1 files changed, 23 insertions, 17 deletions

diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
index 9b58895..654edd3 100644
--- a/modules/pam_pwhistory/pam_pwhistory.c
+++ b/modules/pam_pwhistory/pam_pwhistory.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2008 Thorsten Kukuk
- * Author: Thorsten Kukuk <kukuk@suse.de>
+ * Copyright (c) 2008, 2012 Thorsten Kukuk
+ * Author: Thorsten Kukuk <kukuk@thkukuk.de>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -103,6 +103,9 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
 }
 
 
+/* This module saves the current crypted password in /etc/security/opasswd
+   and then compares the new password with all entries in this file. */
+
 PAM_EXTERN int
 pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
@@ -155,10 +158,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
   if (pwd == NULL)
     return PAM_USER_UNKNOWN;
 
-  /* Ignore root if not enforced */
-  if (pwd->pw_uid == 0 && !options.enforce_for_root)
-    return PAM_SUCCESS;
-
   if ((strcmp(pwd->pw_passwd, "x") == 0)  ||
       ((pwd->pw_passwd[0] == '#') &&
        (pwd->pw_passwd[1] == '#') &&
@@ -168,15 +167,15 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
       if (spw == NULL)
 	return PAM_USER_UNKNOWN;
 
-      retval = save_old_password (pamh, user, pwd->pw_uid, spw->sp_pwdp,
-				  options.remember, options.debug);
+      retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
+			      options.remember, options.debug);
       if (retval != PAM_SUCCESS)
 	return retval;
     }
   else
     {
-      retval = save_old_password (pamh, user, pwd->pw_uid, pwd->pw_passwd,
-				  options.remember, options.debug);
+      retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
+			      options.remember, options.debug);
       if (retval != PAM_SUCCESS)
 	return retval;
     }
@@ -208,14 +207,21 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
       if (options.debug)
 	pam_syslog (pamh, LOG_DEBUG, "check against old password file");
 
-      if (check_old_password (pamh, user, newpass,
-			      options.debug) != PAM_SUCCESS)
+      if (check_old_pass (pamh, user, newpass,
+			  options.debug) != PAM_SUCCESS)
 	{
-	  pam_error (pamh,
-		     _("Password has been already used. Choose another."));
-	  newpass = NULL;
-	  /* Remove password item, else following module will use it */
-          pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL);
+	  if (getuid() || options.enforce_for_root ||
+	      (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+	    {
+	      pam_error (pamh,
+		         _("Password has been already used. Choose another."));
+	      newpass = NULL;
+	      /* Remove password item, else following module will use it */
+	      pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL);
+	    }
+	  else
+	    pam_info (pamh,
+		       _("Password has been already used."));
 	}
     }