summaryrefslogtreecommitdiffstats
path: root/contrib/libpam
diff options
context:
space:
mode:
authorjdp <jdp@FreeBSD.org>1998-11-25 19:46:10 +0000
committerjdp <jdp@FreeBSD.org>1998-11-25 19:46:10 +0000
commitfcce754470b5d0db4da5cdda5f12d56c25107682 (patch)
treea2da70898c64d0431b2d72de71fe9d4b79f84cd8 /contrib/libpam
parentaec3e1ab2f35e76981af7bfbffeb96922839135a (diff)
downloadFreeBSD-src-fcce754470b5d0db4da5cdda5f12d56c25107682.zip
FreeBSD-src-fcce754470b5d0db4da5cdda5f12d56c25107682.tar.gz
Remove files that we don't use and are unlikely to use. You can
still get them with "cvs upd -r pam_unpruned" if you want to look at them.
Diffstat (limited to 'contrib/libpam')
-rw-r--r--contrib/libpam/bin/README39
-rw-r--r--contrib/libpam/conf/Makefile60
-rwxr-xr-xcontrib/libpam/conf/install178
-rwxr-xr-xcontrib/libpam/conf/install_conf36
-rwxr-xr-xcontrib/libpam/conf/md5itall45
-rwxr-xr-xcontrib/libpam/conf/mkdirp50
-rw-r--r--contrib/libpam/conf/pam.conf126
-rw-r--r--contrib/libpam/conf/pam_conv1/Makefile41
-rw-r--r--contrib/libpam/conf/pam_conv1/README10
-rw-r--r--contrib/libpam/conf/pam_conv1/lex.yy.c1553
-rw-r--r--contrib/libpam/conf/pam_conv1/pam_conv.lex42
-rw-r--r--contrib/libpam/conf/pam_conv1/pam_conv.tab.c1019
-rw-r--r--contrib/libpam/conf/pam_conv1/pam_conv.y203
-rw-r--r--contrib/libpam/defs/hpux.defs36
-rw-r--r--contrib/libpam/defs/linux.defs32
-rw-r--r--contrib/libpam/defs/morgan.defs35
-rw-r--r--contrib/libpam/defs/redhat.defs34
-rw-r--r--contrib/libpam/defs/solaris.defs48
-rw-r--r--contrib/libpam/defs/sunos.defs37
-rw-r--r--contrib/libpam/doc/modules/README13
-rw-r--r--contrib/libpam/doc/modules/module.sgml-template170
-rw-r--r--contrib/libpam/doc/modules/pam_chroot.sgml86
-rw-r--r--contrib/libpam/doc/modules/pam_cracklib.sgml254
-rw-r--r--contrib/libpam/doc/modules/pam_deny.sgml179
-rw-r--r--contrib/libpam/doc/modules/pam_env.sgml125
-rw-r--r--contrib/libpam/doc/modules/pam_filter.sgml150
-rw-r--r--contrib/libpam/doc/modules/pam_ftp.sgml93
-rw-r--r--contrib/libpam/doc/modules/pam_group.sgml108
-rw-r--r--contrib/libpam/doc/modules/pam_krb4.sgml126
-rw-r--r--contrib/libpam/doc/modules/pam_lastlog.sgml119
-rw-r--r--contrib/libpam/doc/modules/pam_limits.sgml196
-rw-r--r--contrib/libpam/doc/modules/pam_listfile.sgml138
-rw-r--r--contrib/libpam/doc/modules/pam_mail.sgml124
-rw-r--r--contrib/libpam/doc/modules/pam_nologin.sgml75
-rw-r--r--contrib/libpam/doc/modules/pam_permit.sgml83
-rw-r--r--contrib/libpam/doc/modules/pam_pwdb.sgml245
-rw-r--r--contrib/libpam/doc/modules/pam_radius.sgml117
-rw-r--r--contrib/libpam/doc/modules/pam_rhosts.sgml157
-rw-r--r--contrib/libpam/doc/modules/pam_rootok.sgml85
-rw-r--r--contrib/libpam/doc/modules/pam_securetty.sgml72
-rw-r--r--contrib/libpam/doc/modules/pam_time.sgml166
-rw-r--r--contrib/libpam/doc/modules/pam_warn.sgml67
-rw-r--r--contrib/libpam/doc/modules/pam_wheel.sgml124
-rw-r--r--contrib/libpam/doc/ps/README3
-rw-r--r--contrib/libpam/doc/specs/draft-morgan-pam-00.raw270
-rw-r--r--contrib/libpam/doc/specs/formatter/Makefile16
-rw-r--r--contrib/libpam/doc/specs/formatter/parse.lex11
-rw-r--r--contrib/libpam/doc/specs/formatter/parse.y293
-rw-r--r--contrib/libpam/doc/txts/README3
-rw-r--r--contrib/libpam/examples/Makefile42
-rw-r--r--contrib/libpam/examples/blank.c173
-rw-r--r--contrib/libpam/examples/check_user.c65
-rw-r--r--contrib/libpam/examples/test.c99
-rw-r--r--contrib/libpam/examples/vpass.c47
-rw-r--r--contrib/libpam/examples/xsh.c139
-rw-r--r--contrib/libpam/modules/Makefile132
-rw-r--r--contrib/libpam/modules/README55
-rw-r--r--contrib/libpam/modules/dont_makefile19
-rw-r--r--contrib/libpam/modules/pam_access/Makefile111
-rw-r--r--contrib/libpam/modules/pam_access/README40
-rw-r--r--contrib/libpam/modules/pam_access/access.conf52
-rwxr-xr-xcontrib/libpam/modules/pam_access/install_conf46
-rw-r--r--contrib/libpam/modules/pam_access/pam_access.c424
-rw-r--r--contrib/libpam/modules/pam_cracklib/Makefile110
-rw-r--r--contrib/libpam/modules/pam_cracklib/README21
-rw-r--r--contrib/libpam/modules/pam_cracklib/pam_cracklib.c687
-rw-r--r--contrib/libpam/modules/pam_deny/Makefile125
-rw-r--r--contrib/libpam/modules/pam_deny/README4
-rw-r--r--contrib/libpam/modules/pam_deny/pam_deny.c94
-rw-r--r--contrib/libpam/modules/pam_env/Makefile107
-rw-r--r--contrib/libpam/modules/pam_env/README72
-rwxr-xr-xcontrib/libpam/modules/pam_env/install_conf46
-rw-r--r--contrib/libpam/modules/pam_env/pam_env.c779
-rw-r--r--contrib/libpam/modules/pam_env/pam_env.conf-example72
-rw-r--r--contrib/libpam/modules/pam_filter/Makefile150
-rw-r--r--contrib/libpam/modules/pam_filter/README94
-rw-r--r--contrib/libpam/modules/pam_filter/include/pam_filter.h32
-rw-r--r--contrib/libpam/modules/pam_filter/pam_filter.c747
-rw-r--r--contrib/libpam/modules/pam_filter/upperLOWER/Makefile58
-rw-r--r--contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c160
-rw-r--r--contrib/libpam/modules/pam_ftp/Makefile96
-rw-r--r--contrib/libpam/modules/pam_ftp/README20
-rw-r--r--contrib/libpam/modules/pam_ftp/pam_ftp.c295
-rw-r--r--contrib/libpam/modules/pam_group/Makefile114
-rw-r--r--contrib/libpam/modules/pam_group/group.conf60
-rwxr-xr-xcontrib/libpam/modules/pam_group/install_conf46
-rw-r--r--contrib/libpam/modules/pam_group/pam_group.c862
-rw-r--r--contrib/libpam/modules/pam_lastlog/Makefile106
-rw-r--r--contrib/libpam/modules/pam_lastlog/pam_lastlog.c469
-rw-r--r--contrib/libpam/modules/pam_limits/Makefile102
-rw-r--r--contrib/libpam/modules/pam_limits/README87
-rwxr-xr-xcontrib/libpam/modules/pam_limits/install_conf46
-rw-r--r--contrib/libpam/modules/pam_limits/limits.skel41
-rw-r--r--contrib/libpam/modules/pam_limits/pam_limits.c592
-rw-r--r--contrib/libpam/modules/pam_listfile/Makefile84
-rw-r--r--contrib/libpam/modules/pam_listfile/README25
-rw-r--r--contrib/libpam/modules/pam_listfile/pam_listfile.c436
-rw-r--r--contrib/libpam/modules/pam_mail/Makefile107
-rw-r--r--contrib/libpam/modules/pam_mail/pam_mail.c401
-rw-r--r--contrib/libpam/modules/pam_nologin/README12
-rw-r--r--contrib/libpam/modules/pam_nologin/pam_nologin.c124
-rw-r--r--contrib/libpam/modules/pam_permit/Makefile126
-rw-r--r--contrib/libpam/modules/pam_permit/README4
-rw-r--r--contrib/libpam/modules/pam_permit/pam_permit.c122
-rw-r--r--contrib/libpam/modules/pam_pwdb/BUGS8
-rw-r--r--contrib/libpam/modules/pam_pwdb/CHANGELOG10
-rw-r--r--contrib/libpam/modules/pam_pwdb/Makefile155
-rw-r--r--contrib/libpam/modules/pam_pwdb/README41
-rw-r--r--contrib/libpam/modules/pam_pwdb/TODO34
-rw-r--r--contrib/libpam/modules/pam_pwdb/bigcrypt.-c114
-rw-r--r--contrib/libpam/modules/pam_pwdb/md5.c259
-rw-r--r--contrib/libpam/modules/pam_pwdb/md5.h30
-rw-r--r--contrib/libpam/modules/pam_pwdb/md5_crypt.c164
-rw-r--r--contrib/libpam/modules/pam_pwdb/pam_pwdb.c257
-rw-r--r--contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c292
-rw-r--r--contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c129
-rw-r--r--contrib/libpam/modules/pam_pwdb/pam_unix_md.-c55
-rw-r--r--contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c371
-rw-r--r--contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c272
-rw-r--r--contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c112
-rw-r--r--contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c208
-rw-r--r--contrib/libpam/modules/pam_pwdb/support.-c910
-rw-r--r--contrib/libpam/modules/pam_radius/Makefile99
-rw-r--r--contrib/libpam/modules/pam_radius/README58
-rw-r--r--contrib/libpam/modules/pam_radius/pam_radius.c193
-rw-r--r--contrib/libpam/modules/pam_radius/pam_radius.h35
-rw-r--r--contrib/libpam/modules/pam_rhosts/Makefile94
-rw-r--r--contrib/libpam/modules/pam_rhosts/README57
-rw-r--r--contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c788
-rw-r--r--contrib/libpam/modules/pam_rootok/Makefile111
-rw-r--r--contrib/libpam/modules/pam_rootok/README18
-rw-r--r--contrib/libpam/modules/pam_rootok/pam_rootok.c118
-rw-r--r--contrib/libpam/modules/pam_securetty/Makefile83
-rw-r--r--contrib/libpam/modules/pam_securetty/README9
-rw-r--r--contrib/libpam/modules/pam_securetty/pam_securetty.c204
-rw-r--r--contrib/libpam/modules/pam_shells/Makefile84
-rw-r--r--contrib/libpam/modules/pam_shells/README10
-rw-r--r--contrib/libpam/modules/pam_shells/pam_shells.c131
-rw-r--r--contrib/libpam/modules/pam_stress/Makefile109
-rw-r--r--contrib/libpam/modules/pam_stress/README66
-rw-r--r--contrib/libpam/modules/pam_stress/pam_stress.c581
-rw-r--r--contrib/libpam/modules/pam_tally/Makefile93
-rw-r--r--contrib/libpam/modules/pam_tally/README51
-rw-r--r--contrib/libpam/modules/pam_tally/pam_tally.c634
-rw-r--r--contrib/libpam/modules/pam_time/Makefile121
-rw-r--r--contrib/libpam/modules/pam_time/README37
-rwxr-xr-xcontrib/libpam/modules/pam_time/install_conf46
-rw-r--r--contrib/libpam/modules/pam_time/pam_time.c614
-rw-r--r--contrib/libpam/modules/pam_time/time.conf64
-rw-r--r--contrib/libpam/modules/pam_unix/CHANGELOG6
-rw-r--r--contrib/libpam/modules/pam_unix/Makefile155
-rw-r--r--contrib/libpam/modules/pam_unix/README39
-rw-r--r--contrib/libpam/modules/pam_unix/pam_unix_acct.c117
-rw-r--r--contrib/libpam/modules/pam_unix/pam_unix_auth.c309
-rw-r--r--contrib/libpam/modules/pam_unix/pam_unix_passwd.c813
-rw-r--r--contrib/libpam/modules/pam_unix/pam_unix_sess.c181
-rw-r--r--contrib/libpam/modules/pam_unix/support.c152
-rw-r--r--contrib/libpam/modules/pam_warn/Makefile96
-rw-r--r--contrib/libpam/modules/pam_warn/README23
-rw-r--r--contrib/libpam/modules/pam_warn/pam_warn.c112
-rw-r--r--contrib/libpam/modules/pam_wheel/Makefile94
-rw-r--r--contrib/libpam/modules/pam_wheel/README33
-rw-r--r--contrib/libpam/modules/pam_wheel/pam_wheel.c277
163 files changed, 0 insertions, 26807 deletions
diff --git a/contrib/libpam/bin/README b/contrib/libpam/bin/README
deleted file mode 100644
index 92ab525..0000000
--- a/contrib/libpam/bin/README
+++ /dev/null
@@ -1,39 +0,0 @@
-##
-# $Id: README,v 1.6 1997/02/15 19:21:08 morgan Exp $
-##
-# $Log: README,v $
-# Revision 1.6 1997/02/15 19:21:08 morgan
-# fixed email
-#
-# Revision 1.5 1996/08/09 05:29:43 morgan
-# trimmed in line with the removal of applications from the distribution
-#
-#
-##
-
-(now we are getting networked apps, be careful to try and test on a
-securely isolated system!)
-
-N=2 <-- blank xsh
-
-Following a 'make install' (which should be done as root) in the
-parent directory this directory will contain $N binaries. The source
-for these programs is in ../examples. They are various short programs
-to use and otherwise test-drive the Linux-PAM libraries/modules with.
-
-These programs grant no privileges, but they give an idea of how well
-the modules are working.
-
-blank is new as of Linux-PAM-0.21. If you are writing/modifying an
-application it might be a place to start...
-
-xsh is new as of Linux-PAM-0.31, it is identical to blank, but invokes
-/bin/sh if the user is authenticated.
-
-[other apps are to be found in SimplePAMApps and many more on Red
-Hat's server.. http://www.redhat.com/]
-
-Best wishes
-
-Andrew
-(morgan@parc.power.net)
diff --git a/contrib/libpam/conf/Makefile b/contrib/libpam/conf/Makefile
deleted file mode 100644
index 4fb9f7c..0000000
--- a/contrib/libpam/conf/Makefile
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# $Id: Makefile,v 1.8 1997/04/05 06:59:33 morgan Exp $
-#
-# $Log: Makefile,v $
-# Revision 1.8 1997/04/05 06:59:33 morgan
-# fakeroot and $(MAKE)
-#
-# Revision 1.7 1997/02/15 15:53:51 morgan
-# added lines to make pam_conv1
-#
-# Revision 1.6 1996/11/10 19:48:09 morgan
-# fix for systems that have not installed bash in /bin/
-#
-# Revision 1.5 1996/03/16 22:21:26 morgan
-# added 'make remove' option
-#
-# Revision 1.4 1996/03/10 21:01:47 morgan
-# added .ignore_age flag file
-#
-# Revision 1.3 1996/03/10 17:41:28 morgan
-# make RCScheck check for the presence of the executable before running
-# it!
-#
-# Revision 1.2 1996/03/10 17:16:42 morgan
-# added md5RCS/ RCScheck entry
-#
-#
-
-dummy:
- @echo "*** This is not a top level Makefile!"
-
-##########################################################
-
-all:
- $(MAKE) -C pam_conv1 all
-
-install: $(FAKEROOT)$(CONFIGED)/pam.conf
- $(MAKE) -C pam_conv1 install
-
-$(FAKEROOT)$(CONFIGED)/pam.conf: ./pam.conf
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(CONFIGED)/pam.conf
- $(MAKE) -C pam_conv1 remove
-
-check:
- bash -f ./md5itall
-
-RCScheck:
- if [ -x ./md5RCS ]; then bash -f ./md5RCS ; fi
-
-lclean:
- rm -f core *~ .ignore_age
-
-clean: lclean
- $(MAKE) -C pam_conv1 clean
-
-extraclean: lclean
- $(MAKE) -C pam_conv1 extraclean
diff --git a/contrib/libpam/conf/install b/contrib/libpam/conf/install
deleted file mode 100755
index 2eae367..0000000
--- a/contrib/libpam/conf/install
+++ /dev/null
@@ -1,178 +0,0 @@
-#!/bin/sh
-#
-# [This file was lifted from an X distribution. There was no explicit
-# copyright in the file, but the following text was associated with it.
-# should anyone from the X Consortium wish to alter the following
-# text. Please email <morgan@parc.power.net> Thanks. ]
-#
-# --------------------------
-# The X Consortium maintains and distributes the X Window System and
-# related software and documentation in coordinated releases. A release
-# consists of two distinct parts:
-#
-# 1) Specifications and Sample implementations of X Consortium
-# standards, and
-#
-# 2) software and documentation contributed by the general X Consortium
-# community.
-#
-# The timing and contents of a release are determined by the Consortium
-# staff based on the needs and desires of the Members and the advice of
-# the Advisory Board, tempered by the resource constraints of the
-# Consortium.
-#
-# Members have access to all X Consortium produced software and
-# documentation prior to release to the public. Each Member can receive
-# pre-releases and public releases at no charge. In addition, Members
-# have access to software and documentation while it is under
-# development, and can periodically request snapshots of the development
-# system at no charge.
-#
-# The X Consortium also maintains an electronic mail system for
-# reporting problems with X Consortium produced software and
-# documentation. Members have access to all bug reports, as well as all
-# software patches as they are incrementally developed by the Consortium
-# staff between releases.
-#
-# In general, all materials included in X Consortium releases are
-# copyrighted and contain permission notices granting unrestricted use,
-# sales and redistribution rights provided that the copyrights and the
-# permission notices are left intact. All materials are provided "as
-# is," without express or implied warranty.
-# --------------------------
-#
-# This accepts bsd-style install arguments and makes the appropriate calls
-# to the System V install.
-#
-
-flags=""
-dst=""
-src=""
-dostrip=""
-owner=""
-mode=""
-
-while [ x$1 != x ]; do
- case $1 in
- -c) shift
- continue;;
-
- -m) flags="$flags $1 $2 "
- mode="$2"
- shift
- shift
- continue;;
-
- -o) flags="$flags -u $2 "
- owner="$2"
- shift
- shift
- continue;;
-
- -g) flags="$flags $1 $2 "
- shift
- shift
- continue;;
-
- -s) dostrip="strip"
- shift
- continue;;
-
- *) if [ x$src = x ]
- then
- src=$1
- else
- dst=$1
- fi
- shift
- continue;;
- esac
-done
-
-case "$mode" in
-"")
- ;;
-*)
- case "$owner" in
- "")
- flags="$flags -u root"
- ;;
- esac
- ;;
-esac
-
-if [ x$src = x ]
-then
- echo "$0: no input file specified"
- exit 1
-fi
-
-if [ x$dst = x ]
-then
- echo "$0: no destination specified"
- exit 1
-fi
-
-
-# set up some variable to be used later
-
-rmcmd=""
-srcdir="."
-
-# if the destination isn't a directory we'll need to copy it first
-
-if [ ! -d $dst ]
-then
- dstbase=`basename $dst`
- cp $src /tmp/$dstbase
- rmcmd="rm -f /tmp/$dstbase"
- src=$dstbase
- srcdir=/tmp
- dst="`echo $dst | sed 's,^\(.*\)/.*$,\1,'`"
- if [ x$dst = x ]
- then
- dst="."
- fi
-fi
-
-
-# If the src file has a directory, copy it to /tmp to make install happy
-
-srcbase=`basename $src`
-
-if [ "$src" != "$srcbase" -a "$src" != "./$srcbase" ]
-then
- cp $src /tmp/$srcbase
- src=$srcbase
- srcdir=/tmp
- rmcmd="rm -f /tmp/$srcbase"
-fi
-
-# do the actual install
-
-if [ -f /usr/sbin/install ]
-then
- installcmd=/usr/sbin/install
-elif [ -f /etc/install ]
-then
- installcmd=/etc/install
-else
- installcmd=install
-fi
-
-# This rm is commented out because some people want to be able to
-# install through symbolic links. Uncomment it if it offends you.
-rm -f $dst/$srcbase
-(cd $srcdir ; $installcmd -f $dst $flags $src)
-
-if [ x$dostrip = xstrip ]
-then
- strip $dst/$srcbase
-fi
-
-# and clean up
-
-$rmcmd
-
-exit
-
diff --git a/contrib/libpam/conf/install_conf b/contrib/libpam/conf/install_conf
deleted file mode 100755
index db650a0..0000000
--- a/contrib/libpam/conf/install_conf
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-CONFILE="$FAKEROOT"$CONFIGED/pam.conf
-IGNORE_AGE=./.ignore_age
-CONF=./pam.conf
-
-echo
-
-if [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "\
-An older Linux-PAM configuration file already exists ($CONFILE)"
- WRITE=overwrite
- fi
- echo -n "\
-Do you wish to copy the $CONF file in this distribution
-to $CONFILE ? (y/n) [n] "
- read yes
-else
- yes=n
-fi
-
-if [ "$yes" = "y" ]; then
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- touch "$IGNORE_AGE"
- echo " Skipping $CONF installation"
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/conf/md5itall b/contrib/libpam/conf/md5itall
deleted file mode 100755
index 6328a4f..0000000
--- a/contrib/libpam/conf/md5itall
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-#
-# $Id$
-#
-# $Log$
-#
-# Created by Andrew G. Morgan (morgan@parc.power.net)
-#
-
-MD5SUM=md5sum
-CHKFILE1=./.md5sum
-CHKFILE2=./.md5sum-new
-
-which $MD5SUM > /dev/null
-result=$?
-
-if [ -x "$MD5SUM" ] || [ $result -eq 0 ]; then
- rm -f $CHKFILE2
- echo -n "computing md5 checksums."
- for x in `cat ../.filelist` ; do
- (cd ../.. ; $MD5SUM $x) >> $CHKFILE2
- echo -n "."
- done
- echo
- if [ -f "$CHKFILE1" ]; then
- echo "\
----> Note, since the last \`make check', the following file(s) have changed:
-==========================================================================="
- diff $CHKFILE1 $CHKFILE2
- if [ $? -eq 0 ]; then
- echo "\
---------------------------- Nothing has changed ---------------------------"
- fi
- echo "\
-==========================================================================="
- fi
- rm -f "$CHKFILE1"
- mv "$CHKFILE2" "$CHKFILE1"
- chmod 400 "$CHKFILE1"
-else
- echo "\
-Please install \`$MD5SUM'.
-[It is used to check the integrity of this distribution]
----> no check done."
-fi
diff --git a/contrib/libpam/conf/mkdirp b/contrib/libpam/conf/mkdirp
deleted file mode 100755
index b0e04b0..0000000
--- a/contrib/libpam/conf/mkdirp
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-#
-# this is a wrapper for difficult mkdir programs...
-#
-
-for d in $*
-do
- if [ ! -d $d ]; then
- mkdir -p $d
- if [ $? -ne 0 ]; then exit $? ; fi
- fi
-done
-
-exit 0
-
-##########################################################################
-# if your mkdir does not support the -p option delete the above lines and
-# use what follows:
---------------------
-#!/bin/sh
-
-#VERBOSE=yes
-Cwd=`pwd`
-
-for d in $*
-do
- if [ "`echo $d|cut -c1`" != "/" ]; then
- x=`pwd`/$d
- else
- x=$d
- fi
- x="`echo $x|sed -e 'yX/X X'`"
- cd /
- for s in $x
- do
- if [ -d $s ]; then
- if [ -n "$VERBOSE" ]; then echo -n "[$s/]"; fi
- cd $s
- else
- mkdir $s
- if [ $? -ne 0 ]; then exit $? ; fi
- if [ -n "$VERBOSE" ]; then echo -n "$s/"; fi
- cd $s
- fi
- done
- if [ -n "$VERBOSE" ]; then echo ; fi
- cd $Cwd
-done
-
-exit 0
diff --git a/contrib/libpam/conf/pam.conf b/contrib/libpam/conf/pam.conf
deleted file mode 100644
index 2e4f034..0000000
--- a/contrib/libpam/conf/pam.conf
+++ /dev/null
@@ -1,126 +0,0 @@
-# ---------------------------------------------------------------------------#
-# /etc/pam.conf #
-# #
-# Last modified by Andrew G. Morgan <morgan@parc.power.net> #
-# ---------------------------------------------------------------------------#
-# $Id: pam.conf,v 1.18 1997/02/15 20:20:20 morgan Exp morgan $
-# ---------------------------------------------------------------------------#
-# serv. module ctrl module [path] ...[args..] #
-# name type flag #
-# ---------------------------------------------------------------------------#
-#
-# The PAM configuration file for the `chfn' service
-#
-chfn auth required pam_pwdb.so
-chfn account required pam_pwdb.so
-chfn password required pam_cracklib.so retry=3
-chfn password required pam_pwdb.so shadow md5 use_authtok
-#
-# The PAM configuration file for the `chsh' service
-#
-chsh auth required pam_pwdb.so
-chsh account required pam_pwdb.so
-chsh password required pam_cracklib.so retry=3
-chsh password required pam_pwdb.so shadow md5 use_authtok
-#
-# The PAM configuration file for the `ftp' service
-#
-ftp auth requisite pam_listfile.so \
- item=user sense=deny file=/etc/ftpusers onerr=succeed
-ftp auth requisite pam_shells.so
-ftp auth required pam_pwdb.so
-ftp account required pam_pwdb.so
-#
-# The PAM configuration file for the `imap' service
-#
-imap auth required pam_pwdb.so
-imap account required pam_pwdb.so
-#
-# The PAM configuration file for the `login' service
-#
-login auth requisite pam_securetty.so
-login auth required pam_pwdb.so
-login auth optional pam_group.so
-login account requisite pam_time.so
-login account required pam_pwdb.so
-login password required pam_cracklib.so retry=3
-login password required pam_pwdb.so shadow md5 use_authtok
-login session required pam_pwdb.so
-#
-# The PAM configuration file for the `netatalk' service
-#
-netatalk auth required pam_pwdb.so
-netatalk account required pam_pwdb.so
-#
-# The PAM configuration file for the `other' service
-#
-other auth required pam_deny.so
-other auth required pam_warn.so
-other account required pam_deny.so
-other password required pam_deny.so
-other password required pam_warn.so
-other session required pam_deny.so
-#
-# The PAM configuration file for the `passwd' service
-#
-passwd password requisite pam_cracklib.so retry=3
-passwd password required pam_pwdb.so shadow md5 use_authtok
-#
-# The PAM configuration file for the `rexec' service
-#
-rexec auth requisite pam_securetty.so
-rexec auth requisite pam_nologin.so
-rexec auth sufficient pam_rhosts_auth.so
-rexec auth required pam_pwdb.so
-rexec account required pam_pwdb.so
-rexec session required pam_pwdb.so
-rexec session required pam_limits.so
-#
-# The PAM configuration file for the `rlogin' service
-# this application passes control to `login' if it fails
-#
-rlogin auth requisite pam_securetty.so
-rlogin auth requisite pam_nologin.so
-rlogin auth required pam_rhosts_auth.so
-rlogin account required pam_pwdb.so
-rlogin password required pam_cracklib.so retry=3
-rlogin password required pam_pwdb.so shadow md5 use_authtok
-rlogin session required pam_pwdb.so
-rlogin session required pam_limits.so
-#
-# The PAM configuration file for the `rsh' service
-#
-rsh auth requisite pam_securetty.so
-rsh auth requisite pam_nologin.so
-rsh auth sufficient pam_rhosts_auth.so
-rsh auth required pam_pwdb.so
-rsh account required pam_pwdb.so
-rsh session required pam_pwdb.so
-rsh session required pam_limits.so
-#
-# The PAM configuration file for the `samba' service
-#
-samba auth required pam_pwdb.so
-samba account required pam_pwdb.so
-#
-# The PAM configuration file for the `su' service
-#
-su auth required pam_wheel.so
-su auth sufficient pam_rootok.so
-su auth required pam_pwdb.so
-su account required pam_pwdb.so
-su session required pam_pwdb.so
-#
-# The PAM configuration file for the `vlock' service
-#
-vlock auth required pam_pwdb.so
-#
-# The PAM configuration file for the `xdm' service
-#
-xdm auth required pam_pwdb.so
-xdm account required pam_pwdb.so
-#
-# The PAM configuration file for the `xlock' service
-#
-xlock auth required pam_pwdb.so
-
diff --git a/contrib/libpam/conf/pam_conv1/Makefile b/contrib/libpam/conf/pam_conv1/Makefile
deleted file mode 100644
index 7691dc3..0000000
--- a/contrib/libpam/conf/pam_conv1/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-#
-ifeq ($(OS),solaris)
-
-clean:
- @echo not available in Solaris
-
-all:
- @echo not available in Solaris
-
-install:
- @echo not available in Solaris
-
-else
-
-all: pam_conv1
-
-pam_conv1: pam_conv.tab.c lex.yy.c
- $(CC) -o pam_conv1 pam_conv.tab.c -lfl
-
-pam_conv.tab.c: pam_conv.y lex.yy.c
- bison pam_conv.y
-
-lex.yy.c: pam_conv.lex
- flex pam_conv.lex
-
-lclean:
- rm -f core pam_conv1 lex.yy.c pam_conv.tab.c *.o *~
- rm -rf ./pam.d pam_conv.output
-
-clean: lclean
-
-install: pam_conv1
- cp -f ./pam_conv1 ../../bin
-
-endif
-
-remove:
- rm -f ../../bin/pam_conv1
-
-extraclean: remove clean
diff --git a/contrib/libpam/conf/pam_conv1/README b/contrib/libpam/conf/pam_conv1/README
deleted file mode 100644
index d3344bb..0000000
--- a/contrib/libpam/conf/pam_conv1/README
+++ /dev/null
@@ -1,10 +0,0 @@
-$Id: README,v 1.1 1997/02/15 15:50:50 morgan Exp $
-
-This directory contains a untility to convert pam.conf files to a pam.d/
-tree. The conversion program takes pam.conf from the standard input and
-creates the pam.d/ directory in the current directory.
-
-The program will fail if ./pam.d/ already exists.
