If the auth_type setting in /etc/security/login.cfg is set to

PAM_AUTH but pam_start() fails, fall back to use AIX authentication.
Skip the auth_type check if sudo is not compiled with PAM support.

plugins/sudoers/auth/aix_auth.c

@@ -44,9 +44,10 @@
  * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm
  */
 
-#define AIX_AUTH_UNKNOWN	0
+#ifdef HAVE_PAM
-#define AIX_AUTH_STD		1
+# define AIX_AUTH_UNKNOWN	0
-#define AIX_AUTH_PAM		2
+# define AIX_AUTH_STD		1
+# define AIX_AUTH_PAM		2
 
 static int
 sudo_aix_authtype(void)
@@ -115,15 +116,22 @@ sudo_aix_authtype(void)
 
     debug_return_int(authtype);
 }
+#endif /* HAVE_PAM */
 
 int
 sudo_aix_init(struct passwd *pw, sudo_auth *auth)
 {
     debug_decl(sudo_aix_init, SUDOERS_DEBUG_AUTH)
 
+#ifdef HAVE_PAM
     /* Check auth_type in /etc/security/login.cfg. */
-    if (sudo_aix_authtype() == AIX_AUTH_PAM)
+    if (sudo_aix_authtype() == AIX_AUTH_PAM) {
-	debug_return_int(AUTH_FAILURE);
+	if (sudo_pam_init_quiet(pw, auth) == AUTH_SUCCESS) {
+	    /* Fail AIX authentication so we can use PAM instead. */
+	    debug_return_int(AUTH_FAILURE);
+	}
+    }
+#endif
     debug_return_int(AUTH_SUCCESS);
 }
 

plugins/sudoers/auth/pam.c

@@ -83,19 +83,29 @@ static char *def_prompt = PASSPROMPT;
 static bool getpass_error;
 static pam_handle_t *pamh;
 
-int
+static int
-sudo_pam_init(struct passwd *pw, sudo_auth *auth)
+sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
 {
-    static int pam_status;
+    static int pam_status = PAM_SUCCESS;
     int rc;
     debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH)
 
+    /* Stash pointer to last pam status. */
+    auth->data = &pam_status;
+
+#ifdef _AIX
+    if (pamh != NULL) {
+	/* Already initialized (may happen with AIX). */
+	debug_return_int(AUTH_SUCCESS);
+    }
+#endif /* _AIX */
+
     /* Initial PAM setup */
-    auth->data = (void *) &pam_status;
     pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
 	def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
     if (pam_status != PAM_SUCCESS) {
-	log_warning(0, N_("unable to initialize PAM"));
+	if (!quiet)
+	    log_warning(0, N_("unable to initialize PAM"));
 	debug_return_int(AUTH_FATAL);
     }
 
@@ -143,6 +153,20 @@ sudo_pam_init(struct passwd *pw, sudo_auth *auth)
     debug_return_int(AUTH_SUCCESS);
 }
 
+int
+sudo_pam_init(struct passwd *pw, sudo_auth *auth)
+{
+    return sudo_pam_init2(pw, auth, false);
+}
+
+#ifdef _AIX
+int
+sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth)
+{
+    return sudo_pam_init2(pw, auth, true);
+}
+#endif /* _AIX */
+
 int
 sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
 {

plugins/sudoers/auth/sudo_auth.h

@@ -64,6 +64,7 @@ int sudo_fwtk_init(struct passwd *pw, sudo_auth *auth);
 int sudo_fwtk_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
 int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth);
 int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
+int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
 int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
 int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth);
 int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);