055_pam_unix_nullok_secure: also don't call the helper at all from

_unix_blankpasswd when we can detect that null passwords are disallowed,
to avoid causing spammy logs on successful authentications.
Closes: #496620.

2 files changed, 10 insertions, 6 deletions

diff --git a/debian/changelog b/debian/changelog
index 9ecb6771..0edc3f2d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,10 @@ pam (1.0.1-4) UNRELEASED; urgency=low
   [ Steve Langasek ]
   * 007_modules_pam_unix: update the manpage at the same time as the xml
     source (grr, autogenerated files in source packages).  Closes: #495804.
+  * 055_pam_unix_nullok_secure: also don't call the helper at all from
+    _unix_blankpasswd when we can detect that null passwords are disallowed,
+    to avoid causing spammy logs on successful authentications.
+    Closes: #496620.
 
  -- Julien Cristau <jcristau@debian.org>  Thu, 21 Aug 2008 00:03:56 +0200
 
diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure
index 745a8e55..18f9f95b 100644
--- a/debian/patches-applied/055_pam_unix_nullok_secure
+++ b/debian/patches-applied/055_pam_unix_nullok_secure
@@ -67,11 +67,11 @@ Index: pam.deb/modules/pam_unix/support.c
  	  args[2]=strdup("nullok");
  	} else {
  	  args[2]=strdup("nonull");
-@@ -554,6 +573,17 @@
- 	if (salt)
- 		_pam_delete(salt);
+@@ -527,6 +546,17 @@
+ 	if (on(UNIX__NONULL, ctrl))
+ 		return 0;	/* will fail but don't let on yet */
  
-+	if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) {
++	if (on(UNIX_NULLOK_SECURE, ctrl)) {
 +		int retval2;
 +		const void *uttyname;
 +		retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
@@ -82,9 +82,9 @@ Index: pam.deb/modules/pam_unix/support.c
 +			return 0;
 +	}
 +
- 	return retval;
- }
+ 	/* UNIX passwords area */
  
+ 	retval = get_pwd_hash(pamh, name, &pwd, &salt);
 @@ -613,7 +643,8 @@
  			}
  		}