PAM: Fail empty password in passkey fallback

We can assume in this fallback chain that an empty password is not allowed. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
SSSD · Jul 24, 2023 · 43d89dd · 43d89dd
1 parent d019132
commit 43d89dd
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
@@ -2549,6 +2549,11 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
                 /* Fallback to password auth if no PIN was entered */
                 if (ret == EIO) {
                     ret = prompt_password(pamh, pi, _("Password: "));
+                    if (pi->pam_authtok_size == 0) {
+                        D(("Empty password failure"));
+                        pi->passkey_prompt_pin = NULL;
+                        return PAM_AUTHTOK_ERR;
+                    }
                 }
             } else {
                 ret = prompt_password(pamh, pi, _("Password: "));