Don't freeze the chain for chauthtok. bugzilla.novell.com#470337, LP: #303515. Author: Thorsten Kukuk Upstream status: cherry-picked from upstream. === modified file 'doc/man/pam_sm_chauthtok.3.xml' Index: doc/man/pam_sm_chauthtok.3.xml =================================================================== --- doc/man/pam_sm_chauthtok.3.xml.orig 2009-04-17 12:44:11.000000000 -0700 +++ doc/man/pam_sm_chauthtok.3.xml 2009-04-17 12:47:40.000000000 -0700 @@ -40,7 +40,7 @@ interface. - This function is used to (re-)set the authentication token of the user. + This function is used to (re-)set the authentication token of the user. Valid flags, which may be logically OR'd with @@ -60,10 +60,10 @@ This argument indicates to the module that the users - authentication token (password) should only be changed if - it has expired. This flag is optional and - must be combined with one of the - following two flags. Note, however, the following two options + authentication token (password) should only be changed if + it has expired. This flag is optional and + must be combined with one of the + following two flags. Note, however, the following two options are mutually exclusive. @@ -72,15 +72,20 @@ PAM_PRELIM_CHECK - This indicates that the modules are being probed as to - their ready status for altering the user's authentication - token. If the module requires access to another system over - some network it should attempt to verify it can connect to - this system on receiving this flag. If a module cannot establish - it is ready to update the user's authentication token it should + This indicates that the modules are being probed as to + their ready status for altering the user's authentication + token. If the module requires access to another system over + some network it should attempt to verify it can connect to + this system on receiving this flag. If a module cannot establish + it is ready to update the user's authentication token it should return PAM_TRY_AGAIN, this information will be passed back to the application. + + If the control value sufficient is used in + the password stack, the PAM_PRELIM_CHECK section + of the modules following that control value is not always executed. + @@ -89,18 +94,18 @@ This informs the module that this is the call it should change the authorization tokens. If the flag is logically OR'd with - PAM_CHANGE_EXPIRED_AUTHTOK, the + PAM_CHANGE_EXPIRED_AUTHTOK, the token is only changed if it has actually expired. - The PAM library calls this function twice in succession. The first - time with PAM_PRELIM_CHECK and then, - if the module does not return + The PAM library calls this function twice in succession. The first + time with PAM_PRELIM_CHECK and then, + if the module does not return PAM_TRY_AGAIN, subsequently with - PAM_UPDATE_AUTHTOK. It is only on + PAM_UPDATE_AUTHTOK. It is only on the second call that the authorization token is (possibly) changed. Index: libpam/pam_dispatch.c =================================================================== --- libpam/pam_dispatch.c.orig 2009-04-17 12:47:17.000000000 -0700 +++ libpam/pam_dispatch.c 2009-04-17 12:47:40.000000000 -0700 @@ -128,11 +128,10 @@ } /* - * use_cached_chain is how we ensure that the setcred/close_session - * and chauthtok(2) modules are called in the same order as they did - * when they were invoked as auth/open_session/chauthtok(1). This - * feature was added in 0.75 to make the behavior of pam_setcred - * sane. It was debugged by release 0.76. + * use_cached_chain is how we ensure that the setcred and + * close_session modules are called in the same order as they did + * when they were invoked as auth/open_session. This feature was + * added in 0.75 to make the behavior of pam_setcred sane. */ if (use_cached_chain != _PAM_PLEASE_FREEZE) { @@ -342,9 +341,6 @@ break; case PAM_CHAUTHTOK: h = pamh->handlers.conf.chauthtok; - if (flags & PAM_UPDATE_AUTHTOK) { - use_cached_chain = _PAM_MUST_BE_FROZEN; - } break; default: pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);