-
-Andrew Morgan, February 1997
-
diff --git a/contrib/libpam/conf/pam_conv1/lex.yy.c b/contrib/libpam/conf/pam_conv1/lex.yy.c
deleted file mode 100644
index 5843e58..0000000
--- a/contrib/libpam/conf/pam_conv1/lex.yy.c
+++ /dev/null
@@ -1,1553 +0,0 @@
-/* A lexical scanner generated by flex */
-
-/* Scanner skeleton version:
- * $Header: /home/daffy/u0/vern/flex/RCS/flex.skl,v 2.91 96/09/10 16:58:48 vern Exp $
- */
-
-#define FLEX_SCANNER
-#define YY_FLEX_MAJOR_VERSION 2
-#define YY_FLEX_MINOR_VERSION 5
-
-#include <stdio.h>
-
-
-/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
-#ifdef c_plusplus
-#ifndef __cplusplus
-#define __cplusplus
-#endif
-#endif
-
-
-#ifdef __cplusplus
-
-#include <stdlib.h>
-#include <unistd.h>
-
-/* Use prototypes in function declarations. */
-#define YY_USE_PROTOS
-
-/* The "const" storage-class-modifier is valid. */
-#define YY_USE_CONST
-
-#else /* ! __cplusplus */
-
-#if __STDC__
-
-#define YY_USE_PROTOS
-#define YY_USE_CONST
-
-#endif /* __STDC__ */
-#endif /* ! __cplusplus */
-
-#ifdef __TURBOC__
- #pragma warn -rch
- #pragma warn -use
-#include <io.h>
-#include <stdlib.h>
-#define YY_USE_CONST
-#define YY_USE_PROTOS
-#endif
-
-#ifdef YY_USE_CONST
-#define yyconst const
-#else
-#define yyconst
-#endif
-
-
-#ifdef YY_USE_PROTOS
-#define YY_PROTO(proto) proto
-#else
-#define YY_PROTO(proto) ()
-#endif
-
-/* Returned upon end-of-file. */
-#define YY_NULL 0
-
-/* Promotes a possibly negative, possibly signed char to an unsigned
- * integer for use as an array index. If the signed char is negative,
- * we want to instead treat it as an 8-bit unsigned char, hence the
- * double cast.
- */
-#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
-
-/* Enter a start condition. This macro really ought to take a parameter,
- * but we do it the disgusting crufty way forced on us by the ()-less
- * definition of BEGIN.
- */
-#define BEGIN yy_start = 1 + 2 *
-
-/* Translate the current start state into a value that can be later handed
- * to BEGIN to return to the state. The YYSTATE alias is for lex
- * compatibility.
- */
-#define YY_START ((yy_start - 1) / 2)
-#define YYSTATE YY_START
-
-/* Action number for EOF rule of a given start state. */
-#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-
-/* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE yyrestart( yyin )
-
-#define YY_END_OF_BUFFER_CHAR 0
-
-/* Size of default input buffer. */
-#define YY_BUF_SIZE 16384
-
-typedef struct yy_buffer_state *YY_BUFFER_STATE;
-
-extern int yyleng;
-extern FILE *yyin, *yyout;
-
-#define EOB_ACT_CONTINUE_SCAN 0
-#define EOB_ACT_END_OF_FILE 1
-#define EOB_ACT_LAST_MATCH 2
-
-/* The funky do-while in the following #define is used to turn the definition
- * int a single C statement (which needs a semi-colon terminator). This
- * avoids problems with code like:
- *
- * if ( condition_holds )
- * yyless( 5 );
- * else
- * do_something_else();
- *
- * Prior to using the do-while the compiler would get upset at the
- * "else" because it interpreted the "if" statement as being all
- * done when it reached the ';' after the yyless() call.
- */
-
-/* Return all but the first 'n' matched characters back to the input stream. */
-
-#define yyless(n) \
- do \
- { \
- /* Undo effects of setting up yytext. */ \
- *yy_cp = yy_hold_char; \
- YY_RESTORE_YY_MORE_OFFSET \
- yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \
- YY_DO_BEFORE_ACTION; /* set up yytext again */ \
- } \
- while ( 0 )
-
-#define unput(c) yyunput( c, yytext_ptr )
-
-/* The following is because we cannot portably get our hands on size_t
- * (without autoconf's help, which isn't available because we want
- * flex-generated scanners to compile on their own).
- */
-typedef unsigned int yy_size_t;
-
-
-struct yy_buffer_state
- {
- FILE *yy_input_file;
-
- char *yy_ch_buf; /* input buffer */
- char *yy_buf_pos; /* current position in input buffer */
-
- /* Size of input buffer in bytes, not including room for EOB
- * characters.
- */
- yy_size_t yy_buf_size;
-
- /* Number of characters read into yy_ch_buf, not including EOB
- * characters.
- */
- int yy_n_chars;
-
- /* Whether we "own" the buffer - i.e., we know we created it,
- * and can realloc() it to grow it, and should free() it to
- * delete it.
- */
- int yy_is_our_buffer;
-
- /* Whether this is an "interactive" input source; if so, and
- * if we're using stdio for input, then we want to use getc()
- * instead of fread(), to make sure we stop fetching input after
- * each newline.
- */
- int yy_is_interactive;
-
- /* Whether we're considered to be at the beginning of a line.
- * If so, '^' rules will be active on the next match, otherwise
- * not.
- */
- int yy_at_bol;
-
- /* Whether to try to fill the input buffer when we reach the
- * end of it.
- */
- int yy_fill_buffer;
-
- int yy_buffer_status;
-#define YY_BUFFER_NEW 0
-#define YY_BUFFER_NORMAL 1
- /* When an EOF's been seen but there's still some text to process
- * then we mark the buffer as YY_EOF_PENDING, to indicate that we
- * shouldn't try reading from the input source any more. We might
- * still have a bunch of tokens to match, though, because of
- * possible backing-up.
- *
- * When we actually see the EOF, we change the status to "new"
- * (via yyrestart()), so that the user can continue scanning by
- * just pointing yyin at a new input file.
- */
-#define YY_BUFFER_EOF_PENDING 2
- };
-
-static YY_BUFFER_STATE yy_current_buffer = 0;
-
-/* We provide macros for accessing buffer states in case in the
- * future we want to put the buffer states in a more general
- * "scanner state".
- */
-#define YY_CURRENT_BUFFER yy_current_buffer
-
-
-/* yy_hold_char holds the character lost when yytext is formed. */
-static char yy_hold_char;
-
-static int yy_n_chars; /* number of characters read into yy_ch_buf */
-
-
-int yyleng;
-
-/* Points to current character in buffer. */
-static char *yy_c_buf_p = (char *) 0;
-static int yy_init = 1; /* whether we need to initialize */
-static int yy_start = 0; /* start state number */
-
-/* Flag which is used to allow yywrap()'s to do buffer switches
- * instead of setting up a fresh yyin. A bit of a hack ...
- */
-static int yy_did_buffer_switch_on_eof;
-
-void yyrestart YY_PROTO(( FILE *input_file ));
-
-void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer ));
-void yy_load_buffer_state YY_PROTO(( void ));
-YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size ));
-void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file ));
-void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer )
-
-YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size ));
-YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
-YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
-
-static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
-static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t ));
-static void yy_flex_free YY_PROTO(( void * ));
-
-#define yy_new_buffer yy_create_buffer
-
-#define yy_set_interactive(is_interactive) \
- { \
- if ( ! yy_current_buffer ) \
- yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
- yy_current_buffer->yy_is_interactive = is_interactive; \
- }
-
-#define yy_set_bol(at_bol) \
- { \
- if ( ! yy_current_buffer ) \
- yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
- yy_current_buffer->yy_at_bol = at_bol; \
- }
-
-#define YY_AT_BOL() (yy_current_buffer->yy_at_bol)
-
-typedef unsigned char YY_CHAR;
-FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
-typedef int yy_state_type;
-extern char *yytext;
-#define yytext_ptr yytext
-
-static yy_state_type yy_get_previous_state YY_PROTO(( void ));
-static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state ));
-static int yy_get_next_buffer YY_PROTO(( void ));
-static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
-
-/* Done after the current pattern has been matched and before the
- * corresponding action - sets up yytext.
- */
-#define YY_DO_BEFORE_ACTION \
- yytext_ptr = yy_bp; \
- yyleng = (int) (yy_cp - yy_bp); \
- yy_hold_char = *yy_cp; \
- *yy_cp = '\0'; \
- yy_c_buf_p = yy_cp;
-
-#define YY_NUM_RULES 6
-#define YY_END_OF_BUFFER 7
-static yyconst short int yy_accept[21] =
- { 0,
- 0, 0, 7, 3, 4, 5, 1, 3, 3, 3,
- 4, 1, 1, 1, 3, 2, 3, 1, 1, 0
- } ;
-
-static yyconst int yy_ec[256] =
- { 0,
- 1, 1, 1, 1, 1, 1, 1, 1, 2, 3,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 2, 1, 1, 4, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 5, 1, 1, 1, 1, 1, 1, 1, 1,
-
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1
- } ;
-
-static yyconst int yy_meta[6] =
- { 0,
- 1, 2, 3, 1, 1
- } ;
-
-static yyconst short int yy_base[24] =
- { 0,
- 0, 0, 26, 20, 0, 27, 5, 10, 19, 20,
- 0, 0, 0, 15, 0, 27, 0, 0, 0, 27,
- 17, 6, 20
- } ;
-
-static yyconst short int yy_def[24] =
- { 0,
- 20, 1, 20, 21, 22, 20, 20, 20, 21, 8,
- 22, 7, 23, 20, 9, 20, 10, 7, 14, 0,
- 20, 20, 20
- } ;
-
-static yyconst short int yy_nxt[33] =
- { 0,
- 4, 5, 6, 7, 8, 12, 13, 11, 12, 14,
- 15, 9, 16, 15, 17, 18, 12, 9, 18, 19,
- 13, 13, 20, 10, 10, 20, 3, 20, 20, 20,
- 20, 20
- } ;
-
-static yyconst short int yy_chk[33] =
- { 0,
- 1, 1, 1, 1, 1, 7, 7, 22, 7, 7,
- 8, 8, 8, 8, 8, 14, 14, 21, 14, 14,
- 23, 23, 10, 9, 4, 3, 20, 20, 20, 20,
- 20, 20
- } ;
-
-static yy_state_type yy_last_accepting_state;
-static char *yy_last_accepting_cpos;
-
-/* The intent behind this definition is that it'll catch
- * any uses of REJECT which flex missed.
- */
-#define REJECT reject_used_but_not_detected
-#define yymore() yymore_used_but_not_detected
-#define YY_MORE_ADJ 0
-#define YY_RESTORE_YY_MORE_OFFSET
-char *yytext;
-#line 1 "pam_conv.lex"
-#define INITIAL 0
-#line 3 "pam_conv.lex"
-/*
- * $Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $
- *
- * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
- *
- * This file is covered by the Linux-PAM License (which should be
- * distributed with this file.)
- */
-
- const static char lexid[]=
- "$Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $\n"
- "Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>\n";
-
- extern int current_line;
-#line 389 "lex.yy.c"
-
-/* Macros after this point can all be overridden by user definitions in
- * section 1.
- */
-
-#ifndef YY_SKIP_YYWRAP
-#ifdef __cplusplus
-extern "C" int yywrap YY_PROTO(( void ));
-#else
-extern int yywrap YY_PROTO(( void ));
-#endif
-#endif
-
-#ifndef YY_NO_UNPUT
-static void yyunput YY_PROTO(( int c, char *buf_ptr ));
-#endif
-
-#ifndef yytext_ptr
-static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int ));
-#endif
-
-#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen YY_PROTO(( yyconst char * ));
-#endif
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
-static int yyinput YY_PROTO(( void ));
-#else
-static int input YY_PROTO(( void ));
-#endif
-#endif
-
-#if YY_STACK_USED
-static int yy_start_stack_ptr = 0;
-static int yy_start_stack_depth = 0;
-static int *yy_start_stack = 0;
-#ifndef YY_NO_PUSH_STATE
-static void yy_push_state YY_PROTO(( int new_state ));
-#endif
-#ifndef YY_NO_POP_STATE
-static void yy_pop_state YY_PROTO(( void ));
-#endif
-#ifndef YY_NO_TOP_STATE
-static int yy_top_state YY_PROTO(( void ));
-#endif
-
-#else
-#define YY_NO_PUSH_STATE 1
-#define YY_NO_POP_STATE 1
-#define YY_NO_TOP_STATE 1
-#endif
-
-#ifdef YY_MALLOC_DECL
-YY_MALLOC_DECL
-#else
-#if __STDC__
-#ifndef __cplusplus
-#include <stdlib.h>
-#endif
-#else
-/* Just try to get by without declaring the routines. This will fail
- * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int)
- * or sizeof(void*) != sizeof(int).
- */
-#endif
-#endif
-
-/* Amount of stuff to slurp up with each read. */
-#ifndef YY_READ_BUF_SIZE
-#define YY_READ_BUF_SIZE 8192
-#endif
-
-/* Copy whatever the last rule matched to the standard output. */
-
-#ifndef ECHO
-/* This used to be an fputs(), but since the string might contain NUL's,
- * we now use fwrite().
- */
-#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
-#endif
-
-/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL,
- * is returned in "result".
- */
-#ifndef YY_INPUT
-#define YY_INPUT(buf,result,max_size) \
- if ( yy_current_buffer->yy_is_interactive ) \
- { \
- int c = '*', n; \
- for ( n = 0; n < max_size && \
- (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
- buf[n] = (char) c; \
- if ( c == '\n' ) \
- buf[n++] = (char) c; \
- if ( c == EOF && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- result = n; \
- } \
- else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \
- && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" );
-#endif
-
-/* No semi-colon after return; correct usage is to write "yyterminate();" -
- * we don't want an extra ';' after the "return" because that will cause
- * some compilers to complain about unreachable statements.
- */
-#ifndef yyterminate
-#define yyterminate() return YY_NULL
-#endif
-
-/* Number of entries by which start-condition stack grows. */
-#ifndef YY_START_STACK_INCR
-#define YY_START_STACK_INCR 25
-#endif
-
-/* Report a fatal error. */
-#ifndef YY_FATAL_ERROR
-#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
-#endif
-
-/* Default declaration of generated scanner - a define so the user can
- * easily add parameters.
- */
-#ifndef YY_DECL
-#define YY_DECL int yylex YY_PROTO(( void ))
-#endif
-
-/* Code executed at the beginning of each rule, after yytext and yyleng
- * have been set up.
- */
-#ifndef YY_USER_ACTION
-#define YY_USER_ACTION
-#endif
-
-/* Code executed at the end of each rule. */
-#ifndef YY_BREAK
-#define YY_BREAK break;
-#endif
-
-#define YY_RULE_SETUP \
- YY_USER_ACTION
-
-YY_DECL
- {
- register yy_state_type yy_current_state;
- register char *yy_cp, *yy_bp;
- register int yy_act;
-
-#line 19 "pam_conv.lex"
-
-
-#line 543 "lex.yy.c"
-
- if ( yy_init )
- {
- yy_init = 0;
-
-#ifdef YY_USER_INIT
- YY_USER_INIT;
-#endif
-
- if ( ! yy_start )
- yy_start = 1; /* first start state */
-
- if ( ! yyin )
- yyin = stdin;
-
- if ( ! yyout )
- yyout = stdout;
-
- if ( ! yy_current_buffer )
- yy_current_buffer =
- yy_create_buffer( yyin, YY_BUF_SIZE );
-
- yy_load_buffer_state();
- }
-
- while ( 1 ) /* loops until end-of-file is reached */
- {
- yy_cp = yy_c_buf_p;
-
- /* Support of yytext. */
- *yy_cp = yy_hold_char;
-
- /* yy_bp points to the position in yy_ch_buf of the start of
- * the current run.
- */
- yy_bp = yy_cp;
-
- yy_current_state = yy_start;
-yy_match:
- do
- {
- register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
- if ( yy_accept[yy_current_state] )
- {
- yy_last_accepting_state = yy_current_state;
- yy_last_accepting_cpos = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 21 )
- yy_c = yy_meta[(unsigned int) yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
- ++yy_cp;
- }
- while ( yy_base[yy_current_state] != 27 );
-
-yy_find_action:
- yy_act = yy_accept[yy_current_state];
- if ( yy_act == 0 )
- { /* have to back up */
- yy_cp = yy_last_accepting_cpos;
- yy_current_state = yy_last_accepting_state;
- yy_act = yy_accept[yy_current_state];
- }
-
- YY_DO_BEFORE_ACTION;
-
-
-do_action: /* This label is used only to access EOF actions. */
-
-
- switch ( yy_act )
- { /* beginning of action switch */
- case 0: /* must back up */
- /* undo the effects of YY_DO_BEFORE_ACTION */
- *yy_cp = yy_hold_char;
- yy_cp = yy_last_accepting_cpos;
- yy_current_state = yy_last_accepting_state;
- goto yy_find_action;
-
-case 1:
-YY_RULE_SETUP
-#line 21 "pam_conv.lex"
-; /* skip comments (sorry) */
- YY_BREAK
-case 2:
-YY_RULE_SETUP
-#line 23 "pam_conv.lex"
-{
- ++current_line;
-}
- YY_BREAK
-case 3:
-YY_RULE_SETUP
-#line 27 "pam_conv.lex"
-{
- return TOK;
-}
- YY_BREAK
-case 4:
-YY_RULE_SETUP
-#line 31 "pam_conv.lex"
-; /* Ignore */
- YY_BREAK
-case YY_STATE_EOF(INITIAL):
-#line 33 "pam_conv.lex"
-{
- return EOFILE;
-}
- YY_BREAK
-case 5:
-YY_RULE_SETUP
-#line 37 "pam_conv.lex"
-{
- ++current_line;
- return NL;
-}
- YY_BREAK
-case 6:
-YY_RULE_SETUP
-#line 42 "pam_conv.lex"
-ECHO;
- YY_BREAK
-#line 669 "lex.yy.c"
-
- case YY_END_OF_BUFFER:
- {
- /* Amount of text matched not including the EOB char. */
- int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1;
-
- /* Undo the effects of YY_DO_BEFORE_ACTION. */
- *yy_cp = yy_hold_char;
- YY_RESTORE_YY_MORE_OFFSET
-
- if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW )
- {
- /* We're scanning a new file or input source. It's
- * possible that this happened because the user
- * just pointed yyin at a new source and called
- * yylex(). If so, then we have to assure
- * consistency between yy_current_buffer and our
- * globals. Here is the right place to do so, because
- * this is the first action (other than possibly a
- * back-up) that will match for the new input source.
- */
- yy_n_chars = yy_current_buffer->yy_n_chars;
- yy_current_buffer->yy_input_file = yyin;
- yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL;
- }
-
- /* Note that here we test for yy_c_buf_p "<=" to the position
- * of the first EOB in the buffer, since yy_c_buf_p will
- * already have been incremented past the NUL character
- * (since all states make transitions on EOB to the
- * end-of-buffer state). Contrast this with the test
- * in input().
- */
- if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] )
- { /* This was really a NUL. */
- yy_state_type yy_next_state;
-
- yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text;
-
- yy_current_state = yy_get_previous_state();
-
- /* Okay, we're now positioned to make the NUL
- * transition. We couldn't have
- * yy_get_previous_state() go ahead and do it
- * for us because it doesn't know how to deal
- * with the possibility of jamming (and we don't
- * want to build jamming into it because then it
- * will run more slowly).
- */
-
- yy_next_state = yy_try_NUL_trans( yy_current_state );
-
- yy_bp = yytext_ptr + YY_MORE_ADJ;
-
- if ( yy_next_state )
- {
- /* Consume the NUL. */
- yy_cp = ++yy_c_buf_p;
- yy_current_state = yy_next_state;
- goto yy_match;
- }
-
- else
- {
- yy_cp = yy_c_buf_p;
- goto yy_find_action;
- }
- }
-
- else switch ( yy_get_next_buffer() )
- {
- case EOB_ACT_END_OF_FILE:
- {
- yy_did_buffer_switch_on_eof = 0;
-
- if ( yywrap() )
- {
- /* Note: because we've taken care in
- * yy_get_next_buffer() to have set up
- * yytext, we can now set up
- * yy_c_buf_p so that if some total
- * hoser (like flex itself) wants to
- * call the scanner after we return the
- * YY_NULL, it'll still work - another
- * YY_NULL will get returned.
- */
- yy_c_buf_p = yytext_ptr + YY_MORE_ADJ;
-
- yy_act = YY_STATE_EOF(YY_START);
- goto do_action;
- }
-
- else
- {
- if ( ! yy_did_buffer_switch_on_eof )
- YY_NEW_FILE;
- }
- break;
- }
-
- case EOB_ACT_CONTINUE_SCAN:
- yy_c_buf_p =
- yytext_ptr + yy_amount_of_matched_text;
-
- yy_current_state = yy_get_previous_state();
-
- yy_cp = yy_c_buf_p;
- yy_bp = yytext_ptr + YY_MORE_ADJ;
- goto yy_match;
-
- case EOB_ACT_LAST_MATCH:
- yy_c_buf_p =
- &yy_current_buffer->yy_ch_buf[yy_n_chars];
-
- yy_current_state = yy_get_previous_state();
-
- yy_cp = yy_c_buf_p;
- yy_bp = yytext_ptr + YY_MORE_ADJ;
- goto yy_find_action;
- }
- break;
- }
-
- default:
- YY_FATAL_ERROR(
- "fatal flex scanner internal error--no action found" );
- } /* end of action switch */
- } /* end of scanning one token */
- } /* end of yylex */
-
-
-/* yy_get_next_buffer - try to read in a new buffer
- *
- * Returns a code representing an action:
- * EOB_ACT_LAST_MATCH -
- * EOB_ACT_CONTINUE_SCAN - continue scanning from current position
- * EOB_ACT_END_OF_FILE - end of file
- */
-
-static int yy_get_next_buffer()
- {
- register char *dest = yy_current_buffer->yy_ch_buf;
- register char *source = yytext_ptr;
- register int number_to_move, i;
- int ret_val;
-
- if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] )
- YY_FATAL_ERROR(
- "fatal flex scanner internal error--end of buffer missed" );
-
- if ( yy_current_buffer->yy_fill_buffer == 0 )
- { /* Don't try to fill the buffer, so this is an EOF. */
- if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 )
- {
- /* We matched a single character, the EOB, so
- * treat this as a final EOF.
- */
- return EOB_ACT_END_OF_FILE;
- }
-
- else
- {
- /* We matched some text prior to the EOB, first
- * process it.
- */
- return EOB_ACT_LAST_MATCH;
- }
- }
-
- /* Try to read more data. */
-
- /* First move last chars to start of buffer. */
- number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1;
-
- for ( i = 0; i < number_to_move; ++i )
- *(dest++) = *(source++);
-
- if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- /* don't do the read, it's not guaranteed to return an EOF,
- * just force an EOF
- */
- yy_current_buffer->yy_n_chars = yy_n_chars = 0;
-
- else
- {
- int num_to_read =
- yy_current_buffer->yy_buf_size - number_to_move - 1;
-
- while ( num_to_read <= 0 )
- { /* Not enough room in the buffer - grow it. */
-#ifdef YY_USES_REJECT
- YY_FATAL_ERROR(
-"input buffer overflow, can't enlarge buffer because scanner uses REJECT" );
-#else
-
- /* just a shorter name for the current buffer */
- YY_BUFFER_STATE b = yy_current_buffer;
-
- int yy_c_buf_p_offset =
- (int) (yy_c_buf_p - b->yy_ch_buf);
-
- if ( b->yy_is_our_buffer )
- {
- int new_size = b->yy_buf_size * 2;
-
- if ( new_size <= 0 )
- b->yy_buf_size += b->yy_buf_size / 8;
- else
- b->yy_buf_size *= 2;
-
- b->yy_ch_buf = (char *)
- /* Include room in for 2 EOB chars. */
- yy_flex_realloc( (void *) b->yy_ch_buf,
- b->yy_buf_size + 2 );
- }
- else
- /* Can't grow it, we don't own it. */
- b->yy_ch_buf = 0;
-
- if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR(
- "fatal error - scanner input buffer overflow" );
-
- yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset];
-
- num_to_read = yy_current_buffer->yy_buf_size -
- number_to_move - 1;
-#endif
- }
-
- if ( num_to_read > YY_READ_BUF_SIZE )
- num_to_read = YY_READ_BUF_SIZE;
-
- /* Read in more data. */
- YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]),
- yy_n_chars, num_to_read );
-
- yy_current_buffer->yy_n_chars = yy_n_chars;
- }
-
- if ( yy_n_chars == 0 )
- {
- if ( number_to_move == YY_MORE_ADJ )
- {
- ret_val = EOB_ACT_END_OF_FILE;
- yyrestart( yyin );
- }
-
- else
- {
- ret_val = EOB_ACT_LAST_MATCH;
- yy_current_buffer->yy_buffer_status =
- YY_BUFFER_EOF_PENDING;
- }
- }
-
- else
- ret_val = EOB_ACT_CONTINUE_SCAN;
-
- yy_n_chars += number_to_move;
- yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
- yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;
-
- yytext_ptr = &yy_current_buffer->yy_ch_buf[0];
-
- return ret_val;
- }
-
-
-/* yy_get_previous_state - get the state just before the EOB char was reached */
-
-static yy_state_type yy_get_previous_state()
- {
- register yy_state_type yy_current_state;
- register char *yy_cp;
-
- yy_current_state = yy_start;
-
- for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp )
- {
- register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
- if ( yy_accept[yy_current_state] )
- {
- yy_last_accepting_state = yy_current_state;
- yy_last_accepting_cpos = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 21 )
- yy_c = yy_meta[(unsigned int) yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
- }
-
- return yy_current_state;
- }
-
-
-/* yy_try_NUL_trans - try to make a transition on the NUL character
- *
- * synopsis
- * next_state = yy_try_NUL_trans( current_state );
- */
-
-#ifdef YY_USE_PROTOS
-static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state )
-#else
-static yy_state_type yy_try_NUL_trans( yy_current_state )
-yy_state_type yy_current_state;
-#endif
- {
- register int yy_is_jam;
- register char *yy_cp = yy_c_buf_p;
-
- register YY_CHAR yy_c = 1;
- if ( yy_accept[yy_current_state] )
- {
- yy_last_accepting_state = yy_current_state;
- yy_last_accepting_cpos = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 21 )
- yy_c = yy_meta[(unsigned int) yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
- yy_is_jam = (yy_current_state == 20);
-
- return yy_is_jam ? 0 : yy_current_state;
- }
-
-
-#ifndef YY_NO_UNPUT
-#ifdef YY_USE_PROTOS
-static void yyunput( int c, register char *yy_bp )
-#else
-static void yyunput( c, yy_bp )
-int c;
-register char *yy_bp;
-#endif
- {
- register char *yy_cp = yy_c_buf_p;
-
- /* undo effects of setting up yytext */
- *yy_cp = yy_hold_char;
-
- if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
- { /* need to shift things up to make room */
- /* +2 for EOB chars. */
- register int number_to_move = yy_n_chars + 2;
- register char *dest = &yy_current_buffer->yy_ch_buf[
- yy_current_buffer->yy_buf_size + 2];
- register char *source =
- &yy_current_buffer->yy_ch_buf[number_to_move];
-
- while ( source > yy_current_buffer->yy_ch_buf )
- *--dest = *--source;
-
- yy_cp += (int) (dest - source);
- yy_bp += (int) (dest - source);
- yy_current_buffer->yy_n_chars =
- yy_n_chars = yy_current_buffer->yy_buf_size;
-
- if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
- YY_FATAL_ERROR( "flex scanner push-back overflow" );
- }
-
- *--yy_cp = (char) c;
-
-
- yytext_ptr = yy_bp;
- yy_hold_char = *yy_cp;
- yy_c_buf_p = yy_cp;
- }
-#endif /* ifndef YY_NO_UNPUT */
-
-
-#ifdef __cplusplus
-static int yyinput()
-#else
-static int input()
-#endif
- {
- int c;
-
- *yy_c_buf_p = yy_hold_char;
-
- if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR )
- {
- /* yy_c_buf_p now points to the character we want to return.
- * If this occurs *before* the EOB characters, then it's a
- * valid NUL; if not, then we've hit the end of the buffer.
- */
- if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] )
- /* This was really a NUL. */
- *yy_c_buf_p = '\0';
-
- else
- { /* need more input */
- int offset = yy_c_buf_p - yytext_ptr;
- ++yy_c_buf_p;
-
- switch ( yy_get_next_buffer() )
- {
- case EOB_ACT_LAST_MATCH:
- /* This happens because yy_g_n_b()
- * sees that we've accumulated a
- * token and flags that we need to
- * try matching the token before
- * proceeding. But for input(),
- * there's no matching to consider.
- * So convert the EOB_ACT_LAST_MATCH
- * to EOB_ACT_END_OF_FILE.
- */
-
- /* Reset buffer status. */
- yyrestart( yyin );
-
- /* fall through */
-
- case EOB_ACT_END_OF_FILE:
- {
- if ( yywrap() )
- return EOF;
-
- if ( ! yy_did_buffer_switch_on_eof )
- YY_NEW_FILE;
-#ifdef __cplusplus
- return yyinput();
-#else
- return input();
-#endif
- }
-
- case EOB_ACT_CONTINUE_SCAN:
- yy_c_buf_p = yytext_ptr + offset;
- break;
- }
- }
- }
-
- c = *(unsigned char *) yy_c_buf_p; /* cast for 8-bit char's */
- *yy_c_buf_p = '\0'; /* preserve yytext */
- yy_hold_char = *++yy_c_buf_p;
-
-
- return c;
- }
-
-
-#ifdef YY_USE_PROTOS
-void yyrestart( FILE *input_file )
-#else
-void yyrestart( input_file )
-FILE *input_file;
-#endif
- {
- if ( ! yy_current_buffer )
- yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE );
-
- yy_init_buffer( yy_current_buffer, input_file );
- yy_load_buffer_state();
- }
-
-
-#ifdef YY_USE_PROTOS
-void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer )
-#else
-void yy_switch_to_buffer( new_buffer )
-YY_BUFFER_STATE new_buffer;
-#endif
- {
- if ( yy_current_buffer == new_buffer )
- return;
-
- if ( yy_current_buffer )
- {
- /* Flush out information for old buffer. */
- *yy_c_buf_p = yy_hold_char;
- yy_current_buffer->yy_buf_pos = yy_c_buf_p;
- yy_current_buffer->yy_n_chars = yy_n_chars;
- }
-
- yy_current_buffer = new_buffer;
- yy_load_buffer_state();
-
- /* We don't actually know whether we did this switch during
- * EOF (yywrap()) processing, but the only time this flag
- * is looked at is after yywrap() is called, so it's safe
- * to go ahead and always set it.
- */
- yy_did_buffer_switch_on_eof = 1;
- }
-
-
-#ifdef YY_USE_PROTOS
-void yy_load_buffer_state( void )
-#else
-void yy_load_buffer_state()
-#endif
- {
- yy_n_chars = yy_current_buffer->yy_n_chars;
- yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos;
- yyin = yy_current_buffer->yy_input_file;
- yy_hold_char = *yy_c_buf_p;
- }
-
-
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_create_buffer( FILE *file, int size )
-#else
-YY_BUFFER_STATE yy_create_buffer( file, size )
-FILE *file;
-int size;
-#endif
- {
- YY_BUFFER_STATE b;
-
- b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
- if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
- b->yy_buf_size = size;
-
- /* yy_ch_buf has to be 2 characters longer than the size given because
- * we need to put in 2 end-of-buffer characters.
