From 6de21466287c3e77850ab1d66f076405971ba4f3 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora <jpazdziora@redhat.com>
Date: Mon, 9 Nov 2015 21:14:54 +0100
Subject: Only put the password to the first response (factor).

When modules start to support pre-auth, we would put the password+code
(in case of OTP setup) to both first and second factor, leading to
PAM_CRED_ERR / Failure setting user credentials.
---
 mod_authnz_pam.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c
index 968b567..87d3150 100644
--- a/mod_authnz_pam.c
+++ b/mod_authnz_pam.c
@@ -61,7 +61,11 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s
 		response[i].resp = 0;
 		response[i].resp_retcode = 0;
 		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
-			response[i].resp = strdup(appdata_ptr);
+			if (i == 0) {
+				response[i].resp = strdup(appdata_ptr);
+			} else {
+				response[i].resp = NULL;
+			}
 		} else {
 			free(response);
 			return PAM_CONV_ERR;
-- 
cgit