Protected password database access funkiness

From: Blue Moon Network Administrator <root_at_net.bluemoon.net>
Date: Thu, 30 Nov 1995 18:18:24 -0500 (EST)

The following program is to detect whether a user account is locked and
unfortunately reports that some active, unlocked accounts are locked.
 
It is a test program for a routine I *need* for our radius authentication
server that is used with our Livingston Portmaster router/remote access
server.

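#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>             /* exit() */
#include <string.h>             /* strcspn() */
#include <sys/security.h>
#include <prot.h>

int main(int argc, char *argv[])
{
        struct pr_passwd *name;
        char acct[9];           /* login name: up to 8 characters plus NUL */

        set_auth_parameters(argc, argv); /* Required to access tcb prpw */
        printf("Login name to check for Account Lock: ");
        /* Bounded read so an over-long name cannot overflow acct */
        if (fgets(acct, sizeof(acct), stdin) == NULL)
                exit(1);
        acct[strcspn(acct, "\n")] = '\0';       /* strip the trailing newline */

        if ((name = getprpwnam(acct)) == NULL) {
                printf("User not found!\n");
                exit(0);
        }

        initprivs(acct); /* Required to access user privs with ->uflg.fg_
                          (I think) */

        /* Decision is made on the uflg.fg_lock flag of the user's entry */
        if (name->uflg.fg_lock) {
                printf("Account is retired!\n");
                printf("User: %s, Retired: %d\n", name->ufld.fd_name, name->uflg.fg_lock);
        }
        else
                printf("%s does not have fg_lock set.\n", name->ufld.fd_name);
        exit(0);
}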

This is an excerpt from the getprpwent man page describing fd_lock:

  fd_lock Indicates whether the administrative lock on the account is
              set. The account is considered disabled (locked) if the pass-
              word is dead, if the maximum number of unsuccessful attempts
              has been exceeded, or the administrative lock is set.

The uflg.fg_lock should report 0 for not locked and 1 for locked, but on
some accounts it reports they are locked when Xisso and 'login' allow
them access as they should.
I need to patch our radiusd authentication server daemon to prevent
any unauthorized accesses by locked accounts. The enhanced security
(prpasswd) patch I installed for it works fine, but it only checks for a
matching password, not an administrative lock or expired access. Obviously
that allows locked accounts PPP access to our network and people can
Netscape away at our expense.

The above test program always seems to report locked status correctly
when an account is shown as locked in Xisso, but various users are also
incorrectly getting locked out when they should be granted access.
Obviously this is a serious problem and I don't wish to have to manually
remove users from the system the minute they expire only to have to
adduser them again if they subscribe.

I have seen other minor references to different types of locks, but I
find nothing readily editable that should cause an active account to be
flagged as locked.

I have no problem getting any info I want from the protected password
database, but it's a nuisance if I have to play time conversion games to
calculate if an account is locked when there's a flag to do it! This is
drivin' me nutzo!

I have contacted DEC software support about it and mailed them a copy of
the above program and I am still waiting to hear back from them, but I
thought one of the 'gurus' might have a little insight.

J. Henry Priebe Jr. President & Network Administrator
root_at_net.bluemoon.net Blue Moon Internet Services
sysop_at_bbs.bluemoon.net Blue Moon Online System
http://www.bluemoon.net "The Moon is in the Sky and Everyone is there!"
Received on Fri Dec 01 1995 - 00:49:18 NZDT
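
Added example, not part of the original message and not vendor code: a self-contained model of the lock decision in the man page excerpt, set beside a test that looks only at the fg_lock bit. It assumes each fg_ bit records only whether the matching fd_ value is present and that unset per-user fields fall back to system defaults; the structs are simplified stand-ins for <prot.h>, and every field name other than fd_lock/fg_lock is an assumption.

```c
#include <stdio.h>
#include <time.h>

/* Constructed stand-ins for the few <prot.h> members used; apart from
   fd_lock/fg_lock the field names are assumptions to check against the header. */
struct fld { char fd_lock; short fd_nlogins, fd_max_tries;
             time_t fd_schange, fd_lifetime; };
struct flg { unsigned fg_lock:1, fg_nlogins:1, fg_max_tries:1,
             fg_schange:1, fg_lifetime:1; };
struct entry { struct fld ufld; struct flg uflg;    /* per-user values + "is set" bits */
               struct fld sfld; struct flg sflg; }; /* system defaults, same layout */

/* Per-user value if its fg_ bit is set, else the system default, else 0. */
#define EFFECTIVE(e, X) ((e)->uflg.fg_##X ? (e)->ufld.fd_##X : \
                         (e)->sflg.fg_##X ? (e)->sfld.fd_##X : 0)

enum lock_reason { NOT_LOCKED, ADMIN_LOCK, TOO_MANY_TRIES, PASSWORD_DEAD };

/* Flag-only test: true whenever the lock field is present, whatever its value. */
int flag_only_locked(const struct entry *e) { return e->uflg.fg_lock; }

/* The three conditions from the man page excerpt, evaluated on field values. */
enum lock_reason lock_reason(const struct entry *e, time_t now)
{
    long tries = EFFECTIVE(e, nlogins), max = EFFECTIVE(e, max_tries);
    time_t changed = EFFECTIVE(e, schange), life = EFFECTIVE(e, lifetime);

    if (EFFECTIVE(e, lock)) return ADMIN_LOCK;
    if (max > 0 && tries > max) return TOO_MANY_TRIES;   /* "exceeded" */
    if (life > 0 && changed > 0 && now - changed > life) return PASSWORD_DEAD;
    return NOT_LOCKED;
}

#define NOW ((time_t)2000)              /* constructed clock value */
const struct entry samples[] = {        /* constructed records, not real accounts */
    { .ufld = { .fd_lock = 0 }, .uflg = { .fg_lock = 1 } },  /* explicitly unlocked */
    { .ufld = { .fd_lock = 1 }, .uflg = { .fg_lock = 1 } },  /* administrative lock */
    { .ufld = { .fd_nlogins = 6 }, .uflg = { .fg_nlogins = 1 },
      .sfld = { .fd_max_tries = 5 }, .sflg = { .fg_max_tries = 1 } },
    { .ufld = { .fd_schange = 1000 }, .uflg = { .fg_schange = 1 },
      .sfld = { .fd_lifetime = 500 }, .sflg = { .fg_lifetime = 1 } },
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu: flag-only=%d reason=%d\n", i,
               flag_only_locked(&samples[i]), (int)lock_reason(&samples[i], NOW));
    return 0;
}
```

The first sample is the case that matters for an authentication daemon: the lock field is present but holds 0, so a flag-only test refuses an account that the value-based check accepts.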
