1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
/* ========================================================================
* Copyright 1988-2006 University of Washington
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* ========================================================================
*/
/*
* Program: POSIX check password
*
* Author: Mark Crispin
* Networks and Distributed Computing
* Computing & Communications
* University of Washington
* Administration Building, AG-44
* Seattle, WA 98195
* Internet: MRC@CAC.Washington.EDU
*
* Date: 1 August 1988
* Last Edited: 30 August 2006
*/
/* Check password
* Accepts: login passwd struct
* password string
* argument count
* argument vector
* Returns: passwd struct if password validated, NIL otherwise
*/
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
char tmp[MAILTMPLEN];
struct spwd *sp = NIL;
time_t left;
time_t now = time (0);
struct tm *t = gmtime (&now);
int zone = t->tm_hour * 60 + t->tm_min;
int julian = t->tm_yday;
t = localtime (&now); /* get local time now */
/* minus UTC minutes since midnight */
zone = t->tm_hour * 60 + t->tm_min - zone;
/* julian can be one of:
* 36x local time is December 31, UTC is January 1, offset -24 hours
* 1 local time is 1 day ahead of UTC, offset +24 hours
* 0 local time is same day as UTC, no offset
* -1 local time is 1 day behind UTC, offset -24 hours
* -36x local time is January 1, UTC is December 31, offset +24 hours
*/
if ((julian = t->tm_yday -julian) != 0)
zone += ((julian < 0) == (abs (julian) == 1)) ? -24*60 : 24*60;
/* days since 1/1/1970 local time */
now = ((now /60) + zone) / (60*24);
/* non-shadow authentication */
if (!pw->pw_passwd || !pw->pw_passwd[0] || !pw->pw_passwd[1] ||
strcmp (pw->pw_passwd,(char *) crypt (pass,pw->pw_passwd))) {
/* As far as I've been able to determine, here is how the expiration
* fields in the shadow authentication data work:
* lstchg last password change date if non-negative. If zero, the
* user can not log in without changing password.
* max number of days a password is valid if positive
* warn number of days of password expiration warning
* expire date account expires if positive
* inact number of days an account can be inactive (not checked!)
* The expiration day is the *last* day that the password or account
* is valid.
*/
/* shadow authentication */
if ((sp = getspnam (pw->pw_name)) && sp->sp_lstchg &&
((sp->sp_lstchg < 0) || (sp->sp_max <= 0) ||
((sp->sp_lstchg + sp->sp_max) >= now)) &&
((sp->sp_expire <= 0) || (sp->sp_expire >= now)) &&
sp->sp_pwdp && sp->sp_pwdp[0] && sp->sp_pwdp[1] &&
!strcmp (sp->sp_pwdp,(char *) crypt (pass,sp->sp_pwdp))) {
if ((sp->sp_lstchg > 0) && (sp->sp_max > 0) &&
((left = (sp->sp_lstchg + sp->sp_max) - now) <= sp->sp_warn)) {
if (left) {
sprintf (tmp,"[ALERT] Password expires in %ld day(s)",(long) left);
mm_notify (NIL,tmp,NIL);
}
else mm_notify (NIL,"[ALERT] Password expires today!",WARN);
}
if ((sp->sp_expire > 0) && ((left = sp->sp_expire - now) < 28)) {
if (left) {
sprintf (tmp,"[ALERT] Account expires in %ld day(s)",(long) left);
mm_notify (NIL,tmp,NIL);
}
else mm_notify (NIL,"[ALERT] Account expires today!",WARN);
}
endspent (); /* don't need shadow password data any more */
}
else pw = NIL; /* password failed */
}
return pw;
}
|