--- session.c.orig Fri Mar 21 02:15:18 2003 +++ session.c Mon Mar 31 16:10:35 2003 @@ -64,6 +64,11 @@ #define is_winnt (GetVersion() < 0x80000000) #endif +#ifdef __FreeBSD__ +#include +#define _PATH_CHPASS "/usr/bin/passwd" +#endif /* __FreeBSD__ */ + /* func */ Session *session_new(void); @@ -471,6 +476,13 @@ log_init(__progname, options.log_level, options.log_facility, log_stderr); /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + + /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. */ @@ -576,6 +588,9 @@ { int fdout, ptyfd, ttyfd, ptymaster; pid_t pid; +#if defined(USE_PAM) + const char *shorttty; +#endif if (s == NULL) fatal("do_exec_pty: no session"); @@ -583,7 +598,16 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + /* check if we have a pathname in the ttyname */ + shorttty = rindex( s->tty, '/' ); + if (shorttty != NULL ) { + /* use only the short filename to check */ + shorttty ++; + } else { + /* nothing found, use the whole name found */ + shorttty = s->tty; + } + do_pam_session(s->pw->pw_name, shorttty); do_pam_setcred(1); #endif @@ -593,6 +617,14 @@ /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); + + /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + /* Close the master side of the pseudo tty. */ close(ptyfd); @@ -726,6 +758,18 @@ struct sockaddr_storage from; struct passwd * pw = s->pw; pid_t pid = getpid(); +#ifdef HAVE_LOGIN_CAP + FILE *f; + char buf[256]; + char *fname; + const char *shorttty; +#endif /* HAVE_LOGIN_CAP */ +#ifdef __FreeBSD__ +#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ + char *newcommand; + struct timeval tv; + time_t warntime = DEFAULT_WARN; +#endif /* __FreeBSD__ */ /* * Get IP address of client. If the connection is not a socket, let @@ -759,6 +803,72 @@ } #endif +#ifdef __FreeBSD__ + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tv, NULL); +#ifdef HAVE_LOGIN_CAP + warntime = login_getcaptime(lc, "warnpassword", + DEFAULT_WARN, DEFAULT_WARN); +#endif /* HAVE_LOGIN_CAP */ + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + log("%s Password expired - forcing change", + pw->pw_name); + if (newcommand != NULL) + xfree(newcommand); + newcommand = xstrdup(_PATH_CHPASS); + } else if (pw->pw_change - tv.tv_sec < warntime && + !check_quietlogin(s, command)) + (void)printf( + "Warning: your password expires on %s", + ctime(&pw->pw_change)); + } + +#ifndef USE_PAM + if (pw->pw_expire) { + if (tv.tv_sec >= pw->pw_expire) { + (void)printf( + "Sorry -- your account has expired.\n"); + log( + "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s", + pw->pw_name, get_remote_name_or_ip(utmp_len, + options.verify_reverse_mapping), s->tty); + exit(254); + } else if (pw->pw_expire - tv.tv_sec < warntime && + !check_quietlogin(s, command)) + (void)printf( + "Warning: your account expires on %s", + ctime(&pw->pw_expire)); + } +#endif /* !USE_PAM */ +#endif /* __FreeBSD__ */ + +#ifdef HAVE_LOGIN_CAP + /* check if we have a pathname in the ttyname */ + shorttty = rindex( s->tty, '/' ); + if (shorttty != NULL ) { + /* use only the short filename to check */ + shorttty ++; + } else { + /* nothing found, use the whole name found */ + shorttty = s->tty; + } + if (!auth_ttyok(lc, shorttty)) { + (void)printf("Permission denied.