Support use_first_pass and try_first_pass.

2025-02-26 21:54:15 +01:00 · 2009-03-24 11:13:57 +00:00 · 2009-03-24 11:13:57 +00:00 · 0991ea610a
commit 0991ea610a
parent b25ce778d6
3 changed files with 41 additions and 5 deletions
--- a/4
+++ b/4
@ -2,6 +2,10 @@ pam_yubico NEWS -- History of user-visible changes.             -*- outline -*-

 * Version 1.12 (unreleased)

+** Add support for "use_first_pass" and "try_first_pass".
+They work similar to other PAM modules, see README for more
+documentation.
+
 * Version 1.11 (released 2009-02-11)

 ** Added support to store user:keyid mapping in LDAP.
--- a/12
+++ b/12
@ -95,6 +95,18 @@ Supported PAM module parameters are:
  "debug":      to enable debug output to stdout,
  "alwaysok":   to enable that all authentication attempts should succeed
                (aka presentation mode).
+
+  "try_first_pass":
+           Before prompting the user for their password, the module first
+           tries the previous stacked module´s password in case that satisfies
+           this module as well.
+
+  "use_first_pass":
+           The argument use_first_pass forces the module to use a previous
+           stacked modules password and will never prompt the user - if no
+           password is available or the password is not appropriate, the user
+           will be denied access.
+
  "url":        specify the URL template to use, this is set by calling
                yubikey_client_set_url_template, which uses by default:
 	        http://api.yubico.com/wsapi/verify?id=%d&otp=%s
--- a/pam_yubico.c
+++ b/pam_yubico.c
@ -322,6 +322,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
  int id = -1;
  int debug = 0;
  int alwaysok = 0;
+  int try_first_pass = 0;
+  int use_first_pass = 0;
  yubikey_client_t ykc;
  char *ldapserver = NULL;
  char *ldapdn = NULL;
@ -336,6 +338,10 @@ pam_sm_authenticate (pam_handle_t * pamh,
 	debug = 1;
      if (strcmp (argv[i], "alwaysok") == 0)
 	alwaysok = 1;
+      if (strcmp (argv[i], "try_first_pass") == 0)
+	try_first_pass = 1;
+      if (strcmp (argv[i], "use_first_pass") == 0)
+	use_first_pass = 1;
      if (strncmp (argv[i], "authfile=", 9) == 0)
 	auth_file = (char *) argv[i] + 9;
      if (strncmp (argv[i], "url=", 4) == 0)
@ -359,6 +365,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
      D (("id=%d", id));
      D (("debug=%d", debug));
      D (("alwaysok=%d", alwaysok));
+      D (("try_first_pass=%d", try_first_pass));
+      D (("use_first_pass=%d", use_first_pass));
      D (("authfile=%s", auth_file ? auth_file : "(null)"));
      D (("ldapserver=%s", ldapserver ? ldapserver : "(null)"));
      D (("ldapdn=%s", ldapdn ? ldapdn : "(null)"));
@ -376,15 +384,27 @@ pam_sm_authenticate (pam_handle_t * pamh,
  if (debug)
    D (("get user returned: %s", user));

-  retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
-  if (retval != PAM_SUCCESS)
+  if (try_first_pass || use_first_pass)
+    {
+      retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
+      if (retval != PAM_SUCCESS)
+	{
+	  if (debug)
+	    D (("get password returned error: %s",
+		pam_strerror (pamh, retval)));
+	  goto done;
+	}
+      if (debug)
+	D (("get password returned: %s", password));
+    }
+
+  if (use_first_pass && password == NULL)
    {
      if (debug)
-	D (("get password returned error: %s", pam_strerror (pamh, retval)));
+	D (("use_first_pass set and no password, giving up"));
+      retval = PAM_AUTH_ERR;
      goto done;
    }
-  if (debug)
-    D (("get password returned: %s", password));

  if (password == NULL)
    {