1 /* $XConsortium: vgauth.c /main/4 1996/10/04 16:56:33 drk $ */
3 * (c) Copyright 1993, 1994 Hewlett-Packard Company *
4 * (c) Copyright 1993, 1994 International Business Machines Corp. *
5 * (c) Copyright 1993, 1994 Sun Microsystems, Inc. *
6 * (c) Copyright 1993, 1994 Novell, Inc. *
8 /************************************<+>*************************************
9 ****************************************************************************
13 ** Project: HP Visual User Environment (DT)
15 ** Description: Dtgreet user authentication routines
17 ** These routines validate the user; checking name, password,
18 ** number of users on the system, password aging, etc.
21 ** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company
24 ** Conditional compiles for HPUX:
27 ** HP-UX 7.0/7.03 restricted license counting algorithms
28 ** are used. Otherwise HP-UX 8.0 and beyond is used
30 ** AUDIT HP C2 security enhancements; checks for existence of
31 ** SECUREPASSWD file and authenticates user against
32 ** password contained in that file. Also performs
33 ** self-auditing of login actions. Incompatible with
36 ** BLS HP BLS B1 simple authentication.
38 ** __AFS AFS 3 authentication mechanism
39 ** __KERBEROS Kerberos authentication mechanism
40 ** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism
42 ** Platform identification:
44 ** __hpux HP-UX OS only
45 ** __apollo Domain OS only
46 ** __hp_osf HP OSF/1 OS only
49 ** SVR4 SUN OS and USL
52 ****************************************************************************
53 ************************************<+>*************************************/
56 /***************************************************************************
60 ***************************************************************************/
67 /* necessary for bzero */
69 #include <X11/Xfuncs.h>
79 * Define as generic those without platform specific code.
81 #if !(defined(__hpux) || \
82 defined(__apollo) || \
89 /***************************************************************************
91 * Start authentication routines (HPUX)
93 ***************************************************************************/
95 #include <sys/param.h> /* for MAXUID macro */
96 #include <sys/types.h>
97 #include <sys/utsname.h>
104 # include <sys/audit.h>
105 # include <sys/errno.h>
106 # include <sys/stat.h>
107 # define SECUREPASS "/.secure/etc/passwd"
111 # include <sys/security.h>
116 #include <afs/kautils.h>
121 # define KRBLIFE 255 /* max lifetime */
122 #endif /* __KERBEROS */
125 # include "rgy_base.h"
130 #define how_to_count ut_exit.e_exit
133 int num_users[] = { 2, 32767 };
134 # define MIN_VERSION 'A'
135 # define UNLIMITED 'B'
137 int num_users[] = { 2, 16, 32, 64 , 8 };
138 # define MIN_VERSION 'A'
139 # define UNLIMITED 'U'
142 /* Maximum number of users allowed with restricted license */
143 #if OSMAJORVERSION < 8
144 # define MAX_STRICT_USERS 2
146 # define MAX_STRICT_USERS 8
149 #define NUM_VERSIONS (sizeof(num_users)/sizeof(num_users[0])) - 1
153 /***************************************************************************
155 * External declarations (HPUX)
157 ***************************************************************************/
159 extern Widget focusWidget; /* login or password text field */
161 extern long groups[NGROUPS];
165 extern boolean rgy_$using_local_registry();
166 extern struct passwd * getpwnam_full();
167 extern boolean is_acct_expired();
168 extern boolean is_passwd_expired();
169 extern boolean is_passwd_invalid();
170 extern boolean rgy_$is_des();
175 /***************************************************************************
177 * Procedure declarations (HPUX)
179 ***************************************************************************/
181 static void Audit( struct passwd *p, char *msg, int errnum) ;
182 static int CheckPassword( char *name, char *passwd, struct passwd **ppwd );
183 static int CountUsers( int added_users) ;
184 static int CountUsersStrict( char *new_user) ;
185 static int PasswordAged( register struct passwd *pw) ;
186 static void WriteBtmp( char *name) ;
191 /***************************************************************************
193 * Global variables (HPUX)
195 ***************************************************************************/
198 struct s_passwd *s_pwd;
200 int secure; /* flag to denote existance of secure passwd file */
205 struct pr_passwd *b1_pwd;
209 rgy_$acct_admin_t admin_part;
210 rgy_$policy_t policy;
211 rgy_$acct_user_t user_part;
216 /***************************************************************************
220 * Construct self audit record for event and write to the audit trail.
221 * This routine assumes that the effective uid is currently 0. If auditing
222 * is not defined, this routine does nothing.
223 ***************************************************************************/
226 Audit( struct passwd *p, char *msg, int errnum )
232 struct self_audit_rec audrec;
237 * make sure program is back to super-user...
245 txtptr = (char *)audrec.aud_body.text;
246 sprintf(txtptr, "User= %s uid=%ld audid=%ld%s", p->pw_name,
247 (long)p->pw_uid, (long)p->pw_audid, msg);
248 audrec.aud_head.ah_pid = getpid();
249 audrec.aud_head.ah_error = errnum;
250 audrec.aud_head.ah_event = EN_LOGINS;
251 audrec.aud_head.ah_len = strlen (txtptr);
252 status = audwrite(&audrec);
258 LogError(ReadCatalog(
259 MC_LOG_SET,MC_LOG_NOT_SUSER,MC_DEF_LOG_NOT_SUSER));
263 LogError(ReadCatalog(
264 MC_LOG_SET,MC_LOG_INV_EVENT,MC_DEF_LOG_INV_EVENT));
268 LogError(ReadCatalog(
269 MC_LOG_SET,MC_LOG_ERR_ERRNO,MC_DEF_LOG_ERR_ERRNO),
286 /***************************************************************************
288 * CountUsers (HPUX only)
290 * see if new user has exceeded the maximum.
291 ***************************************************************************/
296 CountUsers( int added_users )
298 int count[NCOUNT], nusers, i;
301 for (i=0; i<NCOUNT; i++)
304 count[added_users]++;
306 while ( (entry = getutent()) != NULL) {
307 if (entry->ut_type == USER_PROCESS) {
308 i = entry->how_to_count;
309 if (i < 0 || i >= NCOUNT)
310 i = 1; /* if out of range, then count */
311 /* as ordinary user */
319 * [0] does not count at all
320 * [1] counts as real user
321 * [2] logins via a pty which have not gone trough login. These
322 * collectively count as 1 user IF count[3] is 0, otherwise,
323 * they are not counted. Starting with HP-UX 8.0 they are
324 * no longer counted at all.
325 * [3] logins via a pty which have been logged through login (i.e.
326 * rlogin and telnet). these count as 1 "real" user per
328 * [4-15] may be used for groups of users which collectively
333 #if OSMAJORVERSION < 8
334 for (i=2; i<NCOUNT; i++)
336 for (i=3; i<NCOUNT; i++)
347 /***************************************************************************
349 * CountUsersStrict (HPUX only)
351 * see if new user has exceeded the maximum.
352 ***************************************************************************/
355 CountUsersStrict( char *new_user )
357 char pty_users[MAX_STRICT_USERS][8];
358 int count[NCOUNT], nusers, i, cnt, pty_off = -1, uname_off;
362 * Initialize count array...
364 for (i = 0; i < NCOUNT; i++)
368 * Add in the new user (we know it's not a pty)...
372 while ( (entry = getutent()) != NULL ) {
373 if (entry->ut_type == USER_PROCESS) {
374 i = entry->how_to_count;
376 /* if out of range, then count as ordinary user logged in
378 if (i == 1 || (i < 0 || i >= NCOUNT))
380 /* See if it is a pty login granted by login program */
383 /* See if user is already logged in via login pty */
385 for (cnt = 0; cnt <= pty_off; cnt++)
386 if (strncmp(pty_users[cnt], entry->ut_user, 8) == 0)
389 if (uname_off == -1) { /* user is not logged in via pty yet */
391 if (pty_off >= MAX_STRICT_USERS) /* cannot add any
393 return(MAX_STRICT_USERS + 1);
394 /* add the user name to the array of pty users */
396 strncpy(pty_users[++pty_off], entry->ut_user, 8);
398 } /* end if (i == 3) */
401 } /* end if entry->ut_type == USER_PROCESS */
402 } /* end while (entry = getutent()) */
407 * [0] does not count at all
408 * [1] counts as "real" user
409 * [2] logins via a pty which have not gone trough login. These
410 * collectively count as 1 user IF count[3] is 0, otherwise,
411 * they are not counted. Starting with HP-UX 8.0 they are
412 * no longer counted at all.
413 * [3] logins via a pty which have been logged through login (i.e.
414 * rlogin and telnet). these count as 1 "real" user per
416 * [4-15] may be used for groups of users which collectively count
420 nusers = pty_off + 1 + count[1]; /* Current number of users is sum of
421 users logged in via tty + the
422 number of unique users logged in
423 via pty which have gone through
426 #if OSMAJORVERSION < 8
427 if ((count[3] == 0) && (count[2] != 0))
428 nusers++; /* Add 1 user for all pty logins IF
429 none of pty logins have been
430 granted by the login program */
433 * Don't count any hpterm logins (exit status of 2). We already
434 * counted all pty logins granted by the login program.
438 for (i = 4; i < NCOUNT; i++)
447 /***************************************************************************
449 * PasswordAged (HPUX)
451 * see if password has aged
452 ***************************************************************************/
453 #define SECONDS_IN_WEEK 604800L
456 PasswordAged( register struct passwd *pw )
458 long change_week; /* week password was changed (1/1/70 = Week 0) */
459 long last_week; /* week after which password must change */
460 long first_week; /* week before which password can't change */
461 long this_week; /* this week derived from time() */
463 char *passwdAge; /* password aging time */
470 passwdAge = pw->pw_age;
474 passwdAge = s_pwd->pw_age;
479 /* Account validity checks: If we were able to connect to the network
480 * registry, then we've acquired account and policy data and can perform
481 * account/password checking
484 lrgy = rgy_$using_local_registry();
487 /* Check for password expiration or invalidity */
488 if ( rgy_$is_passwd_expired(&user_part, &policy ) != 0 ) {
496 if (*passwdAge == NULL)
499 first_week = last_week = change_week = (long) a64l(passwdAge);
500 last_week &= 0x3f; /* first six bits */
501 first_week = (first_week >> 6) & 0x3f; /* next six bits */
502 change_week >>= 12; /* everything else */
504 this_week = (long) time((long *) 0) / SECONDS_IN_WEEK;
507 ** Password aging conditions:
508 ** * if the last week is less than the first week (e.g., the aging
509 ** field looks like "./"), only the superuser can change the
510 ** password. We don't request a new password.
511 ** * if the week the password was last changed is after this week,
512 ** we have a problem, and request a new password.
513 ** * if this week is after the specified aging time, we request
516 if (last_week < first_week)
519 if (change_week <= this_week && this_week <= (change_week + last_week))
529 /***************************************************************************
531 * CheckPassword (HPUX only)
533 * Check validity of user password. One of several authentication schemes
534 * can be used, including Kerberos, AFS 3, HP BLS and traditional
535 * /etc/passwd. These are selectable via a resource in Dtlogin.
537 * Domain registry authentication (PasswdEtc) can also be compiled in as
538 * the only authentication scheme used.
540 ***************************************************************************/
543 CheckPassword( char *name, char *passwd, struct passwd **ppwd )
552 char realm[REALM_SZ];
554 #endif /* __KERBEROS */
559 * validate that user has an entry in the shadow password file on an
560 * HP-UX C2 trusted system. Keep info in a global structure.
564 s_pwd = getspwnam(name);
574 * look up user's regular account information...
579 * look up entry from registry...
