netbsd-bugs: bin/936: allow login to force password change

Subject: bin/936: allow login to force password change
To: None <gnats-admin@NetBSD.ORG>
From: Simon J. Gerraty <sjg@zen.void.oz.au>
List: netbsd-bugs
Date: 04/02/1995 13:20:08
>Number:         936
>Category:       bin
>Synopsis:       patch to allow login to force password change on initial login.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Apr  2 13:20:07 1995
>Originator:     Simon J. Gerraty
>Organization:
Zen Programming...
>Release:        Mar27 -current
>Environment:
	
System: NetBSD zen.void.oz.au 1.0A NetBSD 1.0A (ZEN) #0: Wed Mar 29 22:56:59 EST 1995 root@zen.void.oz.au:/d2/current/src/sys/arch/i386/compile/ZEN i386


>Description:
	
The patch below adds support to login(1) for a "magic" change date
that means expire on next login.  This is useful for newly added
accounts or for simply forcing users to change their passwords after
some security event...

Note: if the user authenticated via S/Key they are only warned about
the need for password change as it makes no sense to make a user enter
a password from an insecure terminal.
>How-To-Repeat:
	
>Fix:
	
*** login/login.c.old	Sun Apr  2 13:05:35 1995
--- login/login.c	Sun Apr  2 15:52:47 1995
***************
*** 83,88 ****
--- 83,89 ----
  int	 rootterm __P((char *));
  void	 sigint __P((int));
  void	 sleepexit __P((int));
+ void	do_chpass __P((void));
  char	*stypeof __P((char *));
  void	 timedout __P((int));
  int	 pwcheck __P((char *, char *, char *, char *));
***************
*** 112,117 ****
--- 113,128 ----
  struct	passwd *pwd;
  int	failures;
  char	term[64], *envinit[1], *hostname, *username, *tty;
+ #ifdef SKEY
+ int	used_skey = 0;
+ #endif
+ 
+ #ifndef IMEDIATE_CHANGE
+ # define IMEDIATE_CHANGE 1
+ #endif
+ #ifndef WARN_DAYS
+ # define WARN_DAYS 7				/* give 1 week warning */
+ #endif
  
  int
  main(argc, argv)
***************
*** 128,133 ****
--- 139,145 ----
  	char *domain, *p, *salt, *ttyn;
  	char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
  	char localhost[MAXHOSTNAMELEN];
+ 	int need_chpass = 0;
  	
  	(void)signal(SIGALRM, timedout);
  	(void)alarm(timeout);
***************
*** 349,359 ****
  	if (pwd->pw_change || pwd->pw_expire)
  		(void)gettimeofday(&tp, (struct timezone *)NULL);
  	if (pwd->pw_change)
! 		if (tp.tv_sec >= pwd->pw_change) {
  			(void)printf("Sorry -- your password has expired.\n");
  			sleepexit(1);
  		} else if (pwd->pw_change - tp.tv_sec <
! 		    2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
  			(void)printf("Warning: your password expires on %s",
  			    ctime(&pwd->pw_change));
  	if (pwd->pw_expire)
--- 361,373 ----
  	if (pwd->pw_change || pwd->pw_expire)
  		(void)gettimeofday(&tp, (struct timezone *)NULL);
  	if (pwd->pw_change)
! 		if (pwd->pw_change == IMEDIATE_CHANGE) {
! 			need_chpass = 1;
! 		} else if (tp.tv_sec >= pwd->pw_change) {
  			(void)printf("Sorry -- your password has expired.\n");
  			sleepexit(1);
  		} else if (pwd->pw_change - tp.tv_sec <
! 		    WARN_DAYS * DAYSPERWEEK * SECSPERDAY && !quietlog)
  			(void)printf("Warning: your password expires on %s",
  			    ctime(&pwd->pw_change));
  	if (pwd->pw_expire)
***************
*** 361,367 ****
  			(void)printf("Sorry -- your account has expired.\n");
  			sleepexit(1);
  		} else if (pwd->pw_expire - tp.tv_sec <
! 		    2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
  			(void)printf("Warning: your account expires on %s",
  			    ctime(&pwd->pw_expire));
  
--- 375,381 ----
  			(void)printf("Sorry -- your account has expired.\n");
  			sleepexit(1);
  		} else if (pwd->pw_expire - tp.tv_sec <
! 		    WARN_DAYS * DAYSPERWEEK * SECSPERDAY && !quietlog)
  			(void)printf("Warning: your account expires on %s",
  			    ctime(&pwd->pw_expire));
  
***************
*** 457,462 ****
--- 471,480 ----
  	else
  		(void) setuid(pwd->pw_uid);
  
+ 	/* wait until we are un-privileged */
+ 	if (need_chpass)
+ 		do_chpass();
+ 	
  	execlp(pwd->pw_shell, tbuf, 0);
  	err(1, "%s", pwd->pw_shell);
  }
***************
*** 471,477 ****
  			fprintf(stderr, "You have no s/key. ");
  			return 1;
  		} else {
! 			return skey_authenticate(user);
  		}
  	}
  #endif
--- 489,499 ----
  			fprintf(stderr, "You have no s/key. ");
  			return 1;
  		} else {
! 			int ret = skey_authenticate(user);
! 
! 			if (ret == 0)
! 				used_skey = 1;
! 			return ret;
  		}
  	}
  #endif
***************
*** 675,678 ****
--- 697,718 ----
  {
  	(void)sleep(5);
  	exit(eval);
+ }
+ 
+ void
+ do_chpass()
+ {
+ #ifdef SKEY
+ 	/*
+ 	 * if user logged on using skey, don't make them
+ 	 * type a password in...
+ 	 */
+ 	if (used_skey) {
+ 		(void)printf("Warning: your password has expired, change it as soon as possible.\n");
+ 		return;
+ 	}
+ #endif
+ 	(void)printf("Your password has expired, chose a new one.\n");
+ 	if (system("passwd") != 0)
+ 		sleepexit(1);
  }
>Audit-Trail:
>Unformatted: