1/*
2 * Copyright (c) 2004 Darren Tucker.  All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25#include "includes.h"
26
27#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
28#include <shadow.h>
29#include <stdarg.h>
30#include <string.h>
31#include <time.h>
32
33#include "key.h"
34#include "hostfile.h"
35#include "auth.h"
36#include "buffer.h"
37#include "log.h"
38
39#ifdef DAY
40# undef DAY
41#endif
42#define DAY	(24L * 60 * 60) /* 1 day in seconds */
43
44extern Buffer loginmsg;
45
46/*
47 * For the account and password expiration functions, we assume the expiry
48 * occurs the day after the day specified.
49 */
50
51/*
52 * Check if specified account is expired.  Returns 1 if account is expired,
53 * 0 otherwise.
54 */
55int
56auth_shadow_acctexpired(struct spwd *spw)
57{
58	time_t today;
59	int daysleft;
60	char buf[256];
61
62	today = time(NULL) / DAY;
63	daysleft = spw->sp_expire - today;
64	debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
65	    (int)spw->sp_expire, daysleft);
66
67	if (spw->sp_expire == -1) {
68		debug3("account expiration disabled");
69	} else if (daysleft < 0) {
70		logit("Account %.100s has expired", spw->sp_namp);
71		return 1;
72	} else if (daysleft <= spw->sp_warn) {
73		debug3("account will expire in %d days", daysleft);
74		snprintf(buf, sizeof(buf),
75		    "Your account will expire in %d day%s.\n", daysleft,
76		    daysleft == 1 ? "" : "s");
77		buffer_append(&loginmsg, buf, strlen(buf));
78	}
79
80	return 0;
81}
82
83/*
84 * Checks password expiry for platforms that use shadow passwd files.
85 * Returns: 1 = password expired, 0 = password not expired
86 */
87int
88auth_shadow_pwexpired(Authctxt *ctxt)
89{
90	struct spwd *spw = NULL;
91	const char *user = ctxt->pw->pw_name;
92	char buf[256];
93	time_t today;
94	int daysleft, disabled = 0;
95
96	if ((spw = getspnam((char *)user)) == NULL) {
97		error("Could not get shadow information for %.100s", user);
98		return 0;
99	}
100
101	today = time(NULL) / DAY;
102	debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
103	    (int)spw->sp_lstchg, (int)spw->sp_max);
104
105#if defined(__hpux) && !defined(HAVE_SECUREWARE)
106	if (iscomsec()) {
107		struct pr_passwd *pr;
108
109		pr = getprpwnam((char *)user);
110
111		/* Test for Trusted Mode expiry disabled */
112		if (pr != NULL && pr->ufld.fd_min == 0 &&
113		    pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 &&
114		    pr->ufld.fd_pw_expire_warning == 0 &&
115		    pr->ufld.fd_schange != 0)
116			disabled = 1;
117	}
118#endif
119
120	/* TODO: check sp_inact */
121	daysleft = spw->sp_lstchg + spw->sp_max - today;
122	if (disabled) {
123		debug3("password expiration disabled");
124	} else if (spw->sp_lstchg == 0) {
125		logit("User %.100s password has expired (root forced)", user);
126		return 1;
127	} else if (spw->sp_max == -1) {
128		debug3("password expiration disabled");
129	} else if (daysleft < 0) {
130		logit("User %.100s password has expired (password aged)", user);
131		return 1;
132	} else if (daysleft <= spw->sp_warn) {
133		debug3("password will expire in %d days", daysleft);
134		snprintf(buf, sizeof(buf),
135		    "Your password will expire in %d day%s.\n", daysleft,
136		    daysleft == 1 ? "" : "s");
137		buffer_append(&loginmsg, buf, strlen(buf));
138	}
139
140	return 0;
141}
142#endif	/* USE_SHADOW && HAS_SHADOW_EXPIRE */
143