Handle chauthtok with PAM_PRELIM_CHECK separately

If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.

1 files changed, 6 insertions, 0 deletions

diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
index 44799266..69cbf55d 100644
--- a/server/responder/pam/pamsrv_cmd.c
+++ b/server/responder/pam/pamsrv_cmd.c
@@ -1051,6 +1051,11 @@ static int pam_cmd_chauthtok(struct cli_ctx *cctx) {
     return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK);
 }
 
+static int pam_cmd_chauthtok_prelim(struct cli_ctx *cctx) {
+    DEBUG(4, ("entering pam_cmd_chauthtok_prelim\n"));
+    return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK_PRELIM);
+}
+
 struct cli_protocol_version *register_cli_protocol_version(void)
 {
     static struct cli_protocol_version pam_cli_protocol_version[] = {
@@ -1073,6 +1078,7 @@ struct sss_cmd_table *get_pam_cmds(void)
         {SSS_PAM_OPEN_SESSION, pam_cmd_open_session},
         {SSS_PAM_CLOSE_SESSION, pam_cmd_close_session},
         {SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
+        {SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
         {SSS_CLI_NULL, NULL}
     };