1 files changed, 24 insertions, 10 deletions

diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c
index 9776fffddfa1..c2a933f9d47d 100644
--- a/contrib/openpam/lib/pam_get_authtok.c
+++ b/contrib/openpam/lib/pam_get_authtok.c
@@ -53,23 +53,37 @@ pam_get_authtok(pam_handle_t *pamh,
 	const char *prompt)
 {
 	char *p, *resp;
-	int r;
+	int r, style;
 
 	if (pamh == NULL || authtok == NULL)
 		return (PAM_SYSTEM_ERR);
 
-	r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
-	if (r == PAM_SUCCESS && *authtok != NULL)
-		return (PAM_SUCCESS);
-	if (prompt == NULL) {
-		if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT,
-		    (const void **)&p) != PAM_SUCCESS || p == NULL)
-			prompt = "Password:";
+	if (openpam_get_option(pamh, "try_first_pass") ||
+	    openpam_get_option(pamh, "use_first_pass")) {
+		r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
+		if (r == PAM_SUCCESS && *authtok != NULL)
+			return (PAM_SUCCESS);
+		else if (openpam_get_option(pamh, "use_first_pass"))
+			return (r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
 	}
-	r = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp,
-	    "%s", prompt ? prompt : p);
+	if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT,
+	    (const void **)&p) != PAM_SUCCESS || p == NULL)
+		if (prompt == NULL)
+			prompt = "Password:";
+	style = openpam_get_option(pamh, "echo_pass") ?
+	    PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
+	r = pam_prompt(pamh, style, &resp, "%s", p ? p : prompt);
 	if (r != PAM_SUCCESS)
 		return (r);
 	*authtok = resp;
 	return (pam_set_item(pamh, PAM_AUTHTOK, *authtok));
 }
+
+/*
+ * Error codes:
+ *
+ *	=pam_get_item
+ *	=pam_prompt
+ *	=pam_set_item
+ *	!PAM_SYMBOL_ERR
+ */