- added try_first_pass option to pam_cracklib

- use try_first_pass for pam_unix and pam_cracklib in system-auth (#182350)

pam-0.99.3.0-cracklib-try-first-pass.patch

@@ -0,0 +1,46 @@
+--- Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c.try-first-pass	2006-01-08 10:49:05.000000000 +0100
++++ Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c	2006-02-24 10:42:53.000000000 +0100
+@@ -93,6 +93,7 @@
+ 	int low_credit;
+ 	int oth_credit;
+ 	int use_authtok;
++	int try_first_pass;
+ 	char prompt_type[BUFSIZ];
+         char cracklib_dictpath[PATH_MAX];
+ };
+@@ -158,6 +159,10 @@
+ 		 opt->oth_credit = 0;
+ 	 } else if (!strncmp(*argv,"use_authtok",11)) {
+ 		 opt->use_authtok = 1;
++	 } else if (!strncmp(*argv,"use_first_pass",14)) {
++		 opt->use_authtok = 1;
++	 } else if (!strncmp(*argv,"try_first_pass",14)) {
++		 opt->try_first_pass = 1;
+ 	 } else if (!strncmp(*argv,"dictpath=",9)) {
+ 	     strncpy(opt->cracklib_dictpath, *argv+9,
+ 		     sizeof(opt->cracklib_dictpath) - 1);
+@@ -559,7 +564,7 @@
+          * set PAM_AUTHTOK and return
+          */
+ 
+-	if (options.use_authtok == 1) {
++	if (options.use_authtok == 1 || options.try_first_pass == 1) {
+ 	    const void *item = NULL;
+ 
+ 	    retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
+@@ -570,11 +575,13 @@
+ 	    } else if (item != NULL) {      /* we have a password! */
+ 		token1 = x_strdup(item);
+ 		item = NULL;
++		options.use_authtok = 1;    /* don't ask for the password again */
+ 	    } else {
+ 		retval = PAM_AUTHTOK_RECOVERY_ERR;         /* didn't work */
+ 	    }
+-
+-	} else {
++	}
++	
++	if (options.use_authtok != 1) {
+             /* Prepare to ask the user for the first time */
+             resp = NULL;
+ 	    retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,

pam.spec

@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications.
 Name: pam
 Version: 0.99.3.0
-Release: 1.2
+Release: 2
 License: GPL or BSD
 Group: System Environment/Base
 Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -31,6 +31,7 @@ Patch34: pam-0.99.2.1-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
 Patch72: pam-0.99.3.0-pie.patch
 Patch80: pam-0.99.2.1-selinux-drop-multiple.patch
+Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch
 
 BuildRoot: %{_tmppath}/%{name}-root
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -86,6 +87,7 @@ cp $RPM_SOURCE_DIR/config-util.pamd .
 %patch70 -p1 -b .nofail
 %patch72 -p1 -b .pie
 %patch80 -p1 -b .drop-multiple
+%patch81 -p1 -b .try-first-pass
 
 for readme in modules/pam_*/README ; do
 	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@@ -351,6 +353,11 @@ fi
 %{_libdir}/libpam_misc.so
 
 %changelog
+* Fri Feb 24 2006 Tomas Mraz <tmraz@redhat.com> 0.99.3.0-2
+- added try_first_pass option to pam_cracklib
+- use try_first_pass for pam_unix and pam_cracklib in
+  system-auth (#182350)
+
 * Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 0.99.3.0-1.2
 - bump again for double-long bug on ppc(64)
 

system-auth.pamd

@@ -2,13 +2,13 @@
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
-auth        sufficient    pam_unix.so likeauth nullok
+auth        sufficient    pam_unix.so try_first_pass nullok
 auth        required      pam_deny.so
 
 account     required      pam_unix.so
 
-password    required      pam_cracklib.so retry=3
-password    sufficient    pam_unix.so nullok use_authtok md5 shadow
+password    required      pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
 password    required      pam_deny.so
 
 session     required      pam_limits.so