- */
- b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 );
- if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
- b->yy_is_our_buffer = 1;
-
- yy_init_buffer( b, file );
-
- return b;
- }
-
-
-#ifdef YY_USE_PROTOS
-void yy_delete_buffer( YY_BUFFER_STATE b )
-#else
-void yy_delete_buffer( b )
-YY_BUFFER_STATE b;
-#endif
- {
- if ( ! b )
- return;
-
- if ( b == yy_current_buffer )
- yy_current_buffer = (YY_BUFFER_STATE) 0;
-
- if ( b->yy_is_our_buffer )
- yy_flex_free( (void *) b->yy_ch_buf );
-
- yy_flex_free( (void *) b );
- }
-
-
-#ifndef YY_ALWAYS_INTERACTIVE
-#ifndef YY_NEVER_INTERACTIVE
-extern int isatty YY_PROTO(( int ));
-#endif
-#endif
-
-#ifdef YY_USE_PROTOS
-void yy_init_buffer( YY_BUFFER_STATE b, FILE *file )
-#else
-void yy_init_buffer( b, file )
-YY_BUFFER_STATE b;
-FILE *file;
-#endif
-
-
- {
- yy_flush_buffer( b );
-
- b->yy_input_file = file;
- b->yy_fill_buffer = 1;
-
-#if YY_ALWAYS_INTERACTIVE
- b->yy_is_interactive = 1;
-#else
-#if YY_NEVER_INTERACTIVE
- b->yy_is_interactive = 0;
-#else
- b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
-#endif
-#endif
- }
-
-
-#ifdef YY_USE_PROTOS
-void yy_flush_buffer( YY_BUFFER_STATE b )
-#else
-void yy_flush_buffer( b )
-YY_BUFFER_STATE b;
-#endif
-
- {
- if ( ! b )
- return;
-
- b->yy_n_chars = 0;
-
- /* We always need two end-of-buffer characters. The first causes
- * a transition to the end-of-buffer state. The second causes
- * a jam in that state.
- */
- b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
- b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
-
- b->yy_buf_pos = &b->yy_ch_buf[0];
-
- b->yy_at_bol = 1;
- b->yy_buffer_status = YY_BUFFER_NEW;
-
- if ( b == yy_current_buffer )
- yy_load_buffer_state();
- }
-
-
-#ifndef YY_NO_SCAN_BUFFER
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size )
-#else
-YY_BUFFER_STATE yy_scan_buffer( base, size )
-char *base;
-yy_size_t size;
-#endif
- {
- YY_BUFFER_STATE b;
-
- if ( size < 2 ||
- base[size-2] != YY_END_OF_BUFFER_CHAR ||
- base[size-1] != YY_END_OF_BUFFER_CHAR )
- /* They forgot to leave room for the EOB's. */
- return 0;
-
- b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
- if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
-
- b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */
- b->yy_buf_pos = b->yy_ch_buf = base;
- b->yy_is_our_buffer = 0;
- b->yy_input_file = 0;
- b->yy_n_chars = b->yy_buf_size;
- b->yy_is_interactive = 0;
- b->yy_at_bol = 1;
- b->yy_fill_buffer = 0;
- b->yy_buffer_status = YY_BUFFER_NEW;
-
- yy_switch_to_buffer( b );
-
- return b;
- }
-#endif
-
-
-#ifndef YY_NO_SCAN_STRING
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str )
-#else
-YY_BUFFER_STATE yy_scan_string( yy_str )
-yyconst char *yy_str;
-#endif
- {
- int len;
- for ( len = 0; yy_str[len]; ++len )
- ;
-
- return yy_scan_bytes( yy_str, len );
- }
-#endif
-
-
-#ifndef YY_NO_SCAN_BYTES
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len )
-#else
-YY_BUFFER_STATE yy_scan_bytes( bytes, len )
-yyconst char *bytes;
-int len;
-#endif
- {
- YY_BUFFER_STATE b;
- char *buf;
- yy_size_t n;
- int i;
-
- /* Get memory for full buffer, including space for trailing EOB's. */
- n = len + 2;
- buf = (char *) yy_flex_alloc( n );
- if ( ! buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
-
- for ( i = 0; i < len; ++i )
- buf[i] = bytes[i];
-
- buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR;
-
- b = yy_scan_buffer( buf, n );
- if ( ! b )
- YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
-
- /* It's okay to grow etc. this buffer, and we should throw it
- * away when we're done.
- */
- b->yy_is_our_buffer = 1;
-
- return b;
- }
-#endif
-
-
-#ifndef YY_NO_PUSH_STATE
-#ifdef YY_USE_PROTOS
-static void yy_push_state( int new_state )
-#else
-static void yy_push_state( new_state )
-int new_state;
-#endif
- {
- if ( yy_start_stack_ptr >= yy_start_stack_depth )
- {
- yy_size_t new_size;
-
- yy_start_stack_depth += YY_START_STACK_INCR;
- new_size = yy_start_stack_depth * sizeof( int );
-
- if ( ! yy_start_stack )
- yy_start_stack = (int *) yy_flex_alloc( new_size );
-
- else
- yy_start_stack = (int *) yy_flex_realloc(
- (void *) yy_start_stack, new_size );
-
- if ( ! yy_start_stack )
- YY_FATAL_ERROR(
- "out of memory expanding start-condition stack" );
- }
-
- yy_start_stack[yy_start_stack_ptr++] = YY_START;
-
- BEGIN(new_state);
- }
-#endif
-
-
-#ifndef YY_NO_POP_STATE
-static void yy_pop_state()
- {
- if ( --yy_start_stack_ptr < 0 )
- YY_FATAL_ERROR( "start-condition stack underflow" );
-
- BEGIN(yy_start_stack[yy_start_stack_ptr]);
- }
-#endif
-
-
-#ifndef YY_NO_TOP_STATE
-static int yy_top_state()
- {
- return yy_start_stack[yy_start_stack_ptr - 1];
- }
-#endif
-
-#ifndef YY_EXIT_FAILURE
-#define YY_EXIT_FAILURE 2
-#endif
-
-#ifdef YY_USE_PROTOS
-static void yy_fatal_error( yyconst char msg[] )
-#else
-static void yy_fatal_error( msg )
-char msg[];
-#endif
- {
- (void) fprintf( stderr, "%s\n", msg );
- exit( YY_EXIT_FAILURE );
- }
-
-
-
-/* Redefine yyless() so it works in section 3 code. */
-
-#undef yyless
-#define yyless(n) \
- do \
- { \
- /* Undo effects of setting up yytext. */ \
- yytext[yyleng] = yy_hold_char; \
- yy_c_buf_p = yytext + n; \
- yy_hold_char = *yy_c_buf_p; \
- *yy_c_buf_p = '\0'; \
- yyleng = n; \
- } \
- while ( 0 )
-
-
-/* Internal utility routines. */
-
-#ifndef yytext_ptr
-#ifdef YY_USE_PROTOS
-static void yy_flex_strncpy( char *s1, yyconst char *s2, int n )
-#else
-static void yy_flex_strncpy( s1, s2, n )
-char *s1;
-yyconst char *s2;
-int n;
-#endif
- {
- register int i;
- for ( i = 0; i < n; ++i )
- s1[i] = s2[i];
- }
-#endif
-
-#ifdef YY_NEED_STRLEN
-#ifdef YY_USE_PROTOS
-static int yy_flex_strlen( yyconst char *s )
-#else
-static int yy_flex_strlen( s )
-yyconst char *s;
-#endif
- {
- register int n;
- for ( n = 0; s[n]; ++n )
- ;
-
- return n;
- }
-#endif
-
-
-#ifdef YY_USE_PROTOS
-static void *yy_flex_alloc( yy_size_t size )
-#else
-static void *yy_flex_alloc( size )
-yy_size_t size;
-#endif
- {
- return (void *) malloc( size );
- }
-
-#ifdef YY_USE_PROTOS
-static void *yy_flex_realloc( void *ptr, yy_size_t size )
-#else
-static void *yy_flex_realloc( ptr, size )
-void *ptr;
-yy_size_t size;
-#endif
- {
- /* The cast to (char *) in the following accommodates both
- * implementations that use char* generic pointers, and those
- * that use void* generic pointers. It works with the latter
- * because both ANSI C and C++ allow castless assignment from
- * any pointer type to void*, and deal with argument conversions
- * as though doing an assignment.
- */
- return (void *) realloc( (char *) ptr, size );
- }
-
-#ifdef YY_USE_PROTOS
-static void yy_flex_free( void *ptr )
-#else
-static void yy_flex_free( ptr )
-void *ptr;
-#endif
- {
- free( ptr );
- }
-
-#if YY_MAIN
-int main()
- {
- yylex();
- return 0;
- }
-#endif
-#line 42 "pam_conv.lex"
-
diff --git a/contrib/libpam/conf/pam_conv1/pam_conv.lex b/contrib/libpam/conf/pam_conv1/pam_conv.lex
deleted file mode 100644
index d5f618e..0000000
--- a/contrib/libpam/conf/pam_conv1/pam_conv.lex
+++ /dev/null
@@ -1,42 +0,0 @@
-
-%{
-/*
- * $Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $
- *
- * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
- *
- * This file is covered by the Linux-PAM License (which should be
- * distributed with this file.)
- */
-
- const static char lexid[]=
- "$Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $\n"
- "Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>\n";
-
- extern int current_line;
-%}
-
-%%
-
-"#"[^\n]* ; /* skip comments (sorry) */
-
-"\\\n" {
- ++current_line;
-}
-
-([^\n\t ]|[\\][^\n])+ {
- return TOK;
-}
-
-[ \t]+ ; /* Ignore */
-
-<<EOF>> {
- return EOFILE;
-}
-
-[\n] {
- ++current_line;
- return NL;
-}
-
-%%
diff --git a/contrib/libpam/conf/pam_conv1/pam_conv.tab.c b/contrib/libpam/conf/pam_conv1/pam_conv.tab.c
deleted file mode 100644
index 6ca566c..0000000
--- a/contrib/libpam/conf/pam_conv1/pam_conv.tab.c
+++ /dev/null
@@ -1,1019 +0,0 @@
-
-/* A Bison parser, made from pam_conv.y
- by GNU Bison version 1.25
- */
-
-#define YYBISON 1 /* Identify Bison output. */
-
-#define NL 258
-#define EOFILE 259
-#define TOK 260
-
-#line 1 "pam_conv.y"
-
-
-/*
- * $Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $
- *
- * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
- *
- * This file is covered by the Linux-PAM License (which should be
- * distributed with this file.)
- */
-
- const static char bisonid[]=
- "$Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $\n"
- "Copyright (c) Andrew G. Morgan 1997-8 <morgan@linux.kernel.org>\n";
-
-#include <string.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <stdlib.h>
-
- int current_line=1;
- extern char *yytext;
-
-/* XXX - later we'll change this to be the specific conf file(s) */
-#define newpamf stderr
-
-#define PAM_D "./pam.d"
-#define PAM_D_MODE 0755
-#define PAM_D_MAGIC_HEADER \
- "#%PAM-1.0\n" \
- "#[For version 1.0 syntax, the above header is optional]\n"
-
-#define PAM_D_FILE_FMT PAM_D "/%s"
-
- const char *old_to_new_ctrl_flag(const char *old);
- void yyerror(const char *format, ...);
-
-#line 39 "pam_conv.y"
-typedef union {
- int def;
- char *string;
-} YYSTYPE;
-#include <stdio.h>
-
-#ifndef __cplusplus
-#ifndef __STDC__
-#define const
-#endif
-#endif
-
-
-
-#define YYFINAL 17
-#define YYFLAG -32768
-#define YYNTBASE 6
-
-#define YYTRANSLATE(x) ((unsigned)(x) <= 260 ? yytranslate[x] : 11)
-
-static const char yytranslate[] = { 0,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 1, 2, 3, 4, 5
-};
-
-#if YYDEBUG != 0
-static const short yyprhs[] = { 0,
- 0, 1, 4, 7, 10, 17, 20, 21, 24, 26
-};
-
-static const short yyrhs[] = { -1,
- 6, 3, 0, 6, 7, 0, 6, 4, 0, 10,
- 10, 10, 9, 8, 3, 0, 1, 3, 0, 0,
- 8, 10, 0, 5, 0, 5, 0
-};
-
-#endif
-
-#if YYDEBUG != 0
-static const short yyrline[] = { 0,
- 53, 54, 55, 56, 62, 126, 132, 135, 151, 157
-};
-#endif
-
-
-#if YYDEBUG != 0 || defined (YYERROR_VERBOSE)
-
-static const char * const yytname[] = { "$","error","$undefined.","NL","EOFILE",
-"TOK","complete","line","tokenls","path","tok", NULL
-};
-#endif
-
-static const short yyr1[] = { 0,
- 6, 6, 6, 6, 7, 7, 8, 8, 9, 10
-};
-
-static const short yyr2[] = { 0,
- 0, 2, 2, 2, 6, 2, 0, 2, 1, 1
-};
-
-static const short yydefact[] = { 1,
- 0, 0, 2, 4, 10, 3, 0, 6, 0, 0,
- 9, 7, 0, 5, 8, 0, 0
-};
-
-static const short yydefgoto[] = { 1,
- 6, 13, 12, 7
-};
-
-static const short yypact[] = {-32768,
- 4, 7,-32768,-32768,-32768,-32768, 6,-32768, 6, 8,
--32768,-32768, -2,-32768,-32768, 12,-32768
-};
-
-static const short yypgoto[] = {-32768,
--32768,-32768,-32768, -7
-};
-
-
-#define YYLAST 13
-
-
-static const short yytable[] = { 9,
- 14, 10, 5, 16, 2, 15, 3, 4, 5, 8,
- 5, 17, 11
-};
-
-static const short yycheck[] = { 7,
- 3, 9, 5, 0, 1, 13, 3, 4, 5, 3,
- 5, 0, 5
-};
-/* -*-C-*- Note some compilers choke on comments on `#line' lines. */
-#line 3 "/usr/share/bison.simple"
-
-/* Skeleton output parser for bison,
- Copyright (C) 1984, 1989, 1990 Free Software Foundation, Inc.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2, or (at your option)
- any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
-
-/* As a special exception, when this file is copied by Bison into a
- Bison output file, you may use that output file without restriction.
- This special exception was added by the Free Software Foundation
- in version 1.24 of Bison. */
-
-#ifndef alloca
-#ifdef __GNUC__
-#define alloca __builtin_alloca
-#else /* not GNU C. */
-#if (!defined (__STDC__) && defined (sparc)) || defined (__sparc__) || defined (__sparc) || defined (__sgi)
-#include <alloca.h>
-#else /* not sparc */
-#if defined (MSDOS) && !defined (__TURBOC__)
-#include <malloc.h>
-#else /* not MSDOS, or __TURBOC__ */
-#if defined(_AIX)
-#include <malloc.h>
- #pragma alloca
-#else /* not MSDOS, __TURBOC__, or _AIX */
-#ifdef __hpux
-#ifdef __cplusplus
-extern "C" {
-void *alloca (unsigned int);
-};
-#else /* not __cplusplus */
-void *alloca ();
-#endif /* not __cplusplus */
-#endif /* __hpux */
-#endif /* not _AIX */
-#endif /* not MSDOS, or __TURBOC__ */
-#endif /* not sparc. */
-#endif /* not GNU C. */
-#endif /* alloca not defined. */
-
-/* This is the parser code that is written into each bison parser
- when the %semantic_parser declaration is not specified in the grammar.
- It was written by Richard Stallman by simplifying the hairy parser
- used when %semantic_parser is specified. */
-
-/* Note: there must be only one dollar sign in this file.
- It is replaced by the list of actions, each action
- as one case of the switch. */
-
-#define yyerrok (yyerrstatus = 0)
-#define yyclearin (yychar = YYEMPTY)
-#define YYEMPTY -2
-#define YYEOF 0
-#define YYACCEPT return(0)
-#define YYABORT return(1)
-#define YYERROR goto yyerrlab1
-/* Like YYERROR except do call yyerror.
- This remains here temporarily to ease the
- transition to the new meaning of YYERROR, for GCC.
- Once GCC version 2 has supplanted version 1, this can go. */
-#define YYFAIL goto yyerrlab
-#define YYRECOVERING() (!!yyerrstatus)
-#define YYBACKUP(token, value) \
-do \
- if (yychar == YYEMPTY && yylen == 1) \
- { yychar = (token), yylval = (value); \
- yychar1 = YYTRANSLATE (yychar); \
- YYPOPSTACK; \
- goto yybackup; \
- } \
- else \
- { yyerror ("syntax error: cannot back up"); YYERROR; } \
-while (0)
-
-#define YYTERROR 1
-#define YYERRCODE 256
-
-#ifndef YYPURE
-#define YYLEX yylex()
-#endif
-
-#ifdef YYPURE
-#ifdef YYLSP_NEEDED
-#ifdef YYLEX_PARAM
-#define YYLEX yylex(&yylval, &yylloc, YYLEX_PARAM)
-#else
-#define YYLEX yylex(&yylval, &yylloc)
-#endif
-#else /* not YYLSP_NEEDED */
-#ifdef YYLEX_PARAM
-#define YYLEX yylex(&yylval, YYLEX_PARAM)
-#else
-#define YYLEX yylex(&yylval)
-#endif
-#endif /* not YYLSP_NEEDED */
-#endif
-
-/* If nonreentrant, generate the variables here */
-
-#ifndef YYPURE
-
-int yychar; /* the lookahead symbol */
-YYSTYPE yylval; /* the semantic value of the */
- /* lookahead symbol */
-
-#ifdef YYLSP_NEEDED
-YYLTYPE yylloc; /* location data for the lookahead */
- /* symbol */
-#endif
-
-int yynerrs; /* number of parse errors so far */
-#endif /* not YYPURE */
-
-#if YYDEBUG != 0
-int yydebug; /* nonzero means print parse trace */
-/* Since this is uninitialized, it does not stop multiple parsers
- from coexisting. */
-#endif
-
-/* YYINITDEPTH indicates the initial size of the parser's stacks */
-
-#ifndef YYINITDEPTH
-#define YYINITDEPTH 200
-#endif
-
-/* YYMAXDEPTH is the maximum size the stacks can grow to
- (effective only if the built-in stack extension method is used). */
-
-#if YYMAXDEPTH == 0
-#undef YYMAXDEPTH
-#endif
-
-#ifndef YYMAXDEPTH
-#define YYMAXDEPTH 10000
-#endif
-
-/* Prevent warning if -Wstrict-prototypes. */
-#ifdef __GNUC__
-int yyparse (void);
-#endif
-
-#if __GNUC__ > 1 /* GNU C and GNU C++ define this. */
-#define __yy_memcpy(TO,FROM,COUNT) __builtin_memcpy(TO,FROM,COUNT)
-#else /* not GNU C or C++ */
-#ifndef __cplusplus
-
-/* This is the most reliable way to avoid incompatibilities
- in available built-in functions on various systems. */
-static void
-__yy_memcpy (to, from, count)
- char *to;
- char *from;
- int count;
-{
- register char *f = from;
- register char *t = to;
- register int i = count;
-
- while (i-- > 0)
- *t++ = *f++;
-}
-
-#else /* __cplusplus */
-
-/* This is the most reliable way to avoid incompatibilities
- in available built-in functions on various systems. */
-static void
-__yy_memcpy (char *to, char *from, int count)
-{
- register char *f = from;
- register char *t = to;
- register int i = count;
-
- while (i-- > 0)
- *t++ = *f++;
-}
-
-#endif
-#endif
-
-#line 196 "/usr/share/bison.simple"
-
-/* The user can define YYPARSE_PARAM as the name of an argument to be passed
- into yyparse. The argument should have type void *.
- It should actually point to an object.
- Grammar actions can access the variable by casting it
- to the proper pointer type. */
-
-#ifdef YYPARSE_PARAM
-#ifdef __cplusplus
-#define YYPARSE_PARAM_ARG void *YYPARSE_PARAM
-#define YYPARSE_PARAM_DECL
-#else /* not __cplusplus */
-#define YYPARSE_PARAM_ARG YYPARSE_PARAM
-#define YYPARSE_PARAM_DECL void *YYPARSE_PARAM;
-#endif /* not __cplusplus */
-#else /* not YYPARSE_PARAM */
-#define YYPARSE_PARAM_ARG
-#define YYPARSE_PARAM_DECL
-#endif /* not YYPARSE_PARAM */
-
-int
-yyparse(YYPARSE_PARAM_ARG)
- YYPARSE_PARAM_DECL
-{
- register int yystate;
- register int yyn;
- register short *yyssp;
- register YYSTYPE *yyvsp;
- int yyerrstatus; /* number of tokens to shift before error messages enabled */
- int yychar1 = 0; /* lookahead token as an internal (translated) token number */
-
- short yyssa[YYINITDEPTH]; /* the state stack */
- YYSTYPE yyvsa[YYINITDEPTH]; /* the semantic value stack */
-
- short *yyss = yyssa; /* refer to the stacks thru separate pointers */
- YYSTYPE *yyvs = yyvsa; /* to allow yyoverflow to reallocate them elsewhere */
-
-#ifdef YYLSP_NEEDED
- YYLTYPE yylsa[YYINITDEPTH]; /* the location stack */
- YYLTYPE *yyls = yylsa;
- YYLTYPE *yylsp;
-
-#define YYPOPSTACK (yyvsp--, yyssp--, yylsp--)
-#else
-#define YYPOPSTACK (yyvsp--, yyssp--)
-#endif
-
- int yystacksize = YYINITDEPTH;
-
-#ifdef YYPURE
- int yychar;
- YYSTYPE yylval;
- int yynerrs;
-#ifdef YYLSP_NEEDED
- YYLTYPE yylloc;
-#endif
-#endif
-
- YYSTYPE yyval; /* the variable used to return */
- /* semantic values from the action */
- /* routines */
-
- int yylen;
-
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Starting parse\n");
-#endif
-
- yystate = 0;
- yyerrstatus = 0;
- yynerrs = 0;
- yychar = YYEMPTY; /* Cause a token to be read. */
-
- /* Initialize stack pointers.
- Waste one element of value and location stack
- so that they stay on the same level as the state stack.
- The wasted elements are never initialized. */
-
- yyssp = yyss - 1;
- yyvsp = yyvs;
-#ifdef YYLSP_NEEDED
- yylsp = yyls;
-#endif
-
-/* Push a new state, which is found in yystate . */
-/* In all cases, when you get here, the value and location stacks
- have just been pushed. so pushing a state here evens the stacks. */
-yynewstate:
-
- *++yyssp = yystate;
-
- if (yyssp >= yyss + yystacksize - 1)
- {
- /* Give user a chance to reallocate the stack */
- /* Use copies of these so that the &'s don't force the real ones into memory. */
- YYSTYPE *yyvs1 = yyvs;
- short *yyss1 = yyss;
-#ifdef YYLSP_NEEDED
- YYLTYPE *yyls1 = yyls;
-#endif
-
- /* Get the current used size of the three stacks, in elements. */
- int size = yyssp - yyss + 1;
-
-#ifdef yyoverflow
- /* Each stack pointer address is followed by the size of
- the data in use in that stack, in bytes. */
-#ifdef YYLSP_NEEDED
- /* This used to be a conditional around just the two extra args,
- but that might be undefined if yyoverflow is a macro. */
- yyoverflow("parser stack overflow",
- &yyss1, size * sizeof (*yyssp),
- &yyvs1, size * sizeof (*yyvsp),
- &yyls1, size * sizeof (*yylsp),
- &yystacksize);
-#else
- yyoverflow("parser stack overflow",
- &yyss1, size * sizeof (*yyssp),
- &yyvs1, size * sizeof (*yyvsp),
- &yystacksize);
-#endif
-
- yyss = yyss1; yyvs = yyvs1;
-#ifdef YYLSP_NEEDED
- yyls = yyls1;
-#endif
-#else /* no yyoverflow */
- /* Extend the stack our own way. */
- if (yystacksize >= YYMAXDEPTH)
- {
- yyerror("parser stack overflow");
- return 2;
- }
- yystacksize *= 2;
- if (yystacksize > YYMAXDEPTH)
- yystacksize = YYMAXDEPTH;
- yyss = (short *) alloca (yystacksize * sizeof (*yyssp));
- __yy_memcpy ((char *)yyss, (char *)yyss1, size * sizeof (*yyssp));
- yyvs = (YYSTYPE *) alloca (yystacksize * sizeof (*yyvsp));
- __yy_memcpy ((char *)yyvs, (char *)yyvs1, size * sizeof (*yyvsp));
-#ifdef YYLSP_NEEDED
- yyls = (YYLTYPE *) alloca (yystacksize * sizeof (*yylsp));
- __yy_memcpy ((char *)yyls, (char *)yyls1, size * sizeof (*yylsp));
-#endif
-#endif /* no yyoverflow */
-
- yyssp = yyss + size - 1;
- yyvsp = yyvs + size - 1;
-#ifdef YYLSP_NEEDED
- yylsp = yyls + size - 1;
-#endif
-
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Stack size increased to %d\n", yystacksize);
-#endif
-
- if (yyssp >= yyss + yystacksize - 1)
- YYABORT;
- }
-
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Entering state %d\n", yystate);
-#endif
-
- goto yybackup;
- yybackup:
-
-/* Do appropriate processing given the current state. */
-/* Read a lookahead token if we need one and don't already have one. */
-/* yyresume: */
-
- /* First try to decide what to do without reference to lookahead token. */
-
- yyn = yypact[yystate];
- if (yyn == YYFLAG)
- goto yydefault;
-
- /* Not known => get a lookahead token if don't already have one. */
-
- /* yychar is either YYEMPTY or YYEOF
- or a valid token in external form. */
-
- if (yychar == YYEMPTY)
- {
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Reading a token: ");
-#endif
- yychar = YYLEX;
- }
-
- /* Convert token to internal form (in yychar1) for indexing tables with */
-
- if (yychar <= 0) /* This means end of input. */
- {
- yychar1 = 0;
- yychar = YYEOF; /* Don't call YYLEX any more */
-
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Now at end of input.\n");
-#endif
- }
- else
- {
- yychar1 = YYTRANSLATE(yychar);
-
-#if YYDEBUG != 0
- if (yydebug)
- {
- fprintf (stderr, "Next token is %d (%s", yychar, yytname[yychar1]);
- /* Give the individual parser a way to print the precise meaning
- of a token, for further debugging info. */
-#ifdef YYPRINT
- YYPRINT (stderr, yychar, yylval);
-#endif
- fprintf (stderr, ")\n");
- }
-#endif
- }
-
- yyn += yychar1;
- if (yyn < 0 || yyn > YYLAST || yycheck[yyn] != yychar1)
- goto yydefault;
-
- yyn = yytable[yyn];
-
- /* yyn is what to do for this token type in this state.
- Negative => reduce, -yyn is rule number.
- Positive => shift, yyn is new state.
- New state is final state => don't bother to shift,
- just return success.
- 0, or most negative number => error. */
-
- if (yyn < 0)
- {
- if (yyn == YYFLAG)
- goto yyerrlab;
- yyn = -yyn;
- goto yyreduce;
- }
- else if (yyn == 0)
- goto yyerrlab;
-
- if (yyn == YYFINAL)
- YYACCEPT;
-
- /* Shift the lookahead token. */
-
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Shifting token %d (%s), ", yychar, yytname[yychar1]);
-#endif
-
- /* Discard the token being shifted unless it is eof. */
- if (yychar != YYEOF)
- yychar = YYEMPTY;
-
- *++yyvsp = yylval;
-#ifdef YYLSP_NEEDED
- *++yylsp = yylloc;
-#endif
-
- /* count tokens shifted since error; after three, turn off error status. */
- if (yyerrstatus) yyerrstatus--;
-
- yystate = yyn;
- goto yynewstate;
-
-/* Do the default action for the current state. */
-yydefault:
-
- yyn = yydefact[yystate];
- if (yyn == 0)
- goto yyerrlab;
-
-/* Do a reduction. yyn is the number of a rule to reduce with. */
-yyreduce:
- yylen = yyr2[yyn];
- if (yylen > 0)
- yyval = yyvsp[1-yylen]; /* implement default value of the action */
-
-#if YYDEBUG != 0
- if (yydebug)
- {
- int i;
-
- fprintf (stderr, "Reducing via rule %d (line %d), ",
- yyn, yyrline[yyn]);
-
- /* Print the symbols being reduced, and their result. */
- for (i = yyprhs[yyn]; yyrhs[i] > 0; i++)
- fprintf (stderr, "%s ", yytname[yyrhs[i]]);
- fprintf (stderr, " -> %s\n", yytname[yyr1[yyn]]);
- }
-#endif
-
-
- switch (yyn) {
-
-case 4:
-#line 56 "pam_conv.y"
-{
- return 0;
-;
- break;}
-case 5:
-#line 62 "pam_conv.y"
-{
- char *filename;
- FILE *conf;
- int i;
-
- /* make sure we have lower case */
- for (i=0; yyvsp[-5].string[i]; ++i) {
- yyvsp[-5].string[i] = tolower(yyvsp[-5].string[i]);
- }
-
- /* $1 = service-name */
- yyerror("Appending to " PAM_D "/%s", yyvsp[-5].string);
-
- filename = malloc(strlen(yyvsp[-5].string) + sizeof(PAM_D) + 6);
- sprintf(filename, PAM_D_FILE_FMT, yyvsp[-5].string);
- conf = fopen(filename, "r");
- if (conf == NULL) {
- /* new file */
- conf = fopen(filename, "w");
- if (conf != NULL) {
- fprintf(conf, PAM_D_MAGIC_HEADER);
- fprintf(conf,
- "#\n"
- "# The PAM configuration file for the `%s' service\n"
- "#\n", yyvsp[-5].string);
- }
- } else {
- fclose(conf);
- conf = fopen(filename, "a");
- }
- if (conf == NULL) {
- yyerror("trouble opening %s - aborting", filename);
- exit(1);
- }
- free(filename);
-
- /* $2 = module-type */
- fprintf(conf, "%-10s", yyvsp[-4].string);
- free(yyvsp[-4].string);
-
- /* $3 = required etc. */
- {
- const char *trans;
-
- trans = old_to_new_ctrl_flag(yyvsp[-3].string);
- free(yyvsp[-3].string);
- fprintf(conf, " %-10s", trans);
- }
-
- /* $4 = module-path */
- fprintf(conf, " %s", yyvsp[-2].string);
- free(yyvsp[-2].string);
-
- /* $5 = arguments */
- if (yyvsp[-1].string != NULL) {
- fprintf(conf, " \\\n\t\t%s", yyvsp[-1].string);
- free(yyvsp[-1].string);
- }
-
- /* end line */
- fprintf(conf, "\n");
-
- fclose(conf);
-;
- break;}
-case 6:
-#line 126 "pam_conv.y"
-{
- yyerror("malformed line");
-;
- break;}
-case 7:
-#line 132 "pam_conv.y"
-{
- yyval.string=NULL;
-;
- break;}
-case 8:
-#line 135 "pam_conv.y"
-{
- int len;
-
- if (yyvsp[-1].string) {
- len = strlen(yyvsp[-1].string) + strlen(yyvsp[0].string) + 2;
- yyval.string = malloc(len);
- sprintf(yyval.string,"%s %s",yyvsp[-1].string,yyvsp[0].string);
- free(yyvsp[-1].string);
- free(yyvsp[0].string);
- } else {
- yyval.string = yyvsp[0].string;
- }
-;
- break;}
-case 9:
-#line 151 "pam_conv.y"
-{
- /* XXX - this could be used to check if file present */
- yyval.string = strdup(yytext);
-;
- break;}
-case 10:
-#line 157 "pam_conv.y"
-{
- yyval.string = strdup(yytext);
-;
- break;}
-}
- /* the action file gets copied in in place of this dollarsign */
-#line 498 "/usr/share/bison.simple"
-
- yyvsp -= yylen;
- yyssp -= yylen;
-#ifdef YYLSP_NEEDED
- yylsp -= yylen;
-#endif
-
-#if YYDEBUG != 0
- if (yydebug)
- {
- short *ssp1 = yyss - 1;
- fprintf (stderr, "state stack now");
- while (ssp1 != yyssp)
- fprintf (stderr, " %d", *++ssp1);
- fprintf (stderr, "\n");
- }
-#endif
-
- *++yyvsp = yyval;
-
-#ifdef YYLSP_NEEDED
- yylsp++;
- if (yylen == 0)
- {
- yylsp->first_line = yylloc.first_line;
- yylsp->first_column = yylloc.first_column;
- yylsp->last_line = (yylsp-1)->last_line;
- yylsp->last_column = (yylsp-1)->last_column;
- yylsp->text = 0;
- }
- else
- {
- yylsp->last_line = (yylsp+yylen-1)->last_line;
- yylsp->last_column = (yylsp+yylen-1)->last_column;
- }
-#endif
-
- /* Now "shift" the result of the reduction.
