pam_faillock: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN

Give the application a chance to handle PAM_INCOMPLETE.

* modules/pam_faillock/pam_faillock.c (get_pam_user): Return
PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.

2 files changed, 10 insertions, 1 deletions

diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
index d7f2a3ce..c734c28c 100644
--- a/modules/pam_faillock/pam_faillock.8.xml
+++ b/modules/pam_faillock/pam_faillock.8.xml
@@ -171,6 +171,15 @@
         </listitem>
       </varlistentry>
       <varlistentry>
+        <term>PAM_INCOMPLETE</term>
+        <listitem>
+          <para>
+            The conversation method supplied by the application
+            returned PAM_CONV_AGAIN.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
         <term>PAM_SUCCESS</term>
         <listitem>
           <para>
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
index e340a83c..142cf7e3 100644
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -394,7 +394,7 @@ get_pam_user(pam_handle_t *pamh, struct options *opts)
 	struct passwd *pwd;
 
 	if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
-		return rv;
+		return rv == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rv;
 	}
 
 	if (*user == '\0') {