Diffstat (limited to 'debian/patches-applied/dont_freeze_password_chain')
-rw-r--r--debian/patches-applied/dont_freeze_password_chain117
1 files changed, 117 insertions, 0 deletions
diff --git a/debian/patches-applied/dont_freeze_password_chain b/debian/patches-applied/dont_freeze_password_chain
new file mode 100644
index 00000000..799d0a0e
--- /dev/null
+++ b/debian/patches-applied/dont_freeze_password_chain
@@ -0,0 +1,117 @@
+Don't freeze the chain for chauthtok.
+
+bugzilla.novell.com#470337, LP: #303515.
+
+Author: Thorsten Kukuk <kukuk@thkukuk.de>
+
+Upstream status: cherry-picked from upstream.
+
+=== modified file 'doc/man/pam_sm_chauthtok.3.xml'
+--- doc/man/pam_sm_chauthtok.3.xml 2006-06-28 14:22:40 +0000
++++ doc/man/pam_sm_chauthtok.3.xml 2009-02-18 00:34:47 +0000
+@@ -40,7 +40,7 @@
+ </citerefentry> interface.
+ </para>
+ <para>
+- This function is used to (re-)set the authentication token of the user.
++ This function is used to (re-)set the authentication token of the user.
+ </para>
+ <para>
+ Valid flags, which may be logically OR'd with
+@@ -60,10 +60,10 @@
+ <listitem>
+ <para>
+ This argument indicates to the module that the users
+- authentication token (password) should only be changed if
+- it has expired. This flag is optional and
+- <emphasis>must</emphasis> be combined with one of the
+- following two flags. Note, however, the following two options
++ authentication token (password) should only be changed if
++ it has expired. This flag is optional and
++ <emphasis>must</emphasis> be combined with one of the
++ following two flags. Note, however, the following two options
+ are <emphasis>mutually exclusive</emphasis>.
+ </para>
+ </listitem>
+@@ -72,15 +72,20 @@
+ <term>PAM_PRELIM_CHECK</term>
+ <listitem>
+ <para>
+- This indicates that the modules are being probed as to
+- their ready status for altering the user's authentication
+- token. If the module requires access to another system over
+- some network it should attempt to verify it can connect to
+- this system on receiving this flag. If a module cannot establish
+- it is ready to update the user's authentication token it should
++ This indicates that the modules are being probed as to
++ their ready status for altering the user's authentication
++ token. If the module requires access to another system over
++ some network it should attempt to verify it can connect to
++ this system on receiving this flag. If a module cannot establish
++ it is ready to update the user's authentication token it should
+ return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
+ information will be passed back to the application.
+ </para>
++ <para>
++ If the control value <emphasis>sufficient</emphasis> is used in
++ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
++ of the modules following that control value is not always executed.
++ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+@@ -89,18 +94,18 @@
+ <para>
+ This informs the module that this is the call it should change
+ the authorization tokens. If the flag is logically OR'd with
+- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
++ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
+ token is only changed if it has actually expired.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+- The PAM library calls this function twice in succession. The first
+- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
+- if the module does not return
++ The PAM library calls this function twice in succession. The first
++ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
++ if the module does not return
+ <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
+- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
++ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
+ the second call that the authorization token is (possibly) changed.
+ </para>
+ </refsect1>
+
+=== modified file 'libpam/pam_dispatch.c'
+--- libpam/pam_dispatch.c 2008-12-03 22:16:33 +0000
++++ libpam/pam_dispatch.c 2009-02-18 00:34:47 +0000
+@@ -132,11 +132,10 @@
+ }
+
+ /*
+- * use_cached_chain is how we ensure that the setcred/close_session
+- * and chauthtok(2) modules are called in the same order as they did
+- * when they were invoked as auth/open_session/chauthtok(1). This
+- * feature was added in 0.75 to make the behavior of pam_setcred
+- * sane. It was debugged by release 0.76.
++ * use_cached_chain is how we ensure that the setcred and
++ * close_session modules are called in the same order as they did
++ * when they were invoked as auth/open_session. This feature was
++ * added in 0.75 to make the behavior of pam_setcred sane.
+ */
+ if (use_cached_chain != _PAM_PLEASE_FREEZE) {
+
+@@ -358,9 +357,6 @@
+ break;
+ case PAM_CHAUTHTOK:
+ h = pamh->handlers.conf.chauthtok;
+- if (flags & PAM_UPDATE_AUTHTOK) {
+- use_cached_chain = _PAM_MUST_BE_FROZEN;
+- }
+ break;
+ default:
+ pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
+
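Review bot: With the `_PAM_MUST_BE_FROZEN` assignment dropped from the `PAM_CHAUTHTOK` case, a password-stack module can now be called with `PAM_UPDATE_AUTHTOK` without ever having received `PAM_PRELIM_CHECK` — any module after a `sufficient` entry that cut the PRELIM pass short will be reached by the full UPDATE pass — and the rewritten comment in `_pam_dispatch` (which now only mentions setcred and close_session) does not record that this is deliberate or what it implies for module authors. I would add a one-line comment at the now-bare `h = pamh->handlers.conf.chauthtok;` such as `/* not frozen: the UPDATE pass walks the whole stack even if a 'sufficient' module ended the PRELIM pass early, so a module may see UPDATE without PRELIM */`. The man-page hunk does add this caveat, but the unchanged paragraph a few lines below still states the library "calls this function twice in succession", which after this change is true of the stack as a whole rather than of each module; a short qualifier there (e.g. "for the stack as a whole; a module after a `sufficient` entry may only see the second call") would keep the two paragraphs consistent. The `switch` in `_pam_dispatch` begins and ends outside this hunk, so whether the PRELIM pass still records a chain (the `_PAM_PLEASE_FREEZE` default) cannot be confirmed from the visible lines.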