author | Ralf Haferkamp <rhafer@suse.de> | 2010-03-12 14:37:33 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-03-15 08:15:28 -0400 |
commit | dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72 (patch) | |
tree | 1e85ad1166027f6045a5ffb1d69f7255fed570aa /src/sss_client | |
parent | ea38c85d4de7515fd946704c6dd56bb99198f033 (diff) | |
Prompt for old password even when running as root
When changing an expired password (during e.g. login) the PAM module needs
to prompt for the old password even when running as root.
Diffstat (limited to 'src/sss_client')
-rw-r--r-- | src/sss_client/pam_sss.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d62e9485..2ba6f158 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
 int pam_flags)
 {
 int ret;
-
+ int *exp_data = NULL;
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
+
 /* we query for the old password during PAM_PRELIM_CHECK to make
 * pam_sss work e.g. with pam_cracklib */
 if (pam_flags & PAM_PRELIM_CHECK) {
- if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) {
+ if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
 ret = prompt_password(pamh, pi, _("Current Password: "));
 if (ret != PAM_SUCCESS) {
 D(("failed to get password from user")); |
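Review bot: The return value of the added `pam_get_data()` call is discarded, so whether root is asked for the current password rests only on `exp_data` still holding its `NULL` initialiser after a failed lookup. Since this pointer now gates an authentication prompt, I would make that explicit: `ret = pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);` followed by `if (ret != PAM_SUCCESS) exp_data = NULL;`. The condition tests only that the data item exists, not the value it points to, and where `PWEXP_FLAG` is set and cleared is not visible in this hunk. A short comment above the check such as `/* PWEXP_FLAG present: password expired, so even root must supply the old password */` would record that for the next reader. The body of get_authtok_for_password_change continues outside the hunk.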