- Determine what state that goes to,
- based on the state we popped back to
- and the rule number reduced by. */
-
- yyn = yyr1[yyn];
-
- yystate = yypgoto[yyn - YYNTBASE] + *yyssp;
- if (yystate >= 0 && yystate <= YYLAST && yycheck[yystate] == *yyssp)
- yystate = yytable[yystate];
- else
- yystate = yydefgoto[yyn - YYNTBASE];
-
- goto yynewstate;
-
-yyerrlab: /* here on detecting error */
-
- if (! yyerrstatus)
- /* If not already recovering from an error, report this error. */
- {
- ++yynerrs;
-
-#ifdef YYERROR_VERBOSE
- yyn = yypact[yystate];
-
- if (yyn > YYFLAG && yyn < YYLAST)
- {
- int size = 0;
- char *msg;
- int x, count;
-
- count = 0;
- /* Start X at -yyn if nec to avoid negative indexes in yycheck. */
- for (x = (yyn < 0 ? -yyn : 0);
- x < (sizeof(yytname) / sizeof(char *)); x++)
- if (yycheck[x + yyn] == x)
- size += strlen(yytname[x]) + 15, count++;
- msg = (char *) malloc(size + 15);
- if (msg != 0)
- {
- strcpy(msg, "parse error");
-
- if (count < 5)
- {
- count = 0;
- for (x = (yyn < 0 ? -yyn : 0);
- x < (sizeof(yytname) / sizeof(char *)); x++)
- if (yycheck[x + yyn] == x)
- {
- strcat(msg, count == 0 ? ", expecting `" : " or `");
- strcat(msg, yytname[x]);
- strcat(msg, "'");
- count++;
- }
- }
- yyerror(msg);
- free(msg);
- }
- else
- yyerror ("parse error; also virtual memory exceeded");
- }
- else
-#endif /* YYERROR_VERBOSE */
- yyerror("parse error");
- }
-
- goto yyerrlab1;
-yyerrlab1: /* here on error raised explicitly by an action */
-
- if (yyerrstatus == 3)
- {
- /* if just tried and failed to reuse lookahead token after an error, discard it. */
-
- /* return failure if at end of input */
- if (yychar == YYEOF)
- YYABORT;
-
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Discarding token %d (%s).\n", yychar, yytname[yychar1]);
-#endif
-
- yychar = YYEMPTY;
- }
-
- /* Else will try to reuse lookahead token
- after shifting the error token. */
-
- yyerrstatus = 3; /* Each real token shifted decrements this */
-
- goto yyerrhandle;
-
-yyerrdefault: /* current state does not do anything special for the error token. */
-
-#if 0
- /* This is wrong; only states that explicitly want error tokens
- should shift them. */
- yyn = yydefact[yystate]; /* If its default is to accept any token, ok. Otherwise pop it.*/
- if (yyn) goto yydefault;
-#endif
-
-yyerrpop: /* pop the current state because it cannot handle the error token */
-
- if (yyssp == yyss) YYABORT;
- yyvsp--;
- yystate = *--yyssp;
-#ifdef YYLSP_NEEDED
- yylsp--;
-#endif
-
-#if YYDEBUG != 0
- if (yydebug)
- {
- short *ssp1 = yyss - 1;
- fprintf (stderr, "Error: state stack now");
- while (ssp1 != yyssp)
- fprintf (stderr, " %d", *++ssp1);
- fprintf (stderr, "\n");
- }
-#endif
-
-yyerrhandle:
-
- yyn = yypact[yystate];
- if (yyn == YYFLAG)
- goto yyerrdefault;
-
- yyn += YYTERROR;
- if (yyn < 0 || yyn > YYLAST || yycheck[yyn] != YYTERROR)
- goto yyerrdefault;
-
- yyn = yytable[yyn];
- if (yyn < 0)
- {
- if (yyn == YYFLAG)
- goto yyerrpop;
- yyn = -yyn;
- goto yyreduce;
- }
- else if (yyn == 0)
- goto yyerrpop;
-
- if (yyn == YYFINAL)
- YYACCEPT;
-
-#if YYDEBUG != 0
- if (yydebug)
- fprintf(stderr, "Shifting error token, ");
-#endif
-
- *++yyvsp = yylval;
-#ifdef YYLSP_NEEDED
- *++yylsp = yylloc;
-#endif
-
- yystate = yyn;
- goto yynewstate;
-}
-#line 161 "pam_conv.y"
-
-
-#include "lex.yy.c"
-
-const char *old_to_new_ctrl_flag(const char *old)
-{
- static const char *clist[] = {
- "requisite",
- "required",
- "sufficient",
- "optional",
- NULL,
- };
- int i;
-
- for (i=0; clist[i]; ++i) {
- if (strcasecmp(clist[i], old) == 0) {
- break;
- }
- }
-
- return clist[i];
-}
-
-void yyerror(const char *format, ...)
-{
- va_list args;
-
- fprintf(stderr, "line %d: ", current_line);
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
-}
-
-void main()
-{
- if (mkdir(PAM_D, PAM_D_MODE) != 0) {
- yyerror(PAM_D " already exists.. aborting");
- exit(1);
- }
- yyparse();
-}
diff --git a/contrib/libpam/conf/pam_conv1/pam_conv.y b/contrib/libpam/conf/pam_conv1/pam_conv.y
deleted file mode 100644
index 8ce5ab0..0000000
--- a/contrib/libpam/conf/pam_conv1/pam_conv.y
+++ /dev/null
@@ -1,203 +0,0 @@
-%{
-
-/*
- * $Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $
- *
- * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
- *
- * This file is covered by the Linux-PAM License (which should be
- * distributed with this file.)
- */
-
- const static char bisonid[]=
- "$Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $\n"
- "Copyright (c) Andrew G. Morgan 1997-8 <morgan@linux.kernel.org>\n";
-
-#include <string.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <stdlib.h>
-
- int current_line=1;
- extern char *yytext;
-
-/* XXX - later we'll change this to be the specific conf file(s) */
-#define newpamf stderr
-
-#define PAM_D "./pam.d"
-#define PAM_D_MODE 0755
-#define PAM_D_MAGIC_HEADER \
- "#%PAM-1.0\n" \
- "#[For version 1.0 syntax, the above header is optional]\n"
-
-#define PAM_D_FILE_FMT PAM_D "/%s"
-
- const char *old_to_new_ctrl_flag(const char *old);
- void yyerror(const char *format, ...);
-%}
-
-%union {
- int def;
- char *string;
-}
-
-%token NL EOFILE TOK
-
-%type <string> tok path tokenls
-
-%start complete
-
-%%
-
-complete
-:
-| complete NL
-| complete line
-| complete EOFILE {
- return 0;
-}
-;
-
-line
-: tok tok tok path tokenls NL {
- char *filename;
- FILE *conf;
- int i;
-
- /* make sure we have lower case */
- for (i=0; $1[i]; ++i) {
- $1[i] = tolower($1[i]);
- }
-
- /* $1 = service-name */
- yyerror("Appending to " PAM_D "/%s", $1);
-
- filename = malloc(strlen($1) + sizeof(PAM_D) + 6);
- sprintf(filename, PAM_D_FILE_FMT, $1);
- conf = fopen(filename, "r");
- if (conf == NULL) {
- /* new file */
- conf = fopen(filename, "w");
- if (conf != NULL) {
- fprintf(conf, PAM_D_MAGIC_HEADER);
- fprintf(conf,
- "#\n"
- "# The PAM configuration file for the `%s' service\n"
- "#\n", $1);
- }
- } else {
- fclose(conf);
- conf = fopen(filename, "a");
- }
- if (conf == NULL) {
- yyerror("trouble opening %s - aborting", filename);
- exit(1);
- }
- free(filename);
-
- /* $2 = module-type */
- fprintf(conf, "%-10s", $2);
- free($2);
-
- /* $3 = required etc. */
- {
- const char *trans;
-
- trans = old_to_new_ctrl_flag($3);
- free($3);
- fprintf(conf, " %-10s", trans);
- }
-
- /* $4 = module-path */
- fprintf(conf, " %s", $4);
- free($4);
-
- /* $5 = arguments */
- if ($5 != NULL) {
- fprintf(conf, " \\\n\t\t%s", $5);
- free($5);
- }
-
- /* end line */
- fprintf(conf, "\n");
-
- fclose(conf);
-}
-| error NL {
- yyerror("malformed line");
-}
-;
-
-tokenls
-: {
- $$=NULL;
-}
-| tokenls tok {
- int len;
-
- if ($1) {
- len = strlen($1) + strlen($2) + 2;
- $$ = malloc(len);
- sprintf($$,"%s %s",$1,$2);
- free($1);
- free($2);
- } else {
- $$ = $2;
- }
-}
-;
-
-path
-: TOK {
- /* XXX - this could be used to check if file present */
- $$ = strdup(yytext);
-}
-
-tok
-: TOK {
- $$ = strdup(yytext);
-}
-
-%%
-
-#include "lex.yy.c"
-
-const char *old_to_new_ctrl_flag(const char *old)
-{
- static const char *clist[] = {
- "requisite",
- "required",
- "sufficient",
- "optional",
- NULL,
- };
- int i;
-
- for (i=0; clist[i]; ++i) {
- if (strcasecmp(clist[i], old) == 0) {
- break;
- }
- }
-
- return clist[i];
-}
-
-void yyerror(const char *format, ...)
-{
- va_list args;
-
- fprintf(stderr, "line %d: ", current_line);
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
-}
-
-void main()
-{
- if (mkdir(PAM_D, PAM_D_MODE) != 0) {
- yyerror(PAM_D " already exists.. aborting");
- exit(1);
- }
- yyparse();
-}
diff --git a/contrib/libpam/defs/hpux.defs b/contrib/libpam/defs/hpux.defs
deleted file mode 100644
index d834198..0000000
--- a/contrib/libpam/defs/hpux.defs
+++ /dev/null
@@ -1,36 +0,0 @@
-##
-# HPUX defs contributed by Derrick J Brashear <shadow@dementia.org>
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the default version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-OS=hpux9
-ARCH=hpux
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=-g -DPAM_SHL -DHAVE_UTMP_H
-ULIBS=
-LD=ld
-LD_D=$(LD) -b
-LD_L=$(LD) -b
-USESONAME=no
-NEEDSONAME=no
-LDCONFIG=:
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
-DYNLOAD="dld"
-DYNTYPE="sl"
-SHLIBMODE=755
diff --git a/contrib/libpam/defs/linux.defs b/contrib/libpam/defs/linux.defs
deleted file mode 100644
index 94e9968..0000000
--- a/contrib/libpam/defs/linux.defs
+++ /dev/null
@@ -1,32 +0,0 @@
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the default version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-OS=linux
-ARCH=`uname -m | sed 's/^i?86/i386/'`
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=-O7 -pipe -g
-ULIBS=#-lefence
-LD=ld
-LD_D=gcc -shared -Xlinker -x
-LD_L=$(LD) -x -shared
-USESONAME=yes
-SOSWITCH=-soname
-NEEDSONAME=no
-LDCONFIG=/sbin/ldconfig
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
-NSLLIB=-lnsl
diff --git a/contrib/libpam/defs/morgan.defs b/contrib/libpam/defs/morgan.defs
deleted file mode 100644
index 178de28..0000000
--- a/contrib/libpam/defs/morgan.defs
+++ /dev/null
@@ -1,35 +0,0 @@
-##
-# defs for Andrew's debugging version (which is a modified Red Hat
-# box)
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the version used for Red Hat Linux.
-
-OS=linux
-ARCH=i386
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=$(RPM_OPT_FLAGS) -pipe -g
-ULIBS=
-#-lefence
-LD=ld
-LD_D=gcc -shared -Xlinker -x
-LD_L=$(LD) -x -shared
-USESONAME=yes
-SOSWITCH=-soname
-NEEDSONAME=no
-LDCONFIG=/sbin/ldconfig
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=$(RPM_BUILD_ROOT)
-PREFIX=
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security.d
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
diff --git a/contrib/libpam/defs/redhat.defs b/contrib/libpam/defs/redhat.defs
deleted file mode 100644
index 8c7e1e1..0000000
--- a/contrib/libpam/defs/redhat.defs
+++ /dev/null
@@ -1,34 +0,0 @@
-##
-# defs for Red Hat Linux
-# Michael K. Johnson <johnsonm@redhat.com>
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the version used for Red Hat Linux.
-
-OS=linux
-ARCH=$(shell rpm --showrc | grep 'build arch' | sed 's/^.*: //g')
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=$(RPM_OPT_FLAGS) -pipe -g
-ULIBS=#-lefence
-LD=ld
-LD_D=gcc -shared -Xlinker -x
-LD_L=$(LD) -x -shared
-USESONAME=yes
-SOSWITCH=-soname
-NEEDSONAME=no
-LDCONFIG=/sbin/ldconfig
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=$(RPM_BUILD_ROOT)
-PREFIX=
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
diff --git a/contrib/libpam/defs/solaris.defs b/contrib/libpam/defs/solaris.defs
deleted file mode 100644
index f9f2652..0000000
--- a/contrib/libpam/defs/solaris.defs
+++ /dev/null
@@ -1,48 +0,0 @@
-##
-# Solaris defs contributed by Josh Wilmes <josh@makita.jpl.nasa.gov>
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the default version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-# Please note that the linker used must be the GNU ld, not the native Sun
-# linker. It is fairly common for the gnu linker (/usr/ccs/bin/ld) to be
-# configured as the default linker for gcc. To tell gcc to use the
-# gnu linker, you need to set the GCC_EXEC_PREFIX environment variable
-# to point at the directory where the gnu linker is installed. Here's
-# what I do:
-# $ mkdir /tmp/foo
-# $ ln -s /path/to/gnu/ld /tmp/foo/ld
-# $ export GCC_EXEC_PREFIX=/tmp/foo/
-# $ export PATH=/tmp/foo:$PATH
-
-OS=solaris
-ARCH=sun
-CC=cc
-INSTALL=install
-MKDIR=mkdir -p
-WARNINGS = -D_POSIX_SOURCE
-PIC=-KPIC
-CFLAGS=-g -D__EXTENSIONS__ -Dsolaris
-ULIBS=
-LD=ld
-LD_L=$(LD) -G
-LD_D=$(LD_L)
-RDYNAMIC=
-USESONAME=yes
-SOSWITCH=-h
-NEEDSONAME=no
-LDCONFIG=echo
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
diff --git a/contrib/libpam/defs/sunos.defs b/contrib/libpam/defs/sunos.defs
deleted file mode 100644
index 158accc..0000000
--- a/contrib/libpam/defs/sunos.defs
+++ /dev/null
@@ -1,37 +0,0 @@
-##
-# SunOS defs contributed by Derrick J Brashear <shadow@dementia.org>
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the SunOS version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-OS=sunos
-ARCH=sun
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=-O2 -pipe -g -D__EXTENSIONS__
-ULIBS=
-LD_D=gcc -shared -Xlinker -x
-LD=ld
-LD_L=$(LD)
-USESONAME=no
-NEEDSONAME=yes
-LDCONFIG=/usr/etc/ldconfig
-AR=ar cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
-WARNINGS= -ansi -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align \
- -Wtraditional -Wstrict-prototypes -Wmissing-prototypes \
- -Wnested-externs -Winline -Wshadow
diff --git a/contrib/libpam/doc/modules/README b/contrib/libpam/doc/modules/README
deleted file mode 100644
index b97b2cd..0000000
--- a/contrib/libpam/doc/modules/README
+++ /dev/null
@@ -1,13 +0,0 @@
-$Id: README,v 1.2 1996/11/17 17:20:28 morgan Exp $
-
-This directory contains a number of sgml sub-files. One for each
-documented module. They contain a description of each module and give
-some indication of its reliability.
-
-Additionally, there is a 'module.sgml-template' file which should be
-used as a blank form for new module descriptions.
-
-Please feel free to submit amendments/comments etc. regarding these
-files to:
-
- Andrew G. Morgan <morgan@parc.power.net>
diff --git a/contrib/libpam/doc/modules/module.sgml-template b/contrib/libpam/doc/modules/module.sgml-template
deleted file mode 100644
index 53cd809..0000000
--- a/contrib/libpam/doc/modules/module.sgml-template
+++ /dev/null
@@ -1,170 +0,0 @@
-<!--
-
- $Id: module.sgml-template,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This template file was written by Andrew G. Morgan
- <morgan@parc.power.net>
-
-[
- Text that should be deleted/replaced, is enclosed within
- '[' .. ']'
- marks. For example, this text should be deleted!
-]
-
--->
-
-<sect1> [*Familiar full name of module*, eg. The "allow all" module.]
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-[
- insert the name of the module
-
- Blank is not permitted.
-]
-
-<tag><bf>Author[s]:</bf></tag>
-
-[
- Insert author names here
-
- Blank is not permitted. If in doubt, put "unknown" if the
- author wishes to remain anonymous, put "anonymous".
-]
-
-<tag><bf>Maintainer:</bf></tag>
-
-[
- Insert names and date-begun of most recent maintainer.
-]
-
-<tag><bf>Management groups provided:</bf></tag>
-
-[
- list the subset of four management groups supported by the
- module. Choose from: account; authentication; password;
- session.
-
- Blank entries are not permitted. Explicitly list all of the
- management groups. In the future more may be added to libpam!
-]
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-[
- Indicate whether this module contains code that can perform
- reversible (strong) encryption. This field is primarily to
- ensure that people redistributing it are not unwittingly
- breaking laws...
-
- Modules may also require the presence of some local library
- that performs the necessary encryption via some standard API.
- In this case "uses API" can be included in this field. The
- library in question should be added to the system requirements
- below.
-
- Blank = no cryptography is used by module.
-]
-
-<tag><bf>Security rating:</bf></tag>
-
-[
- Initially, this field should be left blank. If someone takes
- it upon themselves to test the strength of the module, it can
- later be filled.
-
- Blank = unknown.
-]
-
-<tag><bf>Clean code base:</bf></tag>
-
-[
- This will probably be filled by the libpam maintainer.
- It can be considered to be a public humiliation list. :*)
-
- I am of the opinion that "gcc -with_all_those_flags" is
- trying to tell us something about whether the program
- works as intended. Since there is currently no Security
- evaluation procedure for modules IMHO this is not a
- completely unreasonable indication (a lower bound anyway)
- of the reliability of a module.
-
- This field would indicate the number and flavor of
- warnings that gcc barfs up when trying to compile the
- module as part of the tree. Is this too tyrannical?
-
- Blank = Linux-PAM maintainer has not tested it :)
-]
-
-<tag><bf>System dependencies:</bf></tag>
-
-[
- here we list config files, dynamic libraries needed, system
- resources, kernel options.. etc.
-
- Blank = nothing more than libc required.
-]
-
-<tag><bf>Network aware:</bf></tag>
-
-[
- Does the module base its behavior on probing a network
- connection? Does it expect to be protected by the
- application?
-
- Blank = Ignorance of network.
-]
-
-</descrip>
-
-<sect2>Overview of module
-
-[
- some text describing the intended actions of the module
- general comments mainly (specifics in sections
- below).
-]
-
-[
-
- [ now we have a <sect2> level subsection for each of the
- management groups. Include as many as there are groups
- listed above in the synopsis ]
-
-<sect2>[ Account | Authentication | Password | Session ] component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-[
- List the supported arguments (leave their description for the
- description below.
-
- Blank = no arguments are read and nothing is logged to syslog
- about any arguments that are passed. Note, this
- behavior is contrary to the RFC!
-]
-
-<tag><bf>Description:</bf></tag>
-
-[
- This component of the module performs the task of ...
-]
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-[
- Here we list some doos and don'ts for this module.
-]
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_chroot.sgml b/contrib/libpam/doc/modules/pam_chroot.sgml
deleted file mode 100644
index 7f8c4a3..0000000
--- a/contrib/libpam/doc/modules/pam_chroot.sgml
+++ /dev/null
@@ -1,86 +0,0 @@
-<!--
- $Id: pam_chroot.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Bruce Campbell <brucec@humbug.org.au>
--->
-
-<sect1>Chroot
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_chroot/
-
-<tag><bf>Author:</bf></tag>
-Bruce Campbell &lt;brucec@humbug.org.au&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author; proposed on 20/11/96 - email for status
-
-<tag><bf>Management groups provided:</bf></tag>
-account; session; authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Unwritten.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-Expects localhost.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is intended to provide a transparent wrapper around the
-average user, one that puts them in a fake file-system (eg, their
-'<tt>/</tt>' is really <tt>/some/where/else</tt>).
-
-<p>
-Useful if you have several classes of users, and are slightly paranoid
-about security. Can be used to limit who else users can see on the
-system, and to limit the selection of programs they can run.
-
-<sect2>Account component:
-
-<p>
-<em/Need more info here./
-
-<sect2>Authentication component:
-
-<p>
-<em/Need more info here./
-
-<sect2>Session component:
-
-<p>
-<em/Need more info here./
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-Arguments and logging levels for the PAM version are being worked on.
-
-<tag><bf>Description:</bf></tag>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-Do provide a reasonable list of programs - just tossing 'cat', 'ls', 'rm',
-'cp' and 'ed' in there is a bit...
-<p>
-Don't take it to extremes (eg, you can set up a separate environment for
-each user, but its a big waste of your disk space.)
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_cracklib.sgml b/contrib/libpam/doc/modules/pam_cracklib.sgml
deleted file mode 100644
index 4700c2a0..0000000
--- a/contrib/libpam/doc/modules/pam_cracklib.sgml
+++ /dev/null
@@ -1,254 +0,0 @@
-<!--
- $Id: pam_cracklib.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
- long password amendments are from Philip W. Dalrymple III <pwd@mdtsoft.com>
--->
-
-<sect1>Cracklib pluggable password strength-checker
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-
-pam_cracklib
-
-<tag><bf>Author:</bf></tag>
-
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-
-password
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-Requires the system library <tt/libcrack/ and a system dictionary:
-<tt>/usr/lib/cracklib_dict</tt>.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module can be plugged into the <tt/password/ stack of a given
-application to provide some plug-in strength-checking for passwords.
-(XXX - note this does not necessarily work with the pam_unix module,
-although it is known to work with the pam_pwdb replacement for the
-unix module -- see example and pam_pwdb write up for more
-information).
-
-<p>
-This module works in the following manner: it first calls the
-<em>Cracklib</em> routine to check the strength of the password; if
-crack likes the password, the module does an additional set of
-strength checks. These checks are:
-<itemize>
-
-<item> <bf/Palindrome/ -
-
-Is the new password a palindrome of the old one?
-
-<item> <bf/Case Change Only/ -
-
-Is the new password the the old one with only a change of case?
-
-<item> <bf/Similar/ -
-
-Is the new password too much like the old one? This is controlled
-by one argument, <tt/difok/ which is a number of characters that if
-different between the old and new are enough to accept the new
-password, this defaults to 10 or 1/2 the size of the new password
-whichever is smaller.
-
-<item <bf/Simple/ -
-
-Is the new password too small? This is controlled by 5 arguments
-<tt/minlen/, <tt/dcredit/, <tt/ucredit/, <tt/lcredit/, and
-<tt/ocredit/. See the section on the arguments for the details of how
-these work and there defaults.
-
-<item <bf/Rotated/ -
-
-Is the new password a rotated version of the old password?
-
-</itemize>
-
-<p>
-This module with no arguments will work well for standard unix
-password encryption. With md5 encryption, passwords can be longer
-than 8 characters and the default settings for this module can make it
-hard for the user to choose a satisfactory new password. Notably, the
-requirement that the new password contain no more than 1/2 of the
-characters in the old password becomes a non-trivial constraint. For
-example, an old password of the form "the quick brown fox jumped over
-the lazy dogs" would be difficult to change... In addition, the
-default action is to allow passwords as small as 5 characters in
-length. For a md5 systems it can be a good idea to increase the
-required minimum size of a password. One can then allow more credit
-for different kinds of characters but accept that the new password may
-share most of these characters with the old password.
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/;
-<tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/;
-
-<tag><bf>Description:</bf></tag>
-
-The action of this module is to prompt the user for a password and
-check its strength against a system dictionary and a set of rules for
-identifying poor choices.
-
-<p>
-The default action is to prompt for a single password, check its
-strength and then, if it is considered strong, prompt for the password
-a second time (to verify that it was typed correctly on the first
-occasion). All being well, the password is passed on to subsequent
-modules to be installed as the new authentication token.
-
-<p>
-The default action may be modified in a number of ways using the
-arguments recognized by the module:
-<itemize>
-
-<item> <tt/debug/ -
-
-this option makes the module write information to syslog(3) indicating
-the behavior of the module (this option does <bf/not/ write password
-information to the log file).
-
-<item> <tt/type=XXX/ -
-
-the default action is for the module to use the following prompts when
-requesting passwords: ``New UNIX password: '' and ``Retype UNIX
-password: ''. Using this option you can replace the word UNIX with
-<tt/XXX/.
-
-<item> <tt/retry=N/ -
-
-the default number of times this module will request a new password
-(for strength-checking) from the user is 1. Using this argument this
-can be increased to <tt/N/.
-
-<item> <tt/difok=N/ -
-
-This argument will change the default of 10 for the number of
-characters in the new password that must not be present in the old
-password. In addition, if 1/2 of the characters in the new password
-are different then the new password will be accepted anyway.
-
-<item> <tt/minlen=N/ -
-
-The minimum acceptable size for the new password plus one. In
-addition to the number of characters in the new password, credit (of
-+1 in length) is given for each different kind of character (<em>other,
-upper, lower</em> and <em/digit/). The default for this parameter is
-9 which is good for a old style UNIX password all of the same type of
-character but may be too low to exploit the added security of a md5
-system. Note that there is a pair of length limits in
-<em>Cracklib</em> itself, a "way too short" limit of 4 which is hard
-coded in and a defined limit (6) that will be checked without
-reference to <tt>minlen</tt>. If you want to allow passwords as short
-as 5 characters you should either not use this module or recompile
-the crack library and then recompile this module.
-
-<item> <tt/dcredit=N/ -
-
-This is the maximum credit for having digits in the new password. If
-you have less than or <tt/N/ digits, each digit will count +1 towards
-meeting the current <tt/minlen/ value. The default for <tt/dcredit/
-is 1 which is the recommended value for <tt/minlen/ less than 10.
-
-<item> <tt/ucredit=N/ -
-
-This is the maximum credit for having upper case letters in the new
-password. If you have less than or <tt/N/ upper case letters each
-letter will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/ucredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10.
-
-<item> <tt/lcredit=N/ -
-
-This is the maximum credit for having lower case letters in the new
-password. If you have less than or <tt/N/ lower case letters, each
-letter will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/lcredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10.
-
-<item> <tt/ocredit=N/ -
-
-This is the maximum credit for having other characters in the new
-password. If you have less than or <tt/N/ other characters, each
-character will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/ocredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-(At the time of writing, this module can only be stacked before the
-<tt/pam_pwdb/ module. Cracklib strength checking may be compiled by
-default into the <tt/pam_unix/ module.)
-
-<p>
-For an example of the use of this module, we show how it may be
-stacked with the password component of <tt/pam_pwdb/:
-<tscreen>
-<verb>
-#
-# These lines stack two password type modules. In this example the
-# user is given 3 opportunities to enter a strong password. The
-# "use_authtok" argument ensures that the pam_pwdb module does not
-# prompt for a password, but instead uses the one provided by
-# pam_cracklib.
-#
-passwd password required pam_cracklib.so retry=3
-passwd password required pam_pwdb.so use_authtok
-</verb>
-</tscreen>
-
-<p>
-Another example (in the <tt>/etc/pam.d/passwd</tt> format) is for the
-case that you want to use md5 password encryption:
-<tscreen>
-<verb>
-#%PAM-1.0
-#
-# These lines allow a md5 systems to support passwords of at least 14
-# bytes with extra credit of 2 for digits and 2 for others the new
-# password must have at least three bytes that are not present in the
-# old password
-#
-password required pam_cracklib.so \
- difok=3 minlen=15 dcredit= 2 ocredit=2
-password required pam_pwdb.so use_authtok nullok md5
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_deny.sgml b/contrib/libpam/doc/modules/pam_deny.sgml
deleted file mode 100644
index 99f3671..0000000
--- a/contrib/libpam/doc/modules/pam_deny.sgml
+++ /dev/null
@@ -1,179 +0,0 @@
-<!--
- $Id: pam_deny.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The locking-out module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_deny
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-current <bf/Linux-PAM/ maintainer
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module can be used to deny access. It always indicates a failure
-to the application through the PAM framework. As is commented in the
-overview section <ref id="overview-section" name="above">, this module
-might be suitable for using for default (the <tt/OTHER/) entries.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component does nothing other than return a failure. The
-failure type is <tt/PAM_ACCT_EXPIRED/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Stacking this module with type <tt/account/ will prevent the user from
-gaining access to the system via applications that refer to
-<bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/.
-
-<p>
-The following example would make it impossible to login:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to disable all accounts
-#
-login account required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component does nothing other than return a failure. The failure
-type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is
-called (when the application tries to authenticate the user), and is
-<tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/
-(to establish and set the credentials of the user -- it is unlikely
-that this function will ever be called in practice).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To deny access to default applications with this component of the
-<tt/pam_deny/ module, you might include the following line in your
-<bf/Linux-PAM/ configuration file:
-<tscreen>
-<verb>
-#
-# add this line to your existing OTHER entries to prevent
-# authentication succeeding with default applications.
-#
-OTHER auth required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module denies the user the opportunity to change
-their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when
-invoked.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module should be used to prevent an application from updating the
-applicant user's password. For example, to prevent <tt/login/ from
-automatically prompting for a new password when the old one has
-expired you should include the following line in your configuration
-file:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to prevent the login
-# application from being able to change the user's password.
