author | sdussud <none@none> | 2007-11-28 06:44:26 -0800 |
---|---|---|
committer | sdussud <none@none> | 2007-11-28 06:44:26 -0800 |
commit | f44071f6cdb4ecb73e329fbef93e79bb9f23f7cf (patch) | |
tree | 7ff9af30c0109881f6a91f9e2d7118c225b45b1d /usr/src/lib/pam_modules | |
parent | ff7f623f01a92dc7bd7ee78a0cbf1b6a671d076a (diff) | |
download | illumos-joyent-f44071f6cdb4ecb73e329fbef93e79bb9f23f7cf.tar.gz |
6569824 password reset loops for password changes when owner is not allowed to change password aging policy
Diffstat (limited to 'usr/src/lib/pam_modules')
-rw-r--r-- | usr/src/lib/pam_modules/dhkeys/dhkeys.c | 52 |
1 files changed, 34 insertions, 18 deletions
diff --git a/usr/src/lib/pam_modules/dhkeys/dhkeys.c b/usr/src/lib/pam_modules/dhkeys/dhkeys.c
index cc99c2f5b1..d3ad05dbfa 100644
--- a/usr/src/lib/pam_modules/dhkeys/dhkeys.c
+++ b/usr/src/lib/pam_modules/dhkeys/dhkeys.c
@@ -175,12 +175,13 @@ get_and_set_seckey(
  * pam_setcred, we have to be somewhat careful:
  *
  * - if called from pam_sm_authenticate:
- *	1. if we don't need creds (no NIS+ or not tight), we don't
- *	   set them (they will be set by pam_sm_setcred()) and return
- *	   PAM_IGNORE.
- *	2. if we do need to set them (passwd == "*NP*"), we try to
- *	   do so. Not having credentials in this case results in
- *	   PAM_AUTH_ERR.
+ *	1. if we don't need creds (no NIS+), we don't set them
+ *	   and return PAM_IGNORE.
+ *	2. else, we always try to establish credentials;
+ *	   if (passwd == "*NP*"), not having credentials results
+ *	   in PAM_AUTH_ERR.
+ *	   if (passwd != "*NP*"), any failure to set credentials
+ *	   results in PAM_IGNORE
  *
  * - if called from pam_sm_setcred:
  *   If we are root (uid == 0), we do nothing and return PAM_IGNORE.
@@ -216,6 +217,12 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
 	int	scratchlen;
 	int	need_cred;	/* is not having credentials set a failure? */
+	int	auth_cred_flags;
+	/*
+	 * no_warn if creds not needed and
+	 * authenticating
+	 */
+	int	auth_path = (codepath == CODEPATH_PAM_SM_AUTHENTICATE);
 	char	*repository_name = NULL; /* which repository are we using */
 	char	*repository_pass = NULL; /* user's password from that rep */
 	pwu_repository_t *pwu_rep;
@@ -303,18 +310,19 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
 	repository_name = attr_pw[1].data.val_s;
 	repository_pass = attr_pw[0].data.val_s;
-	need_cred = (strcmp(repository_name, "nisplus") == 0 &&
-	    strcmp(repository_pass, "*NP*") == 0);
-
-	if (codepath == CODEPATH_PAM_SM_AUTHENTICATE && need_cred == 0) {
-		/*
-		 * No need to set credentials right now.
-		 * Will do so later through pam_sm_setcred()
-		 */
+	if (auth_path && (strcmp(repository_name, "nisplus") != 0)) {
 		result = PAM_IGNORE;
 		goto out;
 	}
+	need_cred = (strcmp(repository_pass, "*NP*") == 0);
+	if (auth_path) {
+		auth_cred_flags =
+		    (need_cred ? flags : flags | PAM_SILENT);
+	} else {
+		auth_cred_flags = flags;
+	}
+
 	if (uid == 0)	/* "root", need to create a host-netname */
 		err = host2netname(netname, NULL, NULL);
 	else
@@ -358,7 +366,7 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
 		if (!get_and_set_seckey(pamh, netname, mp->keylen, mp->algtype,
 		    short_passp, uid, gid, &get_seckey_cnt, &good_pw_cnt,
 		    &set_seckey_cnt,
-		    flags, debug)) {
+		    auth_cred_flags, debug)) {
 			result = PAM_BUF_ERR;
 			goto out;
 		}
@@ -382,7 +390,7 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
 		 */
 		if (!get_and_set_seckey(pamh, netname, AUTH_DES_KEYLEN,
 		    AUTH_DES_ALGTYPE, short_passp, uid, gid, &get_seckey_cnt,
-		    &good_pw_cnt, &set_seckey_cnt, flags, debug)) {
+		    &good_pw_cnt, &set_seckey_cnt, auth_cred_flags, debug)) {
 			result = PAM_BUF_ERR;
 			goto out;
 		}
@@ -405,12 +413,20 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
 	}
 	if (good_pw_cnt == 0) {	/* wrong password */
-		result = PAM_AUTH_ERR;
+		if (auth_path) {
+			result = need_cred ? PAM_AUTH_ERR : PAM_IGNORE;
+		} else {
+			result = PAM_AUTH_ERR;
+		}
 		goto out;
 	}
 	if (set_seckey_cnt == 0) {
-		result = PAM_SYSTEM_ERR;
+		if (auth_path) {
+			result = need_cred ? PAM_SYSTEM_ERR : PAM_IGNORE;
+		} else {
+			result = PAM_SYSTEM_ERR;
+		}
 		goto out;
 	}
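Review bot: The rewritten header comment in the first hunk states that when passwd != "*NP*" any failure to set credentials results in PAM_IGNORE, but only the good_pw_cnt == 0 and set_seckey_cnt == 0 branches in the last hunk are downgraded; a get_and_set_seckey() failure in the two middle hunks still returns PAM_BUF_ERR regardless of auth_path, so pam_sm_authenticate can still fail on a resource error for a user who does not need credentials. That may be intended, but the comment should say so: `*	   if (passwd != "*NP*"), a wrong password or a failure to set the key results in PAM_IGNORE (PAM_BUF_ERR is still reported)`. Separately, the new block comment "no_warn if creds not needed and authenticating" sits above the auth_path declaration but describes auth_cred_flags; move it next to `int auth_cred_flags;` and give auth_path its own, e.g. `int auth_path = ...; /* called from pam_sm_authenticate()? */`. establish_key() starts and ends outside these hunks, so any goto out between the declaration of auth_cred_flags and its assignment in the second hunk could not be checked here.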