pam-MySQL

Feature: Don't try_first_pass when password undefined

Open tnafele opened this issue 6 years ago • 1 comments

Hi there, this is a feature request:

When pam_mysql is the first module in a chain it always checks an unset password first, because try_first_pass is enabled by default. Disabling this speeds up things quite a bit.

Isn't there a way to detect if it's the first module or if the password never has been set (NULL instead of an empty string)? IMHO it would be a nice feature to skip try_first_pass in such situations.

I'm not familiar with PAM internals, so I can't tell if this would be possible at all.

Cheers!

tnafele avatar Jan 28 '20 13:01 tnafele

Thanks for the request. I'll see what I can do.

NigelCunningham avatar Mar 22 '20 11:03 NigelCunningham

I think this should be happening already:

  if (ctx->use_first_pass || ctx->try_first_pass) {
    retval = pam_mysql_get_item(pamh, PAM_AUTHTOK,
        (PAM_GET_ITEM_CONST void **)&passwd);

    switch (retval) {
      case PAM_SUCCESS:
        break;

      case PAM_NO_MODULE_DATA:
        passwd = NULL;
        goto askpass;

NigelCunningham avatar Mar 13 '24 10:03 NigelCunningham

Since this is an old issue, I'll close it for now on the assumption that the above is correct; please feel free to show me I'm wrong.

NigelCunningham avatar Mar 13 '24 10:03 NigelCunningham
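
A stand-alone model of the decision this thread discusses, added here as an illustration and not taken from pam_mysql: it separates an unset stacked token (NULL) from an empty password ("") and counts the database lookups each policy costs. All names are hypothetical, and it assumes the stacked token reaches the module as a pointer that is NULL when no earlier module set one.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names: this models the decision only and does not call libpam. */
enum fp_action {
    FP_PROMPT,        /* skip the database check and ask the user */
    FP_CHECK_CACHED,  /* verify the token left by an earlier module */
    FP_FAIL           /* use_first_pass is set but there is no token */
};

struct fp_opts { int use_first_pass; int try_first_pass; };

/* authtok is the stacked token: NULL when no earlier module set one,
 * "" when an empty password was actually entered (assumption of this model). */
enum fp_action fp_decide(struct fp_opts o, const char *authtok)
{
    if (!o.use_first_pass && !o.try_first_pass)
        return FP_PROMPT;
    if (authtok == NULL)
        return o.use_first_pass ? FP_FAIL : FP_PROMPT;
    return FP_CHECK_CACHED;   /* an empty string is still a real token */
}

/* Database lookups for one login in which any cached token is rejected and
 * the prompted password is then checked. skip_unset = 0 models the behaviour
 * the issue describes, where an unset token is checked anyway. */
int fp_db_lookups(struct fp_opts o, const char *authtok, int skip_unset)
{
    enum fp_action a = fp_decide(o, authtok);
    if (!skip_unset && authtok == NULL &&
        (o.use_first_pass || o.try_first_pass))
        a = FP_CHECK_CACHED;
    switch (a) {
    case FP_FAIL:         return 0;
    case FP_PROMPT:       return 1;                        /* prompted only */
    case FP_CHECK_CACHED: return o.use_first_pass ? 1 : 2; /* cached, then prompted */
    }
    return 0;
}

int main(void)
{
    struct fp_opts first_in_chain = { 0, 1 };  /* try_first_pass, the default */
    printf("unset token checked: %d lookups\n",
           fp_db_lookups(first_in_chain, NULL, 0));
    printf("unset token skipped: %d lookups\n",
           fp_db_lookups(first_in_chain, NULL, 1));
    return 0;
}
```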