From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 26 Nov 2018 11:50:14 +0000 (+0100)
Subject: Revert part of the commit 4da9febc
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=619f19d378529defa5864941caf8c4233aef46f5;p=linux-pam

Revert part of the commit 4da9febc

pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
broke things such as password-less sudo.

* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
  of disabled or invalid salt.
---

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 39e2bfac..eb2444bb 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -261,19 +261,10 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 			 spent->sp_namp);
 		return PAM_SUCCESS;
 	}
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-	if (((curdays - spent->sp_lstchg > spent->sp_max)
-	    && (curdays - spent->sp_lstchg > spent->sp_inact)
-	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
-	    && (spent->sp_max != -1) && (spent->sp_inact != -1))
-	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-	    || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-#else
 	if ((curdays - spent->sp_lstchg > spent->sp_max)
 	    && (curdays - spent->sp_lstchg > spent->sp_inact)
 	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
 	    && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-#endif
 		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
 		D(("authtok expired"));
 		return PAM_AUTHTOK_EXPIRED;