- pam_sm_chauthtok() can return PAM_TRY_AGAIN.
- "sufficient" should not terminate the chain if the PAM_PRELIM_CHECK flag is set. Sponsored by: DARPA, NAI Labs git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@81 185d5e19-27fe-0310-9dcf-9bff6b9f3609
parent
ffabf53a8c
commit
8ea571eeba
|
@ -111,7 +111,8 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
continue;
|
||||
if (r == PAM_SUCCESS) {
|
||||
/*
|
||||
* For pam_setcred(), treat "sufficient" as
|
||||
* For pam_setcred() and pam_chauthtok() with the
|
||||
* PAM_PRELIM_CHECK flag, treat "sufficient" as
|
||||
* "optional".
|
||||
*
|
||||
* Note that Solaris libpam does not terminate
|
||||
|
@ -119,7 +120,9 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
* previously failed. I'm not sure why.
|
||||
*/
|
||||
if (chain->flag == PAM_SUFFICIENT &&
|
||||
primitive != PAM_SM_SETCRED)
|
||||
primitive != PAM_SM_SETCRED &&
|
||||
(primitive != PAM_SM_CHAUTHTOK ||
|
||||
!(flags & PAM_PRELIM_CHECK)))
|
||||
break;
|
||||
continue;
|
||||
}
|
||||
|
@ -203,7 +206,8 @@ _openpam_check_error_code(int primitive, int r)
|
|||
r == PAM_AUTHTOK_ERR ||
|
||||
r == PAM_AUTHTOK_RECOVERY_ERR ||
|
||||
r == PAM_AUTHTOK_LOCK_BUSY ||
|
||||
r == PAM_AUTHTOK_DISABLE_AGING)
|
||||
r == PAM_AUTHTOK_DISABLE_AGING ||
|
||||
r == PAM_TRY_AGAIN)
|
||||
return;
|
||||
break;
|
||||
}
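Review bot: In the `PAM_UPDATE_AUTHTOK` pass the `break` in `openpam_dispatch()` still fires when a "sufficient" module succeeds, so modules placed after it pass the preliminary check but are never asked to store the new token. For a password stack that keeps more than one backend in step, this can leave the later backends holding the old token while the call reports success. Whether that asymmetry is intended is not visible from these hunks, since the function starts and ends outside them. If it is intended, the comment should say so, for example `* In the update pass "sufficient" still ends the chain; later modules only see the preliminary check.`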
|
||||
|
|
|
@ -51,8 +51,18 @@ int
|
|||
pam_chauthtok(pam_handle_t *pamh,
|
||||
int flags)
|
||||
{
|
||||
int pam_err;
|
||||
|
||||
return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags));
|
||||
if (flags & PAM_PRELIM_CHECK || flags & PAM_UPDATE_AUTHTOK)
|
||||
return (PAM_SYMBOL_ERR);
|
||||
pam_err = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
|
||||
flags | PAM_PRELIM_CHECK);
|
||||
if (pam_err == PAM_SUCCESS)
|
||||
pam_err = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
|
||||
flags | PAM_UPDATE_AUTHTOK);
|
||||
pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
|
||||
pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
||||
return (pam_err);
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -61,4 +71,5 @@ pam_chauthtok(pam_handle_t *pamh,
|
|||
* =openpam_dispatch
|
||||
* =pam_sm_chauthtok
|
||||
* !PAM_IGNORE
|
||||
* PAM_SYMBOL_ERR
|
||||
*/
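Review bot: The flag check at the top of `pam_chauthtok()` rejects only the two internal pass flags, so any other unexpected bit in `flags` is forwarded unchanged to every module in both passes. An allow-list would be stricter: `if (flags & ~(PAM_SILENT | PAM_CHANGE_EXPIRED_AUTHTOK)) return (PAM_SYMBOL_ERR);`. The two `pam_set_item(..., NULL)` calls ignore their return values, and whether the old buffers are scrubbed before release depends on `pam_set_item()`, which is not shown here. A short comment such as `/* drop both tokens from the handle whether or not the update succeeded */` would record why they run on every path. The trailing comment block continues outside the hunk.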
|
||||
|
|