-#
-login password required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This aspect of the module prevents an application from starting a
-session on the host computer.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Together with another session module, that displays a message of the
-day perhaps (XXX - such a module needs to be written),
-this module can be used to block a user from starting a shell. Given
-the presence of a <tt/pam_motd/ module, we might use the following
-entries in the configuration file to inform the user it is system
-time:
-<tscreen>
-<verb>
-#
-# An example to see how to configure login to refuse the user a
-# session (politely)
-#
-login session required pam_motd.so \
- file=/etc/system_time
-login session required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_env.sgml b/contrib/libpam/doc/modules/pam_env.sgml
deleted file mode 100644
index a62f457..0000000
--- a/contrib/libpam/doc/modules/pam_env.sgml
+++ /dev/null
@@ -1,125 +0,0 @@
-<!--
- $Id: pam_env.sgml,v 1.1 1997/04/05 06:50:42 morgan Exp $
-
- This file was written by Dave Kinchlea <kinch@kinch.ark.com>
- Ed. AGM
--->
-
-<sect1>Set/unset environment variables
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_env/
-
-<tag><bf>Author:</bf></tag>
-Dave Kinchlea &lt;kinch@kinch.ark.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-Authentication (setcred)
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-<tt>/etc/security/pam_env.conf</tt>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module allows the (un)setting of environment variables. Supported
-is the use of previously set environment variables as well as
-<em>PAM_ITEM</em>s such as <tt>PAM_RHOST</tt>.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/conffile=/<em/configuration-file-name/
-
-<tag><bf>Description:</bf></tag>
-This module allows you to (un)set arbitrary environment variables
-using fixed strings, the value of previously set environment variables
-and/or <em/PAM_ITEM/s.
-
-<p>
-All is controlled via a configuration file (by default,
-<tt>/etc/security/pam_env.conf</tt> but can be overriden with
-<tt>connfile</tt> argument). Each line starts with the variable name,
-there are then two possible options for each variable <bf>DEFAULT</bf>
-and <bf>OVERRIDE</bf>. <bf>DEFAULT</bf> allows and administrator to
-set the value of the variable to some default value, if none is
-supplied then the empty string is assumed. The <bf>OVERRIDE</bf>
-option tells pam_env that it should enter in its value (overriding the
-default value) if there is one to use. <bf>OVERRIDE</bf> is not used,
-<tt>""</tt> is assumed and no override will be done.
-
-<p>
-<tscreen>
-<verb>
-VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-</verb>
-</tscreen>
-
-<p>
-(Possibly non-existent) environment variables may be used in values
-using the <tt>&dollar;&lcub;string&rcub;</tt> syntax and (possibly
-non-existent) <em/PAM_ITEM/s may be used in values using the
-<tt>&commat;&lcub;string&rcub;</tt> syntax. Both the <tt>&dollar;</tt>
-and <tt>&commat;</tt> characters can be backslash-escaped to be used
-as literal values (as in <tt>&bsol;&dollar;</tt>. Double quotes may
-be used in values (but not environment variable names) when white
-space is needed <bf>the full value must be delimited by the quotes and
-embedded or escaped quotes are not supported</bf>.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/conffile=/<em/filename/
-- by default the file <tt>/etc/security/pam_env.conf</tt> is used as
-the configuration file. This option overrides the default. You must
-supply a complete path + file name.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-See sample <tt>pam_env.conf</tt> for more information and examples.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
-
-
-
-
-
-
-
-
-
-
diff --git a/contrib/libpam/doc/modules/pam_filter.sgml b/contrib/libpam/doc/modules/pam_filter.sgml
deleted file mode 100644
index 99f06ef..0000000
--- a/contrib/libpam/doc/modules/pam_filter.sgml
+++ /dev/null
@@ -1,150 +0,0 @@
-<!--
- $Id: pam_filter.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The filter module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-
-pam_filter
-
-<tag><bf>Author:</bf></tag>
-
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-Not yet.
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-This module compiles cleanly on Linux based systems.
-
-<tag><bf>System dependencies:</bf></tag>
-
-To function it requires <em/filters/ to be installed on the system.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module was written to offer a plug-in alternative to programs
-like ttysnoop (XXX - need a reference). Since writing a filter that
-performs this function has not occurred, it is currently only a toy.
-The single filter provided with the module simply transposes upper and
-lower case letters in the input and output streams. (This can be very
-annoying and is not kind to termcap based editors).
-
-<sect2>Account+Authentication+Password+Session components
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/; <tt/new_term/; <tt/non_term/; <tt/runX/
-
-<tag><bf>Description:</bf></tag>
-
-Each component of the module has the potential to invoke the desired
-filter. The filter is always <tt/execv(2)/d with the privilege of the
-calling application and <bf/not/ that of the user. For this reason it
-cannot usually be killed by the user without closing their session.
-
-<p>
-The behavior of the module can be significantly altered by the
-arguments passed to it in the <bf/Linux-PAM/ configuration file:
-<itemize>
-<item><tt/debug/ -
-
-this option increases the amount of information logged to
-<tt/syslog(3)/ as the module is executed.
-
-<item><tt/new_term/ -
-
-the default action of the filter is to set the <tt/PAM_TTY/ item to
-indicate the terminal that the user is using to connect to the
-application. This argument indicates that the filter should set
-<tt/PAM_TTY/ to the filtered pseudo-terminal.
-
-<item><tt/non_term/ -
-don't try to set the <tt/PAM_TTY/ item.
-
-<item><tt/runX/ -
-
-in order that the module can invoke a filter it should know when to
-invoke it. This argument is required to tell the filter when to do
-this. The arguments that follow this one are respectively the full
-pathname of the filter to be run and any command line arguments that
-the filter might expect.
-
-<p>
-Permitted values for <tt/X/ are <tt/1/ and <tt/2/. These indicate the
-precise time the that filter is to be run. To explain this concept it
-will be useful to have read the Linux-PAM Module developer's
-guide. Basically, for each management group there are up to two ways
-of calling the module's functions.
-
-In the case of the <em/authentication/ and <em/session/ components
-there are actually two separate functions. For the case of
-authentication, these functions are <tt/_authenticate/ and
-<tt/_setcred/ -- here <tt/run1/ means run the filter from the
-<tt/_authenticate/ function and <tt/run2/ means run the filter from
-<tt/_setcred/. In the case of the session modules, <tt/run1/ implies
-that the filter is invoked at the <tt/_open_session/ stage, and
-<tt/run2/ for <tt/_close_session/.
-
-<p>
-For the case of the account component. Either <tt/run1/ or <tt/run2/
-may be used.
-
-<p>
-For the case of the password component, <tt/run1/ is used to indicate
-that the filter is run on the first occasion <tt/_chauthtok/ is run
-(the <tt/PAM_PRELIM_CHECK/ phase) and <tt/run2/ is used to indicate
-that the filter is run on the second occasion (the
-<tt/PAM_UPDATE_AUTHTOK/ phase).
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-At the time of writing there is little real use to be made of this
-module. For fun you might try adding the following line to your
-login's configuration entries
-<tscreen>
-<verb>
-#
-# An example to see how to configure login to transpose upper and
-# lower case letters once the user has logged in(!)
-#
-login session required pam_filter.so \
- run1 /usr/sbin/pam_filter/upperLOWER
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_ftp.sgml b/contrib/libpam/doc/modules/pam_ftp.sgml
deleted file mode 100644
index ca2e065..0000000
--- a/contrib/libpam/doc/modules/pam_ftp.sgml
+++ /dev/null
@@ -1,93 +0,0 @@
-<!--
- $Id: pam_ftp.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>Anonymous access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_ftp.so/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-prompts for email address of user; easily spoofed (XXX - needs work)
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-The purpose of this module is to provide a pluggable anonymous ftp
-mode of access.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/users=XXX,YYY,.../;
-<tt/ignore/
-
-<tag><bf>Description:</bf></tag>
-
-This module intercepts the user's name and password. If the name is
-``<tt/ftp/'' or ``<tt/anonymous/'', the user's password is broken up
-at the `<tt/@/' delimiter into a <tt/PAM_RUSER/ and a <tt/PAM_RHOST/
-part; these pam-items being set accordingly. The username is set to
-``<tt/ftp/''. In this case the module succeeds. Alternatively, the
-module sets the <tt/PAM_AUTHTOK/ item with the entered password and
-fails.
-
-<p>
-The behavior of the module can be modified with the following flags:
-<itemize>
-<item><tt/debug/ -
-log more information to with <tt/syslog(3)/.
-
-<item><tt/users=XXX,YYY,.../ -
-instead of ``<tt/ftp/'' or ``<tt/anonymous/'', provide anonymous login
-to the comma separated list of users; ``<tt/XXX,YYY,.../''. Should the
-applicant enter one of these usernames the returned username is set to
-the first in the list; ``<tt/XXX/''.
-
-<item><tt/ignore/ -
-pay no attention to the email address of the user (if supplied).
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-An example of the use of this module is provided in the configuration
-file section <ref id="configuration" name="above">. With care, this
-module could be used to provide new/temporary account anonymous
-login.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_group.sgml b/contrib/libpam/doc/modules/pam_group.sgml
deleted file mode 100644
index 360edee..0000000
--- a/contrib/libpam/doc/modules/pam_group.sgml
+++ /dev/null
@@ -1,108 +0,0 @@
-<!--
- $Id: pam_group.sgml,v 1.2 1997/01/04 20:50:10 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The group access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_group/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-Sensitive to <em/setgid/ status of file-systems accessible to users.
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled
-with or without <tt/libpwdb/.
-
-<tag><bf>Network aware:</bf></tag>
-Only through correctly set <tt/PAM_TTY/ item.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module provides group-settings based on the user's name and the
-terminal they are requesting a given service from. It takes note of
-the time of day.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This module does not authenticate the user, but instead it grants
-group memberships (in the credential setting phase of the
-authentication module) to the user. Such memberships are based on the
-service they are applying for. The group memberships are listed in
-text form in the <tt>/etc/security/group.conf</tt> file.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For this module to function correctly there must be a correctly
-formatted <tt>/etc/security/groups.conf</tt> file present. The format
-of this file is as follows. Group memberships are given based on the
-service application satisfying any combination of lines in the
-configuration file. Each line (barring comments which are preceded by
-`<tt/#/' marks) has the following
-syntax:
-<tscreen>
-<verb>
-services ; ttys ; users ; times ; groups
-</verb>
-</tscreen>
-Here the first four fields share the syntax of the <tt>pam_time</tt>
-configuration file; <tt>/etc/security/pam_time.conf</tt>, and the last
-field, the <tt/groups/ field, is a comma (or space) separated list of
-the text-names of a selection of groups. If the users application for
-service satisfies the first four fields, the user is granted membership
-of the listed groups.
-
-<p>
-As stated in above this module's usefulness relies on the file-systems
-accessible to the user. The point being that once granted the
-membership of a group, the user may attempt to create a <em/setgid/
-binary with a restricted group ownership. Later, when the user is not
-given membership to this group, they can recover group membership with
-the precompiled binary. The reason that the file-systems that the user
-has access to are so significant, is the fact that when a system is
-mounted <em/nosuid/ the user is unable to create or execute such a
-binary file. For this module to provide any level of security, all
-file-systems that the user has write access to should be mounted
-<em/nosuid/.
-
-<p>
-The <tt>pam_group</tt> module fuctions in parallel with the
-<tt>/etc/group</tt> file. If the user is granted any groups based on
-the behavior of this module, they are granted <em>in addition</em> to
-those entries <tt>/etc/group</tt> (or equivalent).
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_krb4.sgml b/contrib/libpam/doc/modules/pam_krb4.sgml
deleted file mode 100644
index edb87d1..0000000
--- a/contrib/libpam/doc/modules/pam_krb4.sgml
+++ /dev/null
@@ -1,126 +0,0 @@
-<!--
- $Id: pam_krb4.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
--->
-
-<sect1>The Kerberos 4 module.
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_krb4/
-
-<tag><bf>Author:</bf></tag>
-Derrick J. Brashear &lt;shadow@dementia.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-uses API
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
-and a set of Kerberos include files.
-
-<tag><bf>Network aware:</bf></tag>
-Gets Kerberos ticket granting ticket via a Kerberos key distribution
-center reached via the network.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module provides an interface for doing Kerberos verification of a
-user's password, getting the user a Kerberos ticket granting ticket
-for use with the Kerberos ticket granting service, destroying the
-user's tickets at logout time, and changing a Kerberos password.
-
-<sect2> Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module currently sets the user's <tt/KRBTKFILE/
-environment variable (although there is currently no way to export
-this), as well as deleting the user's ticket file upon logout (until
-<tt/PAM_CRED_DELETE/ is supported by <em/login/).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This part of the module won't be terribly useful until we can change
-the environment from within a <tt/Linux-PAM/ module.
-
-</descrip>
-
-<sect2> Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/use_first_pass/; <tt/try_first_pass/
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module changes a user's Kerberos password
-by first getting and using the user's old password to get
-a session key for the password changing service, then sending
-a new password to that service.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This should only be used with a real Kerberos v4 <tt/kadmind/. It
-cannot be used with an AFS kaserver unless special provisions are
-made. Contact the module author for more information.
-
-</descrip>
-
-<sect2> Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/use_first_pass/; <tt/try_first_pass/
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module verifies a user's Kerberos password
-by requesting a ticket granting ticket from the Kerberos server
-and optionally using it to attempt to retrieve the local computer's
-host key and verifying using the key file on the local machine if
-one exists.
-
-It also writes out a ticket file for the user to use later, and
-deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
-is called from <em/login/).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used with a real Kerberos server using MIT
-v4 Kerberos keys. The module or the system Kerberos libraries
-may be modified to support AFS style Kerberos keys. Currently
-this is not supported to avoid cryptography constraints.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_lastlog.sgml b/contrib/libpam/doc/modules/pam_lastlog.sgml
deleted file mode 100644
index 8c0e662..0000000
--- a/contrib/libpam/doc/modules/pam_lastlog.sgml
+++ /dev/null
@@ -1,119 +0,0 @@
-<!--
- $Id: pam_mail.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The last login module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_lastlog/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-auth
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-uses information contained in the <tt>/var/log/wtmp</tt> file.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This session module maintains the <tt>/var/log/wtmp</tt> file. Adding
-an open entry when called via the <tt>pam_open_seesion()</tt> function
-and completing it when <tt>pam_close_session()</tt> is called. This
-module can also display a line of information about the last login of
-the user. If an application already performs these tasks, it is not
-necessary to use this module.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/nodate/; <tt/noterm/; <tt/nohost/; <tt/silent/;
-<tt/never/
-
-<tag><bf>Description:</bf></tag>
-
-<p>
-This module can be used to provide a ``Last login on ...''
-message. when the user logs into the system from what ever application
-uses the PAM libraries. In addition, the module maintains the
-<tt>/var/log/wtmp</tt> file.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/nodate/
-- neglect to give the date of the last login when displaying
-information about the last login on the system.
-
-<item><tt/noterm/
-- neglect to diplay the terminal name on which the last login was
-attempt.
-
-<item><tt/nohost/
-- neglect to indicate from which host the last login was attempted.
-
-<item><tt/silent/
-- neglect to inform the user about any previous login: just update
-the <tt>/var/log/wtmp</tt> file.
-
-<item><tt/never/
-- if the <tt>/var/log/wtmp</tt> file does not contain any old entries
-for the user, indicate that the user has never previously logged in
-with a ``welcome..." message.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used to indicate that the user has new mail when
-they <em/login/ to the system. Here is a sample entry for your
-<tt>/etc/pam.conf</tt> file:
-<tscreen>
-<verb>
-#
-# do we have any mail?
-#
-login session optional pam_lastlog.so
-</verb>
-</tscreen>
-
-<p>
-Note, some applications may perform this function themselves. In such
-cases, this module is not necessary.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_limits.sgml b/contrib/libpam/doc/modules/pam_limits.sgml
deleted file mode 100644
index 6b98ea6..0000000
--- a/contrib/libpam/doc/modules/pam_limits.sgml
+++ /dev/null
@@ -1,196 +0,0 @@
-<!--
- $Id: pam_limits.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
- from information compiled by Cristian Gafton (author of module)
--->
-
-<sect1>The resource limits module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_limits/
-
-<tag><bf>Authors:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
-Thanks are also due to Elliot Lee &lt;sopwith@redhat.com&gt;
-for his comments on improving this module.
-
-<tag><bf>Maintainer:</bf></tag>
-Cristian Gafton - 1996/11/20
-
-<tag><bf>Management groups provided:</bf></tag>
-session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-requires an <tt>/etc/security/limits.conf</tt> file and kernel support
-for resource limits. Also uses the library, <tt/libpwdb/.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets
-limits on the system resources that can be obtained in a
-user-session. Its actions are dictated more explicitly through the
-configuration file discussed below.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt>conf=/path/to/file.conf</tt>
-
-<tag><bf>Description:</bf></tag>
-
-Through the contents of the configuration file,
-<tt>/etc/security/limits.conf</tt>, resource limits are placed on
-users' sessions. Users of <tt/uid=0/ are not affected by this
-restriction.
-
-<p>
-The behavior of this module can be modified with the following
-arguments:
-<itemize>
-
-<item><tt/debug/ -
-verbose logging to <tt/syslog(3)/.
-
-<item><tt>conf=/path/to/file.conf</tt> -
-indicate an alternative <em/limits/ configuration file to the default.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In order to use this module the system administrator must first create
-a <em/root-only-readable/ file (default is
-<tt>/etc/security/limits.conf</tt>). This file describes the resource
-limits the superuser wishes to impose on users and groups. No limits
-are imposed on <tt/uid=0/ accounts.
-
-<p>
-Each line of the configuration file describes a limit for a user in
-the form:
-<tscreen>
-<verb>
-<domain> <type> <item> <value>
-</verb>
-</tscreen>
-
-<p>
-The fields listed above should be filled as follows...<newline>
-<tt>&lt;domain&gt;</tt> can be:
-<itemize>
-<item> a username
-<item> a groupname, with <tt>@group</tt> syntax
-<item> the wild-card <tt/*/, for default entry
-</itemize>
-
-<p>
-<tt>&lt;type&gt;</tt> can have the two values:
-<itemize>
-
-<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits
-are set by the superuser and enforced by the Linux Kernel. The user
-cannot raise his requirement of system resources above such values.
-
-<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits
-are ones that the user can move up or down within the permitted range
-by any pre-exisiting <em/hard/ limits. The values specified with this
-token can be thought of as <em/default/ values, for normal system
-usage.
-
-</itemize>
-
-<p>
-<tt>&lt;item&gt;</tt> can be one of the following:
-<itemize>
-<item><tt/core/ - limits the core file size (KB)
-<item><tt/data/ - max data size (KB)
-<item><tt/fsize/ - maximum filesize (KB)
-<item><tt/memlock/ - max locked-in-memory address space (KB)
-<item><tt/nofile/ - max number of open files
-<item><tt/rss/ - max resident set size (KB)
-<item><tt/stack/ - max stack size (KB)
-<item><tt/cpu/ - max CPU time (MIN)
-<item><tt/nproc/ - max number of processes
-<item><tt/as/ - address space limit
-<item><tt/maxlogins/ - max number of logins for this user.
-</itemize>
-
-<p>
-To completely disable limits for a user (or a group), a single dash
-(-) will do (Example: ``<tt/bin -/'', ``<tt/@admin -/''). Please
-remember that individual limits have priority over group limits, so if
-you impose no limits for <tt/admin/ group, but one of the members in this
-group have a limits line, the user will have its limits set according
-to this line.
-
-<p>
-Also, please note that all limit settings are set <em/per login/.
-They are not global, nor are they permanent; existing only for the
-duration of the session.
-
-<p>
-In the <em/limits/ configuration file, the ``<tt/#/'' character
-introduces a comment - after which the rest of the line is ignored.
-
-<p>
-The <tt/pam_limits/ module does its best to report configuration
-problems found in its configuration file via <tt/syslog(3)/.
-
-<p>
-The following is an example configuration file:
-<tscreen>
-<verb>
-# EXAMPLE /etc/security/limits.conf file:
-# =======================================
-# <domain> <type> <item> <value>
-* soft core 0
-* hard rss 10000
-@student hard nproc 20
-@faculty soft nproc 20
-@faculty hard nproc 50
-ftp hard nproc 0
-@student - maxlogins 4
-</verb>
-</tscreen>
-Note, the use of <tt/soft/ and <tt/hard/ limits for the same resource
-(see <tt/@faculty/) -- this establishes the <em/default/ and permitted
-<em/extreme/ level of resources that the user can can obtain in a
-given service-session.
-
-<p>
-For the services that need resources limits (login for example) put a
-the following line in <tt>/etc/pam.conf</tt> as the last line for that
-service (usually after the pam_unix session line:
-<tscreen>
-<verb>
-#
-# Resource limits imposed on login sessions via pam_limits
-#
-login session required pam_limits.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_listfile.sgml b/contrib/libpam/doc/modules/pam_listfile.sgml
deleted file mode 100644
index fe4a0d2..0000000
--- a/contrib/libpam/doc/modules/pam_listfile.sgml
+++ /dev/null
@@ -1,138 +0,0 @@
-<!--
- $Id: pam_listfile.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The list-file module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_listfile/
-
-<tag><bf>Author:</bf></tag>
-Elliot Lee <tt>&lt;sopwith@cuc.edu&gt;</tt>
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat Software:<newline>
-Michael K. Johnson &lt;johnsonm@redhat.com&gt; 1996/11/18<newline>
-(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-clean
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-The list-file module provides a way to deny or allow services based on
-an arbitrary file.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt>onerr=succeed|fail</tt>;
-<tt>sense=allow|deny</tt>;
-<tt>file=</tt><it>filename</it>;
-<tt>item=user|tty|rhost|ruser|group|shell</tt>
-<tt>apply=user|@group</tt>
-
-<tag><bf>Description:</bf></tag>
-
-The module gets the item of the type specified -- <tt>user</tt> specifies
-the username, <tt>PAM_USER</tt>; tty specifies the name of the terminal
-over which the request has been made, <tt>PAM_TTY</tt>; rhost specifies
-the name of the remote host (if any) from which the request was made,
-<tt>PAM_RHOST</tt>; and ruser specifies the name of the remote user
-(if available) who made the request, <tt>PAM_RUSER</tt> -- and looks for
-an instance of that item in the file <it>filename</it>. <it>filename</it>
-contains one line per item listed. If the item is found, then if
-<tt>sense=allow</tt>, <tt>PAM_SUCCESS</tt> is returned, causing the
-authorization request to succeed; else if <tt>sense=deny</tt>,
-<tt>PAM_AUTH_ERR</tt> is returned, causing the authorization
-request to fail.
-
-<p>
-If an error is encountered (for instance, if <it>filename</it>
-does not exist, or a poorly-constructed argument is encountered),
-then if <tt>onerr=succeed</tt>, <tt>PAM_SUCCESS</tt> is returned,
-otherwise if <tt>onerr=fail</tt>, <tt>PAM_AUTH_ERR</tt> or
-<tt>PAM_SERVICE_ERR</tt> (as appropriate) will be returned.
-
-<p>
-An additional argument, <tt>apply=</tt>, can be used to restrict the
-application of the above to a specific user
-(<tt>apply=</tt><em>username</em>) or a given group
-(<tt>apply=@</tt><em>groupname</em>). This added restriction is only
-meaningful when used with the <tt/tty/, <tt/rhost/ and <tt/shell/
-<em/items/.
-
-<p>
-Besides this last one, all arguments should be specified; do not count
-on any default behavior, as it is subject to change.
-
-<p>
-No credentials are awarded by this module.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Classic ``ftpusers'' authentication can be implemented with this entry
-in <tt>/etc/pam.conf</tt>:
-<tscreen>
-<verb>
-#
-# deny ftp-access to users listed in the /etc/ftpusers file
-#
-ftp auth required pam_listfile.so \
- onerr=succeed item=user sense=deny file=/etc/ftpusers
-</verb>
-</tscreen>
-Note, users listed in <tt>/etc/ftpusers</tt> file are
-(counterintuitively) <bf/not/ allowed access to the ftp service.
-
-<p>
-To allow login access only for certain users, you can use an
-pam.conf entry like this:
-<tscreen>
-<verb>
-#
-# permit login to users listed in /etc/loginusers
-#
-login auth required pam_listfile.so \
- onerr=fail item=user sense=allow file=/etc/loginusers
-</verb>
-</tscreen>
-
-<p>
-For this example to work, all users who are allowed to use the login
-service should be listed in the file <tt>/etc/loginusers</tt>. Unless
-you are explicitly trying to lock out root, make sure that when you do
-this, you leave a way for root to log in, either by listing root in
-<tt>/etc/loginusers</tt>, or by listing a user who is able to <em/su/
-to the root account.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_mail.sgml b/contrib/libpam/doc/modules/pam_mail.sgml
deleted file mode 100644
index 9a99f20..0000000
--- a/contrib/libpam/doc/modules/pam_mail.sgml
+++ /dev/null
@@ -1,124 +0,0 @@
-<!--
- $Id: pam_mail.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The mail module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_mail/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-auth
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Default mail directory <tt>/var/spool/mail/</tt>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module looks at the user's mail directory and indicates
-whether the user has any mail in it.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/dir=/<em/direcory-name/; <tt/nopen/; <tt/close/;
-<tt/noenv/; <tt/empty/
-
-<tag><bf>Description:</bf></tag>
-
-This module provides the ``you have new mail'' service to the user. It
-can be plugged into any application that has credential hooks. It gives a
-single message indicating the <em/newness/ of any mail it finds in the
-user's mail folder. This module also sets the <bf/Linux-PAM/
-environment variable, <tt/MAIL/, to the user's mail directory.
-
-<p>
-Although the module supplies functions for the authentication
-management group of functions, it cannot be used to authenticate a
-user; its authentication function instructs <tt/libpam/ to simply
-ignore it when authenticating the user.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/dir=/<em/pathname/
-- look for the users' mail in an alternative directory given by
-<em/pathname/. The default location for mail is
-<tt>/var/spool/mail</tt>. Note, if the supplied <em/pathname/ is
-prefixed by a `<tt/&tilde;/', the directory is interpreted as
-indicating a file in the user's home directory.
-
-<item><tt/nopen/
-- instruct the module to <em/not/ print any mail information when the
-user's credentials are acquired. This flag is useful to get the <tt/MAIL/
-environment variable set, but to not display any information about it.
-
-<item><tt/close/
-- instruct the module to indicate if the user has any mail at the as
-the user's credentials are revoked.
-
-<item><tt/noenv/
-- do not set the <tt/MAIL/ environment variable.
-
-<item><tt/empty/
-- indicate that the user's mail directory is empty if this is found to
-be the case.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used to indicate that the user has new mail when
-they <em/login/ to the system. Here is a sample entry for your
-<tt>/etc/pam.conf</tt> file:
-<tscreen>
-<verb>
-#
-# do we have any mail?
-#
-login auth optional pam_mail.so
-</verb>
-</tscreen>
-
-<p>
-Note, some applications may perform this function themselves. In such
-cases, this module is not necessary.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_nologin.sgml b/contrib/libpam/doc/modules/pam_nologin.sgml
deleted file mode 100644
index de4b32a..0000000
--- a/contrib/libpam/doc/modules/pam_nologin.sgml
+++ /dev/null
@@ -1,75 +0,0 @@
-<!--
- $Id: pam_nologin.sgml,v 1.2 1997/01/04 21:56:55 morgan Exp $
-
- This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The no-login module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_nologin/
-
-<tag><bf>Author:</bf></tag>
-Written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
-(based on code taken from a module written by Andrew G. Morgan
-&lt;morgan@parc.power.net&gt;).
-
-<tag><bf>Maintainer:</bf></tag>
-Michael K. Johnson &lt;johnsonm@redhat.com&gt;
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-1 warning about dropping const
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Provides standard Unix <em/nologin/ authentication.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Provides standard Unix <em/nologin/ authentication. If the file
-<tt>/etc/nologin</tt> exists, only root is allowed to log in; other
-users are turned away with an error message. All users (root or
-otherwise) are shown the contents of <tt>/etc/nologin</tt>.
-
-<p>
-If the file <tt>/etc/nologin</tt> does not exist, this module succeeds
-silently.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In order to make this module effective, all login methods should
-be secured by it. It should be used as a <tt>required</tt>
-method listed before any <tt>sufficient</tt> methods in order to
-get standard Unix nologin semantics.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_permit.sgml b/contrib/libpam/doc/modules/pam_permit.sgml
deleted file mode 100644
index 84df9fc..0000000
--- a/contrib/libpam/doc/modules/pam_permit.sgml
+++ /dev/null
@@ -1,83 +0,0 @@
-<!--
- $Id: pam_permit.sgml,v 1.2 1997/02/15 18:20:12 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The promiscuous module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_permit
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan, &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Linux-PAM maintainer.
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-VERY LOW. Use with extreme caution.
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is very dangerous. It should be used with extreme
-caution. Its action is always to permit access. It does nothing else.
-
-<sect2>Account+Authentication+Password+Session components
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No matter what management group, the action of this module is to
-simply return <tt/PAM_SUCCESS/ -- operation successful.
-
-<p>
-In the case of authentication, the user's name will be acquired. Many
-applications become confused if this name is unknown.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-It is seldom a good idea to use this module. However, it does have
-some legitimate uses. For example, if the system-administrator wishes
-to turn off the account management on a workstation, and at the same
-time continue to allow logins, then she might use the following
-configuration file entry for login:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to disable account
-# management, but continue to permit users to log in...
-#
-login account required pam_permit.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_pwdb.sgml b/contrib/libpam/doc/modules/pam_pwdb.sgml
deleted file mode 100644
index c9f7bff..0000000
--- a/contrib/libpam/doc/modules/pam_pwdb.sgml
+++ /dev/null
@@ -1,245 +0,0 @@
-<!--
- $Id: pam_pwdb.sgml,v 1.3 1997/04/05 06:50:42 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The Password-Database module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_pwdb
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
-and Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Authors.
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires properly configured <tt/libpwdb/
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is a pluggable replacement for the <tt/pam_unix_../
-modules. It uses the generic interface of the <em/Password Database/
-library
-<tt><htmlurl
-url="http://parc.power.net/morgan/libpwdb/index.html"
-name="http://parc.power.net/morgan/libpwdb/index.html"></tt>.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the accounting functions of this module
-<tt/syslog(3)/ more information on its actions. (Remaining arguments
-supported by the other functions of this module are silently ignored,
-but others are logged as errors through <tt/syslog(3)/).
-
-Based on the following <tt/pwdb_element/s:
-<tt/expire/;
-<tt/last_change/;
-<tt/max_change/;
-<tt/defer_change/;
-<tt/warn_change/,
-this module performs the task of establishing the status of the user's
-account and password. In the case of the latter, it may offer advice
-to the user on changing their password or, through the
-<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until
-they have established a new password. The entries listed above are
-documented in the <em/Password Database Library Guide/ (see pointer
-above). Should the user's record not contain one or more of these
-entries, the corresponding <em/shadow/ check is not performed.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In its accounting mode, this module can be inserted as follows:
-<tscreen>
-<verb>
-#
-# Ensure users account and password are still active
-#
-login account required pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/use_first_pass/;
-<tt/try_first_pass/;
-<tt/nullok/;
-<tt/nodelay/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the authentication functions of this
-module <tt/syslog(3)/ more information on its actions.
