From cafc16591fdfbb7077a31baf1a054e351eda6382 Mon Sep 17 00:00:00 2001
From: markm <markm@FreeBSD.org>
Date: Mon, 4 Jun 2001 19:16:57 +0000
Subject: Add the "nullok" option that causes this module to succeed if the
 Unix password is empty/null.

---
 lib/libpam/modules/pam_unix/pam_unix.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'lib/libpam/modules/pam_unix/pam_unix.c')

diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index c8ddde7..cc97ad9 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -69,10 +69,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 			return retval;
 		pwd = getpwnam(user);
 	}
-	if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
-	    options)) != PAM_SUCCESS)
-		return retval;
 	if (pwd != NULL) {
+		if (pwd->pw_passwd[0] == '\0' && (options & PAM_OPT_NULLOK))
+			/*
+			 * No password case. XXX Are we giving too much away
+			 * by not prompting for a password?
+			 */
+			return PAM_SUCCESS;
+		else {
+			if ((retval = pam_get_pass(pamh, &password,
+			    PASSWORD_PROMPT, options)) != PAM_SUCCESS)
+				return retval;
+		}
 		encrypted = crypt(password, pwd->pw_passwd);
 		if (password[0] == '\0' && pwd->pw_passwd[0] != '\0')
 			encrypted = ":";
-- 
cgit v1.1