diff options
authorLuke Shumaker <>2014-12-22 15:46:43 -0500
committerTomas Mraz <>2015-01-02 09:16:20 +0100
commitc1023edd3d2e9dcd83a7822f1830a69f51101334 (patch)
parent9d1545efee73ec834b051c50a1bc0d2a63d8765b (diff)
libpam: Only print "Password change aborted" when it's true.
pam_get_authtok() may be used any time that a password needs to be entered, unlike pam_get_authtok_{no,}verify(), which may only be used when changing a password; yet when the user aborts, it prints "Password change aborted." whether or not that was the operation being performed. This bug was non-obvious because none of the modules distributed with Linux-PAM use it for anything but changing passwords; pam_unix has its own utility function that it uses instead. As an example, the nss-pam-ldapd package uses it in pam_sm_authenticate(). libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the password is trying to be changed before printing a message about the password change being aborted.
1 files changed, 3 insertions, 2 deletions
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 31bb1627..663f1f36 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -151,8 +151,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
if (retval != PAM_SUCCESS || resp[0] == NULL ||
(chpass > 1 && resp[1] == NULL))
- /* We want to abort the password change */
- pam_error (pamh, _("Password change aborted."));
+ /* We want to abort */
+ if (chpass)
+ pam_error (pamh, _("Password change aborted."));