When we want to authenticate first with the local method and then with tacacs, for example, the password is asked for the local method and, if not good, is asked a second time for tacacs. So if we want to authenticate a user with tacacs, and the user exists locally, the password is asked two times before authentication is accepted.
Created attachment 3505
Fix login authentication with PAM

Save the PAM password locally while trying all authentication methods. Tested with local method and tacacs on PowerPc8347.
Added to login.c +# if 0 +/* This supposedly can be used to avoid double password prompt, + * if used instead of standard misc_conv(): + * + * "When we want to authenticate first with local method and then with tacacs for example, + * the password is asked for local method and if not good is asked a second time for tacacs. + * So if we want to authenticate a user with tacacs, and the user exists localy, the password is + * asked two times before authentication is accepted." + * + * However, code looks shaky. For example, why misc_conv() return value is ignored? + * Are msg[i] and resp[i] indexes handled correctly? + */ +static char *passwd = NULL; +static int my_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + int i; + for (i = 0; i < num_msg; i++) { + switch (msg[i]->msg_style) { + case PAM_PROMPT_ECHO_OFF: + if (passwd == NULL) { + misc_conv(num_msg, msg, resp, data); + passwd = xstrdup(resp[i]->resp); + return PAM_SUCCESS; + } + + resp[0] = xzalloc(sizeof(struct pam_response)); + resp[0]->resp = passwd; + passwd = NULL; + resp[0]->resp_retcode = PAM_SUCCESS; + resp[1] = NULL; + return PAM_SUCCESS; + + default: + break; + } + } + + return PAM_SUCCESS; +} +# endif
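Review bot: my_conv() indexes the response array incorrectly in both branches of the PAM_PROMPT_ECHO_OFF case, and the first branch dereferences the result of a misc_conv() call whose status it never checks. Under the PAM conversation contract the callee sets *resp to one allocated array of num_msg struct pam_response entries, so the reply to message i is (*resp)[i]; resp[i]->resp reads beyond the caller's single pointer as soon as i > 0, and resp[1] = NULL writes beyond it. The replay branch also always fills slot 0 instead of the slot of the prompt it is answering. Suggest returning the result of misc_conv(num_msg, msg, resp, data) on failure before touching the response, allocating *resp with num_msg entries in the replay branch, and using (*resp)[i] throughout. Two further points on the cached password: it is replayed into any PAM_PROMPT_ECHO_OFF prompt without looking at what the prompt asks for, so a module asking for a different secret would receive the login password; and when no second prompt arrives, the xstrdup() copy stays in the static passwd with the plaintext in it, so the caller should wipe and free it once authentication finishes. Because the replay hands the pointer to PAM and resets passwd to NULL, a third method in the stack would prompt again, which is worth stating in the comment if that is intended.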