couldn't log on to my -CURRENT machine after upgrade to latest PAM

Don Lewis truckman at
Mon Jan 9 14:27:13 UTC 2012

On  9 Jan, Dag-Erling Smørgrav wrote:
> Don Lewis <truckman at> writes:
>> The documentation says that /etc/pam.conf is only used if
>> /etc/pam.d/service-name isn't found, and the code appears to agree
>> with that, however this doesn't seem to be working as expected after
>> the latest import of PAM.
> The culprit was this commit:
> However, I'm not confident that simply reverting this commit is the
> right way to go.

Thanks for the detective work.  It looks to me like the bug is caused by
the change in the openpam_parse_chain() return value.  In the previous
code it returned the value of count, which I would guess was greater
than zero if it found something.  In that case, the for loop in
openpam_load_chain() would be terminated because r != 0.  In the new
code, openpam_parse_chain() will return PAM_SUCCESS if it found
something, and the loop in openpam_load_chain() will go through another
iteration because ret == PAM_SUCCESS.  I think the code around the end
of the loop should look more like:
		if (ret == PAM_SUCCESS)
	return (ret);

More information about the freebsd-current mailing list