581 * need getpwnam_full to get policy data for passwd expiration
584 p = getpwnam_full(name, &user_part, &admin_part, &policy);
592 if ( p == NULL || strlen(name) == 0 )
599 * AFS password authentication...
602 if ( IsVerifyName(VN_AFS) ) {
604 if (focusWidget == login_text)
607 if ( ka_UserAuthenticateGeneral(
608 KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG,
609 p->pw_name, /* kerberos name */
610 (char *)0, /* instance */
611 (char *)0, /* realm */
612 passwd, /* password */
613 0, /* default lifetime */
616 &reason) == 0 ) { /* error string */
618 if (strcmp(p->pw_passwd, "*") == 0)
625 LogError(ReadCatalog(
626 MC_LOG_SET,MC_LOG_AFS_FAILATH,MC_DEF_LOG_AFS_FAILATH),reason);
635 * Kerberos password authentication...
638 if ( IsVerifyName(VN_KRB) ) {
640 if (focusWidget == login_text)
643 (void)krb_get_lrealm(realm, 1);
645 setresuid(p->pw_uid, p->pw_uid, -1);
646 kerno = krb_get_pw_in_tkt(p->pw_name,
656 if (kerno == KSUCCESS)
657 if (strcmp(p->pw_passwd, "*") == 0)
663 #endif /* __KERBEROS */
668 * traditional password verification...
671 if (strcmp (crypt (passwd, p->pw_passwd), p->pw_passwd) == 0)
677 * If regular passwd check fails, try old-style Apollo SR
680 if (rgy_$is_des(passwd, strlen(passwd), p->pw_passwd) == TRUE)
686 * all password checks failed...
696 /***************************************************************************
702 * return codes indicate authentication results.
703 ***************************************************************************/
705 #define MAXATTEMPTS 3
707 struct passwd nouser = {"", "nope"}; /* invalid user password struct */
710 Verify( char *name, char *passwd )
713 static int login_attempts = 0; /* # failed authentications */
715 struct passwd *p; /* password structure */
717 struct utsname utsnam;
724 * turn on self auditing...
727 if (audswitch(AUD_SUSPEND) == -1)
733 * set the secure flag if SECUREPASS exists. If so, we
734 * are using it for authentication instead of /etc/passwd...
737 secure = (stat(SECUREPASS, &s_pfile) < 0) ? 0:1;
741 * set the audit process flag unconditionally on since we want
742 * to log all logins regardless of whether the user's audit
747 setaudproc(AUD_PROC);
753 * validate password...
756 if ( CheckPassword(name, passwd, &p) == FALSE) {
757 if ( focusWidget == passwd_text ) {
761 if ((++login_attempts % MAXATTEMPTS) == 0 ) {
763 if (p->pw_name == NULL )
766 Audit(p, " Failed login (bailout)", 1);
776 * check restricted license...
778 * Note: This only applies to local displays. Foreign displays
779 * (i.e. X-terminals) apparently do not count.
782 /* Get the version info via uname. If it doesn't look right,
783 * assume the smallest user configuration
786 if (getenv(LOCATION) != NULL) {
787 if (uname(&utsnam) < 0)
788 utsnam.version[0] = MIN_VERSION;
800 if ((!strncmp(utsnam.machine, "9000/834", UTSLEN)) ||
801 (!strncmp(utsnam.machine, "9000/844", UTSLEN)) ||
802 (!strncmp(utsnam.machine, "9000/836", UTSLEN)) ||
803 (!strncmp(utsnam.machine, "9000/846", UTSLEN)) ||
804 (!strncmp(utsnam.machine, "9000/843", UTSLEN)) ||
805 (!strncmp(utsnam.machine, "9000/853", UTSLEN))) {
807 /* strict_count = 1;*/
808 if (CountUsersStrict(name) > MAX_STRICT_USERS) {
810 " attempted to login - too many users on the system",
813 return(VF_MAX_USERS);
817 if (utsnam.version[0] != UNLIMITED) {
818 if ((utsnam.version[0]-'A' < 0) ||
819 (utsnam.version[0]-'A' > NUM_VERSIONS))
820 utsnam.version[0] = MIN_VERSION;
822 n = (int) utsnam.version[0] - 'A';
823 if (CountUsers(1) > num_users[n]) {
825 " attempted to login - too many users on the system",
828 return(VF_MAX_USERS);
836 * Check for account validity. Unfortunately, we have no graphical
837 * dialog for this at this time so the best we can do is log an
838 * error message and hope the system administrator sees it.
