From ac9023eecfe3c13d212c548bb9d5d1b42a4e044b Mon Sep 17 00:00:00 2001
From: Diego Elio 'Flameeyes' Pettenò <flameeyes@gmail.com>
Date: Thu, 19 Aug 2010 12:28:44 +0200
Subject: Also protect account and password from pam_krb5 bad jumps.

Thanks to Simon Alman for reporting, in bug #333393
---
 system-auth.in | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/system-auth.in b/system-auth.in
index 81c6542..a80d653 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -15,6 +15,8 @@ auth		optional	pam_permit.so
 account		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
 account		required	pam_unix.so DEBUG
+/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
+account		optional	pam_permit.so
  
 #if HAVE_CRACKLIB
 password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 DEBUG
@@ -26,6 +28,8 @@ password	required	pam_passwdqc.so min=8,8,8,8,8 retry=3
 password	KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
 password	required	pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
+/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
+password	optional	pam_permit.so
  
 #if HAVE_PAM_SSH
 session		optional	pam_ssh.so
-- 
cgit v1.2.3-65-gdbad