author | Tomas Mraz <tmraz@fedoraproject.org> | 2018-11-26 12:50:14 +0100 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2018-11-26 12:50:14 +0100 |
commit | 619f19d378529defa5864941caf8c4233aef46f5 (patch) | |
tree | 77183b6e21b2d96e9b845dc415f6f9c0b9a5ec3d /modules/pam_unix/passverify.c | |
parent | 16bd523f85ede9fa9115f80e826f2d803d7e61d4 (diff) | |
Revert part of the commit 4da9febc
pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
break things such as password-less sudo.
* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
of disabled or invalid salt.
Diffstat (limited to 'modules/pam_unix/passverify.c')
-rw-r--r-- | modules/pam_unix/passverify.c | 9 |
1 files changed, 0 insertions, 9 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 39e2bfac..eb2444bb 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -261,19 +261,10 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 spent->sp_namp);
 return PAM_SUCCESS;
 }
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
- if (((curdays - spent->sp_lstchg > spent->sp_max)
- && (curdays - spent->sp_lstchg > spent->sp_inact)
- && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
- && (spent->sp_max != -1) && (spent->sp_inact != -1))
- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-#else
 if ((curdays - spent->sp_lstchg > spent->sp_max)
 && (curdays - spent->sp_lstchg > spent->sp_inact)
 && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
 && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-#endif
 *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
 D(("authtok expired"));
 return PAM_AUTHTOK_EXPIRED; |