*** ./plugins/sudoers/auth/aix_auth.c.orig Thu Jan 28 13:32:17 2021 --- ./plugins/sudoers/auth/aix_auth.c Thu Jan 28 13:33:04 2021 *************** *** 231,241 **** int sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback) { ! char *pass, *message = NULL; ! int result = 1, reenter = 0; int ret = AUTH_SUCCESS; debug_decl(sudo_aix_verify, SUDOERS_DEBUG_AUTH); do { pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback); if (pass == NULL) --- 231,265 ---- int sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback) { ! char *pass, *message = NULL, *restrict_msg = NULL; ! int result = 1, reenter = 0, restrict_result = -1, pwdexp_msg = 0; int ret = AUTH_SUCCESS; + void *login_state = NULL; + debug_decl(sudo_aix_verify, SUDOERS_DEBUG_AUTH); + /* Use newer APIs */ + restrict_result = loginrestrictionsx(pw->pw_name, 0, NULL, + &restrict_msg, &login_state); + if (restrict_result != 0) + { + if (restrict_msg != NULL && restrict_msg[0] != '\0') + { + struct sudo_conv_message msg; + struct sudo_conv_reply repl; + + memset(&msg, 0, sizeof(msg)); + msg.msg_type = SUDO_CONV_ERROR_MSG; + msg.msg = restrict_msg; + memset(&repl, 0, sizeof(repl)); + sudo_conv(1, &msg, &repl, NULL); + free(restrict_msg); + restrict_msg = NULL; + } + sudo_warn("loginrestrictionsx"); + debug_return_int(AUTH_FATAL); + } + do { pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback); if (pass == NULL) *************** *** 242,248 **** break; free(message); message = NULL; ! result = authenticate(pw->pw_name, pass, &reenter, &message); freezero(pass, strlen(pass)); prompt = message; } while (reenter); --- 266,272 ---- break; free(message); message = NULL; ! 
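Review bot: In the new loginrestrictionsx() failure path, `restrict_msg` is freed only inside the `restrict_msg[0] != '\0'` branch, so a non-NULL but empty message leaks, and `login_state` is not released before `debug_return_int(AUTH_FATAL)` even though the *x APIs may already have populated it; move `free(restrict_msg); restrict_msg = NULL;` out of the inner block and release `login_state` as authenticatex(3) prescribes before returning. The Mode argument is a literal `0` rather than one of the documented S_LOGIN/S_SU/S_DAEMON/S_RLOGIN values, so it is worth confirming that 0 enforces the restrictions sudo intends and recording it, e.g. `/* Mode 0: check generic login restrictions — verify against loginrestrictionsx(3) */`. The added block also uses Allman braces (`{` on its own line after `if`) where the surrounding code is K&R. sudo_aix_verify's body continues past this hunk.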
result = authenticatex(pw->pw_name, pass, &reenter, &message, &login_state); freezero(pass, strlen(pass)); prompt = message; } while (reenter); *************** *** 259,266 **** /* Check if password expired and allow user to change it if possible. */ if (ret == AUTH_SUCCESS) { ! result = passwdexpired(pw->pw_name, &message); if (message != NULL && message[0] != '\0') { int msg_type = SUDO_CONV_PREFER_TTY; msg_type |= result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG, sudo_printf(msg_type, "%s", message); --- 283,291 ---- /* Check if password expired and allow user to change it if possible. */ if (ret == AUTH_SUCCESS) { ! result = passwdexpiredx(pw->pw_name, &message, &login_state); if (message != NULL && message[0] != '\0') { + pwdexp_msg = 1; int msg_type = SUDO_CONV_PREFER_TTY; msg_type |= result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG, sudo_printf(msg_type, "%s", message); *************** *** 279,290 **** } break; case 2: /* password expired, only admin can change it */ ret = AUTH_FATAL; break; default: /* error (-1) */ ! sudo_warn("passwdexpired"); ret = AUTH_FATAL; break; } --- 304,318 ---- } break; case 2: + case 3: /* password expired, only admin can change it */ + if (!pwdexp_msg) + sudo_printf(SUDO_CONV_ERROR_MSG, "Your password expired, only admin can change it.\n"); ret = AUTH_FATAL; break; default: /* error (-1) */ ! sudo_warn("passwdexpiredx"); ret = AUTH_FATAL; break; }
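Review bot: `pwdexp_msg = 1;` is inserted ahead of `int msg_type = SUDO_CONV_PREFER_TTY;`, so a declaration now follows a statement mid-block; that is legal C99 but breaks the declarations-first layout of the surrounding code, so place the assignment after the declaration or next to the sudo_printf call that it describes. The enclosing `if (ret == AUTH_SUCCESS)` block continues past the hunk.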
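Review bot: `case 3:` is folded into the branch whose comment and new fallback message both describe return value 2 ("only admin can change it"); the hunk gives no evidence of what passwdexpiredx() means by 3, so if it is a distinct condition the user is shown a misleading explanation — document it at the label, e.g. `case 3: /* passwdexpiredx: treated like 2 — confirm meaning against passwdexpiredx(3) */`. The fallback string is a bare literal and also skips the `SUDO_CONV_PREFER_TTY` flag that the message path above it uses; I would write it as `sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, "Your password has expired; only an administrator can change it.\n");`, wrapped for translation if this file marks its other user-facing strings that way. The switch's enclosing function continues outside the hunk.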