From f300115a64d413cefe4bf5d3f905269e8c605bdb Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Mon, 24 Jun 2019 14:12:52 +0200
Subject: [PATCH] check if user file exists before trying to open and return AUTH_NO_TOKENS if file doesn't exist. This fixes issues in the nullok case where this user should just be skipped over, handle other issues with user file as an AUTH_ERROR. fixes #194
---
 pam_yubico.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pam_yubico.c b/pam_yubico.c
index 0f7ded1..e87b1ae 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -181,6 +181,7 @@ authorize_user_token (struct cfg *cfg,
 size_t buflen = sizeof(buf);
 int pwres;
 PAM_MODUTIL_DEF_PRIVS(privs);
+ struct stat st;
 pwres = getpwnam_r (username, &pass, buf, buflen, &p);
 if (p == NULL) {
@@ -206,7 +207,11 @@ authorize_user_token (struct cfg *cfg,
 goto free_out;
 }
- retval = check_user_token (userfile, username, otp_id, cfg->debug, cfg->debug_file);
+ if (stat (userfile, &st) != 0 && errno == ENOENT) {
+ retval = AUTH_NO_TOKENS;
+ } else {
+ retval = check_user_token (userfile, username, otp_id, cfg->debug, cfg->debug_file);
+ }
 if(pam_modutil_regain_priv(pamh, &privs)) {
 DBG ("could not restore privileges");
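Review bot: The added `stat (userfile, &st)` pre-check in the second hunk and the later open inside `check_user_token` are two separate lookups of the same path, so the ENOENT decision is not made on the lookup that actually reads the tokens; if the file disappears in between, the outcome is presumably an error rather than AUTH_NO_TOKENS. Because AUTH_NO_TOKENS is the result that lets a nullok user be skipped over, it would be sturdier to derive it from the errno of the real open in `check_user_token` (not visible here) and drop the pre-check. The new branch is also silent, so adding `DBG ("user file does not exist, treating as no tokens");` before `retval = AUTH_NO_TOKENS;` would leave a trace whenever the token check is skipped. Neither hunk shows an `#include` change, so confirm `<sys/stat.h>` and `<errno.h>` are already pulled in for `struct stat`, `errno` and `ENOENT`. authorize_user_token starts and ends outside both hunks.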