From d65b34db7dbf12ea8dbfd0435d59235a56142c8d Mon Sep 17 00:00:00 2001
From: John Polstra <jdp@FreeBSD.org>
Date: Sat, 8 May 1999 01:59:27 +0000
Subject: Revive the pam_deny and pam_permit modules from Linux-PAM.  They are
 simple enough to be trusted.

Add account management functionality to the pam_unix module.

These changes should make it possible to use PAM in some ports.

Submitted by:	Max Khon <fjoe@iclub.nsu.ru>
---
 lib/libpam/modules/pam_unix/pam_unix.c | 74 ++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)

(limited to 'lib/libpam/modules/pam_unix/pam_unix.c')

diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index b68a9d4b7bf3..329b7844f8eb 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -27,18 +27,26 @@
  */
 
 #include <sys/types.h>
+#include <sys/time.h>
+#include <login_cap.h>
 #include <pwd.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdio.h>
 #include <unistd.h>
 
 #define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
 #include <security/pam_modules.h>
 
 #include "pam_mod_misc.h"
 
 #define PASSWORD_PROMPT	"Password:"
 
+/*
+ * authentication management
+ */
+
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
     const char **argv)
@@ -87,4 +95,70 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	return PAM_SUCCESS;
 }
 
+/* 
+ * account management
+ *
+ * check pw_change and pw_expire fields
+ */
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+		     int argc, const char **argv)
+{
+	const char *user;
+	struct passwd *pw;
+	struct timeval tp;
+	time_t warntime;
+	login_cap_t *lc = NULL;
+	char buf[128];
+	int retval;
+
+	retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
+	if (retval != PAM_SUCCESS || user == NULL)
+		/* some implementations return PAM_SUCCESS here */
+		return PAM_USER_UNKNOWN;
+
+	if ((pw = getpwnam(user)) == NULL)
+		return PAM_USER_UNKNOWN;
+
+	retval = PAM_SUCCESS;
+	lc = login_getpwclass(pw);
+
+	if (pw->pw_change || pw->pw_expire)
+		gettimeofday(&tp, NULL);
+
+#define DEFAULT_WARN  (2L * 7L * 86400L)  /* Two weeks */
+
+	warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
+	    DEFAULT_WARN);
+
+	if (pw->pw_change) {
+		if (tp.tv_sec >= pw->pw_change)
+			/* some implementations return PAM_AUTHTOK_EXPIRED */
+			retval = PAM_NEW_AUTHTOK_REQD;
+		else if (pw->pw_change - tp.tv_sec < warntime) {
+			snprintf(buf, sizeof(buf),
+			    "Warning: your password expires on %s",
+			    ctime(&pw->pw_change));
+			pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL);
+		}
+	}
+
+	warntime = login_getcaptime(lc, "warnexpire", DEFAULT_WARN,
+	    DEFAULT_WARN);
+
+	if (pw->pw_expire) {
+		if (tp.tv_sec >= pw->pw_expire)
+			retval = PAM_ACCT_EXPIRED;
+		else if (pw->pw_expire - tp.tv_sec < warntime) {
+			snprintf(buf, sizeof(buf),
+			    "Warning: your account expires on %s",
+			    ctime(&pw->pw_expire));
+			pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL);
+		}
+	}
+
+	login_close(lc);
+	return retval;
+}
+
 PAM_MODULE_ENTRY("pam_unix");
-- 
cgit v1.2.3