summaryrefslogtreecommitdiff
path: root/src/sss_client
diff options
context:
space:
mode:
authorRalf Haferkamp <rhafer@suse.de>2010-03-12 14:37:33 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-03-15 08:15:28 -0400
commitdcf257af0cc0ba8bb9d4ec2b311e5548459f6e72 (patch)
tree1e85ad1166027f6045a5ffb1d69f7255fed570aa /src/sss_client
parentea38c85d4de7515fd946704c6dd56bb99198f033 (diff)
downloadsssd-dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72.tar.gz
sssd-dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72.tar.bz2
sssd-dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72.zip
Prompt for old password even when running as root
When changing an expired password (during e.g. login) the PAM module needs to prompt for the old password even when running as root.
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/pam_sss.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d62e9485..2ba6f158 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
int pam_flags)
{
int ret;
-
+ int *exp_data = NULL;
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
+
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) {
+ if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
ret = prompt_password(pamh, pi, _("Current Password: "));
if (ret != PAM_SUCCESS) {
D(("failed to get password from user"));