Skip to content

Add PAM parameter to avoid implicit try_first_pass behavior #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tsaarni wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add PAM parameter to avoid implicit try_first_pass behavior #65

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions man/pam_ldap.8.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,17 @@
</para>
</listitem>
</varlistentry>
<varlistentry id="clear_first_pass">
<term>
<option>clear_first_pass</option>
</term>
<listitem>
<para>
This causes the <acronym>PAM</acronym> module not to retain the password
in memory after authentication is complete.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

Expand Down
9 changes: 8 additions & 1 deletion pam/pam.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,7 @@ struct pld_cfg {
int ignore_authinfo_unavail;
int debug;
uid_t minimum_uid;
int clear_first_pass;
};

static void cfg_init(pam_handle_t *pamh, int flags,
Expand All @@ -164,6 +165,7 @@ static void cfg_init(pam_handle_t *pamh, int flags,
cfg->ignore_authinfo_unavail = 0;
cfg->debug = 0;
cfg->minimum_uid = 0;
cfg->clear_first_pass = 0;
/* go over arguments */
for (i = 0; i < argc; i++)
{
Expand All @@ -185,6 +187,8 @@ static void cfg_init(pam_handle_t *pamh, int flags,
cfg->debug = 1;
else if (strncmp(argv[i], "minimum_uid=", 12) == 0)
cfg->minimum_uid = (uid_t)atoi(argv[i] + 12);
else if (strcmp(argv[i], "clear_first_pass") == 0)
cfg->clear_first_pass = 1;
else
pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]);
}
Expand Down Expand Up @@ -503,7 +507,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
if (cfg.debug)
pam_syslog(pamh, LOG_DEBUG, "authentication succeeded");
/* if password change is required, save old password in context */
if ((ctx->saved_authz.res == PAM_NEW_AUTHTOK_REQD) && (ctx->oldpassword == NULL))
if ((cfg.clear_first_pass == 0) &&
(ctx->saved_authz.res == PAM_NEW_AUTHTOK_REQD) &&
(ctx->oldpassword == NULL))
ctx->oldpassword = strdup(passwd);
/* update caller's idea of the user name */
if ((resp.msg[0] != '\0') && (strcmp(resp.msg, username) != 0))
Expand Down Expand Up @@ -682,6 +688,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
pam_error(pamh, "%s", resp.msg);
return remap_pam_rc(PAM_PERM_DENIED, &cfg);
}

/* see if we are dealing with an LDAP user first */
rc = nslcd_request_exists(pamh, &cfg, username);
if (rc != PAM_SUCCESS)
Expand Down
Loading