From 1b829e63ebd2c21bbe60b7d8245f424b844b7e0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Wed, 12 Jun 2002 18:07:05 +0000 Subject: [PATCH] Don't treat PAM_NEW_AUTHTOK_REQD as an error. Try to emulate Solaris more closely. Sponsored by: DARPA, NAI Labs git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@158 185d5e19-27fe-0310-9dcf-9bff6b9f3609 --- lib/openpam_dispatch.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/lib/openpam_dispatch.c b/lib/openpam_dispatch.c index 81a38d0..feef9e9 100644 --- a/lib/openpam_dispatch.c +++ b/lib/openpam_dispatch.c @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/openpam_dispatch.c#15 $ + * $P4: //depot/projects/openpam/lib/openpam_dispatch.c#16 $ */ #include @@ -109,20 +109,16 @@ openpam_dispatch(pam_handle_t *pamh, if (r == PAM_IGNORE) continue; - if (r == PAM_SUCCESS) { + if (r == PAM_SUCCESS || r == PAM_NEW_AUTHTOK_REQD) { /* * For pam_setcred() and pam_chauthtok() with the * PAM_PRELIM_CHECK flag, treat "sufficient" as * "optional". - * - * Note that Solaris libpam does not terminate - * the chain here if a required module has - * previously failed. I'm not sure why. */ - if (chain->flag == PAM_SUFFICIENT && + if (chain->flag == PAM_SUFFICIENT && !fail && primitive != PAM_SM_SETCRED && - (primitive != PAM_SM_CHAUTHTOK || - !(flags & PAM_PRELIM_CHECK))) + !(primitive == PAM_SM_CHAUTHTOK && + (flags & PAM_PRELIM_CHECK))) break; continue; } @@ -153,7 +149,7 @@ openpam_dispatch(pam_handle_t *pamh, } } - if (!fail) + if (!fail && err != PAM_NEW_AUTHTOK_REQD) err = PAM_SUCCESS; openpam_log(PAM_LOG_DEBUG, "returning: %s", pam_strerror(pamh, err)); return (err);