pam_get_authtok() may be used any time that a password needs to be entered, unlike pam_get_authtok_{no,}verify(), which may only be used when changing a password; yet when the user aborts, it prints "Password change aborted." whether or not that was the operation being performed. This bug was non-obvious because none of the modules distributed with Linux-PAM use it for anything but changing passwords; pam_unix has its own utility function that it uses instead. As an example, the nss-pam-ldapd package uses it in pam_sm_authenticate(). libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the password is trying to be changed before printing a message about the password change being aborted. --- libpam/pam_get_authtok.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c index 31bb162..663f1f3 100644 --- a/libpam/pam_get_authtok.c +++ b/libpam/pam_get_authtok.c @@ -151,8 +151,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, if (retval != PAM_SUCCESS || resp[0] == NULL || (chpass > 1 && resp[1] == NULL)) { - /* We want to abort the password change */ - pam_error (pamh, _("Password change aborted.")); + /* We want to abort */ + if (chpass) + pam_error (pamh, _("Password change aborted.")); return PAM_AUTHTOK_ERR; }