Massage and then apply a patch from Vincent Berger

Fri Dec 19 15:44:03 2003  George Lebl <jirka@5z.com>

	* configure.in, acconfig.h, daemon/verify-(crypt|shadow).c: Massage
	  and then apply a patch from Vincent Berger
	  <vincent.berger@ext.bull.net> to add password expiration and
	  checking in the crypt/shadow code, at least on AIX.  Fixes
	  #123766

2 files changed, 201 insertions, 0 deletions

diff --git a/daemon/verify-crypt.c b/daemon/verify-crypt.c
index d63c8c0e..1bd230b4 100644
--- a/daemon/verify-crypt.c
+++ b/daemon/verify-crypt.c
@@ -103,6 +103,14 @@ gdm_verify_user (GdmDisplay *d,
 {
     gchar *login, *passwd, *ppasswd;
     struct passwd *pwent;
+#if defined(HAVE_PASSWDEXPIRED) && defined(HAVE_CHPASS) \
+    || defined(HAVE_LOGINRESTRICTIONS)
+    gchar *message = NULL;
+#endif
+#if defined(HAVE_PASSWDEXPIRED) && defined(HAVE_CHPASS)
+    gchar *info_msg = NULL, *response = NULL;
+    gint reEnter, ret;
+#endif
 
     if (local)
 	    gdm_slave_greeter_ctl_no_ret (GDM_STARTTIMER, "");
@@ -208,6 +216,28 @@ authenticate_again:
 	    return NULL;
     }
 
+#ifdef HAVE_LOGINRESTRICTIONS
+
+    /* Check with the 'loginrestrictions' function
+       if the user has been disallowed */
+    if (loginrestrictions (login, 0, NULL, &message)) {
+	    gdm_error (_("User %s not allowed to log in"), login);
+	    gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
+					  _("\nThe system administrator "
+					    "has disabled your "
+					    "account."));
+	    g_free (login);
+	    g_free (passwd);
+	    g_free (ppasswd);
+	    g_free (message);
+	    return NULL;
+    }
+    
+    g_free (message);
+    message = NULL;
+
+#else /* ! HAVE_LOGINRESTRICTIONS */
+
     /* check for the standard method of disallowing users */
     if (pwent->pw_shell != NULL &&
 	(strcmp (pwent->pw_shell, "/sbin/nologin") == 0 ||
@@ -226,6 +256,8 @@ authenticate_again:
 	    return NULL;
     }	
 
+#endif /* HAVE_LOGINRESTRICTIONS */
+
     g_free (passwd);
     g_free (ppasswd);
 
@@ -239,6 +271,74 @@ authenticate_again:
 	    return NULL;
     }
     
+#if defined(HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
+
+    switch (passwdexpired (login, &info_msg)) {
+    case 1 :
+	    gdm_error (_("Password of %s has expired"), login);
+	    gdm_error_box (d, GTK_MESSAGE_ERROR,
+			   _("You are required to change your password.\n"
+			     "Please choose a new one."));
+	    g_free (info_msg);
+
+	    do {
+		    ret = chpass (login, response, &reEnter, &message);
+		    g_free (response);
+
+		    if (ret != 1) {
+			    if (ret != 0) {
+				    gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
+								  _("\nCannot change your password, "
+								    "you will not be able to log in, "
+								    "please try again later or contact "
+								    "your system administrator."));
+			    } else if ((reEnter != 0) && (message)) {
+				    response = gdm_slave_greeter_ctl (GDM_NOECHO, message);
+				    if (response == NULL)
+					    response = g_strdup ("");
+			    }
+		    }
+
+		    g_free(message);
+		    message = NULL;
+
+	    } while ( ((reEnter != 0) && (ret == 0))
+		      || (ret ==1) );
+
+	    g_free (response);
+	    g_free (message);
+
+	    if ((ret != 0) || (reEnter != 0)) {
+		    return NULL;
+	    }
+
+	    break;
+
+    case 2 :
+	    gdm_error (_("Password of %s has expired"), login);
+	    gdm_error_box (d, GTK_MESSAGE_ERROR,
+			   _("Your password has expired.\n"
+			     "Only a system administrator can now change it"));
+	    g_free (info_msg);
+	    return NULL;
+	    break;    
+
+    case -1 :
+	    gdm_error (_("Internal error on passwdexpired"));
+	    gdm_error_box (d, GTK_MESSAGE_ERROR,
+			   _("An internal error occured, you will not be able to log in.\n"
+			     "Please try again later or contact your system administrator."));
+	    g_free (info_msg);
+	    return NULL;
+	    break;    
+
+    default :
+	    g_free (info_msg);
+	    break;
+    }
+
+#endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */
+
     return login;
 }
 
