pam_localuser: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN

Give the application a chance to handle PAM_INCOMPLETE.

* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
it.

2 files changed, 15 insertions, 4 deletions

diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml
index 2a8b2e04..4d3daa9e 100644
--- a/modules/pam_localuser/pam_localuser.8.xml
+++ b/modules/pam_localuser/pam_localuser.8.xml
@@ -103,6 +103,16 @@
         </varlistentry>
 
         <varlistentry>
+          <term>PAM_INCOMPLETE</term>
+          <listitem>
+            <para>
+              The conversation method supplied by the application
+              returned PAM_CONV_AGAIN.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
           <term>PAM_SERVICE_ERR</term>
           <listitem>
             <para>
diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c
index 249d09cf..9ffd54a3 100644
--- a/modules/pam_localuser/pam_localuser.c
+++ b/modules/pam_localuser/pam_localuser.c
@@ -60,7 +60,7 @@ int
 pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 		     int argc, const char **argv)
 {
-	int i, ret = PAM_SUCCESS;
+	int i, ret;
 	FILE *fp;
 	int debug = 0;
 	const char *filename = "/etc/passwd";
@@ -95,9 +95,10 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 		}
 	}
 
-	if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
-		pam_syslog (pamh, LOG_ERR, "user name not specified yet");
-		return PAM_SERVICE_ERR;
+	/* Obtain the user name.  */
+	if ((ret = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+		pam_syslog (pamh, LOG_ERR, "cannot determine user name");
+		return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : PAM_SERVICE_ERR;
 	}
 
 	if ((user_len = strlen(user)) == 0) {