force PAM api call; write .irodsA only in free func

d-w-moore · d-w-moore · commit da490fc6e83b · 2024-09-23T09:02:01.000-04:00
diff --git a/irods/client_init.py b/irods/client_init.py
@@ -12,10 +12,11 @@ def write_credentials_with_native_password( password ):
 
 def write_credentials_with_pam_password( password ):
     s = h.make_session()
-    assert(not s.auth_file)
     s.pool.account.password = password
-    with cfg.loadlines( [dict(setting='legacy_auth.pam.password_for_auto_renew',value='')] ):
+    with cfg.loadlines( [dict(setting='legacy_auth.pam.password_for_auto_renew',value=None),
+                         dict(setting='legacy_auth.pam.store_password_to_environment',value=False)] ):
         to_encode = s.pam_pw_negotiated
+    assert(not s.auth_file)
     if to_encode:
         open(s.pool.account.derived_auth_file,'w').write(obf.encode(to_encode[0]))
         return True
diff --git a/irods/connection.py b/irods/connection.py
@@ -461,16 +461,14 @@ def _login_pam(self):
 
         import irods.client_configuration as cfg
         inline_password = (self.account.authentication_scheme == self.account._original_authentication_scheme)
-        # By default, let server determine the TTL.
-        time_to_live_in_hours = 0
+        time_to_live_in_hours = cfg.legacy_auth.pam.time_to_live_in_hours
         # For certain characters in the pam password, if they need escaping with '\' then do so.
         new_pam_password = PAM_PW_ESC_PATTERN.sub(lambda m: '\\'+m.group(1), self.account.password)
-        if not inline_password:
+        if not inline_password and cfg.legacy_auth.pam.password_for_auto_renew is not None:
             # Login using PAM password from .irodsA
             try:
                 self._login_native()
             except (ex.CAT_PASSWORD_EXPIRED, ex.CAT_INVALID_USER, ex.CAT_INVALID_AUTHENTICATION) as exc:
-                time_to_live_in_hours = cfg.legacy_auth.pam.time_to_live_in_hours
                 if cfg.legacy_auth.pam.password_for_auto_renew:
                     new_pam_password = cfg.legacy_auth.pam.password_for_auto_renew
                     # Fall through and retry the native login later, after creating a new PAM password