841 if ( !rgy_$using_local_registry() ) {
842 if (rgy_$is_acct_expired(&admin_part) != 0 ) {
843 LogError(ReadCatalog(MC_LOG_SET,MC_LOG_ACC_EXP,MC_DEF_LOG_ACC_EXP),
851 * check password aging...
854 if ( PasswordAged(p) ) return(VF_PASSWD_AGED);
858 * verify home directory exists...
861 if(chdir(p->pw_dir) < 0) {
862 Audit(p, " attempted to login - no home directory", 1);
869 * check audit flag and id...
874 if (secure && (p->pw_audflg > 1 || p->pw_audflg < 0)) {
875 Audit(p, " attempted to login - bad audit flag", 1);
876 return(VF_BAD_AFLAG);
879 if (secure && (setaudid(p->pw_audid) == -1 )) {
880 Audit(p, " attempted to login - bad audit id", 1);
887 * validate uid and gid...
890 if ((p->pw_gid < 0) ||
891 (p->pw_gid > MAXUID) ||
892 (setgid(p->pw_gid) == -1)) {
894 Audit(p, " attempted to login - bad group id", 1);
901 * ka_UserAuthenticateGeneral() sets the group access of this process
902 * to the proper PAG. Pick up these values and pass them back to
903 * Dtlogin to be put into the user's environment...
906 if ( IsVerifyName(VN_AFS) ) {
907 groups[0] = groups[1] = 0;
908 getgroups(NGROUPS, groups);
914 if ((p->pw_uid < 0) ||
915 (p->pw_uid > MAXUID) ||
916 (setresuid(p->pw_uid, p->pw_uid, 0) == -1)) {
918 Audit(p, " attempted to login - bad user id", 1);
929 Audit(p, " Successful login", 0);
936 /***************************************************************************
940 * log bad login attempts
942 ***************************************************************************/
945 WriteBtmp( char *name )
948 struct utmp utmp, *u;
952 bzero(&utmp, sizeof(struct utmp));
954 utmp.ut_pid = getppid();
955 while ((u = getutent()) != NULL) {
956 if ( (u->ut_type == INIT_PROCESS ||
957 u->ut_type == LOGIN_PROCESS ||
958 u->ut_type == USER_PROCESS) &&
959 u->ut_pid == utmp.ut_pid ) {
968 * if no utmp entry, this may be an X-terminal. Construct a utmp
973 strncpy(utmp.ut_id, "??", sizeof(utmp.ut_id));
974 strncpy(utmp.ut_line, dpyinfo.name, sizeof(utmp.ut_line));
975 utmp.ut_type = LOGIN_PROCESS;
977 strncpy(utmp.ut_host, dpyinfo.name, sizeof(utmp.ut_host));
984 * If btmp exists, then record the bad attempt
986 if ( (fd = open(BTMP_FILE,O_WRONLY|O_APPEND)) >= 0) {
987 strncpy(u->ut_user, name, sizeof(u->ut_user));
988 (void) time(&u->ut_time);
989 write(fd, (char *)u, sizeof(utmp));
993 endutent(); /* Close utmp file */
996 /***************************************************************************
998 * End authentication routines (HPUX)
1000 ***************************************************************************/
1005 /***************************************************************************
1006 ***************************************************************************
1007 ***************************************************************************
1008 ***************************************************************************
1009 ***************************************************************************
1010 ***************************************************************************
1011 ***************************************************************************
1012 ***************************************************************************/
1016 /***************************************************************************
1018 * Start authentication routines (SUN)
1020 ***************************************************************************/
1025 /***************************************************************************
1027 * External declarations (SUN)
1029 ***************************************************************************/
1034 /***************************************************************************
1036 * Procedure declarations (SUN)
1038 ***************************************************************************/
1040 static void Audit( struct passwd *p, char *msg, int errnum) ;
1041 static int PasswordAged( register struct passwd *pw) ;
1042 static void WriteBtmp( char *name) ;
1047 /***************************************************************************
1049 * Global variables (SUN)
1051 ***************************************************************************/
1056 /***************************************************************************
1060 ***************************************************************************/
1063 Audit( struct passwd *p, char *msg, int errnum )
1067 * make sure program is back to super-user...
