From 4c006b194bbb0ccd6ce3aceab6e53a640710252a Mon Sep 17 00:00:00 2001
From: David Bartley
Date: Thu, 17 Jan 2008 21:18:54 -0500
Subject: [PATCH] Only allow 1 month grace period
---
 pam_csc.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/pam_csc.c b/pam_csc.c
index 8df021f..69fe1c6 100644
--- a/pam_csc.c
+++ b/pam_csc.c
@@ -165,7 +165,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 int i;
 time_t cur_time;
 struct tm* local_time;
- int long_term;
+ int long_term, term_month;
 static const char term_chars[] = {'w', 's', 'f'};
 char cur_term[6], prev_term[6];
 LDAP *ld_csc = NULL, *ld_cscf = NULL;
@@ -219,6 +219,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 sprintf(cur_term, "%c%d", term_chars[long_term % 3], long_term / 3);
 long_term--;
 sprintf(prev_term, "%c%d", term_chars[long_term % 3], long_term / 3);
+ term_month = local_time->tm_mon % 4;
 /* connect to CSC */
 WARN_LDAP( ldap_create(&ld_csc) )
@@ -330,10 +331,23 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 /* check if account is expired */
 if(expired)
 {
- /* show notice and continue */
- pam_csc_print_message(pamh, PAM_CSC_EXPIRED_MSG, PAM_TEXT_INFO);
- syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_ERROR,
- username);
+ /* we allow once month grace-period */
+ if(term_month == 0)
+ {
+ /* show notice and continue */
+ pam_csc_print_message(pamh, PAM_CSC_EXPIRED_MSG, PAM_TEXT_INFO);
+ syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_ERROR,
+ username);
+ }
+ else
+ {
+ /* show notice and disallow login */
+ pam_csc_print_message(pamh, PAM_CSC_EXPIRED_MSG, PAM_ERROR_MSG);
+ syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_WARNING,
+ username);
+ retval = PAM_AUTH_ERR;
+ goto cleanup;
+ }
 }
 if(cscf)
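Review bot: The new assignment `term_month = local_time->tm_mon % 4;` in the hunk at -219 has no comment, although the access decision added later in the patch rests entirely on it. The `4` and the meaning of a zero result are left for the reader to work out from `term_chars` and the `long_term` arithmetic. I would add a comment such as `/* month within the 4-month term; 0 = first month (Jan/May/Sep), the only month of grace */` above it. The body of pam_sm_acct_mgmt starts and ends outside the hunk, so how `local_time` is obtained and whether it is checked for NULL is not visible here.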
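Review bot: The grace test `if(term_month == 0)` in the hunk at -330 depends only on the calendar month, so every account flagged `expired` is admitted in the first month of each term, however long ago it lapsed. `expired` is computed outside the hunk, so please confirm it is already limited to members of the immediately preceding term; otherwise the grace recurs every term. In the refusal branch, `retval = PAM_ACCT_EXPIRED;` would tell the PAM stack why the account was rejected in an account-management hook, where `PAM_AUTH_ERR` reads as a credential failure. The syslog message names look swapped, since the allowed path logs `PAM_CSC_SYSLOG_EXPIRED_ERROR` and the refused path `PAM_CSC_SYSLOG_EXPIRED_WARNING`, though their definitions are not visible here. Both are logged at `LOG_NOTICE`, so a distinct priority for the refusal would make denied logins easier to alert on.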