authorjdp <jdp@FreeBSD.org>1999-05-08 01:59:27 +0000
committerjdp <jdp@FreeBSD.org>1999-05-08 01:59:27 +0000
commit3b1a00d745517ae78fdeed8c328a173d7aa54567 (patch)
treefb6786f4e5d3887076238f27347e4a1cf640c178
parent6917b00bc8ee216542e93207dac41322d0fbbaf6 (diff)
downloadFreeBSD-src-3b1a00d745517ae78fdeed8c328a173d7aa54567.zip
FreeBSD-src-3b1a00d745517ae78fdeed8c328a173d7aa54567.tar.gz
Revive the pam_deny and pam_permit modules from Linux-PAM. They are
simple enough to be trusted. Add account management functionality to the pam_unix module. These changes should make it possible to use PAM in some ports. Submitted by: Max Khon <fjoe@iclub.nsu.ru>
-rw-r--r--contrib/libpam/modules/pam_deny/Makefile125
-rw-r--r--contrib/libpam/modules/pam_deny/README4
-rw-r--r--contrib/libpam/modules/pam_deny/pam_deny.c83
-rw-r--r--contrib/libpam/modules/pam_permit/Makefile126
-rw-r--r--contrib/libpam/modules/pam_permit/README4
-rw-r--r--contrib/libpam/modules/pam_permit/pam_permit.c108
-rw-r--r--lib/libpam/libpam/Makefile2
-rw-r--r--lib/libpam/modules/Makefile2
-rw-r--r--lib/libpam/modules/pam_deny/Makefile41
-rw-r--r--lib/libpam/modules/pam_permit/Makefile42
-rw-r--r--lib/libpam/modules/pam_unix/Makefile4
-rw-r--r--lib/libpam/modules/pam_unix/pam_unix.c74
12 files changed, 613 insertions, 2 deletions
diff --git a/contrib/libpam/modules/pam_deny/Makefile b/contrib/libpam/modules/pam_deny/Makefile
new file mode 100644
index 0000000..02506cb
--- /dev/null
+++ b/contrib/libpam/modules/pam_deny/Makefile
@@ -0,0 +1,125 @@
+#
+# $Id: Makefile,v 1.7 1997/04/05 06:43:41 morgan Exp morgan $
+#
+# This Makefile controls a build process of $(TITLE) module for
+# Linux-PAM. You should not modify this Makefile (unless you know
+# what you are doing!).
+#
+# $Log: Makefile,v $
+# Revision 1.7 1997/04/05 06:43:41 morgan
+# full-source-tree and fakeroot
+#
+# Revision 1.6 1997/02/15 19:04:27 morgan
+# fixed email
+#
+# Revision 1.5 1996/11/10 20:11:48 morgan
+# crossplatform support
+#
+# Revision 1.4 1996/09/05 06:50:12 morgan
+# ld --> gcc
+#
+# Revision 1.3 1996/05/26 15:48:38 morgan
+# make dynamic and static dirs
+#
+# Revision 1.2 1996/05/26 04:00:16 morgan
+# changes for automated static/dynamic modules
+#
+# Revision 1.1 1996/03/16 17:47:36 morgan
+# Initial revision
+#
+#
+# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11
+#
+
+# Convenient defaults for compiling independently of the full source
+# tree.
+ifndef FULL_LINUX_PAM_SOURCE_TREE
+export DYNAMIC=-DPAM_DYNAMIC
+export CC=gcc
+export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
+ -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
+ -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
+ -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
+ -Wshadow -pedantic -fPIC
+export MKDIR=mkdir -p
+export LD_D=gcc -shared -Xlinker -x
+endif
+
+#
+
+TITLE=pam_deny
+
+#
+
+LIBSRC = $(TITLE).c
+LIBOBJ = $(TITLE).o
+LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
+LIBOBJS = $(addprefix static/,$(LIBOBJ))
+
+dynamic/%.o : %.c
+ $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
+
+static/%.o : %.c
+ $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
+
+
+ifdef DYNAMIC
+LIBSHARED = $(TITLE).so
+endif
+ifdef STATIC
+LIBSTATIC = lib$(TITLE).o
+endif
+
+####################### don't edit below #######################
+
+dummy:
+ @echo "**** This is not a top-level Makefile "
+ exit
+
+all: dirs $(LIBSHARED) $(LIBSTATIC) register
+
+dirs:
+ifdef DYNAMIC
+ $(MKDIR) ./dynamic
+endif
+ifdef STATIC
+ $(MKDIR) ./static
+endif
+
+register:
+ifdef STATIC
+ ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
+endif
+
+ifdef DYNAMIC
+$(LIBOBJD): $(LIBSRC)
+
+$(LIBSHARED): $(LIBOBJD)
+ $(LD_D) -o $@ $(LIBOBJD)
+endif
+
+ifdef STATIC
+$(LIBOBJS): $(LIBSRC)
+
+$(LIBSTATIC): $(LIBOBJS)
+ $(LD) -r -o $@ $(LIBOBJS)
+endif
+
+install: all
+ $(MKDIR) $(FAKEROOT)$(SECUREDIR)
+ifdef DYNAMIC
+ $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
+endif
+
+remove:
+ rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
+
+clean:
+ rm -f $(LIBOBJD) $(LIBOBJS) core *~
+
+extraclean: clean
+ rm -f *.a *.o *.so *.bak
+
+.c.o:
+ $(CC) $(CFLAGS) -c $<
+
diff --git a/contrib/libpam/modules/pam_deny/README b/contrib/libpam/modules/pam_deny/README
new file mode 100644
index 0000000..4f7f6de
--- /dev/null
+++ b/contrib/libpam/modules/pam_deny/README
@@ -0,0 +1,4 @@
+# $Id: README,v 1.1 1996/03/16 18:11:12 morgan Exp $
+#
+
+this module always fails, it ignores all options.
diff --git a/contrib/libpam/modules/pam_deny/pam_deny.c b/contrib/libpam/modules/pam_deny/pam_deny.c
new file mode 100644
index 0000000..01b2def
--- /dev/null
+++ b/contrib/libpam/modules/pam_deny/pam_deny.c
@@ -0,0 +1,83 @@
+/* pam_deny module */
+
+/*
+ * $Id: pam_deny.c,v 1.4 1997/02/15 19:05:15 morgan Exp $
+ *
+ * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
+ *
+ * $Log: pam_deny.c,v $
+ * Revision 1.4 1997/02/15 19:05:15 morgan
+ * fixed email
+ *
+ * Revision 1.3 1996/06/02 08:06:19 morgan
+ * changes for new static protocol
+ *
+ * Revision 1.2 1996/05/26 04:01:12 morgan
+ * added static support
+ *
+ * Revision 1.1 1996/03/16 17:47:36 morgan
+ * Initial revision
+ *
+ */
+
+/*
+ * here, we make definitions for the externally accessible functions
+ * in this file (these definitions are required for static modules
+ * but strongly encouraged generally) they are used to instruct the
+ * modules include file to define their prototypes.
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+
+#include <security/pam_modules.h>
+
+/* --- authentication management functions --- */
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_CRED_UNAVAIL;
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_ACCT_EXPIRED;
+}
+
+/* --- password management --- */
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_AUTHTOK_ERR;
+}
+
+/* --- session management --- */
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SYSTEM_ERR;
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SYSTEM_ERR;
+}
+
+/* end of module definition */
+
+PAM_MODULE_ENTRY("pam_deny");
diff --git a/contrib/libpam/modules/pam_permit/Makefile b/contrib/libpam/modules/pam_permit/Makefile
new file mode 100644
index 0000000..823b624
--- /dev/null
+++ b/contrib/libpam/modules/pam_permit/Makefile
@@ -0,0 +1,126 @@
+#
+# $Id: Makefile,v 1.8 1997/04/05 06:33:25 morgan Exp morgan $
+#
+# This Makefile controls a build process of $(TITLE) module for
+# Linux-PAM. You should not modify this Makefile (unless you know
+# what you are doing!).
+#
+# $Log: Makefile,v $
+# Revision 1.8 1997/04/05 06:33:25 morgan
+# fakeroot
+#
+# Revision 1.7 1997/02/15 19:02:27 morgan
+# updated email address
+#
+# Revision 1.6 1996/11/10 20:14:34 morgan
+# cross platform support
+#
+# Revision 1.5 1996/09/05 06:32:45 morgan
+# ld --> gcc
+#
+# Revision 1.4 1996/05/26 15:49:25 morgan
+# make dynamic and static dirs
+#
+# Revision 1.3 1996/05/26 04:04:26 morgan
+# automated static support
+#
+# Revision 1.2 1996/03/16 17:56:38 morgan
+# tidied up
+#
+#
+# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11
+#
+
+# Convenient defaults for compiling independently of the full source
+# tree.
+ifndef FULL_LINUX_PAM_SOURCE_TREE
+export DYNAMIC=-DPAM_DYNAMIC
+export CC=gcc
+export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
+ -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
+ -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
+ -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
+ -Wshadow -pedantic -fPIC
+export MKDIR=mkdir -p
+export LD_D=gcc -shared -Xlinker -x
+endif
+
+#
+#
+
+TITLE=pam_permit
+
+#
+
+LIBSRC = $(TITLE).c
+LIBOBJ = $(TITLE).o
+LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
+LIBOBJS = $(addprefix static/,$(LIBOBJ))
+
+ifdef DYNAMIC
+LIBSHARED = $(TITLE).so
+endif
+
+ifdef STATIC
+LIBSTATIC = lib$(TITLE).o
+endif
+
+####################### don't edit below #######################
+
+all: dirs $(LIBSHARED) $(LIBSTATIC) register
+
+dynamic/%.o : %.c
+ $(CC) $(CFLAGS) $(DYNAMIC) $(TARGET_ARCH) -c $< -o $@
+
+static/%.o : %.c
+ $(CC) $(CFLAGS) $(STATIC) $(TARGET_ARCH) -c $< -o $@
+
+dirs:
+ifdef DYNAMIC
+ $(MKDIR) ./dynamic
+endif
+ifdef STATIC
+ $(MKDIR) ./static
+endif
+
+register:
+ifdef STATIC
+ ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
+endif
+
+ifdef DYNAMIC
+$(LIBOBJD): $(LIBSRC)
+endif
+
+ifdef DYNAMIC
+$(LIBSHARED): $(LIBOBJD)
+ $(LD_D) -o $@ $(LIBOBJD)
+endif
+
+ifdef STATIC
+$(LIBOBJS): $(LIBSRC)
+endif
+
+ifdef STATIC
+$(LIBSTATIC): $(LIBOBJS)
+ $(LD) -r -o $@ $(LIBOBJS)
+endif
+
+install: all
+ $(MKDIR) $(FAKEROOT)$(SECUREDIR)
+ifdef DYNAMIC
+ $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
+endif
+
+remove:
+ rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
+
+clean:
+ rm -f $(LIBOBJD) $(LIBOBJS) core *~
+
+extraclean: clean
+ rm -f *.a *.o *.so *.bak
+
+.c.o:
+ $(CC) $(CFLAGS) -c $<
+
diff --git a/contrib/libpam/modules/pam_permit/README b/contrib/libpam/modules/pam_permit/README
new file mode 100644
index 0000000..da179a3
--- /dev/null
+++ b/contrib/libpam/modules/pam_permit/README
@@ -0,0 +1,4 @@
+# $Id: README,v 1.1 1996/03/16 18:12:51 morgan Exp $
+#
+
+this module always returns PAM_SUCCESS, it ignores all options.
diff --git a/contrib/libpam/modules/pam_permit/pam_permit.c b/contrib/libpam/modules/pam_permit/pam_permit.c
new file mode 100644
index 0000000..a01f9c2
--- /dev/null
+++ b/contrib/libpam/modules/pam_permit/pam_permit.c
@@ -0,0 +1,108 @@
+/* pam_permit module */
+
+/*
+ * $Id: pam_permit.c,v 1.5 1997/02/15 19:03:15 morgan Exp $
+ *
+ * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
+ *
+ * $Log: pam_permit.c,v $
+ * Revision 1.5 1997/02/15 19:03:15 morgan
+ * fixed email address
+ *
+ * Revision 1.4 1997/02/15 16:03:10 morgan
+ * force a name for user
+ *
+ * Revision 1.3 1996/06/02 08:10:14 morgan
+ * updated for new static protocol
+ *
+ */
+
+#define DEFAULT_USER "nobody"
+
+#include <stdio.h>
+
+/*
+ * here, we make definitions for the externally accessible functions
+ * in this file (these definitions are required for static modules
+ * but strongly encouraged generally) they are used to instruct the
+ * modules include file to define their prototypes.
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+
+/* --- authentication management functions --- */
+
+PAM_EXTERN
+int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ int retval;
+ const char *user=NULL;
+
+ /*
+ * authentication requires we know who the user wants to be
+ */
+ retval = pam_get_user(pamh, &user, NULL);
+ if (retval != PAM_SUCCESS) {
+ D(("get user returned error: %s", pam_strerror(pamh,retval)));
+ return retval;
+ }
+ if (user == NULL || *user == '\0') {
+ D(("username not known"));
+ pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
+ }
+ user = NULL; /* clean up */
+
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN
+int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+/* --- password management --- */
+
+PAM_EXTERN
+int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+/* --- session management --- */
+
+PAM_EXTERN
+int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN
+int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+/* end of module definition */
+
+PAM_MODULE_ENTRY("pam_permit");
diff --git a/lib/libpam/libpam/Makefile b/lib/libpam/libpam/Makefile
index 7603a65..ddcc688 100644
--- a/lib/libpam/libpam/Makefile
+++ b/lib/libpam/libpam/Makefile
@@ -61,9 +61,11 @@ HDRS3= pam_mod_misc.h
# Static PAM modules:
STATIC_MODULES+= ${MODOBJDIR}/pam_cleartext_pass_ok/libpam_cleartext_pass_ok.a
+STATIC_MODULES+= ${MODOBJDIR}/pam_deny/libpam_deny.a
.if defined(MAKE_KERBEROS4)
STATIC_MODULES+= ${MODOBJDIR}/pam_kerberosIV/libpam_kerberosIV.a
.endif
+STATIC_MODULES+= ${MODOBJDIR}/pam_permit/libpam_permit.a
STATIC_MODULES+= ${MODOBJDIR}/pam_radius/libpam_radius.a
STATIC_MODULES+= ${MODOBJDIR}/pam_skey/libpam_skey.a
STATIC_MODULES+= ${MODOBJDIR}/pam_tacplus/libpam_tacplus.a
diff --git a/lib/libpam/modules/Makefile b/lib/libpam/modules/Makefile
index 5a3e3c1..74136ba 100644
--- a/lib/libpam/modules/Makefile
+++ b/lib/libpam/modules/Makefile
@@ -25,9 +25,11 @@
# $FreeBSD$
SUBDIR+= pam_cleartext_pass_ok
+SUBDIR+= pam_deny
.if defined(MAKE_KERBEROS4)
SUBDIR+= pam_kerberosIV
.endif
+SUBDIR+= pam_permit
SUBDIR+= pam_radius
SUBDIR+= pam_skey
SUBDIR+= pam_tacplus
diff --git a/lib/libpam/modules/pam_deny/Makefile b/lib/libpam/modules/pam_deny/Makefile
new file mode 100644
index 0000000..17b1447
--- /dev/null
+++ b/lib/libpam/modules/pam_deny/Makefile
@@ -0,0 +1,41 @@
+# Copyright 1999 Max Khon.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+
+PAMDIR= ${.CURDIR}/../../../../contrib/libpam
+
+.PATH: ${PAMDIR}/modules/pam_deny
+
+LIB= pam_deny
+SHLIB_NAME= pam_deny.so
+SRCS= pam_deny.c
+CFLAGS+= -Wall
+CFLAGS+= -I${PAMDIR}/libpam/include
+DPADD+= ${LIBGCC_PIC}
+LDADD+= -lgcc_pic
+INTERNALLIB= yes
+INTERNALSTATICLIB=yes
+
+.include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_permit/Makefile b/lib/libpam/modules/pam_permit/Makefile
new file mode 100644
index 0000000..8863ff5
--- /dev/null
+++ b/lib/libpam/modules/pam_permit/Makefile
@@ -0,0 +1,42 @@
+# Copyright 1999 Max Khon.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+
+PAMDIR= ${.CURDIR}/../../../../contrib/libpam
+
+.PATH: ${PAMDIR}/modules/pam_permit
+
+LIB= pam_permit
+SHLIB_NAME= pam_permit.so
+SRCS= pam_permit.c
+CFLAGS+= -Wall
+CFLAGS+= -I${PAMDIR}/libpam/include
+CFLAGS+= -I${.CURDIR}/../../libpam
+DPADD+= ${LIBGCC_PIC}
+LDADD+= -lgcc_pic
+INTERNALLIB= yes
+INTERNALSTATICLIB=yes
+
+.include <bsd.lib.mk>
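Review bot: This new Makefile builds and installs `pam_permit.so` without any comment on what the module does, although the imported README states that it always returns PAM_SUCCESS and ignores all options. Someone reading only the build glue under lib/libpam has no hint that this library performs no check of any kind. I would add a short header comment above `LIB=`, for example `# pam_permit succeeds unconditionally for every PAM function; it performs no authentication or account check.`, so that the behaviour is visible where the module is wired into the build.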
diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile
index d3bb689..d049e2b 100644
--- a/lib/libpam/modules/pam_unix/Makefile
+++ b/lib/libpam/modules/pam_unix/Makefile
@@ -32,8 +32,8 @@ SRCS= pam_unix.c
CFLAGS+= -Wall
CFLAGS+= -I${PAMDIR}/libpam/include
CFLAGS+= -I${.CURDIR}/../../libpam
-DPADD+= ${LIBGCC_PIC}
-LDADD+= -lgcc_pic
+DPADD+= ${LIBUTIL} ${LIBGCC_PIC}
+LDADD+= -lutil -lgcc_pic
INTERNALLIB= yes
INTERNALSTATICLIB=yes
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index b68a9d4..329b784 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -27,18 +27,26 @@
*/
#include <sys/types.h>
+#include <sys/time.h>
+#include <login_cap.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
+#include <stdio.h>
#include <unistd.h>
#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
#define PASSWORD_PROMPT "Password:"
+/*
+ * authentication management
+ */
+
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
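Review bot: The include list gains `<sys/time.h>` and `<stdio.h>` for `gettimeofday()` and `snprintf()`, but the account-management code added further down in this commit also calls `ctime()`, which is declared in `<time.h>`. Whether `<sys/time.h>` pulls that header in is not visible from this hunk, so I would add `#include <time.h>` explicitly rather than rely on it; an undeclared `ctime()` would be treated as returning `int`. The body of pam_sm_authenticate continues outside the hunk.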
@@ -87,4 +95,70 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
return PAM_SUCCESS;
}
+/*
+ * account management
+ *
+ * check pw_change and pw_expire fields
+ */
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ const char *user;
+ struct passwd *pw;
+ struct timeval tp;
+ time_t warntime;
+ login_cap_t *lc = NULL;
+ char buf[128];
+ int retval;
+
+ retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
+ if (retval != PAM_SUCCESS || user == NULL)
+ /* some implementations return PAM_SUCCESS here */
+ return PAM_USER_UNKNOWN;
+
+ if ((pw = getpwnam(user)) == NULL)
+ return PAM_USER_UNKNOWN;
+
+ retval = PAM_SUCCESS;
+ lc = login_getpwclass(pw);
+
+ if (pw->pw_change || pw->pw_expire)
+ gettimeofday(&tp, NULL);
+
+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
+
+ warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
+ DEFAULT_WARN);
+
+ if (pw->pw_change) {
+ if (tp.tv_sec >= pw->pw_change)
+ /* some implementations return PAM_AUTHTOK_EXPIRED */
+ retval = PAM_NEW_AUTHTOK_REQD;
+ else if (pw->pw_change - tp.tv_sec < warntime) {
+ snprintf(buf, sizeof(buf),
+ "Warning: your password expires on %s",
+ ctime(&pw->pw_change));
+ pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL);
+ }
+ }
+
+ warntime = login_getcaptime(lc, "warnexpire", DEFAULT_WARN,
+ DEFAULT_WARN);
+
+ if (pw->pw_expire) {
+ if (tp.tv_sec >= pw->pw_expire)
+ retval = PAM_ACCT_EXPIRED;
+ else if (pw->pw_expire - tp.tv_sec < warntime) {
+ snprintf(buf, sizeof(buf),
+ "Warning: your account expires on %s",
+ ctime(&pw->pw_expire));
+ pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL);
+ }
+ }
+
+ login_close(lc);
+ return retval;
+}
+
PAM_MODULE_ENTRY("pam_unix");
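Review bot: In pam_sm_acct_mgmt, `pw` points at the static buffer returned by `getpwnam()`, yet `pw->pw_expire` is still read after the first `pam_prompt()` call. If `pam_prompt()` reaches the application's conversation callback (its name suggests so, the helper itself is outside this diff) and that callback performs any passwd lookup, the account-expiry decision would be made on an overwritten record. Copying the two fields right after the lookup, e.g. `time_t change = pw->pw_change, expire = pw->pw_expire;`, and testing the copies removes that dependency. Separately, the warnings are sent without checking `flags` for `PAM_SILENT`, and `ctime()` already terminates its string with a newline, so both messages carry one.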