oath-toolkit-help

[OATH-Toolkit-help] Bug#807990: third patch, fails more gracefully


From: Antoine Beaupré
Subject: [OATH-Toolkit-help] Bug#807990: third patch, fails more gracefully
Date: Mon, 01 Aug 2016 12:40:20 -0400
User-agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)

the following patch makes use of the PAM_USER_UNKNOWN flag in a more
graceful way, and checks before prompting the password. it could be
using more direct parsing functions, but that turned out to be harder
because the parse_usersfile function has a more complicated signature
than the actual authentication function.

diff --git a/pam_oath/README b/pam_oath/README
index bef4265..a6cbe56 100644
--- a/pam_oath/README
+++ b/pam_oath/README
@@ -23,7 +23,7 @@ window open before making any changes!
 
 ---------
 # head -1 /etc/pam.d/su
-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
+auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20 
[user_unknown=ignore]
 #
 ---------
 
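Review bot: the `+` line places `[user_unknown=ignore]` after the module arguments, where PAM will hand it to pam_oath as a module option it does not know rather than interpret it as a control action; the bracketed `[value=action]` syntax belongs in the control field (second column) of the pam.d line. To keep the existing `requisite` semantics and add the new action, the README example should read along the lines of `auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=die] pam_oath.so debug usersfile=/etc/users.oath window=20` (the first four actions are what pam.conf(5) documents `requisite` as expanding to). The trailing space on the `+` line should also be dropped.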
diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
index 2820318..25a3452 100644
--- a/pam_oath/pam_oath.c
+++ b/pam_oath/pam_oath.c
@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
     }
   DBG (("get user returned: %s", user));
 
+  // quick check to skip unconfigured users before prompting for password
+  {
+    time_t last_otp;
+    otp[0] = '\0';
+    rc = oath_authenticate_usersfile (cfg.usersfile,
+                                      user,
+                                      otp, cfg.window, onlypasswd, &last_otp);
+
+    DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
+          oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
+          oath_strerror (rc), ctime (&last_otp)));
+    if (rc == OATH_UNKNOWN_USER)
+      {
+        return PAM_USER_UNKNOWN;
+      }
+  }
+
   if (cfg.try_first_pass || cfg.use_first_pass)
     {
       retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
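Review bot: `last_otp` is declared without an initialiser, yet the DBG call formats `ctime (&last_otp)` for every return code, including OATH_UNKNOWN_USER where the library stores nothing in it; reading an indeterminate `time_t` is undefined behaviour and the debug line will print garbage. Initialise it (`time_t last_otp = 0;`) or only format it when `rc == OATH_OK`. Also, the pre-check calls oath_authenticate_usersfile with an empty `otp`, so for a configured user this is an intentionally failing authentication attempt made before the real one; a comment stating that the empty OTP is deliberate would help the next reader, and it is worth confirming that the library records or locks nothing on a failed attempt. The second parse of the usersfile is already acknowledged in the message.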

it still parses the file twice, but I'm not sure how to fix that short
of loading the whole file in memory, which isn't the way the library
works now.

a.
-- 
We have no friends but the mountains.
                        - Kurdish saying