1078 /***************************************************************************
1082 * log bad login attempts
1084 ***************************************************************************/
1087 WriteBtmp( char *name )
1095 /***************************************************************************
1097 * PasswordAged (SUN)
1099 * see if password has aged
1100 ***************************************************************************/
1101 #define SECONDS_IN_WEEK 604800L
1104 PasswordAged( register struct passwd *pw )
1106 long change_week; /* week password was changed (1/1/70 = Week 0) */
1107 long last_week; /* week after which password must change */
1108 long first_week; /* week before which password can't change */
1109 long this_week; /* this week derived from time() */
1110 char *file; /* help file name */
1111 char *command; /* the /bin/passwd command string */
1113 if (*pw->pw_age == NULL)
1116 first_week = last_week = change_week = (long) a64l(pw->pw_age);
1117 last_week &= 0x3f; /* first six bits */
1118 first_week = (first_week >> 6) & 0x3f; /* next six bits */
1119 change_week >>= 12; /* everything else */
1121 this_week = (long) time((long *) 0) / SECONDS_IN_WEEK;
1124 ** Password aging conditions:
1125 ** * if the last week is less than the first week (e.g., the aging
1126 ** field looks like "./"), only the superuser can change the
1127 ** password. We don't request a new password.
1128 ** * if the week the password was last changed is after this week,
1129 ** we have a problem, and request a new password.
1130 ** * if this week is after the specified aging time, we request
1133 if (last_week < first_week)
1136 if (change_week <= this_week && this_week <= (change_week + last_week))
1145 /***************************************************************************
1151 * return codes indicate authentication results.
1152 ***************************************************************************/
1154 #define MAXATTEMPTS 3
1156 extern Widget focusWidget; /* login or password text field */
1157 struct passwd nouser = {"", "nope"}; /* invalid user password struct */
1160 Verify( char *name, char *passwd )
1163 static int login_attempts = 0; /* # failed authentications */
1165 struct passwd *p; /* password structure */
1166 struct spwd *sp; /* shadow info */
1172 sp = getspnam(name);
1174 if (!p || strlen(name) == 0 ||
1175 strcmp (crypt (passwd, sp->sp_pwdp), sp->sp_pwdp)) {
1177 if ( focusWidget == passwd_text ) {
1181 if ((++login_attempts % MAXATTEMPTS) == 0 ) {
1183 if (p->pw_name == NULL )
1186 Audit(p, " Failed login (bailout)", 1);
1196 * check password aging...
1199 if ( PasswordAged(p) ) return(VF_PASSWD_AGED);
1202 * verify home directory exists...
1205 if(chdir(p->pw_dir) < 0) {
1206 Audit(p, " attempted to login - no home directory", 1);
1212 * validate uid and gid...
