From 413037c7e58d89192ee85bf864de0331a27e608c Mon Sep 17 00:00:00 2001
From: James Magahern <james@magahern.com>
Date: Mon, 14 Jan 2019 11:23:56 -0800
Subject: [PATCH] Fixes issue where if the challenge-response cannot be
 updated, the incorrect error message is displayed

If the PAM module cannot update the challenge response file (due to permissions errors, usually), the incorrect error message is displayed "Error communicating with YubiKey...".

This patch makes it so the correct error message is sent to the PAM client, which makes resolving this issue a lot easier.
---
 pam_yubico.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pam_yubico.c b/pam_yubico.c
index ac8b621..09f1b56 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -678,6 +678,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
   /*
    * Write the challenge and response we will expect the next time to the state file.
    */
+  errstr = "Error updating YubiKey challenge, please check syslog or contact your system administrator";
   if (response_len > sizeof(state.response)) {
     DBG("Got too long response ??? (%u/%zu)", response_len, sizeof(state.response));
     goto out;
@@ -723,7 +724,6 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
     goto restpriv_out;
   }
 
-  errstr = "Error updating YubiKey challenge, please check syslog or contact your system administrator";
   if (! write_chalresp_state (f, &state))
     goto out;
   if (fclose(f) < 0) {