Date:      Wed, 12 Jun 2002 09:07:41 -0700 (PDT)
From:      Dag-Erling Smorgrav <des@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 12753 for review
Message-ID:  <200206121607.g5CG7f866706@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=12753

Change 12753 by des@des.at.des.thinksec.com on 2002/06/12 09:07:05

	Don't treat PAM_NEW_AUTHTOK_REQD as an error.
	Try to emulate Solaris more closely.
	
	Sponsored by:	DARPA, NAI Labs

Affected files ...

... //depot/projects/openpam/lib/openpam_dispatch.c#16 edit

Differences ...

==== //depot/projects/openpam/lib/openpam_dispatch.c#16 (text+ko) ====

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/openpam_dispatch.c#15 $
+ * $P4: //depot/projects/openpam/lib/openpam_dispatch.c#16 $
  */
 
 #include <sys/param.h>
@@ -109,20 +109,16 @@
 
 		if (r == PAM_IGNORE)
 			continue;
-		if (r == PAM_SUCCESS) {
+		if (r == PAM_SUCCESS || r == PAM_NEW_AUTHTOK_REQD) {
 			/*
 			 * For pam_setcred() and pam_chauthtok() with the
 			 * PAM_PRELIM_CHECK flag, treat "sufficient" as
 			 * "optional".
-			 *
-			 * Note that Solaris libpam does not terminate
-			 * the chain here if a required module has
-			 * previously failed.  I'm not sure why.
 			 */
-			if (chain->flag == PAM_SUFFICIENT &&
+			if (chain->flag == PAM_SUFFICIENT && !fail &&
 			    primitive != PAM_SM_SETCRED &&
-			    (primitive != PAM_SM_CHAUTHTOK ||
-				!(flags & PAM_PRELIM_CHECK)))
+			    !(primitive == PAM_SM_CHAUTHTOK &&
+				(flags & PAM_PRELIM_CHECK)))
 				break;
 			continue;
 		}
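Review bot: in the widened `r == PAM_SUCCESS || r == PAM_NEW_AUTHTOK_REQD` branch, a sufficient module that returns PAM_NEW_AUTHTOK_REQD now reaches the same `break` as a plain success, so the rest of the chain is skipped on an expired-token result. If that is intended, state it in the comment above the test. The added `!fail` condition is also left unexplained, because the Solaris note is deleted rather than updated. A short comment saying that a sufficient success no longer ends the chain after an earlier failure, to match Solaris, would keep the reason next to the code.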
@@ -153,7 +149,7 @@
 		}
 	}
 
-	if (!fail)
+	if (!fail && err != PAM_NEW_AUTHTOK_REQD)
 		err = PAM_SUCCESS;
 	openpam_log(PAM_LOG_DEBUG, "returning: %s", pam_strerror(pamh, err));
 	return (err);
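Review bot: the new `err != PAM_NEW_AUTHTOK_REQD` test before `err = PAM_SUCCESS` only has an effect if err was set to that value inside the loop, and the success branch changed in the previous hunk leaves through `break` or `continue` without assigning err in the lines shown. Please confirm that r is recorded somewhere on that path; otherwise this condition is always true and PAM_NEW_AUTHTOK_REQD is still turned into PAM_SUCCESS. A comment here noting that the code is passed through to the caller on purpose would also help, since callers that compare the result against PAM_SUCCESS will now see a different value.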