1216 if ((p->pw_gid < 0) ||
1217 (setgid(p->pw_gid) == -1)) {
1219 Audit(p, " attempted to login - bad group id", 1);
1223 if ((p->pw_uid < 0) ||
1224 (seteuid(p->pw_uid) == -1)) {
1226 Audit(p, " attempted to login - bad user id", 1);
1236 Audit(p, " Successful login", 0);
1242 /***************************************************************************
1244 * End authentication routines (SUN)
1246 ***************************************************************************/
1249 /***************************************************************************
1250 ***************************************************************************
1251 ***************************************************************************
1252 ***************************************************************************
1253 ***************************************************************************
1254 ***************************************************************************
1255 ***************************************************************************
1256 ***************************************************************************/
1259 /***************************************************************************
1261 * Start authentication routines (AIX)
1263 ***************************************************************************/
1266 #include <sys/types.h>
1267 #include <usersec.h>
1269 #include <userconf.h>
1271 /***************************************************************************
1273 * External declarations (AIX)
1275 ***************************************************************************/
1280 /***************************************************************************
1282 * Procedure declarations (AIX)
1284 ***************************************************************************/
1286 static void Audit( struct passwd *p, char *msg, int errnum) ;
1287 static int PasswordAged(char *name, register struct passwd *pw) ;
1288 static void WriteBtmp( char *name) ;
1293 /***************************************************************************
1295 * Global variables (AIX)
1297 ***************************************************************************/
1302 /***************************************************************************
1306 ***************************************************************************/
1309 Audit( struct passwd *p, char *msg, int errnum )
1313 * make sure program is back to super-user...
1324 /***************************************************************************
1328 * log bad login attempts
1330 ***************************************************************************/
1333 WriteBtmp( char *name )
1341 /***************************************************************************
1343 * PasswordAged (AIX)
1345 * see if password has aged
1346 ***************************************************************************/
1347 #define SECONDS_IN_WEEK 604800L
1350 PasswordAged(char *name, register struct passwd *pw )
1352 struct userpw *pupw; /* authentication information from getuserpw() */
1353 struct userpw upw; /* working authentication information */
1354 int err; /* return code from getconfattr() */
1355 ulong maxage; /* maximun age from getconfattr() */
1356 ulong now; /* time now */
1359 * Determine user password aging criteria. Note that only
1360 * the 'lastupdate' and 'flags' fields are set by this operation.
1363 if ((pupw = getuserpw(name)) != NULL)
1365 upw.upw_lastupdate = pupw->upw_lastupdate;
1366 upw.upw_flags = pupw->upw_flags;
1370 upw.upw_lastupdate = 0;
1376 * Consider password as having not expired if nocheck set.
1378 if (upw.upw_flags & PW_NOCHECK) return(FALSE);
1381 * Get system password aging criteria.
1383 err = getconfattr (SC_SYS_PASSWD, SC_MAXAGE, (void *)&maxage, SEC_INT);
1387 * Change from weeks to seconds
1389 maxage = maxage * SECONDS_IN_WEEK;
1390 now = time ((long *) 0);
1392 if ((upw.upw_lastupdate + maxage) >= now)
1395 * Password has not expired.
1403 * Could not retrieve system password aging info or maxage set to
1404 * zero. In either case, consider password has having not expired.
1410 * We haven't returned by now, so indicate password has expired.
1417 /***************************************************************************
1423 * return codes indicate authentication results.
1424 ***************************************************************************/
1426 #define MAXATTEMPTS 3
1428 extern Widget focusWidget; /* login or password text field */
1429 struct passwd nouser = {"", "nope"}; /* invalid user password struct */
1432 Verify( char *name, char *passwd )
1435 static int login_attempts = 0; /* # failed authentications */
1437 struct passwd *p; /* password structure */
1444 if (!p || strlen(name) == 0 ||
1445 strcmp (crypt (passwd, p->pw_passwd), p->pw_passwd)) {
1447 if ( focusWidget == passwd_text ) {
1451 if ((++login_attempts % MAXATTEMPTS) == 0 ) {
1453 if (p->pw_name == NULL )
1456 Audit(p, " Failed login (bailout)", 1);
1466 * check password aging...
1469 if ( PasswordAged(name,p) ) return(VF_PASSWD_AGED);
1472 * verify home directory exists...
1475 if(chdir(p->pw_dir) < 0) {
1476 Audit(p, " attempted to login - no home directory", 1);
1482 * validate uid and gid...
