From 45bf20d8490372713a500f4b1589d11a36dcff6b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Jun 22 2011 20:03:22 +0000
Subject: - only permit a password prompt in attempt 3 if we didn't already

  ask for a password

---

diff --git a/src/password.c b/src/password.c
index f061c14..7681627 100644
--- a/src/password.c
+++ b/src/password.c
@@ -348,7 +348,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 					 options,
 					 PASSWORD_CHANGE_PRINCIPAL,
 					 NULL, tmp_gicopts,
-					 _pam_krb5_always_prompter,
+					 options->permit_password_callback ?
+					 _pam_krb5_always_prompter :
+					 _pam_krb5_normal_prompter,
 					 NULL,
 					 &tmp_result);
 			prelim_attempted = 1;