Support use_first_pass and try_first_pass.

NEWS

@@ -2,6 +2,10 @@ pam_yubico NEWS -- History of user-visible changes.             -*- outline -*-
 
 * Version 1.12 (unreleased)
 
+** Add support for "use_first_pass" and "try_first_pass".
+They work similar to other PAM modules, see README for more
+documentation.
+
 * Version 1.11 (released 2009-02-11)
 
 ** Added support to store user:keyid mapping in LDAP.

README

@@ -95,6 +95,18 @@ Supported PAM module parameters are:
   "debug":      to enable debug output to stdout,
   "alwaysok":   to enable that all authentication attempts should succeed
                 (aka presentation mode).
+
+  "try_first_pass":
+           Before prompting the user for their password, the module first
+           tries the previous stacked module´s password in case that satisfies
+           this module as well.
+
+  "use_first_pass":
+           The argument use_first_pass forces the module to use a previous
+           stacked modules password and will never prompt the user - if no
+           password is available or the password is not appropriate, the user
+           will be denied access.
+
   "url":        specify the URL template to use, this is set by calling
                 yubikey_client_set_url_template, which uses by default:
 	        http://api.yubico.com/wsapi/verify?id=%d&otp=%s

pam_yubico.c

@@ -322,6 +322,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
   int id = -1;
   int debug = 0;
   int alwaysok = 0;
+  int try_first_pass = 0;
+  int use_first_pass = 0;
   yubikey_client_t ykc;
   char *ldapserver = NULL;
   char *ldapdn = NULL;
@@ -336,6 +338,10 @@ pam_sm_authenticate (pam_handle_t * pamh,
 	debug = 1;
       if (strcmp (argv[i], "alwaysok") == 0)
 	alwaysok = 1;
+      if (strcmp (argv[i], "try_first_pass") == 0)
+	try_first_pass = 1;
+      if (strcmp (argv[i], "use_first_pass") == 0)
+	use_first_pass = 1;
       if (strncmp (argv[i], "authfile=", 9) == 0)
 	auth_file = (char *) argv[i] + 9;
       if (strncmp (argv[i], "url=", 4) == 0)
@@ -359,6 +365,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
       D (("id=%d", id));
       D (("debug=%d", debug));
       D (("alwaysok=%d", alwaysok));
+      D (("try_first_pass=%d", try_first_pass));
+      D (("use_first_pass=%d", use_first_pass));
       D (("authfile=%s", auth_file ? auth_file : "(null)"));
       D (("ldapserver=%s", ldapserver ? ldapserver : "(null)"));
       D (("ldapdn=%s", ldapdn ? ldapdn : "(null)"));
@@ -376,15 +384,27 @@ pam_sm_authenticate (pam_handle_t * pamh,
   if (debug)
     D (("get user returned: %s", user));
 
+  if (try_first_pass || use_first_pass)
+    {
       retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
       if (retval != PAM_SUCCESS)
 	{
 	  if (debug)
-	D (("get password returned error: %s", pam_strerror (pamh, retval)));
+	    D (("get password returned error: %s",
+		pam_strerror (pamh, retval)));
 	  goto done;
 	}
       if (debug)
 	D (("get password returned: %s", password));
+    }
+
+  if (use_first_pass && password == NULL)
+    {
+      if (debug)
+	D (("use_first_pass set and no password, giving up"));
+      retval = PAM_AUTH_ERR;
+      goto done;
+    }
 
   if (password == NULL)
     {