2 * CDE - Common Desktop Environment
4 * Copyright (c) 1993-2012, The Open Group. All rights reserved.
6 * These libraries and programs are free software; you can
7 * redistribute them and/or modify them under the terms of the GNU
8 * Lesser General Public License as published by the Free Software
9 * Foundation; either version 2 of the License, or (at your option)
12 * These libraries and programs are distributed in the hope that
13 * they will be useful, but WITHOUT ANY WARRANTY; without even the
14 * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
15 * PURPOSE. See the GNU Lesser General Public License for more
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with these librararies and programs; if not, write
20 * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
21 * Floor, Boston, MA 02110-1301 USA
23 /* $XConsortium: dce_acct_mgmt.c /main/5 1996/05/09 04:26:10 drk $ */
26 * Copyright (c) 1992-1995, by Sun Microsystems, Inc.
27 * All rights reserved.
30 #ident "@(#)dce_acct_mgmt.c 1.3 95/08/02 SMI"
33 #include <security/pam_appl.h>
34 #include <security/pam_modules.h>
36 #include <dce/sec_login.h>
37 #include <dce/dce_error.h>
43 * pam_sm_acct_mgmt main account managment routine.
44 * XXX: The routine just prints out a warning message.
45 * It may need to force the user to change his/her
49 #include <security/pam_appl.h>
51 #define SECS_PER_HOUR (60*60)
52 #define SECS_PER_DAY (SECS_PER_HOUR * 24)
55 do_warn(pam_handle_t *pamh, time_t cur, time_t t, char *desc);
58 do_warn_passwd(pam_handle_t *pamh);
67 dce_module_data_t *dsd;
68 sec_login_net_info_t net_info;
71 int result = PAM_AUTH_ERR;
74 int allow_expired_passwd = 0;
78 for (i = 0; i < argc; i++) {
79 if (strcmp(argv[i], "debug") == 0)
81 else if (strcmp(argv[i], "allow_expired_passwd") == 0)
82 allow_expired_passwd = 1;
83 else if (strcmp(argv[i], "nowarn") == 0)
87 "illegal DCE acct_mgmt option %s", argv[i]);
90 if (flags & PAM_SILENT) warn = 0;
92 if (debug) syslog(LOG_DEBUG, "DCE pam_sm_acct_mgmt");
94 if (pam_get_data(pamh, DCE_DATA, (void**)&dsd) != PAM_SUCCESS ||
96 return (PAM_AUTH_ERR);
99 if (dsd->auth_status != PAM_SUCCESS)
100 return (dsd->auth_status);
102 if (dsd->auth_src == sec_login_auth_src_local) {
103 /* we can't call sec_login_inquire_net_info on locally */
104 /* authenticated contexts. Might want an option to dis-allow */
105 /* them. For now we just allow them. */
106 return (PAM_SUCCESS);
109 sec_login_inquire_net_info(dsd->login_context, &net_info, &st);
111 if (st != error_status_ok && st != sec_login_s_not_certified) {
113 dce_error_string_t text;
115 syslog(LOG_DEBUG, "sec_login_inquire_net_info: %s",
116 get_dce_error_message(st, text));
118 return (PAM_PERM_DENIED);
124 if (dsd->reset_passwd) {
125 do_warn_passwd(pamh);
127 do_warn(pamh, curtime,
128 (time_t) net_info.passwd_expiration_date,
133 if (warn) do_warn(pamh, curtime,
134 (time_t) net_info.acct_expiration_date, "account");
136 result = PAM_SUCCESS;
138 if ((net_info.passwd_expiration_date &&
139 net_info.passwd_expiration_date < curtime) ||
142 result = PAM_AUTHTOKEN_REQD;
144 dsd->passwd_expired = 1;
148 * I assume an expired account is worse then an expired password,
149 * so if both the password and account are expired we want to
150 * return PAM_ACCT_EXPIRED.
153 if (net_info.acct_expiration_date &&
154 net_info.acct_expiration_date < curtime) {
155 result = PAM_ACCT_EXPIRED;
158 sec_login_free_net_info(&net_info);
164 do_warn(pam_handle_t *pamh, time_t cur, time_t t, char *desc)
166 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
169 return; /* unlimited */
173 PAM_MSG(pamh, 1, "Warning: Your DCE %s has expired.\n"), desc);
174 } else if ((cur + SECS_PER_DAY) > t) {
177 hours = (t - cur) / (SECS_PER_HOUR);
178 hours = hours ? hours : 1;
179 sprintf(messages[0], PAM_MSG(pamh, 2,
180 "Warning: Your DCE %s will expire within %d hour%s.\n"),
181 desc, hours, (hours == 1) ? "" : "s");
182 } else if ((cur + (2*SECS_PER_DAY)) > t) {
183 sprintf(messages[0], PAM_MSG(pamh, 3,
184 "Warning: Your DCE %s will expire in 2 days.\n"), desc);
188 __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, NULL);
193 do_warn_passwd(pam_handle_t *pamh)
195 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
198 PAM_MSG(pamh, 4, "Warning: Your DCE passwd has expired.\n"));
200 __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, NULL);