Feature: Don't try_first_pass when password undefined
Hi there, this is feature request:
When pam_mysql is the first module in a chain it always checks an unset password first, because try_first_pass is enabled by default. Disabling this speeds up things quite a bit.
Isn't there a way to detect if it's the first module or if the password never has been set (NULL instead of an empty string)? IMHO it would be a nice feature to skip try_first_pass in such situations.
I'm not familiar to PAM internals, so I can't tell if this would be possible at all.
Cheers!
Thanks for the request. I'll see what I can do.
I think this should be happening already:
if (ctx->use_first_pass || ctx->try_first_pass) {
retval = pam_mysql_get_item(pamh, PAM_AUTHTOK,
(PAM_GET_ITEM_CONST void **)&passwd);
switch (retval) {
case PAM_SUCCESS:
break;
case PAM_NO_MODULE_DATA:
passwd = NULL;
goto askpass;
Since this is an old issue, I'll close it for now on the assumption that the above is correct; please feel free to show me I'm wrong.