diff options
| author | Ralf Haferkamp <rhafer@suse.de> | 2010-03-12 14:37:33 +0100 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-03-15 08:15:28 -0400 |
| commit | dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72 (patch) | |
| tree | 1e85ad1166027f6045a5ffb1d69f7255fed570aa | |
| parent | ea38c85d4de7515fd946704c6dd56bb99198f033 (diff) | |
| download | sssd-dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72.tar.gz sssd-dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72.tar.xz sssd-dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72.zip | |
Prompt for old password even when running as root
When changing an expired password (during e.g. login) the PAM module needs
to prompt for the old password even when running as root.
| -rw-r--r-- | src/sss_client/pam_sss.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index d62e9485c..2ba6f158e 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, int pam_flags) { int ret; - + int *exp_data = NULL; + pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data); + /* we query for the old password during PAM_PRELIM_CHECK to make * pam_sss work e.g. with pam_cracklib */ if (pam_flags & PAM_PRELIM_CHECK) { - if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) { + if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) { ret = prompt_password(pamh, pi, _("Current Password: ")); if (ret != PAM_SUCCESS) { D(("failed to get password from user")); |