-rw-r--r--src/sss_client/pam_sss.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d62e9485c..2ba6f158e 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
int pam_flags)
{
int ret;
-
+ int *exp_data = NULL;
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
+
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) {
+ if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
ret = prompt_password(pamh, pi, _("Current Password: "));
if (ret != PAM_SUCCESS) {
D(("failed to get password from user"));
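Review bot: The return value of `pam_get_data()` on the added line is discarded, so a lookup error and "no expiry flag stored" both leave `exp_data` NULL, and a root caller then skips the current-password prompt without any trace; the check only behaves at all because `exp_data` is pre-initialised. The `(const void **) &exp_data` cast of an `int *` is also an avoidable type pun, since the pointer is only tested for non-NULL and never dereferenced in the visible lines. I would declare `const void *exp_data = NULL;` and call `if (pam_get_data(pamh, PWEXP_FLAG, &exp_data) != PAM_SUCCESS) exp_data = NULL;`. A comment above the condition would help too, e.g. `/* an expired password must be re-verified even when the caller is root */`, assuming that is what PWEXP_FLAG signals, as it is set outside this hunk. The body of get_authtok_for_password_change continues past the end of the hunk.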