
{
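Review bot: On a BSD4_4 system where PASSWD_CHGNOW is not defined, `days_before_password_expires` is never assigned, because the whole assignment sits inside `#ifdef PASSWD_CHGNOW` (the block after the `pw_change <= currtime` check); the old code set it unconditionally in the not-yet-expired branch, so this silently drops the password-ageing warning on such builds. Move the `#endif` so that only the `!= PASSWD_CHGNOW` test is conditional and the assignment always compiles in: `#ifdef PASSWD_CHGNOW` / `if (pwd->pw_change != PASSWD_CHGNOW)` / `#endif` followed by the unguarded assignment. The assignment is also now reached after the forced-change path, where `pw_change <= currtime` already holds, so it produces a zero or negative day count that the old code never computed; guarding it with `if (pwd->pw_change > currtime)` restores the previous meaning. The same PASSWD_CHGNOW == -1 case noted in the comment is already caught by the `<= currtime` comparison, which is presumably intended. The enclosing function starts and ends outside the hunk.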
@@ -2166,11 +2170,11 @@
pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
pwcopy.pw_uid = pw->pw_uid;
pwcopy.pw_gid = pw->pw_gid;
-#if (defined (__bsdi__) && _BSDI_VERSION >= 199510) || (defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H))
+#ifdef BSD4_4
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+#endif /* BSD4_4 */
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
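Review bot: Both this copy of pw_class/pw_change/pw_expire and the new expiry check in the first hunk now hinge on `BSD4_4`, which is supplied by `<sys/param.h>`, and nothing in the hunk shows that header being included in sshd.c; if it is not, the guard is silently false, the fields are not copied, and the report's original symptom returns with no compile-time signal. Worth confirming the include is present before the `#ifdef`, or noting it in the comment: `#ifdef BSD4_4 /* from <sys/param.h>; pw_class/pw_change/pw_expire exist on 4.4BSD-derived passwd */`. The old condition also required `HAVE_LOGIN_CAP_H` on FreeBSD; dropping that is probably fine for these three struct fields but is a behaviour change the description does not mention.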
@@ -3200,9 +3204,6 @@
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
#endif
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
- struct timeval tp;
-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
#ifdef HAVE_OSF1_C2_SECURITY
{
@@ -3360,30 +3361,6 @@
fputs(line, stdout);
fclose(f);
}
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
- if (pw->pw_change || pw->pw_expire)
- (void)gettimeofday(&tp, (struct timezone *)NULL);
- if (pw->pw_change)
- {
- if (tp.tv_sec >= pw->pw_change)
- {
- fprintf(stderr,"Sorry -- your password has expired.\n");
- exit(254);
- }
- days_before_password_expires = (pw->pw_change - tp.tv_sec) /
- 86400;
- }
- if (pw->pw_expire)
- {
- if (tp.tv_sec >= pw->pw_expire)
- {
- fprintf(stderr,"Sorry -- your account has expired.\n");
- exit(254);
- }
- days_before_account_expires = (pw->pw_expire - tp.tv_sec) /
- 86400;
- }
-#endif /* __bsdi__ & _BSDI_VERSION >= 199510 */
}
#if defined (__FreeBSD__) && defined HAVE_LOGIN_CAP_H
>Audit-Trail:
>Unformatted: