diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/changelog
--- oath-toolkit-2.6.1/debian/changelog 2019-02-09 10:39:41.000000000 -0500
+++ oath-toolkit-2.6.1/debian/changelog 2016-08-20 09:51:41.000000000 -0400
@@ -1,3 +1,11 @@
+oath-toolkit (2.6.1-1.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * patch: fail gracefully for missing users (Closes: #807990)
+ * push to salsa
+
+ -- Antoine Beaupré Sat, 20 Aug 2016 09:51:41 -0400
+
 oath-toolkit (2.6.1-1.3) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru oath-toolkit-2.6.1/debian/control oath-toolkit-2.6.1/debian/control
--- oath-toolkit-2.6.1/debian/control 2018-06-22 13:48:52.000000000 -0400
+++ oath-toolkit-2.6.1/debian/control 2016-08-20 09:51:41.000000000 -0400
@@ -6,8 +6,8 @@
 Build-Depends: cdbs, debhelper (>= 7.0.0), libpam0g-dev, datefudge, gtk-doc-tools, dblatex, libxml2-utils, libxmlsec1-dev, dh-autoreconf
 Standards-Version: 3.9.6
 Homepage: http://www.nongnu.org/oath-toolkit/
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/oath-toolkit.git
-Vcs-Git: git://anonscm.debian.org/collab-maint/oath-toolkit.git
+Vcs-Browser: https://salsa.debian.org/debian/oath-toolkit
+Vcs-Git: https://salsa.debian.org/debian/oath-toolkit.git
 
 Package: liboath-dev
 Section: libdevel
diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
--- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch 1969-12-31 19:00:00.000000000 -0500
+++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch 2016-08-20 09:51:41.000000000 -0400
@@ -0,0 +1,83 @@
+From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?=
+Date: Mon, 1 Aug 2016 12:25:10 -0400
+Subject: [PATCH] fail gracefully for missing users
+
+when the pam module is enabled, it forces *all* users to immediately
+start using OATH, or they can't login at all.
+
+a more progressive approach would seem more reasonable to me,
+especially since each user need to get an admin user to update the
+central file for them.
+
+this patch adds an early check to the users file and makes sure the
+user exists before prompting for a password.
+
+if the user is missing, it exits early with a standard error code
+(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration
+(as shown in the README file). this leaves the policy decision up to
+the admin (and defaults to "fail closed").
+
+if the user is present, the code path remains the same except the
+usersfile is scanned twice, which may be a performance penalty on very
+slow filesystems or very large files. the only workaround I can think
+of for this would be to load the whole file into memory, but this
+could have significant memory impact on large files.
+
+the function used (`oath_authenticate_usersfile`) is a little overkill
+as it actually goes and tries to authenticate the user with an empty
+password. this is harmless because the file isn't updated if the OTP
+is incorrect and because no warning is sent to syslog.
+
+a possible improvement on this would be to have a warning shown to the
+user inciting them to configure OATH or to warn them about a possible
+typo in their username before they enter their regular passphrase
+---
+ pam_oath/README | 2 +-
+ pam_oath/pam_oath.c | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/pam_oath/README b/pam_oath/README
+index bef4265..24b9f8b 100644
+--- a/pam_oath/README
++++ b/pam_oath/README
+@@ -23,7 +23,7 @@ window open before making any changes!
+ 
+ ---------
+ # head -1 /etc/pam.d/su
+-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
++auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20
+ #
+ ---------
+ 
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 2820318..25a3452 100644
+--- a/pam_oath/pam_oath.c
++++ b/pam_oath/pam_oath.c
+@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ }
+ DBG (("get user returned: %s", user));
+ 
++ // quick check to skip unconfigured users before prompting for password
++ {
++ time_t last_otp;
++ otp[0] = '\0';
++ rc = oath_authenticate_usersfile (cfg.usersfile,
++ user,
++ otp, cfg.window, onlypasswd, &last_otp);
++
++ DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
++ oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
++ oath_strerror (rc), ctime (&last_otp)));
++ if (rc == OATH_UNKNOWN_USER)
++ {
++ return PAM_USER_UNKNOWN;
++ }
++ }
++
+ if (cfg.try_first_pass || cfg.use_first_pass)
+ {
+ retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
+--
+2.1.4
+
diff -Nru oath-toolkit-2.6.1/debian/patches/series oath-toolkit-2.6.1/debian/patches/series
--- oath-toolkit-2.6.1/debian/patches/series 2019-02-09 10:39:41.000000000 -0500
+++ oath-toolkit-2.6.1/debian/patches/series 2016-08-20 09:51:41.000000000 -0400
@@ -1,2 +1,3 @@
 gtkdocize.patch
 new-glibc-check.patch
+0001-fail-gracefully-for-missing-users.patch
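Review bot: In the pam_oath.c part of this patch, `last_otp` is declared without an initializer and its address is passed to `ctime` inside the `DBG` call before `rc` is examined, so on the `OATH_UNKNOWN_USER` path (and presumably on any failure where `oath_authenticate_usersfile` leaves the out-parameter untouched) a debug build formats an indeterminate `time_t`; `time_t last_otp = 0;` avoids that. In the README part, the line that replaces `requisite`, `[user_unknown=ignore success=ok]`, names no `default=` action, so if I read pam.conf(5) correctly every other return code is treated as `bad` (keep walking the stack) rather than `die`, which silently changes the original fail-fast semantics; `[user_unknown=ignore success=ok default=die]` would preserve them while still letting the unknown-user result be ignored. Because the pre-check returns before any prompt, an unenrolled account now gets a visibly different dialogue when `ignore` is chosen; a sentence in the README stating that trade-off would help admins weigh it. The enclosing `pam_sm_authenticate` begins and ends outside the hunk, and whether `otp` and `onlypasswd` are already declared at this point cannot be confirmed from here.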