[Pam-mysql-general] use_first_pass in the next module

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello all,

First of all I must say that I'm not very familiar with the PAM-internals.

I've faced problem when tried to configure OpenSSH server
(FreeBSD-5.3) with pam_mysql (0.7pre2).

Here is the piece of /etc/pam.d/sshd:

auth   sufficient  pam_mysql.so     user=...
auth   required    pam_unix.so      no_warn use_first_pass

It works just fine when user's password is stored in the mysql-database, but
fails when user has no password in the mysql, but has it in the unix
shadow-file (root-password for example).

I've found this code in the pam_mysql.c:

switch (pam_mysql_check_passwd(ctx, user, passwd,
                        !(flags & PAM_DISALLOW_NULL_AUTHTOK))) {
                case PAM_MYSQL_ERR_SUCCESS:
                        retval = PAM_SUCCESS;
                        break;

                case PAM_MYSQL_ERR_NO_ENTRY:
                        retval = PAM_USER_UNKNOWN;
                        goto out;

                case PAM_MYSQL_ERR_MISMATCH:
                        retval = PAM_AUTH_ERR;
                        goto out;

                case PAM_MYSQL_ERR_ALLOC:
                        retval = PAM_BUF_ERR;
                        goto out;

                default:
                        retval = PAM_SERVICE_ERR;
                        goto out;
        }

        (void) pam_set_item(pamh, PAM_AUTHTOK, passwd);

out:
        if (passwd != NULL) {
                xfree_overwrite(passwd);
        } 

But in this case the authtoken wouldn't be passed to the next module
in the chain unless PAM_MYSQL_ERR_SUCCESS is returned. Is it right?

-- 
Regards,
 Stefan