Subject: pkg/5917: ssh does not check pw_change or pw_expire
To: None <gnats-bugs@gnats.netbsd.org>
From: Jarkko Torppa <torppa@staff.megabaud.fi>
List: netbsd-bugs
Date: 08/06/1998 00:48:21
>Number:         5917
>Category:       pkg
>Synopsis:       ssh does not check pw_change or pw_expire
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug  5 14:50:01 1998
>Last-Modified:
>Originator:     Jarkko Torppa
>Organization:
Dis
>Release:        1998-08-06 pkgsrc
>Environment:
	
System: NetBSD polykoira.megabaud.fi 1.3.2 NetBSD 1.3.2 (POLYKOIRA) #3: Tue Jun 16 13:09:59 EEST 1998 torppa@walrus.megabaud.fi:/usr/src/sys/arch/i386/compile/POLYKOIRA i386


>Description:
  ssh does not check pw_change or pw_expire on NetBSD; the distribution
already contains code for this for bsdi and FreeBSD (essentially the same).

There are probably many similar cases in the pkgs.

>How-To-Repeat:
build and install ssh from pkgsrc
change the account to expired (pw_expire or pw_change set to a time in the past)
log in with ssh
>Fix:

This fix is correct because:
 - it is put in the place where the comments say that such things should be.
 - it alerts the user to expired passwords/accounts similarly to
   what the HP-UX code just below it does
This fix is incorrect because:
 - there is no clear indication to the user of what is happening
 - when the client is run in verbose mode, the change/expiration status
   is shown before the authentication check has passed

Not reported to the ssh maintainers, because I'm really not sure
whether checking BSD4_4 is the right way to do this, and because of
the points stated above.

--- sshd.c.orig	Wed Aug  5 21:35:31 1998
+++ sshd.c	Wed Aug  5 23:52:17 1998
@@ -1736,55 +1736,59 @@
     endspent();
   }
 #endif /* HAVE_ETC_SHADOW */
-#ifdef __FreeBSD__
-  {
+/* Net2,BSD4.4,BSD/OS,NetBSD,FreeBSD and OpenBSD all define BSD4_4
+   man passwd(5) says that format has changed since BSD4.3
+ */
+#ifdef BSD4_4 
+  if(pwd->pw_change || pwd->pw_expire) {
     time_t currtime;
-    
-    if (pwd->pw_change || pwd->pw_expire)
-      currtime = time(NULL);
-    
+    currtime = time(NULL);
     /*
      * Check for an expired password
      */
-    if (pwd->pw_change && pwd->pw_change <= currtime)
-      {
-	debug("Account %.100s's password is too old - forced to change.",
-	      user);
-	if (options.forced_passwd_change)
-	  {
-	    forced_command = xmalloc(sizeof(PASSWD_PATH) + strlen(user) + 1);
-	    sprintf(forced_command, "%s %s", PASSWD_PATH, user);
-	  }
-	else
-	  {
-	    return 0;
-	  }
-      }
-    else
+
+    if (pwd->pw_change)
       {
-	if (pwd->pw_change)
+	/* PASSWD_CHGNOW seems to be -1 for now but... */
+	if (
+#if defined(PASSWD_CHGNOW) && PASSWD_CHGNOW > 0
+	    pwd->pw_change == PASSWD_CHGNOW ||
+#endif
+	    pwd->pw_change <= currtime)
 	  {
-	    days_before_password_expires = (pwd->pw_change - currtime) / 86400;
+	    packet_send_debug("Password has expired");
+	    if(options.forced_passwd_change)
+	      {
+		debug("Account %.99s's password is too old - change forced.",
+		      user);
+		forced_command = xmalloc(sizeof(PASSWD_PATH) +
+					 strlen(user) + 1);
+		sprintf(forced_command, "%s %s", PASSWD_PATH, user);
+	      }
+	    else
+	      {
+		return 0;
+	      }
 	  }
+#ifdef PASSWD_CHGNOW
+	if(pwd->pw_change != PASSWD_CHGNOW)
+	  days_before_password_expires = (pwd->pw_change - currtime) / 86400;
+#endif
       }
-    
     /*
      * Check for expired account
      */
-    if (pwd->pw_expire && pwd->pw_expire <= currtime)
+    if (pwd->pw_expire)
       {
-	debug("Account %.100s has expired - access denied.", user);
-	return 0;
-      }
-    else
-      {
-	if (pwd->pw_expire)
+	if (pwd->pw_expire <= currtime)
 	  {
-	    days_before_account_expires = (pwd->pw_expire - currtime) / 86400;
+	    packet_send_debug("Account has expired");
+	    return 0;
 	  }
+	days_before_account_expires = (pwd->pw_expire - currtime) / 86400;
       }
   }
-#endif  /* !FreeBSD */
+#endif  /* !BSD4_4 */
 
 #ifdef HAVE_HPUX_TCB_AUTH
   {
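Review bot: `packet_send_debug("Password has expired")` and `packet_send_debug("Account has expired")` are sent to the client from inside the check that then returns 0, and the report itself says this status is shown before the authentication check has passed, so an unauthenticated client can learn the expiry state of any account name it tries; keep the server-side `debug()` and drop the client-visible message, or send it only after the password has been verified. The `#ifdef PASSWD_CHGNOW` around the days computation also means `days_before_password_expires` is never set when that macro is undefined, which the replaced FreeBSD code always did; since a PASSWD_CHGNOW of -1 (as the comment says) is already caught by `pwd->pw_change <= currtime`, an unconditional `else days_before_password_expires = (pwd->pw_change - currtime) / 86400;` in place of the `#ifdef` block restores the old semantics and avoids a zero or negative count after a forced change. Whether `BSD4_4` is visible here depends on `<sys/param.h>` being included in this translation unit, which the hunk does not show; if it is not, the whole block compiles away silently and the expiry check is missing again with no diagnostic, so an `#include <sys/param.h>` or an `#error` fallback is worth adding. Minor: trailing whitespace on `#ifdef BSD4_4 ` and the closing comment `/* !BSD4_4 */`, where the `!` was carried over from `!FreeBSD` and is wrong. The enclosing function starts and ends outside the hunk.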
@@ -2166,11 +2170,11 @@
   pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
   pwcopy.pw_uid = pw->pw_uid;
   pwcopy.pw_gid = pw->pw_gid;
-#if (defined (__bsdi__) && _BSDI_VERSION >= 199510) || (defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H))
+#ifdef BSD4_4
   pwcopy.pw_class = xstrdup(pw->pw_class);
   pwcopy.pw_change = pw->pw_change;
   pwcopy.pw_expire = pw->pw_expire;
-#endif /*  __bsdi__  && _BSDI_VERSION >= 199510 */
+#endif /*  BSD4_4 */
   pwcopy.pw_dir = xstrdup(pw->pw_dir);
   pwcopy.pw_shell = xstrdup(pw->pw_shell);
   pw = &pwcopy;
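Review bot: The guard around the pw_class/pw_change/pw_expire copy now has to agree with the `BSD4_4` guard around the expiry check in the earlier hunk, otherwise the check would read fields this copy never filled; `pwcopy`'s declaration is outside the hunk, so whether those fields would be zeroed on such a build cannot be confirmed here. A comment tying the two together, `/* must match the BSD4_4 guard around the pw_change/pw_expire check */`, would keep a later edit of one guard from silently breaking the other. The enclosing function starts and ends outside the hunk.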
@@ -3200,9 +3204,6 @@
 #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
   login_cap_t *lc;
 #endif
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 
-  struct timeval tp;
-#endif /*  __bsdi__ && _BSDI_VERSION >= 199510 */
 
 #ifdef HAVE_OSF1_C2_SECURITY
   {
@@ -3360,30 +3361,6 @@
 		fputs(line, stdout);
 	      fclose(f);
 	    }
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
-	  if (pw->pw_change || pw->pw_expire)
-	    (void)gettimeofday(&tp, (struct timezone *)NULL);
-	  if (pw->pw_change)
-	    {
-	      if (tp.tv_sec >= pw->pw_change)
-		{
-		  fprintf(stderr,"Sorry -- your password has expired.\n");
-		  exit(254);
-		}
-	      days_before_password_expires = (pw->pw_change - tp.tv_sec) /
-		86400;
-	    }
-	  if (pw->pw_expire)
-	    {
-	      if (tp.tv_sec >= pw->pw_expire)
-		{
-		  fprintf(stderr,"Sorry -- your account has expired.\n");
-		  exit(254);
-		}
-	      days_before_account_expires = (pw->pw_expire - tp.tv_sec) /
-		86400;
-	    }
-#endif /* __bsdi__ & _BSDI_VERSION >= 199510   */
 	}
 
 #if defined (__FreeBSD__) && defined HAVE_LOGIN_CAP_H

>Audit-Trail:
>Unformatted: