locked_out_es - determine if password-management disallows user login (Enhanced Security)
Security Library (libsecurity.so)
struct es_passwd *prpwd);
The locked_out_es() function determines whether the password management values for an extended profile prohibit the user from logging in. This routine is called as part of the login processing under ENHANCED security.
If the current time falls within the grace limit parameter (uflg->fg_grace_limit and ufld->fd_grace_limit), then access is allowed. Otherwise, the following values are checked.
If the profile has vacation information set (uflg->fg_vac_start and uflg->fg_vac_end and ufld->fd_vac_start and ufld->fd_vac_end), and the fields are valid (both fd_vac_start and fd_vac_end are non-zero, and the start time is less than the end time), and the current time is during the vacation period, then the user is prohibited from logging in.
If the profile has valid vacation information set, and that vacation is now over, some adjustments are made to other time intervals which get checked. If the last successful password change was before that vacation, then the password lifetime check is extended by the duration of the user's vacation. If the last successful login was before that vacation, then the maximum login interval checked below is extended by the length of the vacation.
If the user's password has not been changed successfully for a long enough time that it has passed its lifetime (which may be adjusted for comparison purposes as described above for the vacation handling), and it is not a null password, then the user is prohibited from logging in. (Fields checked are uflg->fg_encrypt, ufld->fd_encrypt, uflg->fg_schange, ufld->fd_schange, uflg->fg_lifetime, ufld->fd_lifetime, sflg->fg_lifetime, sfld->fd_lifetime, in addition to the vacationing checks above.)
If the profile is marked with a maximum login interval (also known as minimum login frequency), and if the last successful login time recorded (possibly adjusted by the vacation handling described above) is more than that interval before the present time, then the user is prohibited from logging in. (Fields checked are uflg->fg_slogin, ufld->fd_slogin, uflg->fg_max_login_int, ufld->fd_max_login_int, and the vacationing checks above.)
If break-in evasion is enabled for the profile with a non-zero value for the maximum allowed unsuccessful attempts (uflg->fg_max_tries, ufld->fd_max_tries, sflg->fg_max_tries, sfld->fd_max_tries), and if there have been at least that many consecutive unsuccessful login attempts recorded for the account (uflg->fg_nlogins, ufld->fd_nlogins), then the user may be prohibited from logging in. If there is no last unsuccessful login time recorded (uflg->fg_ulogin) or if there is no unlock interval for the account (uflg->fg_unlockint, ufld->fd_unlockint, sflg->fg_unlockint, sfld->fd_unlockint), the user is prohibited from logging in. If there is a non-zero unlock interval and a last unsuccessful login time has been recorded, but adding the unlock interval to the last unsuccessful login time produces a value which is greater than the current time, then the user is prohibited from logging in.
If the profile is marked as being locked by the system administrator, then the user is prohibited from logging in. (Fields checked are uflg->fg_lock, ufld->fd_lock, sflg->fg_lock, sfld->fd_lock.)
If none of these checks indicates that the user is locked out, a value of 0 is returned.
A return of 1 indicates that the password management values for this profile keep the associated user from logging in at the current time. A return of 0 indicates that the password management values for this profile do not prevent the associated user from logging in.
When locked_out_es() returns 1 to indicate that the user is locked out, it also attempts to make an audit entry with audgenl() to indicate that fact.
In order to quickstart a program, the program must be linked as follows:
See the shared library discussion in the Programmer's Guide for more information about using the quickstarting feature.
getespwent(3), getesdfent(3), audgenl(3), dxaccounts(8X)
Security delim off