-rw-r--r-- | modules/pam_pwhistory/pam_pwhistory.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index 4c582bc2..e9b28eb1 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -155,10 +155,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (pwd == NULL) return PAM_USER_UNKNOWN; - /* Ignore root if not enforced */ - if (pwd->pw_uid == 0 && !options.enforce_for_root) - return PAM_SUCCESS; - if ((strcmp(pwd->pw_passwd, "x") == 0) || ((pwd->pw_passwd[0] == '#') && (pwd->pw_passwd[1] == '#') && @@ -211,11 +207,18 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (check_old_pass (pamh, user, newpass, options.debug) != PAM_SUCCESS) { - pam_error (pamh, - _("Password has been already used. Choose another.")); - newpass = NULL; - /* Remove password item, else following module will use it */ - pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); + if (getuid() || options.enforce_for_root || + (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) + { + pam_error (pamh, + _("Password has been already used. Choose another.")); + newpass = NULL; + /* Remove password item, else following module will use it */ + pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); + } + else + pam_info (pamh, + _("Password has been already used.")); } } |
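Review bot: The new exemption in the `check_old_pass` failure branch keys on `getuid()`, the real uid of the calling process, whereas the check removed in the first hunk tested the target account (`pwd->pw_uid == 0`). Any service that runs as root and changes passwords on behalf of ordinary users will therefore skip history enforcement unless it passes `PAM_CHANGE_EXPIRED_AUTHTOK` or the administrator sets `enforce_for_root`. That deserves a comment above the condition, e.g. `/* getuid() is the caller, not the target user: root-run services need enforce_for_root */`, and a matching sentence in the module documentation. The `else` path also lets a reused password through with only a `pam_info` to the user, so I would brace the `else` body and add an audit record such as `pam_syslog (pamh, LOG_NOTICE, "password reuse permitted for user %s, caller is root", user);`, assuming `<syslog.h>` is already included in this file. The enclosing `pam_sm_chauthtok` starts and ends outside the hunk.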