From c1986a03dc27c670e32973c2fabd8fb504585670 Mon Sep 17 00:00:00 2001
From: Jens Kuehnel
Date: Wed, 26 Nov 2014 18:06:53 +0100
Subject: add force_prompt option to enforce new password prompt for use with Token
---
 src/pam_radius_auth.c | 10 ++++++++--
 src/pam_radius_auth.h | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index dab127e..346d35d 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -164,6 +164,9 @@ static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf)
 snprintf(conf->prompt, MAXPROMPT, "%s: ", (char*)*argv+7);
 }
 
+ } else if (!strcmp(*argv, "force_prompt")) {
+ conf->force_prompt= TRUE;
+
 } else if (!strncmp(*argv, "max_challenge=", 14)) {
 conf->max_challenge = atoi(*argv+14);
 
@@ -1135,8 +1138,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c
 request->id = request->vector[0]; /* this should be evenly distributed */
 
 /* grab the password (if any) from the previous authentication layer */
- retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
- PAM_FAIL_CHECK;
+ if (!config.force_prompt) {
+ DPRINT(LOG_DEBUG, "ignore last_pass, force_prompt set");
+ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
+ PAM_FAIL_CHECK;
+ }
 
 if (password) {
 password = strdup(password);
diff --git a/src/pam_radius_auth.h b/src/pam_radius_auth.h
index 74450e2..894d3fe 100644
--- a/src/pam_radius_auth.h
+++ b/src/pam_radius_auth.h
@@ -70,6 +70,7 @@ typedef struct radius_conf_t {
 int localifdown;
 char *client_id;
 int accounting_bug;
+ int force_prompt;
 int max_challenge;
 int sockfd;
 int debug;
-- 
cgit v1.2.3
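Review bot: In the pam_sm_authenticate hunk the debug message `ignore last_pass, force_prompt set` is placed inside the `if (!config.force_prompt)` branch, so it is logged exactly when force_prompt is not set and the stacked PAM_AUTHTOK is about to be read. Anyone checking the debug log to confirm that a previous module's password is not forwarded to the RADIUS server would therefore be misled. The message belongs on the other path, `} else { DPRINT(LOG_DEBUG, "ignore last_pass, force_prompt set"); }`. With force_prompt set, `password` is also no longer assigned before `if (password)`, so the new code relies on its declaration initialising it to NULL. That declaration and the rest of the function are outside the hunk and should be confirmed.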