pam_unix: "try_first_pass" functionality missing #357

Open
ikerexxe opened this issue Apr 21, 2021 · 4 comments

@ikerexxe
Contributor

Even though "try_first_pass" is mentioned in pam_unix man page, there isn't any functionality attached to it in the code. So I wonder if this is intentional and the option will be retired, or if the functionality should be there and this is a real issue. Any feedback?

In any case I'm willing to help improve it.

@t8m
Member

t8m commented Apr 21, 2021

The reason is that pam_get_authtok behaves like the try_first_pass is always used. Which, IMO, makes sense. But documentation should be probably improved.

@ikerexxe
Contributor Author

Thank you @t8m. I'll plan for this task and I hope to work on it soon.

@OJFord

OJFord commented May 13, 2021

Interesting, the behaviour I'm seeing (with v1.5.1, and thought this was going to be a report of the same) is try_first_pass doing what I expect from use_first_pass: complains the stacked password/token is wrong, and then fails without prompting.

(I noticed while testing my own module, inserted between what usually provides my password and include system-auth which has pam_unix.so try_first_pass. As a first test, I had my module set_authtok to an empty string, just to verify it would fail, i.e. I was indeed changing it; it did, but then I didn't get a prompt to re-enter it.)

@t8m
Member

t8m commented May 17, 2021

Yep, the current default behavior is something in between the thing that is documented for try_first_pass and use_first_pass. It behaves as try_first_pass in the sense that if there is no PAM_AUTHTOK set, it will prompt for a password where the use_first_pass would just fail right away. On the other hand if the PAM_AUTHTOK is not a valid password, it will not prompt for a password which is more like use_first_pass.
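
The three behaviours contrasted in this thread, as an added example that is not part of the original discussion and is not Linux-PAM source: a small C model that counts prompts for an unset, wrong, or correct stacked token. The mode names, `REAL_PASSWORD`, `struct handle` and `run` are hypothetical, and the conversation stand-in assumes the user always types the correct password.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the thread's three behaviours; not Linux-PAM source. */
enum mode { DOC_TRY_FIRST_PASS, DOC_USE_FIRST_PASS, OBSERVED_DEFAULT };
enum result { AUTH_OK, AUTH_FAIL };
#define REAL_PASSWORD "s3cret" /* constructed sample value */

struct handle {
    const char *authtok; /* stacked PAM_AUTHTOK; NULL if no earlier module set it */
    int prompts;         /* how many times the user was asked */
};

/* Stand-in for the conversation: the user always types the right password. */
static const char *prompt(struct handle *h) { h->prompts++; return REAL_PASSWORD; }

static enum result verify(const char *tok) { return strcmp(tok, REAL_PASSWORD) == 0 ? AUTH_OK : AUTH_FAIL; }

static enum result authenticate(struct handle *h, enum mode m)
{
    if (h->authtok == NULL) {       /* nothing stacked */
        if (m == DOC_USE_FIRST_PASS)
            return AUTH_FAIL;       /* fails right away, never prompts */
        return verify(prompt(h));   /* the other two prompt */
    }
    if (verify(h->authtok) == AUTH_OK)
        return AUTH_OK;             /* stacked token accepted, no prompt */
    if (m == DOC_TRY_FIRST_PASS)
        return verify(prompt(h));   /* documented fallback: ask the user */
    return AUTH_FAIL;               /* use_first_pass and observed default */
}

/* Run one scenario: returns the result, reports the prompt count. */
enum result run(enum mode m, const char *stacked, int *prompts)
{
    struct handle h = { stacked, 0 };
    enum result r = authenticate(&h, m);
    *prompts = h.prompts;
    return r;
}

int main(void)
{
    int p;
    enum result r = run(OBSERVED_DEFAULT, "", &p); /* wrong stacked token */
    printf("observed default, wrong token: %s, prompts=%d\n", r == AUTH_OK ? "OK" : "FAIL", p);
    return 0;
}
```

The empty-string case corresponds to the set_authtok test described above: under the observed default it fails with zero prompts, while the documented try_first_pass semantics would prompt once.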