-
-<p>
-The default action of this module is to not permit the user access to
-a service if their <em/official/ password is blank. The <tt/nullok/
-argument overrides this default.
-
-<p>
-When given the argument <tt/try_first_pass/, before prompting the user
-for their password, the module first tries the previous stacked
-<tt/auth/-module's password in case that satisfies this module as
-well. The argument <tt/use_first_pass/ forces the module to use such a
-recalled password and will never prompt the user - if no password is
-available or the password is not appropriate, the user will be denied
-access.
-
-<p>
-The argument, <tt>nodelay</tt>, can be used to discourage the
-authentication component from requesting a delay should the
-authentication as a whole fail. The default action is for the module
-to request a delay-on-failure of the order of one second.
-
-<p>
-Remaining arguments, supported by the other functions of this module,
-are silently ignored. Other arguments are logged as errors through
-<tt/syslog(3)/.
-
-<p>
-A helper binary, <tt>pwdb_chkpwd</tt>, is provided to check the user's
-password when it is stored in a read protected database. This binary
-is very simple and will only check the password of the user invoking
-it. It is called transparently on behalf of the user by the
-authenticating component of this module. In this way it is possible
-for applications like <em>xlock</em> to work without being setuid-root.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The correct functionality of this module is dictated by having an
-appropriate <tt>/etc/pwdb.conf</tt> file, the user
-databases specified there dictate the source of the authenticated
-user's record.
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/nullok/; <tt/not_set_pass/; <tt/use_authtok/;
-<tt/try_first_pass/; <tt/use_first_pass/; <tt/md5/; <tt/bigcrypt/;
-<tt/shadow/; <tt/radius/; <tt/unix/
-
-<tag><bf>Description:</bf></tag>
-
-This part of the <tt/pam_pwdb/ module performs the task of updating
-the user's password. Thanks to the flexibility of <tt/libpwdb/ this
-module is able to move the user's password from one database to
-another, perhaps securing the user's database entry in a dynamic
-manner (<em/this is very ALPHA code at the moment!/) - this is the
-purpose of the <tt/shadow/, <tt/radius/ and <tt/unix/ arguments.
-
-<p>
-In the case of conventional unix databases (which store the password
-encrypted) the <tt/md5/ argument is used to do the encryption with the
-MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call.
-As an alternative to this, the <tt/bigcrypt/ argument can be used to
-encrypt more than the first 8 characters of a password with DEC's
-(Digital Equipment Cooperation) `C2' extension to the standard UNIX
-<tt/crypt()/ algorithm.
-
-<p>
-The <tt/nullok/ module is used to permit the changing of a password
-<em/from/ an empty one. Without this argument, empty passwords are
-treated as account-locking ones.
-
-<p>
-The argument <tt/use_first_pass/ is used to lock the choice of old and
-new passwords to that dictated by the previously stacked <tt/password/
-module. The <tt/try_first_pass/ argument is used to avoid the user
-having to re-enter an old password when <tt/pam_pwdb/ follows a module
-that possibly shared the user's old password - if this old password is
-not correct the user will be prompted for the correct one. The
-argument <tt/use_authtok/ is used to <em/force/ this module to set the
-new password to the one provided by the previously stacked
-<tt/password/ module (this is used in an example of the stacking of
-the <em/Cracklib/ module documented above).
-
-<p>
-The <tt/not_set_pass/ argument is used to inform the module that it is
-not to pay attention to/make available the old or new passwords from/to
-other (stacked) password modules.
-
-<p>
-The <tt/debug/ argument makes the password functions of this module
-<tt/syslog(3)/ more information on its actions. Other arguments may be
-logged as erroneous to <tt/syslog(3)/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-An example of the stacking of this module with respect to the
-pluggable password checking module, <tt/pam_cracklib/, is given in
-that modules section above.
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No arguments are recognized by this module component. Its action is
-simply to log the username and the service-type to
-<tt/syslog(3)/. Messages are logged at the beginning and end of the
-user's session.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of the session modules is straightforward:
-<tscreen>
-<verb>
-#
-# pwdb - unix like session opening and closing
-#
-login session required pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_radius.sgml b/contrib/libpam/doc/modules/pam_radius.sgml
deleted file mode 100644
index 4d5f39a..0000000
--- a/contrib/libpam/doc/modules/pam_radius.sgml
+++ /dev/null
@@ -1,117 +0,0 @@
-<!--
- $Id: pam_radius.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Cristian Gafton <gafton@redhat.com>
--->
-
-<sect1>The RADIUS session module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_radius/
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-This module does not deal with passwords
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-gcc reports 1 warning when compiling <tt>/usr/include/rpc/clnt.h</tt>.
-Hey, is not my fault !
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-yes; this is a network module (independent of application).
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is intended to provide the session service for users
-autheticated with a RADIUS server. At the present stage, the only
-option supported is the use of the RADIUS server as an accounting
-server.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/ - verbose logging to <tt/syslog(3)/.
-
-<tag><bf>Description:</bf></tag>
-
-This module is intended to provide the session service for users
-autheticated with a RADIUS server. At the present stage, the only
-option supported is the use of the RADIUS server as an <em/accounting/
-server.
-
-<p>
-(There are few things which needs to be cleared out first in
-the PAM project until one will be able to use this module and expect
-it to magically start pppd in response to a RADIUS server command to
-use PPP for this user, or to initiate a telnet connection to another
-host, or to hang and call back the user using parameters provided in
-the RADIUS server response. Most of these things are better suited for
-the radius login application. I hope to make available Real Soon (tm)
-patches for the login apps to make it work this way.)
-
-<p>
-When opening a session, this module sends an ``Accounting-Start''
-message to the RADIUS server, which will log/update/whatever a
-database for this user. On close, an ``Accounting-Stop'' message is
-sent to the RADIUS server.
-
-<p>
-This module has no other prerequisites for making it work. One can
-install a RADIUS server just for fun and use it as a centralized
-accounting server and forget about wtmp/last/sac etc. .
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For the services that need this module (<em/login/ for example) put
-the following line in <tt>/etc/pam.conf</tt> as the last line for that
-service (usually after the pam_unix session line):
-<tscreen>
-<verb>
-login session required pam_radius.so
-</verb>
-</tscreen>
-Replace <tt/login/ for each service you are using this module.
-
-<p>
-This module make extensive use of the API provided in libpwdb
-0.54preB or later. By default, it will read the radius server
-configuration (hostname and secret) from <tt>/etc/raddb/server</tt>.
-This is a default compiled into libpwdb, and curently there is no way to
-modify this default without recompiling libpwdb. I am working on
-extending the radius support from libpwdb to provide a possibility
-to make this runtime-configurable.
-
-Also please note that libpwdb will require also the RADIUS
-dictionary to be present (<tt>/etc/raddb/dictionary</tt>).
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
-
diff --git a/contrib/libpam/doc/modules/pam_rhosts.sgml b/contrib/libpam/doc/modules/pam_rhosts.sgml
deleted file mode 100644
index 9100102..0000000
--- a/contrib/libpam/doc/modules/pam_rhosts.sgml
+++ /dev/null
@@ -1,157 +0,0 @@
-<!--
- $Id: pam_rhosts.sgml,v 1.4 1997/04/05 06:50:42 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The rhosts module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_rhosts_auth/
-
-<tag><bf>Author:</bf></tag>
-Al Longyear &lt;longyear@netcom.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-Standard <tt/inet_addr()/, <tt/gethostbyname()/ function calls.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module performs the standard network authentication for services,
-as used by traditional implementations of <em/rlogin/ and <em/rsh/
-etc.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/no_hosts_equiv/; <tt/no_rhosts/; <tt/debug/; <tt/no_warn/;
-<tt/privategroup/; <tt/promiscuous/; <tt/suppress/
-
-<tag><bf>Description:</bf></tag>
-
-The authentication mechanism of this module is based on the contents
-of two files; <tt>/etc/hosts.equiv</tt> (or <tt/_PATH_HEQUIV/ in
-<tt>#include &lt;netdb.h&gt;</tt>) and <tt>~/.rhosts</tt>. Firstly,
-hosts listed in the former file are treated as equivalent to the
-localhost. Secondly, entries in the user's own copy of the latter file
-is used to map "<tt/remote-host remote-user/" pairs to that user's
-account on the current host. Access is granted to the user if their
-host is present in <tt>/etc/hosts.equiv</tt> and their remote account
-is identical to their local one, or if their remote account has an
-entry in their personal configuration file.
-
-<p>
-Some restrictions are applied to the attributes of the user's personal
-configuration file: it must be a regular file (as defined by
-<tt/S_ISREG(x)/ of POSIX.1); it must be owned by the <em/superuser/ or
-the user; it must not be writable by any user besides its owner.
-
-<p>
-The module authenticates a remote user (internally specified by the
-item <tt/PAM_RUSER/) connecting from the remote host (internally
-specified by the item <tt/PAM_RHOST/). Accordingly, for applications
-to be compatible this authentication module they must set these items
-prior to calling <tt/pam_authenticate()/. The module is not capable
-of independently probing the network connection for such information.
-
-<p>
-In the case of <tt/root/-access, the <tt>/etc/host.equiv</tt> file is
-<em/ignored/. Instead, the superuser must have a correctly configured
-personal configuration file.
-
-<p>
-The behavior of the module is modified by flags:
-<itemize>
-<item>
-<tt/debug/ -
-log more information to <tt/syslog(3)/. (XXX - actually, this module
-does not do any logging currently, please volunteer to fix this!)
-
-<item>
-<tt/no_warn/ -
-do not give verbal warnings to the user about failures etc. (XXX -
-this module currently does not issue any warnings, please volunteer to
-fix this!)
-
-<item>
-<tt/no_hosts_equiv/ -
-ignore the contents of the <tt>/etc/hosts.equiv</tt> file.
-
-<item>
-<tt/no_rhosts/ -
-ignore the contents of all user's personal configuration file
-<tt>~/.rhosts</tt>.
-
-<item>
-<tt/privategroup/ -
-normally, the <tt>~/.rhosts</tt> file must not be writable by anyone
-other than its owner. This option overlooks group write access in the
-case that the group owner of this file has the same name as the
-user being authenticated. To lessen the security problems associated
-with this option, the module also checks that the user is the only
-member of their private group.
-
-<item>
-<tt/promiscuous/ -
-A host entry of `+' will lead to all hosts being granted
-access. Without this option, '+' entries will be ignored. Note, that
-the <tt/debug/ option will syslog a warning in this latter case.
-
-<item>
-<tt/suppress/ -
-This will prevent the module from <tt/syslog(3)/ing a warning message
-when this authentication fails. This option is mostly for keeping
-logs free of meaningless errors, in particular when the module is used
-with the <tt/sufficient/ control flag.
-
-</itemize>
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To allow users to login from trusted remote machines, you should try
-adding the following line to your <tt>/etc/pam.conf</tt> file
-<em/before/ the line that would otherwise prompt the user for a
-password:
-<tscreen>
-<verb>
-#
-# No passwords required for users from hosts listed above.
-#
-login auth sufficient pam_rhosts_auth.so no_rhosts
-</verb>
-</tscreen>
-Note, in this example, the system administrator has turned off all
-<em/personal/ <em/rhosts/ configuration files. Also note, that this module
-can be used to <em/only/ allow remote login from hosts specified in
-the <tt>/etc/host.equiv</tt> file, by replacing <tt/sufficient/ in the
-above example with <tt/required/.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_rootok.sgml b/contrib/libpam/doc/modules/pam_rootok.sgml
deleted file mode 100644
index ff6aa86..0000000
--- a/contrib/libpam/doc/modules/pam_rootok.sgml
+++ /dev/null
@@ -1,85 +0,0 @@
-<!--
- $Id: pam_rootok.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The root access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_rootok
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-<bf>Linux-PAM</bf> maintainer
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is for use in situations where the superuser wishes
-to gain access to a service without having to enter a password.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/
-
-<tag><bf>Description:</bf></tag>
-
-This module authenticates the user if their <tt/uid/ is <tt/0/.
-Applications that are created <em/setuid/-root generally retain the
-<tt/uid/ of the user but run with the authority of an enhanced
-<em/effective-/<tt/uid/. It is the real <tt/uid/ that is checked.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In the case of the <tt/su/ application the historical usage is to
-permit the superuser to adopt the identity of a lesser user without
-the use of a password. To obtain this behavior under <tt/Linux-PAM/
-the following pair of lines are needed for the corresponding entry in
-the configuration file:
-<tscreen>
-<verb>
-#
-# su authentication. Root is granted access by default.
-#
-su auth sufficient pam_rootok.so
-su auth required pam_unix_auth.so
-</verb>
-</tscreen>
-
-<p>
-Note. For programs that are run by the superuser (or started when the
-system boots) this module should not be used to authenticate users.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_securetty.sgml b/contrib/libpam/doc/modules/pam_securetty.sgml
deleted file mode 100644
index 276ae90..0000000
--- a/contrib/libpam/doc/modules/pam_securetty.sgml
+++ /dev/null
@@ -1,72 +0,0 @@
-<!--
- $Id: pam_securetty.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The securetty module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_securetty/
-
-<tag><bf>Author[s]:</bf></tag>
-Elliot Lee &lt;sopwith@cuc.edu&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat Software:<newline>
-<em/currently/ Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
-(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-<tt>/etc/securetty</tt> file
-
-<tag><bf>Network aware:</bf></tag>
-
-Requires the application to fill in the <tt>PAM_TTY</tt> item
-correctly in order to act meaningfully.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Provides standard Unix securetty checking.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Provides standard Unix securetty checking, which causes authentication
-for root to fail unless <tt>PAM_TTY</tt> is set to a string listed in
-the <tt>/etc/securetty</tt> file. For all other users, it succeeds.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For canonical usage, should be listed as a <tt>required</tt>
-authentication method before any <tt>sufficient</tt> authentication
-methods.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_time.sgml b/contrib/libpam/doc/modules/pam_time.sgml
deleted file mode 100644
index 0b3cddf..0000000
--- a/contrib/libpam/doc/modules/pam_time.sgml
+++ /dev/null
@@ -1,166 +0,0 @@
-<!--
- $Id: pam_time.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>Time control
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_time/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan <tt>&lt;morgan@parc.power.net&gt;</tt>
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-account
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires a configuration file <tt>/etc/security/time.conf</tt>
-
-<tag><bf>Network aware:</bf></tag>
-Through the <tt/PAM_TTY/ item only
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Running a well regulated system occasionally involves restricting
-access to certain services in a selective manner. This module offers
-some time control for access to services offered by a system. Its
-actions are determined with a configuration file. This module can be
-configured to deny access to (individual) users based on their name,
-the time of day, the day of week, the service they are applying for
-and their terminal from which they are making their request.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This module bases its actions on the rules listed in its configuration
-file: <tt>/etc/security/pam.conf</tt>. Each rule has the following
-form,
-<tscreen>
-<em/services/<tt/;/<em/ttys/<tt/;/<em/users/<tt/;/<em/times/
-</tscreen>
-In words, each rule occupies a line, terminated with a newline or the
-beginning of a comment; a `<tt/#/'. It contains four fields separated
-with semicolons, `<tt/;/'. The fields are as follows:
-
-<p>
-<itemize>
-<item><em/services/ -
-a logic list of service names that are affected by this rule.
-
-<item><em/ttys/ -
-a logic list of terminal names indicating those terminals covered by
-the rule.
-
-<item><em/user/ -
-a logic list of usernames to which this rule applies
-
-<p>
-By a logic list we mean a sequence of tokens (associated with the
-appropriate <tt/PAM_/ item), containing no more than one wildcard
-character; `<tt/*/', and optionally prefixed with a negation operator;
-`<tt/!/'. Such a sequence is concatenated with one of two logical
-operators: <tt/&amp;/ (logical AND) and <tt/|/ (logical OR). Two
-examples are: <tt>!morgan&amp;!root</tt>, indicating that this rule
-does not apply to the user <tt>morgan</tt> nor to <tt>root</tt>; and
-<tt>tty*&amp;!ttyp*</tt>, which indicates that the rule applies only
-to console terminals but not pseudoterminals.
-
-<item><em/times/ - a logic list of times at which this rule
-applies. The format of each element is a day/time-range. The days are
-specified by a sequence of two character entries. For example,
-<tt/MoTuSa/, indicates Monday Tuesday and Saturday. Note that
-repeated days are <em/unset/; <tt/MoTuMo/ indicates Tuesday, and
-<tt/MoWk/ means all weekdays bar Monday. The two character
-combinations accepted are,
-<tscreen>
-<verb>
-Mo Tu We Th Fr Sa Su Wk Wd Al
-</verb>
-</tscreen>
-The last two of these being <em/weekend/ days and <em/all 7 days/ of
-the week respectively.
-
-<p>
-The time range part is a pair of 24-hour times, <em/HHMM/, separated
-by a hyphen -- indicating the start and finish time for the rule. If
-the finsish time is smaller than the start time, it is assumed to
-apply on the following day. For an example, <tt/Mo1800-0300/ indicates
-that the permitted times are Monday night from 6pm to 3am the
-following morning.
-
-</itemize>
-
-<p>
-Note, that the given time restriction is only applied when the first
-three fields are satisfied by a user's application for service.
-
-<p>
-For convenience and readability a rule can be extended beyond a single
-line with a `<tt>&bsol;</tt><em/newline/'.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of this module is initiated with an entry in the
-<bf/Linux-PAM/ configuration file of the following type:
-<tscreen>
-<verb>
-#
-# apply pam_time accounting to login requests
-#
-login account required pam_time.so
-</verb>
-</tscreen>
-where, here we are applying the module to the <em/login/ application.
-
-<p>
-Some examples of rules that can be placed in the
-<tt>/etc/security/time.conf</tt> configuration file are the following:
-<descrip>
-
-<tag><tt>login ; tty* &amp ; !ttyp* ; !root ; !Al0000-2400</tt></tag>
-all users except for <tt/root/ are denied access to console-login at
-all times.
-
-<tag><tt>games ; * ; !waster ; Wd0000-2400 | Wk1800-0800</tt></tag>
-games (configured to use Linux-PAM) are only to be accessed out of
-working hours. This rule does not apply to the user <tt/waster/.
-
-</descrip>
-
-<p>
-Note, currently there is no daemon enforcing the end of a session.
-This needs to be remedied.
-
-<p>
-Poorly formatted rules are logged as errors using <tt/syslog(3)/.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_warn.sgml b/contrib/libpam/doc/modules/pam_warn.sgml
deleted file mode 100644
index 6e81f18..0000000
--- a/contrib/libpam/doc/modules/pam_warn.sgml
+++ /dev/null
@@ -1,67 +0,0 @@
-<!--
- $Id: pam_warn.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>Warning logger module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_warn/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication; password
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-logs information about the remote user and host (if pam-items are known)
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is principally for logging information about a
-proposed authentication or application to update a password.
-
-<sect2>Authentication+Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Log the service, terminal, user, remote user and remote host to
-<tt/syslog(3)/. The items are not probed for, but instead obtained
-from the standard pam-items.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-an example is provided in the configuration file section <ref
-id="configuration" name="above">.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_wheel.sgml b/contrib/libpam/doc/modules/pam_wheel.sgml
deleted file mode 100644
index 9139695..0000000
--- a/contrib/libpam/doc/modules/pam_wheel.sgml
+++ /dev/null
@@ -1,124 +0,0 @@
-<!--
- $Id: pam_wheel.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
- from notes provided by Cristian Gafton.
--->
-
-<sect1>The wheel module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_wheel/
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires libpwdb.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Only permit root access to members of the wheel (<tt/gid=0/) group.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/use_uid/;
-<tt/trust/;
-<tt/deny/;
-<tt/group=XXXX/
-
-<tag><bf>Description:</bf></tag>
-
-This module is used to enforce the so-called wheel group. By default,
-it permits root access to the system if the applicant user is a member
-of the <tt/wheel/ group (better described as the group with group-id
-<tt/0/).
-
-<p>
-The action of the module may be modified from this default by one or
-more of the following flags in the <tt>/etc/pam.conf</tt> file.
-<itemize>
-<item>
-<tt/debug/ -
-Supply more debugging information to <tt/syslog(3)/.
-
-<item>
-<tt/use_id/ -
-This option modifies the behavior of the module by using the current
-<tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user.
-This option is useful for being able to jump from one account to
-another, for example with 'su'.
-
-<item>
-<tt/trust/ -
-This option instructs the module to return <tt/PAM_SUCCESS/ should it
-find the user applying for root privilege is a member of the wheel
-group. The default action is to return <tt/PAM_IGNORE/ in this
-situation. By using the <tt/trust/ option it is possible to arrange
-for <tt/wheel/-group members to become root without typing a
-password. <bf/USE WITH CARE/.
-
-<item>
-<tt/deny/ -
-This is used to reverse the logic of the module's behavior.
-If the user is trying to get <tt/uid=0/ access and is a member of the wheel
-group, deny access (for the wheel group, this is perhaps nonsense!):
-it is intended for use in conjunction with the <tt/group=/ argument...
-
-<item>
-<tt/group=XXXX/ -
-Instead of checking the <tt/gid=0/ group, use the user's <tt/XXXX/
-group membership for the authentication. Here, <tt/XXXX/ is the name
-of the group and <bf/not/ its numeric identifier.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To restrict access to superuser status to the members of the
-<tt/wheel/ group, use the following entries in your configuration
-file:
-<tscreen>
-<verb>
-#
-# root gains access by default (rootok), only wheel members can
-# become root (wheel) but Unix authenticate non-root applicants.
-#
-su auth sufficient pam_rootok.so
-su auth required pam_wheel.so
-su auth required pam_unix_auth.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/ps/README b/contrib/libpam/doc/ps/README
deleted file mode 100644
index 6234e14..0000000
--- a/contrib/libpam/doc/ps/README
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id: README,v 1.1 1996/11/10 19:28:16 morgan Exp $
-
-this is the directory for the postscipt documentation
diff --git a/contrib/libpam/doc/specs/draft-morgan-pam-00.raw b/contrib/libpam/doc/specs/draft-morgan-pam-00.raw
deleted file mode 100644
index 6e37b86..0000000
--- a/contrib/libpam/doc/specs/draft-morgan-pam-00.raw
+++ /dev/null
@@ -1,270 +0,0 @@
-PAM working group ## A.G. Morgan
-Internet Draft: ## March 24, 1998
-Document: draft-morgan-pam-00.txt ##
-Expires: September 24, 1998 ##
-Obsoletes: ##
-
-## Pluggable Authentication Modules ##
-
-#$ Status of this memo
-
-This document is an Internet-Draft. Internet-Drafts are working
-documents of the Internet Engineering Task Force (IETF), its areas,
-and its working groups. Note that other groups may also distribute
-working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months
-and may be updated, replaced, or obsoleted by other documents at any
-time. It is inappropriate to use Internet- Drafts as reference
-material or to cite them other than as "work in progress."
-
-To view the entire list of current Internet-Drafts, please check the
-"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
-Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
-ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim),
-ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
-
-#$ Abstract
-
-This document is concerned with the definition of a general
-infrastructure for module based authentication. The infrastructure is
-named Pluggable Authentication Modules (PAM for short).
-
-#$ Introduction
-
-Computers are tools. They provide services to people and other
-computers (collectively we shall call these "users" entities). In
-order to provide convenient, reliable and individual service to
-different entities, it is common for entities to be labelled. Having
-defined a label as refering to a some specific entity, the label is
-used for the purpose of protecting and allocating data resources.
-
-All modern operating systems have a notion of labelled entities and
-all modern operating systems face a common problem: how to
-authenticate the association of a predefined label with applicant
-entities.
-
-There are as many authentication methods as one might care to count.
-None of them are perfect and none of them are invulnerable. In
-general, any given authentication method becomes weaker over time. It
-is common then for new authentication methods to be developed in
-response to newly discovered weaknesses in the old authentication
-methods.
-
-The problem with reinventing authentication methods is the fact that
-old applications do not support them. This contributes to an inertia
-that discourages the overhaul of weakly protected systems. Another
-problem is that individuals (people) are frequently powerless to layer
-the protective authentication around their systems. They are forced
-to rely on single (lowest common denominator) authentication schemes
-even in situations where this is far from appropriate.
-
-PAM, as discussed in this document, is a generalization of the
-approach first introduced in [#$R#{OSF_RFC_PAM}]. In short, it is a
-general framework of interfaces that abstract the process of
-authentication. With PAM, a service provider can custom protect
-individual services to the level that they deam is appropriate.
-
-PAM has nothing explicit to say about transport layer encryption.
-Within the context of this document encryption and/or compression of
-data exchanges are application specific (strictly between client and
-server).
-
-#$ Definitions
-
-Here we pose the authentication problem as one of configuring defined
-interfaces between two entities.
-
-#$$#{players} Players in the authentication process
-
-PAM reserves the following words to specify unique entities in the
-authentication process:
-
- applicant
- the entity (user) initiating an application for service
- [PAM associates PAM_RUSER with this requesting user].
-
- arbitrator
- the entity (user) under who's identity the service application
- is negotiated and with who's authority service is granted.
-
- user
- the entity (user) who's identity is being authenticated
- [PAM associates PAM_USER with this identity].
-
- server
- the application that provides service, or acts as an
- authenticated gateway to the requested service. This
- application is completely responsible for the transport
- layer. PAM makes no assumptions about how data is
- exchanged between the server and the client.
-
- client
- application providing the direct/primary interface to
- applicant. This application is completely responsible
- for transporting client-side data to the server.
- PAM makes no assumptions about how data is exchanged between
- the client and the server.
-
- module
- authentication binary that provides server-side support for
- some authentication method.
-
- agent
- authentication binary that provides client-side support for
- some authentication method.
-
-#$$ Special cases
-
-In the previous section (#{players}) we identified the most general
-selection of authentication participants. In the case of network
-authentication, it is easy to ascribe identities to the defined
-players. However, there are special (less general) cases and we
-recognize them here.
-
-The primary authentication step, when a user is directly introduced
-into a computer system (log's on to a workstation) is a special case.
-In this situation, the "client" and the "server" are generally one
-application. Before authenticating such a user, the "applicant" is
-formally unknown.
-
-#$ Defined interfaces
-
-Here, we discuss the formal interfaces between the players in the
-authentication process.
-
-#$$#{applicant_client} Applicant <-> client
-
-Once the client is invoked, requests to the applicant entity are
-initiated by the client application. General clients are able to make
-the following requests to an applicant:
-
- echo text
- echo error
- prompt for echo'd text input
- prompt for concealed text input
-
-the nature of the interface provided by the client for the benefit of
-the applicant entity is client specific and not defined by PAM.
-
-#$$ Client <-> agent
-
-In general, authentication schemes require more modes of exchange than
-the four defined in the previous section (#{applicant_client}). This
-provides a role for client-loadable agents. The client and agent
-exchange binary-messages that can have one of the following forms:
-
- client -> agent
- prompt for binary data packet using a binary packet
-
- agent -> client
- set environment variable
- get environment variable
- echo text
- echo error
- prompt for echo'd text input
- prompt for concealed text input
-
-The single defined procedure for exchange is that the client first
-prompts the agent with a binary packet and expects to receive a binary
-(response) packet in return. Before returning the binary response,
-the agent may request an arbitrary number of exchanges with the client.
-
-#$$ Client <-> server
-
-Once the client has established a connection with the server (the
-nature of the transport protocol is not specified by PAM), the server
-is reponsible for driving the authentication process.
-
-General servers can request the following from the client:
-
- (directed to the applicant)
- echo text
- echo error
- prompt for echo'd text response
- prompt for concealed text response
-
- (directed to the appropriate agent)
- binary prompt for a binary response
-
-Client side agents are required to process binary prompts. Their
-binary responses are passed directly back to the server.
-
-#$$ Server <-> module
-
-Modules drive the authentication process. The server provides a
-conversation function with which it encapsulates module-generated
-requests and exchanges them with the client.
-
-General conversation functions can support the following five
-"conversation" requests:
-
- echo text
- echo error
- prompt for echo'd text response
- prompt for concealed text response
- prompt for binary packet with binary packet
-
-The server is responsible for redirecting these requests to the
-client.
-
-#$ C API for defined interfaces
-
-#$$ Applicant <-> client
-
-No API is defined for this interface. The interface is considered to
-be specific to the client application. Example applications include
-terminal login, (X)windows login, machine file transfer applications.
-
-#$$ Client <-> agent
-
-This interface is concerned with the exchange of "binary prompts". A
-binary prompt has the following form: { 4 8-bit bytes in network order
-encoding an unsigened 32 bit integer (length), 4 8-bit bytes in
-network order encoding an unsigened 32 bit integer (control),
-"length-4" 8-bit bytes bytes comprising upto 2^32-4 bytes of binary
-data }.
-
-## [ u32 | u32 | (length-4 bytes) ] ##
-## length control data ##
-
-The composition of the "data" is not specified. Valid control values
-are:
-
-##control value | used by | description ##
-##------------------------------------------------------------------##
-## | | ##
-##PAMC_CONTROL_OK | agent | agent is happy ##
-##PAMC_CONTROL_FAIL | agent | agent failed ##
-##PAMC_CONTROL_BUSY | agent | agent is busy ##
-##PAMC_CONTROL_PUTENV | agent | set envvar of client ##
-##PAMC_CONTROL_GETENV | agent | want envvar of client ##
-##PAMC_CONTROL_GETECHO | agent | echo'd prompt to applicant##
-##PAMC_CONTROL_GETNOECHO | agent | secret prompt to applicant##
-##PAMC_CONTROL_PUTTEXT | agent | echo text to applicant ##
-##PAMC_CONTROL_SELECT | client | client selects named agent##
-##PAMC_CONTROL_EXCHANGE | client+agent | data exchange packet ##
-##PAMC_CONTROL_DONE | agent | agent has completed ##
-##PAMC_CONTROL_EMPTY | agent | agent has no reply ##
-
-#$ Security considerations
-
-This document is devoted to standardizing authentication
-infrastructure: everything in this document has implications for
-security.
-
-#$ Contact
-
-The email list for discussing issues related to this document is
-<pam-list@redhat.com>.