\n"); + log( + "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s", + pw->pw_name, get_remote_name_or_ip(utmp_len, + options.verify_reverse_mapping), s->tty); + exit(254); + } +#endif /* HAVE_LOGIN_CAP */ + if (check_quietlogin(s, command)) return; @@ -772,7 +882,17 @@ #endif /* WITH_AIXAUTHENTICATE */ #ifndef NO_SSH_LASTLOG - if (options.print_lastlog && s->last_login_time != 0) { + /* + * If the user has logged in before, display the time of last + * login. However, don't display anything extra if a command + * has been specified (so that ssh can be used to execute + * commands on a remote machine without users knowing they + * are going to another machine). Login(1) will do this for + * us as well, so check if login(1) is used + */ + if (command == NULL && options.print_lastlog && + s->last_login_time != 0 && + !options.use_login) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) *strchr(time_string, '\n') = 0; @@ -784,7 +904,30 @@ } #endif /* NO_SSH_LASTLOG */ - do_motd(); +#ifdef HAVE_LOGIN_CAP + if (command == NULL && + !options.use_login) { + fname = login_getcapstr(lc, "copyright", NULL, NULL); + if (fname != NULL && (f = fopen(fname, "r")) != NULL) { + while (fgets(buf, sizeof(buf), f) != NULL) + fputs(buf, stdout); + fclose(f); + } else + (void)printf("%s\n\t%s %s\n", + "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", + "The Regents of the University of California. ", + "All rights reserved."); + } +#endif /* HAVE_LOGIN_CAP */ + + /* + * Print /etc/motd unless a command was specified or printing + * it was disabled in server options or login(1) will be + * used. Note that some machines appear to print it in + * /etc/profile or similar. + */ + if (command == NULL && !options.use_login) + do_motd(); } /* @@ -800,9 +943,9 @@ #ifdef HAVE_LOGIN_CAP f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r"); -#else +#else /* !HAVE_LOGIN_CAP */ f = fopen("/etc/motd", "r"); -#endif +#endif /* HAVE_LOGIN_CAP */ if (f) { while (fgets(buf, sizeof(buf), f)) fputs(buf, stdout); @@ -829,10 +972,10 @@ #ifdef HAVE_LOGIN_CAP if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) return 1; -#else +#else /* HAVE_LOGIN_CAP */ if (stat(buf, &st) >= 0) return 1; -#endif +#endif /* HAVE_LOGIN_CAP */ return 0; } @@ -952,6 +1095,10 @@ char buf[256]; u_int i, envsize; char **env, *laddr; +#ifdef HAVE_LOGIN_CAP + extern char **environ; + char **senv, **var; +#endif /* HAVE_LOGIN_CAP */ struct passwd *pw = s->pw; /* Initialize the environment. */ @@ -959,6 +1106,9 @@ env = xmalloc(envsize * sizeof(char *)); env[0] = NULL; + /* Moved up to resove confict with gsssapi patches */ + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); #ifdef HAVE_CYGWIN /* * The Windows environment contains some setting which are @@ -1003,9 +1153,21 @@ /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); +#ifdef HAVE_LOGIN_CAP + senv = environ; + environ = xmalloc(sizeof(char *)); + *environ = NULL; + if (setusercontext(lc, pw, pw->pw_uid, + LOGIN_SETENV|LOGIN_SETPATH) < 0) { + perror("unable to set user context enviroment"); + } + copy_environment(environ, &env, &envsize); + for (var = environ; *var != NULL; ++var) + xfree(*var); + xfree(environ); + environ = senv; +#endif /* HAVE_LOGIN_CAP */ } - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); /* Set custom environment options from RSA authentication. */ if (!options.use_login) { @@ -1219,7 +1381,7 @@ setpgid(0, 0); # endif if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { + (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) { perror("unable to set user context"); exit(1); } @@ -1382,7 +1544,7 @@ * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ - for (i = 3; i < 64; i++) + for (i = 3; i < getdtablesize(); i++) close(i); /* @@ -1412,6 +1574,31 @@ exit(1); #endif } + +#ifdef __FreeBSD__ + if (!options.use_login) { + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + syslog(LOG_INFO, + "%s Password expired - forcing change", + pw->pw_name); + if (system("/usr/bin/passwd") != 0) { + perror("/usr/bin/passwd"); + exit(1); + } + } + } + } +#endif /* __FreeBSD__ */ if (!options.use_login) do_rc_files(s, shell);