From 619f19d378529defa5864941caf8c4233aef46f5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 26 Nov 2018 12:50:14 +0100
Subject: Revert part of the commit 4da9febc

pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
broke things such as password-less sudo.

* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
  of disabled or invalid salt.
---
 modules/pam_unix/passverify.c | 9 ---------
 1 file changed, 9 deletions(-)

(limited to 'modules/pam_unix')

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 39e2bfac..eb2444bb 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -261,19 +261,10 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 			 spent->sp_namp);
 		return PAM_SUCCESS;
 	}
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-	if (((curdays - spent->sp_lstchg > spent->sp_max)
-	    && (curdays - spent->sp_lstchg > spent->sp_inact)
-	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
-	    && (spent->sp_max != -1) && (spent->sp_inact != -1))
-	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-#else
 	if ((curdays - spent->sp_lstchg > spent->sp_max)
 	    && (curdays - spent->sp_lstchg > spent->sp_inact)
 	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
 	    && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-#endif
 		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
 		D(("authtok expired"));
 		return PAM_AUTHTOK_EXPIRED;
-- 
cgit v1.2.3