-
-#$ References
-
-[#{OSF_RFC_PAM}] OSF RFC 86.0, "Unified Login with Pluggable Authentication
- Modules (PAM)", October 1995
-
-#$ Author's Address
-
-Andrew Morgan
-Email: morgan@ftp.kernel.org
-
diff --git a/contrib/libpam/doc/specs/formatter/Makefile b/contrib/libpam/doc/specs/formatter/Makefile
deleted file mode 100644
index d73258d..0000000
--- a/contrib/libpam/doc/specs/formatter/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-LIBS=-lfl
-
-padout: parse.tab.o
- $(CC) -o padout parse.tab.o $(LIBS)
-
-parse.tab.o: parse.tab.c lex.yy.c
- $(CC) -c parse.tab.c
-
-parse.tab.c: parse.y
- bison parse.y
-
-lex.yy.c: parse.lex
- flex parse.lex
-
-clean:
- rm -f parse.tab.o parse.tab.c lex.yy.c padout *~ core
diff --git a/contrib/libpam/doc/specs/formatter/parse.lex b/contrib/libpam/doc/specs/formatter/parse.lex
deleted file mode 100644
index 1d5c898..0000000
--- a/contrib/libpam/doc/specs/formatter/parse.lex
+++ /dev/null
@@ -1,11 +0,0 @@
-%%
-
-\#[\$]+[a-zA-Z]*(\=[0-9]+)? return NEW_COUNTER;
-\#\{[a-zA-Z][a-zA-Z0-9\_]*\} return LABEL;
-\# return NO_INDENT;
-\#\# return RIGHT;
-\\\# return HASH;
-[^\n] return CHAR;
-[\n] return NEWLINE;
-
-%%
diff --git a/contrib/libpam/doc/specs/formatter/parse.y b/contrib/libpam/doc/specs/formatter/parse.y
deleted file mode 100644
index 6da47d1..0000000
--- a/contrib/libpam/doc/specs/formatter/parse.y
+++ /dev/null
@@ -1,293 +0,0 @@
-
-%{
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define MAXLINE 1000
-#define INDENT_STRING " "
-#define PAPER_WIDTH 74
-
- int indent=0;
- int line=1;
- char *last_label=NULL;
-
- extern void yyerror(const char *x);
- extern char *get_label(const char *label);
- extern void set_label(const char *label, const char *target);
- char *new_counter(const char *key);
-
-#include "lex.yy.c"
-
-%}
-
-%union {
- int def;
- char *string;
-}
-
-%token NEW_COUNTER LABEL HASH CHAR NEWLINE NO_INDENT RIGHT
-%type <string> stuff text
-
-%start doc
-
-%%
-
-doc:
-| doc NEWLINE {
- printf("\n");
- ++line;
-}
-| doc stuff NEWLINE {
- if (strlen($2) > (PAPER_WIDTH-(indent ? strlen(INDENT_STRING):0))) {
- yyerror("line too long");
- }
- printf("%s%s\n", indent ? INDENT_STRING:"", $2);
- free($2);
- indent = 1;
- ++line;
-}
-| doc stuff RIGHT stuff NEWLINE {
- char fixed[PAPER_WIDTH+1];
- int len;
-
- len = PAPER_WIDTH-(strlen($2)+strlen($4));
-
- if (len >= 0) {
- memset(fixed, ' ', len);
- fixed[len] = '\0';
- } else {
- yyerror("line too wide");
- fixed[0] = '\0';
- }
- printf("%s%s%s\n", $2, fixed, $4);
- free($2);
- free($4);
- indent = 1;
- ++line;
-}
-| doc stuff RIGHT stuff RIGHT stuff NEWLINE {
- char fixed[PAPER_WIDTH+1];
- int len, l;
-
- len = PAPER_WIDTH-(strlen($2)+strlen($4));
-
- if (len < 0) {
- len = 0;
- yyerror("line too wide");
- }
-
- l = len/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s%s", $2, fixed, $4);
- free($2);
- free($4);
-
- l = (len+1)/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s\n", fixed, $6);
- free($6);
-
- indent = 1;
- ++line;
-}
-| doc stuff RIGHT stuff RIGHT stuff NEWLINE {
- char fixed[PAPER_WIDTH+1];
- int len, l;
-
- len = PAPER_WIDTH-(strlen($2)+strlen($4));
-
- if (len < 0) {
- len = 0;
- yyerror("line too wide");
- }
-
- l = len/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s%s", $2, fixed, $4);
- free($2);
- free($4);
-
- l = (len+1)/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s\n", fixed, $6);
- free($6);
-
- indent = 1;
- ++line;
-}
-;
-
-stuff: {
- $$ = strdup("");
-}
-| stuff text {
- $$ = malloc(strlen($1)+strlen($2)+1);
- sprintf($$,"%s%s", $1, $2);
- free($1);
- free($2);
-}
-;
-
-text: CHAR {
- $$ = strdup(yytext);
-}
-| text CHAR {
- $$ = malloc(strlen($1)+2);
- sprintf($$,"%s%s", $1, yytext);
- free($1);
-}
-| NO_INDENT {
- $$ = strdup("");
- indent = 0;
-}
-| HASH {
- $$ = strdup("#");
-}
-| LABEL {
- if (($$ = get_label(yytext)) == NULL) {
- set_label(yytext, last_label);
- $$ = strdup("");
- }
-}
-| NEW_COUNTER {
- $$ = new_counter(yytext);
-}
-;
-
-%%
-
-typedef struct node_s {
- struct node_s *left, *right;
- const char *key;
- char *value;
-} *node_t;
-
-node_t label_root = NULL;
-node_t counter_root = NULL;
-
-const char *find_key(node_t root, const char *key)
-{
- while (root) {
- int cmp = strcmp(key, root->key);
-
- if (cmp > 0) {
- root = root->right;
- } else if (cmp) {
- root = root->left;
- } else {
- return root->value;
- }
- }
- return NULL;
-}
-
-node_t set_key(node_t root, const char *key, const char *value)
-{
- if (root) {
- int cmp = strcmp(key, root->key);
- if (cmp > 0) {
- root->right = set_key(root->right, key, value);
- } else if (cmp) {
- root->left = set_key(root->left, key, value);
- } else {
- free(root->value);
- root->value = strdup(value);
- }
- } else {
- root = malloc(sizeof(struct node_s));
- root->right = root->left = NULL;
- root->key = strdup(key);
- root->value = strdup(value);
- }
- return root;
-}
-
-void yyerror(const char *x)
-{
- fprintf(stderr, "line %d: %s\n", line, x);
-}
-
-char *get_label(const char *label)
-{
- const char *found = find_key(label_root, label);
-
- if (found) {
- return strdup(found);
- }
- return NULL;
-}
-
-void set_label(const char *label, const char *target)
-{
- if (target == NULL) {
- yyerror("no hanging value for label");
- target = "<??>";
- }
- label_root = set_key(label_root, label, target);
-}
-
-char *new_counter(const char *key)
-{
- int i=0, j, ndollars = 0;
- const char *old;
- char *new;
-
- if (key[i++] != '#') {
- yyerror("bad index");
- return strdup("<???>");
- }
-
- while (key[i] == '$') {
- ++ndollars;
- ++i;
- }
-
- key += i;
- old = find_key(counter_root, key);
- new = malloc(20*ndollars);
-
- if (old) {
- for (j=0; ndollars > 1 && old[j]; ) {
- if (old[j++] == '.' && --ndollars <= 0) {
- break;
- }
- }
- if (j) {
- strncpy(new, old, j);
- }
- if (old[j]) {
- i = atoi(old+j);
- } else {
- new[j++] = '.';
- i = 0;
- }
- } else {
- j=0;
- while (--ndollars > 0) {
- new[j++] = '0';
- new[j++] = '.';
- }
- i = 0;
- }
- new[j] = '\0';
- sprintf(new+j, "%d", ++i);
-
- counter_root = set_key(counter_root, key, new);
-
- if (last_label) {
- free(last_label);
- }
- last_label = strdup(new);
-
- return new;
-}
-
-main()
-{
- yyparse();
-}
diff --git a/contrib/libpam/doc/txts/README b/contrib/libpam/doc/txts/README
deleted file mode 100644
index b62bc2d..0000000
--- a/contrib/libpam/doc/txts/README
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id: README,v 1.1 1996/11/10 19:18:06 morgan Exp $
-
-This is a directory for text versions of the pam documentation
diff --git a/contrib/libpam/examples/Makefile b/contrib/libpam/examples/Makefile
deleted file mode 100644
index 063f24d..0000000
--- a/contrib/libpam/examples/Makefile
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# $Id: Makefile,v 1.10 1996/11/10 19:50:59 morgan Exp $
-#
-
-dummy:
-
- @echo "*** This is not a top level Makefile!"
-
-PROGS = blank xsh check_user
-SRCS = blank.c xsh.c check_user.c
-
-# have removed the following pair since they no longer conform to
-# any recognized conventions: vpass test
-# ditto: vpass.c test.c
-
-PROGSUID =
-
-all: $(PROGS)
-
-check_user: check_user.o
- $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES)
-
-blank: blank.o
- $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES)
-
-xsh: xsh.o
- $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES)
-
-install: all
- if [ -n "$(PROGS)" ]; then cp $(PROGS) ../bin ; fi
- if [ -n "$(PROGSUID)" ]; then \
- $(INSTALL) -m 4555 -o root -g bin $(PROGSUID) ../bin ; fi
-
-clean:
- rm -f *.a *.so *.o *~ $(PROGS) $(PROGSUID)
-
-remove:
- cd ../bin ; rm -f $(PROGS) $(PROGSUID)
-
-extraclean: clean
- rm -f *.a *.out *.o *.so
- for x in $(PROGS) $(PROGSUID) ; do rm -f ../bin/$$x ; done
diff --git a/contrib/libpam/examples/blank.c b/contrib/libpam/examples/blank.c
deleted file mode 100644
index 3808e55..0000000
--- a/contrib/libpam/examples/blank.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * $Id: blank.c,v 1.7 1996/12/01 03:16:53 morgan Exp morgan $
- *
- * $Log: blank.c,v $
- * Revision 1.7 1996/12/01 03:16:53 morgan
- * added setcred closing function
- *
- * Revision 1.6 1996/11/10 19:51:40 morgan
- * minor change to avoid gcc warning
- *
- * Revision 1.5 1996/07/07 23:53:05 morgan
- * added optional fail delay (non-standard Linux-PAM)
- *
- * Revision 1.4 1996/05/02 04:44:18 morgan
- * moved conversation to a libmisc library routine.
- *
- *
- */
-
-/* Andrew Morgan (morgan@parc.power.net) -- a self contained `blank'
- * application
- *
- * I am not very proud of this code. It makes use of a possibly ill-
- * defined pamh pointer to call pam_strerror() with. The reason that
- * I was sloppy with this is historical (pam_strerror, prior to 0.59,
- * did not require a pamh argument) and if this program is used as a
- * model for anything, I should wish that you will take this error into
- * account.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <security/pam_appl.h>
-#include <security/pam_misc.h>
-
-/* ------ some local (static) functions ------- */
-
-static void bail_out(pam_handle_t *pamh, int really, int code, const char *fn)
-{
- fprintf(stderr,"==> called %s()\n got: `%s'\n", fn,
- pam_strerror(pamh, code));
- if (really && code)
- exit (1);
-}
-
-/* ------ some static data objects ------- */
-
-static struct pam_conv conv = {
- misc_conv,
- NULL
-};
-
-/* ------- the application itself -------- */
-
-void main(int argc, char **argv)
-{
- pam_handle_t *pamh=NULL;
- char *username=NULL;
- int retcode;
-
- /* did the user call with a username as an argument ? */
-
- if (argc > 2) {
- fprintf(stderr,"usage: %s [username]\n",argv[0]);
- } else if (argc == 2) {
- username = argv[1];
- }
-
- /* initialize the Linux-PAM library */
- retcode = pam_start("blank", username, &conv, &pamh);
- bail_out(pamh,1,retcode,"pam_start");
-
- /* test the environment stuff */
- {
-#define MAXENV 15
- const char *greek[MAXENV] = {
- "a=alpha", "b=beta", "c=gamma", "d=delta", "e=epsilon",
- "f=phi", "g=psi", "h=eta", "i=iota", "j=mu", "k=nu",
- "l=zeta", "h=", "d", "k=xi"
- };
- char **env;
- int i;
-
- for (i=0; i<MAXENV; ++i) {
- retcode = pam_putenv(pamh,greek[i]);
- bail_out(pamh,0,retcode,"pam_putenv");
- }
- env = pam_getenvlist(pamh);
- if (env)
- env = pam_misc_drop_env(env);
- else
- fprintf(stderr,"???\n");
- fprintf(stderr,"a test: c=[%s], j=[%s]\n"
- , pam_getenv(pamh, "c"), pam_getenv(pamh, "j"));
- }
-
- /* to avoid using goto we abuse a loop here */
- for (;;) {
- /* authenticate the user --- `0' here, could have been PAM_SILENT
- * | PAM_DISALLOW_NULL_AUTHTOK */
-
- retcode = pam_authenticate(pamh, 0);
- bail_out(pamh,0,retcode,"pam_authenticate");
-
- /* has the user proved themself valid? */
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: invalid request\n",argv[0]);
- break;
- }
-
- /* the user is valid, but should they have access at this
- time? */
-
- retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */
- bail_out(pamh,0,retcode,"pam_acct_mgmt");
-
- if (retcode == PAM_NEW_AUTHTOK_REQD) {
- fprintf(stderr,"Application must request new password...\n");
- retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK);
- bail_out(pamh,0,retcode,"pam_chauthtok");
- }
-
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: invalid request\n",argv[0]);
- break;
- }
-
- /* `0' could be as above */
- retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
- bail_out(pamh,0,retcode,"pam_setcred1");
-
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: problem setting user credentials\n"
- ,argv[0]);
- break;
- }
-
- /* open a session for the user --- `0' could be PAM_SILENT */
- retcode = pam_open_session(pamh,0);
- bail_out(pamh,0,retcode,"pam_open_session");
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: problem opening a session\n",argv[0]);
- break;
- }
-
- fprintf(stderr,"The user has been authenticated and `logged in'\n");
-
- /* close a session for the user --- `0' could be PAM_SILENT
- * it is possible that this pam_close_call is in another program..
- */
-
- retcode = pam_close_session(pamh,0);
- bail_out(pamh,0,retcode,"pam_close_session");
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: problem closing a session\n",argv[0]);
- break;
- }
-
- retcode = pam_setcred(pamh, PAM_DELETE_CRED);
- bail_out(pamh,0,retcode,"pam_setcred2");
-
- break; /* don't go on for ever! */
- }
-
- /* close the Linux-PAM library */
- retcode = pam_end(pamh, PAM_SUCCESS);
- pamh = NULL;
-
- bail_out(pamh,1,retcode,"pam_end");
-
- exit(0);
-}
diff --git a/contrib/libpam/examples/check_user.c b/contrib/libpam/examples/check_user.c
deleted file mode 100644
index 6a64c22..0000000
--- a/contrib/libpam/examples/check_user.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- $Id: check_user.c,v 1.1 1996/11/10 21:19:30 morgan Exp morgan $
-
- This program was contributed by Shane Watts <shane@icarus.bofh.asn.au>
- slight modifications by AGM.
-
- You need to add the following (or equivalent) to the /etc/pam.conf file.
- # check authorization
- check auth required pam_unix_auth.so
- check account required pam_unix_acct.so
-
- $Log: check_user.c,v $
- Revision 1.1 1996/11/10 21:19:30 morgan
- Initial revision
-
- */
-
-#include <security/pam_appl.h>
-#include <security/pam_misc.h>
-#include <stdio.h>
-
-static struct pam_conv conv = {
- misc_conv,
- NULL
-};
-
-int main(int argc, char *argv[])
-{
- pam_handle_t *pamh=NULL;
- int retval;
- const char *user="nobody";
-
- if(argc == 2) {
- user = argv[1];
- }
-
- if(argc > 2) {
- fprintf(stderr, "Usage: check_user [username]\n");
- exit(1);
- }
-
- retval = pam_start("check", user, &conv, &pamh);
-
- if (retval == PAM_SUCCESS)
- retval = pam_authenticate(pamh, 0); /* is user really user? */
-
- if (retval == PAM_SUCCESS)
- retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
-
- /* This is where we have been authorized or not. */
-
- if (retval == PAM_SUCCESS) {
- fprintf(stdout, "Authenticated\n");
- } else {
- fprintf(stdout, "Not Authenticated\n");
- }
-
- if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
- pamh = NULL;
- fprintf(stderr, "check_user: failed to release authenticator\n");
- exit(1);
- }
-
- return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */
-}
diff --git a/contrib/libpam/examples/test.c b/contrib/libpam/examples/test.c
deleted file mode 100644
index 0a1f5a6..0000000
--- a/contrib/libpam/examples/test.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * $Log: test.c,v $
- * Revision 1.3 1996/03/10 00:14:20 morgan
- * made lines less than 80 chars long.
- *
- * Revision 1.2 1996/03/09 09:16:26 morgan
- * changed the header file that it includes.
- *
- * Revision 1.1 1996/03/09 09:13:34 morgan
- * Initial revision
- */
-
-/* Marc Ewing (marc@redhat.com) - original test code
- * Alexander O. Yuriev (alex@bach.cis.temple.edu)
- * Andrew Morgan (morgan@physics.ucla.edu)
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <pwd.h>
-
-#include <security/pam_appl.h>
-
-/* this program is not written to the PAM spec: it tests the
- * pam_[sg]et_data() functions. Which is usually reserved for modules */
-
-#include <security/pam_modules.h>
-#include <security/pam_misc.h>
-
-#define USERNAMESIZE 1024
-
-static int test_conv( int num_msg,
- const struct pam_message **msgm,
- struct pam_response **response,
- void *appdata_ptr )
-{
- return 0;
-}
-
-static struct pam_conv conv = {
- test_conv,
- NULL
-};
-
-static int cleanup_func(pam_handle_t *pamh, void *data, int error_status)
-{
- printf("Cleaning up!\n");
- return PAM_SUCCESS;
-}
-
-void main( void )
-{
- pam_handle_t *pamh;
- char *name = ( char *) malloc( USERNAMESIZE + 1 );
- char *p = NULL;
- char *s = NULL;
-
- if (! name )
- {
- perror( "Ouch, don't have enough memory");
- exit( -1 );
- }
-
-
-
-
- fprintf( stdout, "Enter a name of a user to authenticate : ");
- name = fgets( name , USERNAMESIZE, stdin );
- if ( !name )
- {
- perror ( "Hey, how can authenticate "
- "someone whos name I don't know?" );
- exit ( -1 );
- }
-
- *( name + strlen ( name ) - 1 ) = 0;
-
- pam_start( "login", name, &conv, &pamh );
-
- p = x_strdup( getpass ("Password: ") );
- if ( !p )
- {
- perror ( "You love NULL pointers, "
- "don't you? I don't ");
- exit ( -1 );
- }
- pam_set_item ( pamh, PAM_AUTHTOK, p );
- pam_get_item ( pamh, PAM_USER, (void**) &s);
- pam_set_data(pamh, "DATA", "Hi there! I'm data!", cleanup_func);
- pam_get_data(pamh, "DATA", (void **) &s);
- printf("%s\n", s);
-
- fprintf( stdout, "*** Attempting to perform "
- "PAM authentication...\n");
- fprintf( stdout, "%s\n",
- pam_strerror( pam_authenticate( pamh, 0 ) ) ) ;
-
- pam_end(pamh, PAM_SUCCESS);
-}
diff --git a/contrib/libpam/examples/vpass.c b/contrib/libpam/examples/vpass.c
deleted file mode 100644
index 617a5f2..0000000
--- a/contrib/libpam/examples/vpass.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <pwd.h>
-#include <sys/types.h>
-#include <security/pam_appl.h>
-
-static int test_conv(int num_msg, const struct pam_message **msgm,
- struct pam_response **response, void *appdata_ptr)
-{
- return 0;
-}
-
-static struct pam_conv conv = {
- test_conv,
- NULL
-};
-
-int main(void)
-{
- char *user;
- pam_handle_t *pamh;
- struct passwd *pw;
- uid_t uid;
- int res;
-
- uid = geteuid();
- pw = getpwuid(uid);
- if (pw) {
- user = pw->pw_name;
- } else {
- fprintf(stderr, "Invalid userid: %d\n", uid);
- exit(1);
- }
-
- pam_start("vpass", user, &conv, &pamh);
- pam_set_item(pamh, PAM_TTY, "/dev/tty");
- if ((res = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
- fprintf(stderr, "Oops: %s\n", pam_strerror(res));
- exit(1);
- }
-
- pam_end(pamh, res);
- exit(0);
-}
-
-
diff --git a/contrib/libpam/examples/xsh.c b/contrib/libpam/examples/xsh.c
deleted file mode 100644
index ad134f6..0000000
--- a/contrib/libpam/examples/xsh.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * $Id: xsh.c,v 1.4 1996/11/10 21:09:45 morgan Exp morgan $
- *
- * $Log: xsh.c,v $
- * Revision 1.4 1996/11/10 21:09:45 morgan
- * no gcc warnings
- *
- * Revision 1.3 1996/07/07 23:53:36 morgan
- * added support for non standard pam_fail_delay
- *
- * Revision 1.2 1996/05/02 04:44:48 morgan
- * moved conversaation to a libmisc routine.
- *
- * Revision 1.1 1996/04/07 08:18:55 morgan
- * Initial revision
- *
- */
-
-/* Andrew Morgan (morgan@parc.power.net) -- an example application
- * that invokes a shell, based on blank.c */
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <security/pam_appl.h>
-#include <security/pam_misc.h>
-
-/* ------ some local (static) functions ------- */
-
-static void bail_out(pam_handle_t *pamh,int really, int code, const char *fn)
-{
- fprintf(stderr,"==> called %s()\n got: `%s'\n", fn,
- pam_strerror(pamh,code));
- if (really && code)
- exit (1);
-}
-
-/* ------ some static data objects ------- */
-
-static struct pam_conv conv = {
- misc_conv,
- NULL
-};
-
-/* ------- the application itself -------- */
-
-void main(int argc, char **argv, char **envp)
-{
- pam_handle_t *pamh=NULL;
- char *username=NULL;
- int retcode;
-
- /* did the user call with a username as an argument ? */
-
- if (argc > 2) {
- fprintf(stderr,"usage: %s [username]\n",argv[0]);
- } else if (argc == 2) {
- username = argv[1];
- }
-
- /* initialize the Linux-PAM library */
- retcode = pam_start("xsh", username, &conv, &pamh);
- bail_out(pamh,1,retcode,"pam_start");
-
- /* to avoid using goto we abuse a loop here */
- for (;;) {
- /* authenticate the user --- `0' here, could have been PAM_SILENT
- * | PAM_DISALLOW_NULL_AUTHTOK */
-
- retcode = pam_authenticate(pamh, 0);
- bail_out(pamh,0,retcode,"pam_authenticate");
-
- /* has the user proved themself valid? */
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: invalid request\n",argv[0]);
- break;
- }
-
- /* the user is valid, but should they have access at this
- time? */
-
- retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */
- bail_out(pamh,0,retcode,"pam_acct_mgmt");
-
- if (retcode == PAM_NEW_AUTHTOK_REQD) {
- fprintf(stderr,"Application must request new password...\n");
- retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK);
- bail_out(pamh,0,retcode,"pam_chauthtok");
- }
-
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: invalid request\n",argv[0]);
- break;
- }
-
- /* `0' could be as above */
- retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
- bail_out(pamh,0,retcode,"pam_setcred");
-
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: problem setting user credentials\n"
- ,argv[0]);
- break;
- }
-
- /* open a session for the user --- `0' could be PAM_SILENT */
- retcode = pam_open_session(pamh,0);
- bail_out(pamh,0,retcode,"pam_open_session");
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: problem opening a session\n",argv[0]);
- break;
- }
-
- fprintf(stderr,"The user has been authenticated and `logged in'\n");
-
- /* this is always a really bad thing for security! */
- system("/bin/sh");
-
- /* close a session for the user --- `0' could be PAM_SILENT
- * it is possible that this pam_close_call is in another program..
- */
-
- retcode = pam_close_session(pamh,0);
- bail_out(pamh,0,retcode,"pam_close_session");
- if (retcode != PAM_SUCCESS) {
- fprintf(stderr,"%s: problem closing a session\n",argv[0]);
- break;
- }
-
- break; /* don't go on for ever! */
- }
-
- /* close the Linux-PAM library */
- retcode = pam_end(pamh, PAM_SUCCESS);
- pamh = NULL;
- bail_out(pamh,1,retcode,"pam_end");
-
- exit(0);
-}
diff --git a/contrib/libpam/modules/Makefile b/contrib/libpam/modules/Makefile
deleted file mode 100644
index 0066fb4..0000000
--- a/contrib/libpam/modules/Makefile
+++ /dev/null
@@ -1,132 +0,0 @@
-# $Id: Makefile,v 1.21 1997/04/05 06:44:43 morgan Exp morgan $
-#
-# Makefile
-#
-# This makefile controls the build process of shared and static PAM modules.
-#
-# $Log: Makefile,v $
-# Revision 1.21 1997/04/05 06:44:43 morgan
-# pam_env and pam_tally added
-#
-# Revision 1.20 1997/02/15 18:57:11 morgan
-# fixed bash syntax
-#
-# Revision 1.19 1997/01/04 20:21:32 morgan
-# moved responsibility of conditional compilation to modules (more flexible)
-#
-# Revision 1.18 1996/12/01 03:34:40 morgan
-# update for .54
-#
-# Revision 1.17 1996/11/10 20:20:15 morgan
-# cross platform support and new modules
-#
-# Revision 1.16 1996/09/05 06:20:45 morgan
-# added two modules: listfile and shells
-#
-# Revision 1.15 1996/08/09 05:38:28 morgan
-# added new/proposed modules.
-# fixed makefile installation dependencies
-#
-# Revision 1.14 1996/07/08 00:00:33 morgan
-# added wheel and group modules
-#
-
-MODDIRS=\
- pam_access \
- pam_afs \
- pam_afsauth \
- pam_afspass \
- pam_afstok \
- pam_cracklib \
- pam_deny \
- pam_desgold \
- pam_env \
- pam_filter \
- pam_ftp \
- pam_group \
- pam_kerberos \
- pam_krb4 \
- pam_lastlog \
- pam_listfile \
- pam_limits \
- pam_mail \
- pam_nologin \
- pam_opie \
- pam_passwd+ \
- pam_permit \
- pam_pwdb \
- pam_radius \
- pam_restrict \
- pam_rhosts \
- pam_rootok \
- pam_securetty \
- pam_shells \
- pam_sid \
- pam_skey \
- pam_skey2 \
- pam_stress \
- pam_syslog \
- pam_tally \
- pam_time \
- pam_unix \
- pam_warn \
- pam_wheel
-
-
-# ////////////////////////////////////////////////////
-# // You should not modify anything below this line //
-# ////////////////////////////////////////////////////
-
-dummy:
- @echo "*** This is not a top-level Makefile! ***"
-
-# -----------------------------------------------------------
-
-all:
- @echo modules for $(OS) are:
- @ls -d $(MODDIRS) 2>/dev/null ; echo :--------
- @echo
-ifdef STATIC
- rm -f ./_static_module_*
-endif
- @for i in $(MODDIRS) ; do \
- if [ -d $$i ]; then { \
- $(MAKE) -C $$i all ; \
- if [ $$? -ne 0 ]; then exit 1 ; fi ; \
- } elif [ -f ./.$$i ]; then { \
- cat ./.$$i ; \
- } fi ; \
- done
-
-install:
- for i in $(MODDIRS) ; do \
- if [ -d $$i ]; then { \
- $(MAKE) -C $$i install ; \
- if [ $$? -ne 0 ]; then exit 1 ; fi ; \
- } fi ; \
- done
-
-remove:
- for i in $(MODDIRS) ; do \
- if [ -d $$i ]; then { \
- $(MAKE) -C $$i remove ; \
- } fi ; \
- done
-
-lclean:
- rm -f _static_module_*
-
-clean: lclean
- for i in $(MODDIRS) ; do \
- if [ -d $$i ]; then { \
- $(MAKE) -C $$i clean ; \
- } fi ; \
- done
-
-extraclean: lclean
- for i in $(MODDIRS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i extraclean ; \
- fi ; \
- done
-
diff --git a/contrib/libpam/modules/README b/contrib/libpam/modules/README
deleted file mode 100644
index 8641594..0000000
--- a/contrib/libpam/modules/README
+++ /dev/null
@@ -1,55 +0,0 @@
-This directory contains the modules.
-
-If you want to reserve a module name please email <pam-list@redhat.com>
-and announce its name. Andrew Morgan, <morgan@parc.power.net>, will
-add it to the Makefile in the next release of Linux-PAM.
-
-As of Linux-PAM-0.40 modules can optionally conform to the static
-modules conventions.
-
-This file was updated for Linux-PAM-0.53.
-
-The conventions are as follows:
-
-There are only 6 functions that a module may declare as "public" they
-fall into 4 managment groups as follows:
-
- functions Management group
- ------------------------------------------ ----------------
- pam_sm_authenticate, pam_sm_setcred, PAM_SM_AUTH
- pam_sm_acct_mgmt, PAM_SM_ACCOUNT
- pam_sm_open_session, pam_sm_close_session, PAM_SM_SESSION
- pam_sm_chauthtok PAM_SM_PASSWORD
-
-If a module contains definitions for any of the above functions, it
-must supply definitions for all of the functions in the corresponding
-management group.
-
-The header file that defines the ANSI prototypes for these functions
-is <security/pam_modules.h> . In the case that the module wishes to
-offer the functions of a given managment group, it must #define
-PAM_SM_XXX, where XXX is one of the above four tokens. These
-definitions must occur *prior* to the
-#include <security/pam_modules.h> line.
-
-The pam_sm_... functions should be defined to be of type 'PAM_EXTERN int'.
-
-In the case that a module is being compiled with PAM_STATIC #define'd
-it should also define a globally accessible structure
-_"NAME"_modstruct containing references to each of the functions
-defined by the module. (this structure is defined in
-<security/pam_modules.h>. "NAME" is the title of the module
-(eg. "pam_deny")
-
-If a module wants to be included in the static libpam.a its Makefile
-should execute "register_static" with appropriate arguments (in this
-directory).
-
-[
-For SIMPLE working examples, see
-
- ./modules/pam_deny/* and ./modules/pam_rootok/*
-.]
-
-Andrew Morgan
-96/11/10
diff --git a/contrib/libpam/modules/dont_makefile b/contrib/libpam/modules/dont_makefile
deleted file mode 100644
index f256ce1..0000000
--- a/contrib/libpam/modules/dont_makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-#########################################################################
-# This is a makefile that does nothing. It is designed to be included
-# by module Makefile-s when they are not compatable with the local
-# system
-#########################################################################
-
-all:
- @echo "This module will not be compiled on this system"
-
-extraclean: clean
-
-install: clean
-
-clean:
- @echo "Nothing to do"
-
-#########################################################################
-# all over..
-#########################################################################
diff --git a/contrib/libpam/modules/pam_access/Makefile b/contrib/libpam/modules/pam_access/Makefile
deleted file mode 100644
index a3d684b..0000000
--- a/contrib/libpam/modules/pam_access/Makefile
+++ /dev/null
@@ -1,111 +0,0 @@
-# $Id: Makefile,v 1.1 1997/06/23 00:39:42 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.1 1997/06/23 00:39:42 morgan
-# Initial revision
-#
-#
-
-TITLE=pam_access
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/access.conf
-export CONFILE
-
-# Convenient defaults for compiling independently of the full source
-# tree.
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-export DYNAMIC=-DPAM_DYNAMIC
-export CC=gcc
-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
-export MKDIR=mkdir -p
-export LD_D=gcc -shared -Xlinker -x
-endif
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-DEFS=-DCONFILE=\"$(CONFILE)\"
-
-CFLAGS += $(DEFS)
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(CONFILE)
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
- rm -f ./.ignore_age
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
diff --git a/contrib/libpam/modules/pam_access/README b/contrib/libpam/modules/pam_access/README
deleted file mode 100644
index df10c26..0000000
--- a/contrib/libpam/modules/pam_access/README
+++ /dev/null
@@ -1,40 +0,0 @@
-# Description of its configuration file (/etc/security/access.conf):
-#
-# Login access control table.
