Revert part of the commit 4da9febc

pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
broke things such as password-less sudo.

* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
  of disabled or invalid salt.

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 39e2bfac2061fb4fa99e071929de69b818376fda..eb2444bbd71279e7c082083b59f0f185fbffa0ee 100644 (file)
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -261,19 +261,10 @@ PAMH_ARG_DECL(int check_shadow_expiry,
                         spent->sp_namp);
                return PAM_SUCCESS;
        }
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-       if (((curdays - spent->sp_lstchg > spent->sp_max)
-           && (curdays - spent->sp_lstchg > spent->sp_inact)
-           && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
-           && (spent->sp_max != -1) && (spent->sp_inact != -1))
-           || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-           || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-#else
        if ((curdays - spent->sp_lstchg > spent->sp_max)
            && (curdays - spent->sp_lstchg > spent->sp_inact)
            && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
            && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-#endif
                *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
                D(("authtok expired"));
                return PAM_AUTHTOK_EXPIRED;