On Mon, 2014-12-22 at 15:46 -0500, Luke Shumaker wrote:
pam_get_authtok() may be used any time that a password needs to be
entered, unlike pam_get_authtok_{no,}verify(), which may only be used
when changing a password; yet when the user aborts, it prints "Password
change aborted." whether or not that was the operation being performed.
This bug was non-obvious because none of the modules distributed with
Linux-PAM use it for anything but changing passwords; pam_unix has its
own utility function that it uses instead. As an example, the
nss-pam-ldapd package uses it in pam_sm_authenticate().
libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
password is trying to be changed before printing a message about the
password change being aborted.
---
libpam/pam_get_authtok.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 31bb162..663f1f3 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -151,8 +151,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
if (retval != PAM_SUCCESS || resp[0] == NULL ||
(chpass > 1 && resp[1] == NULL))
{
- /* We want to abort the password change */
- pam_error (pamh, _("Password change aborted."));
+ /* We want to abort */
+ if (chpass)
+ pam_error (pamh, _("Password change aborted."));
return PAM_AUTHTOK_ERR;
}
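Review bot: In the abort branch, the new `if (chpass)` guard means the non-password-change case now returns PAM_AUTHTOK_ERR with no message at all, and the shortened comment "We want to abort" no longer explains why. I would expand the comment to say that the "Password change aborted." message is only emitted when chpass is nonzero and that the other path is silent on purpose, so that module authors calling this from pam_sm_authenticate() know they must report the abort themselves. Separately, the visible condition still maps any retval other than PAM_SUCCESS to PAM_AUTHTOK_ERR, so the original error code is dropped on both paths; worth confirming that is intended now that this branch is documented as covering more than password changes.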
Thanks for the bug report and patch. I applied it to the git repository.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)