
Commit 17e6d3b

committed
Add PAM parameter to forcibly reverse use|try_first_pass
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
1 parent b7841fc commit 17e6d3b


2 files changed

+19
-1
lines changed


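--- a/man/pam_ldap.8.xml
+++ b/man/pam_ldap.8.xml
@@ -173,6 +173,17 @@
 </para>
 </listitem>
 </varlistentry>
+<varlistentry id="clear_first_pass">
+<term>
+<option>clear_first_pass</option>
+</term>
+<listitem>
+<para>
+This causes the <acronym>PAM</acronym> module not to use the previous
+stacked modules password and will always prompt the user.
+</para>
+</listitem>
+</varlistentry>
 </variablelist>
 </refsect1>
 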
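--- a/pam/pam.c
+++ b/pam/pam.c
@@ -150,6 +150,7 @@ struct pld_cfg {
 int ignore_authinfo_unavail;
 int debug;
 uid_t minimum_uid;
+int clear_first_pass;
 };
 
 static void cfg_init(pam_handle_t *pamh, int flags,
@@ -164,6 +165,7 @@ static void cfg_init(pam_handle_t *pamh, int flags,
 cfg->ignore_authinfo_unavail = 0;
 cfg->debug = 0;
 cfg->minimum_uid = 0;
+cfg->clear_first_pass = 0;
 /* go over arguments */
 for (i = 0; i < argc; i++)
 {
@@ -185,6 +187,8 @@ static void cfg_init(pam_handle_t *pamh, int flags,
 cfg->debug = 1;
 else if (strncmp(argv[i], "minimum_uid=", 12) == 0)
 cfg->minimum_uid = (uid_t)atoi(argv[i] + 12);
+else if (strcmp(argv[i], "clear_first_pass") == 0)
+cfg->clear_first_pass = 1;
 else
 pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]);
 }
@@ -503,7 +507,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 if (cfg.debug)
 pam_syslog(pamh, LOG_DEBUG, "authentication succeeded");
 /* if password change is required, save old password in context */
-if ((ctx->saved_authz.res == PAM_NEW_AUTHTOK_REQD) && (ctx->oldpassword == NULL))
+if ((cfg.clear_first_pass == 0) &&
+(ctx->saved_authz.res == PAM_NEW_AUTHTOK_REQD) &&
+(ctx->oldpassword == NULL))
 ctx->oldpassword = strdup(passwd);
 /* update caller's idea of the user name */
 if ((resp.msg[0] != '\0') && (strcmp(resp.msg, username) != 0))
@@ -682,6 +688,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 pam_error(pamh, "%s", resp.msg);
 return remap_pam_rc(PAM_PERM_DENIED, &cfg);
 }
+
 /* see if we are dealing with an LDAP user first */
 rc = nslcd_request_exists(pamh, &cfg, username);
 if (rc != PAM_SUCCESS)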