1486 if ((p->pw_gid < 0) ||
1487 (setgid(p->pw_gid) == -1)) {
1489 Audit(p, " attempted to login - bad group id", 1);
1493 if ((p->pw_uid < 0)) {
1494 Audit(p, " attempted to login - bad user id", 1);
1504 Audit(p, " Successful login", 0);
1511 /***************************************************************************
1513 * End authentication routines (AIX)
1515 ***************************************************************************/
1519 /***************************************************************************
1520 ***************************************************************************
1521 ***************************************************************************
1522 ***************************************************************************
1523 ***************************************************************************
1524 ***************************************************************************
1525 ***************************************************************************
1526 ***************************************************************************/
1529 /***************************************************************************
1531 * Start authentication routines (generic)
1533 ***************************************************************************/
1536 /***************************************************************************
1538 * These are a set of routine to do simple password, home dir, uid, and gid
1539 * validation. They can be used as a first pass validation for future
1542 * When platform specific validation is developed, those routines should be
1543 * included in their own section and the use of these routines discontinued.
1545 ***************************************************************************/
1550 /***************************************************************************
1552 * External declarations (generic)
1554 ***************************************************************************/
1559 /***************************************************************************
1561 * Procedure declarations (generic)
1563 ***************************************************************************/
1565 static void Audit( struct passwd *p, char *msg, int errnum) ;
1566 static int PasswordAged( register struct passwd *pw) ;
1567 static void WriteBtmp( char *name) ;
1572 /***************************************************************************
1574 * Global variables (generic)
1576 ***************************************************************************/
1581 /***************************************************************************
1585 ***************************************************************************/
1588 Audit( struct passwd *p, char *msg, int errnum )
1592 * make sure program is back to super-user...
1603 /***************************************************************************
1605 * WriteBtmp (generic)
1607 * log bad login attempts
1609 ***************************************************************************/
1612 WriteBtmp( char *name )
1620 /***************************************************************************
1622 * PasswordAged (Generic)
1624 * see if password has aged
1625 ***************************************************************************/
1626 #define SECONDS_IN_WEEK 604800L
1629 PasswordAged( register struct passwd *pw )
1636 /***************************************************************************
1642 * return codes indicate authentication results.
1643 ***************************************************************************/
1645 #define MAXATTEMPTS 3
1647 extern Widget focusWidget; /* login or password text field */
1648 struct passwd nouser = {"", "nope"}; /* invalid user password struct */
1651 Verify( char *name, char *passwd )
1654 static int login_attempts = 0; /* # failed authentications */
1656 struct passwd *p; /* password structure */
1663 if (!p || strlen(name) == 0 ||
1664 strcmp (crypt (passwd, p->pw_passwd), p->pw_passwd)) {
1666 if ( focusWidget == passwd_text ) {
1670 if ((++login_attempts % MAXATTEMPTS) == 0 ) {
1672 if (p->pw_name == NULL )
1675 Audit(p, " Failed login (bailout)", 1);
1685 * check password aging...
1688 if ( PasswordAged(p) ) return(VF_PASSWD_AGED);
1692 * verify home directory exists...
1695 if(chdir(p->pw_dir) < 0) {
1696 Audit(p, " attempted to login - no home directory", 1);
1702 * validate uid and gid...
1706 if ((p->pw_gid < 0) ||
1707 (setgid(p->pw_gid) == -1)) {
1709 Audit(p, " attempted to login - bad group id", 1);
1713 if ((p->pw_uid < 0) ||
1714 (seteuid(p->pw_uid) == -1)) {
1716 Audit(p, " attempted to login - bad user id", 1);
1726 Audit(p, " Successful login", 0);
1733 /***************************************************************************
1735 * End authentication routines (generic)
1737 ***************************************************************************/
1738 #endif /* generic */
1742 /***************************************************************************
1743 ***************************************************************************
1744 ***************************************************************************
1745 ***************************************************************************
1746 ***************************************************************************
1747 ***************************************************************************
1748 ***************************************************************************
1749 ***************************************************************************/