From aeaf48654b44a82de8184306336559b75708d4a9 Mon Sep 17 00:00:00 2001
From: des
Date: Mon, 21 Jan 2002 18:53:03 +0000
Subject: Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the user does not exist.
Sponsored by: DARPA, NAI Labs
---
 lib/libpam/modules/pam_opieaccess/pam_opieaccess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
index 79e92ce..a2716f5 100644
--- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
+++ b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
@@ -73,7 +73,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 pwent = getpwnam(luser);
 if (pwent == NULL)
- PAM_RETURN(PAM_USER_UNKNOWN);
+ PAM_RETURN(PAM_SERVICE_ERR);
 if (opielookup(&opie, luser) != 0)
 PAM_RETURN(PAM_IGNORE);
-- 
cgit v1.1
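Review bot: The reason for returning PAM_SERVICE_ERR on the `pwent == NULL` branch is recorded only in the commit message, so a later cleanup could plausibly restore PAM_USER_UNKNOWN and reopen the account-enumeration leak. I would put a comment above the return, e.g. `/* Not PAM_USER_UNKNOWN: that ends the chain early and reveals that the account does not exist. */`. Whether the chain really continues after PAM_SERVICE_ERR presumably also depends on the control flag used for this module in the service's PAM configuration, which is not visible here, so that assumption is worth stating in the module's documentation. The body of pam_sm_authenticate starts and ends outside the hunk.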