From 319fee4e0823d5290102d1fcd938e59aa44d78d0 Mon Sep 17 00:00:00 2001 From: Fredrik Thulin Date: Thu, 17 Mar 2011 15:08:23 +0100 Subject: [PATCH] Revert "Wait with declaring PAM_SUCCESS on challenge-response until new" Tollef has argued that the login should not fail if, for example, the disk is full. I'd rather fail on the cautious side and make sure we don't end up always sending the same challenge to the YubiKey, but I'll leave it up to Tollef to decide for now. This reverts commit 14e917ffae52e05121a69a192d03f98090e8ae41. Conflicts: pam_yubico.c --- pam_yubico.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pam_yubico.c b/pam_yubico.c index 823fcd2..d4bad92 100644 --- a/pam_yubico.c +++ b/pam_yubico.c @@ -472,9 +472,10 @@ do_challenge_response(struct cfg *cfg, const char *username) yubikey_hex_encode(response_hex, (char *)response, response_len); - if (strcmp(response_hex, expected_response) != 0) { - D(("Unexpected C/R response : %s != %s", response_hex, expected_response)); - ret = PAM_AUTH_ERR; + if (strcmp(response_hex, expected_response) == 0) { + ret = PAM_SUCCESS; + } else { + D(("Unexpected C/R response : %s", response_hex)); goto out; } @@ -513,7 +514,6 @@ do_challenge_response(struct cfg *cfg, const char *username) goto out; D(("Challenge-response success!")); - ret = PAM_SUCCESS; out: if (yk_errno) {