diff --git a/daemon/verify-shadow.c b/daemon/verify-shadow.c
index 9bdeb4c1..695fbc61 100644
--- a/daemon/verify-shadow.c
+++ b/daemon/verify-shadow.c
@@ -102,6 +102,14 @@ gdm_verify_user (GdmDisplay *d, const char *username, const gchar *display, gboo
     gchar *login, *passwd, *ppasswd;
     struct passwd *pwent;
     struct spwd *sp;
+#if defined(HAVE_PASSWDEXPIRED) && defined(HAVE_CHPASS) \
+    || defined(HAVE_LOGINRESTRICTIONS)
+    gchar *message = NULL;
+#endif
+#if defined(HAVE_PASSWDEXPIRED) && defined(HAVE_CHPASS)
+    gchar *info_msg = NULL, *response = NULL;
+    gint reEnter, ret;
+#endif
 
     if (local)
 	    gdm_slave_greeter_ctl_no_ret (GDM_STARTTIMER, "");
@@ -226,6 +234,28 @@ authenticate_again:
 	    return NULL;
     }
 
+#ifdef HAVE_LOGINRESTRICTIONS
+
+    /* Check with the 'loginrestrictions' function
+       if the user has been disallowed */
+    if (loginrestrictions (login, 0, NULL, &message)) {
+	    gdm_error (_("User %s not allowed to log in"), login);
+	    gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
+					  _("\nThe system administrator "
+					    "has disabled your "
+					    "account."));
+	    g_free (login);
+	    g_free (passwd);
+	    g_free (ppasswd);
+	    g_free (message);
+	    return NULL;
+    }
+    
+    g_free (message);
+    message = NULL;
+
+#else /* ! HAVE_LOGINRESTRICTIONS */
+
     /* check for the standard method of disallowing users */
     if (pwent->pw_shell != NULL &&
 	(strcmp (pwent->pw_shell, "/sbin/nologin") == 0 ||
@@ -243,6 +273,9 @@ authenticate_again:
 	    g_free (ppasswd);
 	    return NULL;
     }	
+
+#endif /* HAVE_LOGINRESTRICTIONS */
+
     g_free (passwd);
     g_free (ppasswd);
 
@@ -256,6 +289,74 @@ authenticate_again:
 	    return NULL;
     }
 
+#if defined(HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
+
+    switch (passwdexpired (login, &info_msg)) {
+    case 1 :
+	    gdm_error (_("Password of %s has expired"), login);
+	    gdm_error_box (d, GTK_MESSAGE_ERROR,
+			   _("You are required to change your password.\n"
+			     "Please choose a new one."));
+	    g_free (info_msg);
+
+	    do {
+		    ret = chpass (login, response, &reEnter, &message);
+		    g_free (response);
+
+		    if (ret != 1) {
+			    if (ret != 0) {
+				    gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
+								  _("\nCannot change your password, "
+								    "you will not be able to log in, "
+								    "please try again later or contact "
+								    "your system administrator."));
+			    } else if ((reEnter != 0) && (message)) {
+				    response = gdm_slave_greeter_ctl (GDM_NOECHO, message);
+				    if (response == NULL)
+					    response = g_strdup ("");
+			    }
+		    }
+
+		    g_free(message);
+		    message = NULL;
+
+	    } while ( ((reEnter != 0) && (ret == 0))
+		      || (ret ==1) );
+
+	    g_free (response);
+	    g_free (message);
+
+	    if ((ret != 0) || (reEnter != 0)) {
+		    return NULL;
+	    }
+
+	    break;
+
+    case 2 :
+	    gdm_error (_("Password of %s has expired"), login);
+	    gdm_error_box (d, GTK_MESSAGE_ERROR,
+			   _("Your password has expired.\n"
+			     "Only a system administrator can now change it"));
+	    g_free (info_msg);
+	    return NULL;
+	    break;    
+
+    case -1 :
+	    gdm_error (_("Internal error on passwdexpired"));
+	    gdm_error_box (d, GTK_MESSAGE_ERROR,
+			   _("An internal error occured, you will not be able to log in.\n"
+			     "Please try again later or contact your system administrator."));
+	    g_free (info_msg);
+	    return NULL;
+	    break;    
+
+    default :
+	    g_free (info_msg);
+	    break;
+    }
+
+#endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */
+
     return login;
 }