-#
-# When someone logs in, the table is scanned for the first entry that
-# matches the (user, host) combination, or, in case of non-networked
-# logins, the first entry that matches the (user, tty) combination. The
-# permissions field of that table entry determines whether the login will
-# be accepted or refused.
-#
-# Format of the login access control table is three fields separated by a
-# ":" character:
-#
-# permission : users : origins
-#
-# The first field should be a "+" (access granted) or "-" (access denied)
-# character.
-#
-# The second field should be a list of one or more login names, group
-# names, or ALL (always matches). A pattern of the form user@host is
-# matched when the login name matches the "user" part, and when the
-# "host" part matches the local machine name.
-#
-# The third field should be a list of one or more tty names (for
-# non-networked logins), host names, domain names (begin with "."), host
-# addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
-#
-# If you run NIS you can use @netgroupname in host or user patterns; this
-# even works for @usergroup@@hostgroup patterns. Weird.
-#
-# The EXCEPT operator makes it possible to write very compact rules.
-#
-# The group file is searched only when a name does not match that of the
-# logged-in user. Both the user's primary group is matched, as well as
-# groups in which users are explicitly listed.
-#
-# Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15
-############################################################################
diff --git a/contrib/libpam/modules/pam_access/access.conf b/contrib/libpam/modules/pam_access/access.conf
deleted file mode 100644
index abfefa5..0000000
--- a/contrib/libpam/modules/pam_access/access.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Login access control table.
-#
-# When someone logs in, the table is scanned for the first entry that
-# matches the (user, host) combination, or, in case of non-networked
-# logins, the first entry that matches the (user, tty) combination. The
-# permissions field of that table entry determines whether the login will
-# be accepted or refused.
-#
-# Format of the login access control table is three fields separated by a
-# ":" character:
-#
-# permission : users : origins
-#
-# The first field should be a "+" (access granted) or "-" (access denied)
-# character.
-#
-# The second field should be a list of one or more login names, group
-# names, or ALL (always matches). A pattern of the form user@host is
-# matched when the login name matches the "user" part, and when the
-# "host" part matches the local machine name.
-#
-# The third field should be a list of one or more tty names (for
-# non-networked logins), host names, domain names (begin with "."), host
-# addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
-#
-# If you run NIS you can use @netgroupname in host or user patterns; this
-# even works for @usergroup@@hostgroup patterns. Weird.
-#
-# The EXCEPT operator makes it possible to write very compact rules.
-#
-# The group file is searched only when a name does not match that of the
-# logged-in user. Both the user's primary group is matched, as well as
-# groups in which users are explicitly listed.
-#
-##############################################################################
-#
-# Disallow console logins to all but a few accounts.
-#
-#-:ALL EXCEPT wheel shutdown sync:console
-#
-# Disallow non-local logins to privileged accounts (group wheel).
-#
-#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
-#
-# Some accounts are not allowed to login from anywhere:
-#
-#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
-#
-# All other accounts are allowed to login from anywhere.
-#
diff --git a/contrib/libpam/modules/pam_access/install_conf b/contrib/libpam/modules/pam_access/install_conf
deleted file mode 100755
index 0667b5e..0000000
--- a/contrib/libpam/modules/pam_access/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-CONF=./access.conf
-QUIET_INSTALL=../../.quiet_install
-MODULE=pam_access
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_access/pam_access.c b/contrib/libpam/modules/pam_access/pam_access.c
deleted file mode 100644
index 1213339..0000000
--- a/contrib/libpam/modules/pam_access/pam_access.c
+++ /dev/null
@@ -1,424 +0,0 @@
-/* pam_access module */
-
-/*
- * Written by Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15
- * (I took login_access from logdaemon-5.6 and converted it to PAM
- * using parts of pam_time code.)
- *
- */
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-/* man page says above file includes this... */
-extern int gethostname(char *name, size_t len);
-
-#include <stdarg.h>
-#include <syslog.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <pwd.h>
-#include <grp.h>
-#include <errno.h>
-#include <ctype.h>
-#include <sys/utsname.h>
-
-#ifndef BROKEN_NETWORK_MATCH
-# include <netdb.h>
-# include <sys/socket.h>
-#endif
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_ACCOUNT
-
-#include <security/_pam_macros.h>
-#include <security/pam_modules.h>
-
-/* --- static functions for checking whether the user should be let in --- */
-
-static void _log_err(const char *format, ... )
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_access", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(LOG_ERR, format, args);
- va_end(args);
- closelog();
-}
-
-#define PAM_ACCESS_CONFIG CONFILE
-
-int strcasecmp(const char *s1, const char *s2);
-
-/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */
-
- /*
- * This module implements a simple but effective form of login access
- * control based on login names and on host (or domain) names, internet
- * addresses (or network numbers), or on terminal line names in case of
- * non-networked logins. Diagnostics are reported through syslog(3).
- *
- * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
- */
-
-#if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64)
-#undef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 256
-#endif
-
- /* Delimiters for fields and for lists of users, ttys or hosts. */
-
-static char fs[] = ":"; /* field separator */
-static char sep[] = ", \t"; /* list-element separator */
-
- /* Constants to be used in assignments only, not in comparisons... */
-
-#define YES 1
-#define NO 0
-
- /*
- * A structure to bundle up all login-related information to keep the
- * functional interfaces as generic as possible.
- */
-struct login_info {
- struct passwd *user;
- char *from;
-};
-
-typedef int match_func (char *, struct login_info *);
-
-static int list_match (char *, struct login_info *,
- match_func *);
-static int user_match (char *, struct login_info *);
-static int from_match (char *, struct login_info *);
-static int string_match (char *, char *);
-
-/* login_access - match username/group and host/tty with access control file */
-
-static int login_access(struct passwd *user, char *from)
-{
- struct login_info item;
- FILE *fp;
- char line[BUFSIZ];
- char *perm; /* becomes permission field */
- char *users; /* becomes list of login names */
- char *froms; /* becomes list of terminals or hosts */
- int match = NO;
- int end;
- int lineno = 0; /* for diagnostics */
-
- /*
- * Bundle up the arguments to avoid unnecessary clumsiness lateron.
- */
- item.user = user;
- item.from = from;
-
- /*
- * Process the table one line at a time and stop at the first match.
- * Blank lines and lines that begin with a '#' character are ignored.
- * Non-comment lines are broken at the ':' character. All fields are
- * mandatory. The first field should be a "+" or "-" character. A
- * non-existing table means no access control.
- */
-
- if ((fp = fopen(PAM_ACCESS_CONFIG, "r"))!=NULL) {
- while (!match && fgets(line, sizeof(line), fp)) {
- lineno++;
- if (line[end = strlen(line) - 1] != '\n') {
- _log_err("%s: line %d: missing newline or line too long",
- PAM_ACCESS_CONFIG, lineno);
- continue;
- }
- if (line[0] == '#')
- continue; /* comment line */
- while (end > 0 && isspace(line[end - 1]))
- end--;
- line[end] = 0; /* strip trailing whitespace */
- if (line[0] == 0) /* skip blank lines */
- continue;
- if (!(perm = strtok(line, fs))
- || !(users = strtok((char *) 0, fs))
- || !(froms = strtok((char *) 0, fs))
- || strtok((char *) 0, fs)) {
- _log_err("%s: line %d: bad field count", PAM_ACCESS_CONFIG, lineno);
- continue;
- }
- if (perm[0] != '+' && perm[0] != '-') {
- _log_err("%s: line %d: bad first field", PAM_ACCESS_CONFIG, lineno);
- continue;
- }
- match = (list_match(froms, &item, from_match)
- && list_match(users, &item, user_match));
- }
- (void) fclose(fp);
- } else if (errno != ENOENT) {
- _log_err("cannot open %s: %m", PAM_ACCESS_CONFIG);
- }
- return (match == 0 || (line[0] == '+'));
-}
-
-/* list_match - match an item against a list of tokens with exceptions */
-
-static int list_match(char *list, struct login_info *item, match_func *match_fn)
-{
- char *tok;
- int match = NO;
-
- /*
- * Process tokens one at a time. We have exhausted all possible matches
- * when we reach an "EXCEPT" token or the end of the list. If we do find
- * a match, look for an "EXCEPT" list and recurse to determine whether
- * the match is affected by any exceptions.
- */
-
- for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
- if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */
- break;
- if ((match = (*match_fn) (tok, item))) /* YES */
- break;
- }
- /* Process exceptions to matches. */
-
- if (match != NO) {
- while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT"))
- /* VOID */ ;
- if (tok == 0 || list_match((char *) 0, item, match_fn) == NO)
- return (match);
- }
- return (NO);
-}
-
-/* myhostname - figure out local machine name */
-
-static char * myhostname(void)
-{
- static char name[MAXHOSTNAMELEN + 1];
-
- gethostname(name, MAXHOSTNAMELEN);
- name[MAXHOSTNAMELEN] = 0;
- return (name);
-}
-
-/* netgroup_match - match group against machine or user */
-
-static int netgroup_match(char *group, char *machine, char *user)
-{
-#ifdef NIS
- static char *mydomain = 0;
-
- if (mydomain == 0)
- yp_get_default_domain(&mydomain);
- return (innetgr(group, machine, user, mydomain));
-#else
- _log_err("NIS netgroup support not configured");
- return (NO);
-#endif
-}
-
-/* user_match - match a username against one token */
-
-static int user_match(char *tok, struct login_info *item)
-{
- char *string = item->user->pw_name;
- struct login_info fake_item;
- struct group *group;
- int i;
- char *at;
-
- /*
- * If a token has the magic value "ALL" the match always succeeds.
- * Otherwise, return YES if the token fully matches the username, if the
- * token is a group that contains the username, or if the token is the
- * name of the user's primary group.
- */
-
- if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
- *at = 0;
- fake_item.from = myhostname();
- return (user_match(tok, item) && from_match(at + 1, &fake_item));
- } else if (tok[0] == '@') { /* netgroup */
- return (netgroup_match(tok + 1, (char *) 0, string));
- } else if (string_match(tok, string)) { /* ALL or exact match */
- return (YES);
- } else if ((group = getgrnam(tok))) { /* try group membership */
- if (item->user->pw_gid == group->gr_gid)
- return (YES);
- for (i = 0; group->gr_mem[i]; i++)
- if (strcasecmp(string, group->gr_mem[i]) == 0)
- return (YES);
- }
- return (NO);
-}
-
-/* from_match - match a host or tty against a list of tokens */
-
-static int from_match(char *tok, struct login_info *item)
-{
- char *string = item->from;
- int tok_len;
- int str_len;
-
- /*
- * If a token has the magic value "ALL" the match always succeeds. Return
- * YES if the token fully matches the string. If the token is a domain
- * name, return YES if it matches the last fields of the string. If the
- * token has the magic value "LOCAL", return YES if the string does not
- * contain a "." character. If the token is a network number, return YES
- * if it matches the head of the string.
- */
-
- if (tok[0] == '@') { /* netgroup */
- return (netgroup_match(tok + 1, string, (char *) 0));
- } else if (string_match(tok, string)) { /* ALL or exact match */
- return (YES);
- } else if (tok[0] == '.') { /* domain: match last fields */
- if ((str_len = strlen(string)) > (tok_len = strlen(tok))
- && strcasecmp(tok, string + str_len - tok_len) == 0)
- return (YES);
- } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
- if (strchr(string, '.') == 0)
- return (YES);
-#ifdef BROKEN_NETWORK_MATCH
- } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */
- && strncmp(tok, string, tok_len) == 0) {
- return (YES);
-#else /* BROKEN_NETWORK_MATCH */
- } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
- /*
- The code below does a more correct check if the address specified
- by "string" starts from "tok".
- 1998/01/27 Andrey V. Savochkin <saw@msu.ru>
- */
- struct hostent *h;
- char hn[3+1+3+1+3+1+3+1];
- int r;
-
- h = gethostbyname(string);
- if (h == NULL)
- return (NO);
- if (h->h_addrtype != AF_INET)
- return (NO);
- if (h->h_length != 4)
- return (NO); /* only IPv4 addresses (SAW) */
- r = snprintf(hn, sizeof(hn), "%u.%u.%u.%u",
- (unsigned char)h->h_addr[0], (unsigned char)h->h_addr[1],
- (unsigned char)h->h_addr[2], (unsigned char)h->h_addr[3]);
- if (r < 0 || r >= sizeof(hn))
- return (NO);
- if (!strncmp(tok, hn, tok_len))
- return (YES);
-#endif /* BROKEN_NETWORK_MATCH */
- }
- return (NO);
-}
-
-/* string_match - match a string against one token */
-
-static int string_match(char *tok, char *string)
-{
-
- /*
- * If the token has the magic value "ALL" the match always succeeds.
- * Otherwise, return YES if the token fully matches the string.
- */
-
- if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
- return (YES);
- } else if (strcasecmp(tok, string) == 0) { /* try exact match */
- return (YES);
- }
- return (NO);
-}
-
-/* end of login_access.c */
-
-int strcasecmp(const char *s1, const char *s2)
-{
- while ((toupper(*s1)==toupper(*s2)) && (*s1) && (*s2)) {s1++; s2++;}
- return(toupper(*s1)-toupper(*s2));
-}
-
-/* --- public account management functions --- */
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- const char *user=NULL;
- char *from=NULL;
- struct passwd *user_pw;
-
- /* set username */
-
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
- _log_err("cannot determine the user's name");
- return PAM_USER_UNKNOWN;
- }
-
- /* remote host name */
-
- if (pam_get_item(pamh, PAM_RHOST, (const void **)&from)
- != PAM_SUCCESS) {
- _log_err("cannot find the remote host name");
- return PAM_ABORT;
- }
-
- if (from==NULL) {
-
- /* local login, set tty name */
-
- if (pam_get_item(pamh, PAM_TTY, (const void **)&from) != PAM_SUCCESS
- || from == NULL) {
- D(("PAM_TTY not set, probing stdin"));
- from = ttyname(STDIN_FILENO);
- if (from == NULL) {
- _log_err("couldn't get the tty name");
- return PAM_ABORT;
- }
- if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) {
- _log_err("couldn't set tty name");
- return PAM_ABORT;
- }
- }
- if (strncmp("/dev/",from,5) == 0) { /* strip leading /dev/ */
- from += 5;
- }
-
- }
- if ((user_pw=getpwnam(user))==NULL) return (PAM_USER_UNKNOWN);
- if (login_access(user_pw,from)) return (PAM_SUCCESS); else {
- _log_err("access denied for user `%s' from `%s'",user,from);
- return (PAM_PERM_DENIED);
- }
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_access_modstruct = {
- "pam_access",
- NULL,
- NULL,
- pam_sm_acct_mgmt,
- NULL,
- NULL,
- NULL
-};
-#endif
-
diff --git a/contrib/libpam/modules/pam_cracklib/Makefile b/contrib/libpam/modules/pam_cracklib/Makefile
deleted file mode 100644
index 668f2f8..0000000
--- a/contrib/libpam/modules/pam_cracklib/Makefile
+++ /dev/null
@@ -1,110 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10
-#
-
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-#
-# here you should make default variable defines...
-#
-MKDIR=mkdir -p
-LD_D=gcc -shared -Xlinker -x
-INSTALL=install
-SECUREDIR=/usr/lib/security
-#
-HAVE_CRACKLIB=yes
-endif
-
-ifeq ($(HAVE_CRACKLIB),yes)
-
-TITLE=pam_cracklib
-CRACKLIB=-lcrack
-CRACKLIB_DICTPATH=/usr/lib/cracklib_dict
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-ifdef CRACKLIB_DICTPATH
-CFLAGS+=-DCRACKLIB_DICTPATH=\"$(CRACKLIB_DICTPATH)\"
-endif
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC) Makefile
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(CRACKLIB)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-else
-
-include ../dont_makefile
-
-endif
diff --git a/contrib/libpam/modules/pam_cracklib/README b/contrib/libpam/modules/pam_cracklib/README
deleted file mode 100644
index e4b0273..0000000
--- a/contrib/libpam/modules/pam_cracklib/README
+++ /dev/null
@@ -1,21 +0,0 @@
-
-pam_cracklib:
- check the passwd against dictionary words.
-
-RECOGNIZED ARGUMENTS:
- debug verbose log
-
- type=XXX alter the message printed as a prompt to the user.
- the message printed is in the form
- "New XXX password: ".
- Default XXX=UNIX
-
- retry=N Prompt user at most N times before returning with
- error. Default N=1.
-
-MODULE SERVICES PROVIDED:
- passwd chauthtok
-
-AUTHOR:
- Cristian Gafton <gafton@sorosis.ro>
-
diff --git a/contrib/libpam/modules/pam_cracklib/pam_cracklib.c b/contrib/libpam/modules/pam_cracklib/pam_cracklib.c
deleted file mode 100644
index 3400dfb..0000000
--- a/contrib/libpam/modules/pam_cracklib/pam_cracklib.c
+++ /dev/null
@@ -1,687 +0,0 @@
-/* pam_cracklib module */
-
-/*
- * 0.85. added six new options to use this with long passwords.
- * 0.8. tidied output and improved D(()) usage for debugging.
- * 0.7. added support for more obscure checks for new passwd.
- * 0.6. root can reset user passwd to any values (it's only warned)
- * 0.5. supports retries - 'retry=N' argument
- * 0.4. added argument 'type=XXX' for 'New XXX password' prompt
- * 0.3. Added argument 'debug'
- * 0.2. new password is feeded to cracklib for verify after typed once
- * 0.1. First release
- */
-
-/*
- * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10
- * Long password support by Philip W. Dalrymple <pwd@mdtsoft.com> 1997/07/18
- * See the end of the file for Copyright Information
- *
- * Modification for long password systems (>8 chars). The original
- * module had problems when used in a md5 password system in that it
- * allowed too short passwords but required that at least half of the
- * bytes in the new password did not appear in the old one. this
- * action is still the default and the changes should not break any
- * current user. This modification adds 6 new options, one to set the
- * number of bytes in the new password that are not in the old one,
- * the other five to control the length checking, these are all
- * documented (or will be before anyone else sees this code) in the PAM
- * S.A.G. in the section on the cracklib module.
- */
-
-#include <stdio.h>
-#define __USE_BSD
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <ctype.h>
-
-extern char *FascistCheck(char *pw, const char *dictpath);
-
-#ifndef CRACKLIB_DICTPATH
-#define CRACKLIB_DICTPATH "/usr/lib/cracklib_dict"
-#endif
-
-#define PROMPT1 "New %s password: "
-#define PROMPT2 "Retype new %s password: "
-#define MISTYPED_PASS "Sorry, passwords do not match"
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-#ifndef LINUX_PAM
-#include <security/pam_appl.h>
-#endif /* LINUX_PAM */
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-Cracklib", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-#define PAM_DEBUG_ARG 0x0001
-
-/* module data - AGM: please remove these static variables... PAM was
- * designed to be reentrant based soley on a unique pamh... this
- * breaks that. */
-
-static int retry_times = 0;
-static int diff_ok = 10;
-static int min_length = 9;
-static int dig_credit = 1;
-static int up_credit = 1;
-static int low_credit = 1;
-static int oth_credit = 1;
-static char prompt_type[BUFSIZ];
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
- char *ep = NULL;
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"type=",5))
- strcpy(prompt_type, *argv+5);
- else if (!strncmp(*argv,"retry=",6)) {
- retry_times = strtol(*argv+6,&ep,10);
- if (!ep || (retry_times < 1))
- retry_times = 1;
- } else if (!strncmp(*argv,"difok=",6)) {
- diff_ok = strtol(*argv+6,&ep,10);
- if (!ep || (diff_ok < 0))
- diff_ok = 10;
- } else if (!strncmp(*argv,"minlen=",7)) {
- min_length = strtol(*argv+7,&ep,10);
- if (!ep || (min_length < 5))
- min_length = 5;
- } else if (!strncmp(*argv,"dcredit=",8)) {
- dig_credit = strtol(*argv+8,&ep,10);
- if (!ep || (dig_credit < 0))
- dig_credit = 0;
- } else if (!strncmp(*argv,"ucredit=",8)) {
- up_credit = strtol(*argv+8,&ep,10);
- if (!ep || (up_credit < 0))
- up_credit = 0;
- } else if (!strncmp(*argv,"lcredit=",8)) {
- low_credit = strtol(*argv+8,&ep,10);
- if (!ep || (low_credit < 0))
- low_credit = 0;
- } else if (!strncmp(*argv,"ocredit=",8)) {
- oth_credit = strtol(*argv+8,&ep,10);
- if (!ep || (oth_credit < 0))
- oth_credit = 0;
- } else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-/* Helper functions */
-
-/* this is a front-end for module-application conversations */
-static int converse(pam_handle_t *pamh, int ctrl, int nargs,
- struct pam_message **message,
- struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
-
- if ( retval == PAM_SUCCESS ) {
- retval = conv->conv(nargs, (const struct pam_message **)message,
- response, conv->appdata_ptr);
- if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) {
- _pam_log(LOG_DEBUG, "conversation failure [%s]",
- pam_strerror(pamh, retval));
- }
- } else {
- _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]",
- pam_strerror(pamh, retval));
- }
-
- return retval; /* propagate error status */
-}
-
-static int make_remark(pam_handle_t *pamh, unsigned int ctrl,
- int type, const char *text)
-{
- struct pam_message *pmsg[1], msg[1];
- struct pam_response *resp;
- int retval;
-
- pmsg[0] = &msg[0];
- msg[0].msg = text;
- msg[0].msg_style = type;
- resp = NULL;
-
- retval = converse(pamh, ctrl, 1, pmsg, &resp);
- if (retval == PAM_SUCCESS)
- _pam_drop_reply(resp, 1);
-
- return retval;
-}
-
-/* use this to free strings. ESPECIALLY password strings */
-static char *_pam_delete(register char *xx)
-{
- _pam_overwrite(xx);
- free(xx);
- return NULL;
-}
-
-/*
- * can't be a palindrome - like `R A D A R' or `M A D A M'
- */
-static int palindrome(const char *old, const char *new)
-{
- int i, j;
-
- i = strlen (new);
-
- for (j = 0;j < i;j++)
- if (new[i - j - 1] != new[j])
- return 0;
-
- return 1;
-}
-
-/*
- * more than half of the characters are different ones.
- * or at least diff_ok are different
- * NOTE that the defaults are NOT the same as befor this
- * change. as long as there are at least 10 different bytes
- * in a new password it will now pass even if the password
- * is longer than 20 bytes (MD5)
- */
-
-static int similiar(const char *old, const char *new)
-{
- int i, j;
-
- for (i = j = 0;new[i] && old[i];i++)
- if (strchr (new, old[i]))
- j++;
-
- if (j >= diff_ok || i >= j * 2)
- return 0;
-
- return 1;
-}
-
-/*
- * a nice mix of characters.
- */
-static int simple(const char *old, const char *new)
-{
- int digits = 0;
- int uppers = 0;
- int lowers = 0;
- int others = 0;
- int size;
- int i;
-
- for (i = 0;new[i];i++) {
- if (isdigit (new[i]))
- digits++;
- else if (isupper (new[i]))
- uppers++;
- else if (islower (new[i]))
- lowers++;
- else
- others++;
- }
-
- /*
- * The scam was this - a password of only one character type
- * must be 8 letters long. Two types, 7, and so on.
- * This is now changed, the base size and the credits or defaults
- * see the docs on the module for info on these parameters, the
- * defaults cause the effect to be the same as before the change
- */
-
- if (digits > dig_credit)
- digits = dig_credit;
-
- if (uppers > up_credit)
- uppers = up_credit;
-
- if (lowers > low_credit)
- lowers = low_credit;
-
- if (others > oth_credit)
- others = oth_credit;
-
- size = min_length;
- size -= digits;
- size -= uppers;
- size -= lowers;
- size -= others;
-
- if (size <= i)
- return 0;
-
- return 1;
-}
-
-static char * str_lower(char *string)
-{
- char *cp;
-
- for (cp = string; *cp; cp++)
- *cp = tolower(*cp);
- return string;
-}
-
-static const char * password_check(const char *old, const char *new)
-{
- const char *msg = NULL;
- char *oldmono, *newmono, *wrapped;
-
- if (strcmp(new, old) == 0) {
- msg = "is the same as the old one";
- return msg;
- }
-
- newmono = str_lower(x_strdup(new));
- oldmono = str_lower(x_strdup(old));
- wrapped = malloc(strlen(oldmono) * 2 + 1);
- strcpy (wrapped, oldmono);
- strcat (wrapped, oldmono);
-
- if (palindrome(oldmono, newmono))
- msg = "is a palindrome";
-
- if (!msg && strcmp(oldmono, newmono) == 0)
- msg = "case changes only";
-
- if (!msg && similiar(oldmono, newmono))
- msg = "is too similiar to the old one";
-
- if (!msg && simple(old, new))
- msg = "is too simple";
-
- if (!msg && strstr(wrapped, newmono))
- msg = "is rotated";
-
- memset(newmono, 0, strlen(newmono));
- memset(oldmono, 0, strlen(oldmono));
- memset(wrapped, 0, strlen(wrapped));
- free(newmono);
- free(oldmono);
- free(wrapped);
-
- return msg;
-}
-
-
-static int _pam_unix_approve_pass(pam_handle_t *pamh,
- unsigned int ctrl,
- const char *pass_old,
- const char *pass_new)
-{
- const char *msg = NULL;
-
- if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) {
- if (ctrl && PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "bad authentication token");
- make_remark(pamh, ctrl, PAM_ERROR_MSG,
- pass_new == NULL ?
- "No password supplied":"Password unchanged" );
- return PAM_AUTHTOK_ERR;
- }
-
- /*
- * if one wanted to hardwire authentication token strength
- * checking this would be the place
- */
- msg = password_check(pass_old,pass_new);
- if (msg) {
- char remark[BUFSIZ];
-
- memset(remark,0,sizeof(remark));
- sprintf(remark,"BAD PASSWORD: %s",msg);
- if (ctrl && PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE, "new passwd fails strength check: %s",
- msg);
- make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
- return PAM_AUTHTOK_ERR;
- };
- return PAM_SUCCESS;
-
-}
-
-/* The Main Thing (by Cristian Gafton, CEO at this module :-)
- * (stolen from http://home.netscape.com)
- */
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
-
- retry_times = 1;
- memset(prompt_type,0,sizeof(prompt_type));
- ctrl = _pam_parse(argc, argv);
-
- D(("called."));
- if (!prompt_type[0])
- strcpy(prompt_type,"UNIX");
-
- if (flags & PAM_PRELIM_CHECK) {
- /* Check for passwd dictionary */
- struct stat st;
- char buf[sizeof(CRACKLIB_DICTPATH)+10];
-
- D(("prelim check"));
-
- memset(buf,0,sizeof(buf)); /* zero the buffer */
- sprintf(buf,"%s.pwd",CRACKLIB_DICTPATH);
-
- if (!stat(buf,&st) && st.st_size)
- return PAM_SUCCESS;
- else {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"dict path '%s'[.pwd] is invalid",
- CRACKLIB_DICTPATH);
- return PAM_ABORT;
- }
-
- /* Not reached */
- return PAM_SERVICE_ERR;
-
- } else if (flags & PAM_UPDATE_AUTHTOK) {
- int retval;
- char *token1, *token2, *oldtoken;
- const char *item;
- struct pam_message msg[1],*pmsg[1];
- struct pam_response *resp;
- const char *cracklib_dictpath = CRACKLIB_DICTPATH;
- char prompt[BUFSIZ];
-
- D(("do update"));
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK,
- (const void **)&oldtoken);
- if (retval != PAM_SUCCESS) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_ERR,"Can not get old passwd");
- oldtoken=NULL;
- retval = PAM_SUCCESS;
- }
-
- do {
- /*
- * make sure nothing inappropriate gets returned
- */
- token1 = token2 = NULL;
-
- if (!retry_times) {
- D(("returning %s because maxtries reached",
- pam_strerror(pamh, retval)));
- return retval;
- }
-
- /* Planned modus operandi:
- * Get a passwd.
- * Verify it against cracklib.
- * If okay get it a second time.
- * Check to be the same with the first one.
- * set PAM_AUTHTOK and return
- */
-
- /* Prepare to ask the user for the first time */
- memset(prompt,0,sizeof(prompt));
- sprintf(prompt,PROMPT1,prompt_type);
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[0].msg = prompt;
-
- resp = NULL;
- retval = converse(pamh, ctrl, 1, pmsg, &resp);
- if (resp != NULL) {
- /* interpret the response */
- if (retval == PAM_SUCCESS) { /* a good conversation */
- token1 = x_strdup(resp[0].resp);
- if (token1 == NULL) {
- _pam_log(LOG_NOTICE,
- "could not recover authentication token 1");
- retval = PAM_AUTHTOK_RECOVER_ERR;
- }
- }
- /*
- * tidy up the conversation (resp_retcode) is ignored
- */
- _pam_drop_reply(resp, 1);
- } else {
- retval = (retval == PAM_SUCCESS) ?
- PAM_AUTHTOK_RECOVER_ERR:retval ;
- }
-
- if (retval != PAM_SUCCESS) {
- if (ctrl && PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,"unable to obtain a password");
- continue;
- }
-
- D(("testing password, retval = %s", pam_strerror(pamh, retval)));
- /* now test this passwd against cracklib */
- {
- char *crack_msg;
- char remark[BUFSIZ];
-
- bzero(remark,sizeof(remark));
- D(("against cracklib"));
- if ((crack_msg = FascistCheck(token1, cracklib_dictpath))) {
- if (ctrl && PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,"bad password: %s",crack_msg);
- sprintf(remark,"BAD PASSWORD: %s", crack_msg);
- make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
- retval = PAM_AUTHTOK_ERR;
- else
- retval = PAM_SUCCESS;
- } else {
- /* check it for strength too... */
- D(("for strength"));
- if (oldtoken) {
- retval = _pam_unix_approve_pass(pamh,ctrl,
- oldtoken,token1);
- if (retval != PAM_SUCCESS)
- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
- retval = PAM_AUTHTOK_ERR;
- else
- retval = PAM_SUCCESS;
- }
- }
- }
-
- D(("after testing: retval = %s", pam_strerror(pamh, retval)));
- /* if cracklib/strength check said it is a bad passwd... */
- if ((retval != PAM_SUCCESS) && (retval != PAM_IGNORE)) {
- int temp_unused;
-
- temp_unused = pam_set_item(pamh, PAM_AUTHTOK, NULL);
- token1 = _pam_delete(token1);
- continue;
- }
-
- /* Now we have a good passwd. Ask for it once again */
-
- bzero(prompt,sizeof(prompt));
- sprintf(prompt,PROMPT2,prompt_type);
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[0].msg = prompt;
-
- resp = NULL;
- retval = converse(pamh, ctrl, 1, pmsg, &resp);
- if (resp != NULL) {
- /* interpret the response */
- if (retval == PAM_SUCCESS) { /* a good conversation */
- token2 = x_strdup(resp[0].resp);
- if (token2 == NULL) {
- _pam_log(LOG_NOTICE,
- "could not recover authentication token 2");
- retval = PAM_AUTHTOK_RECOVER_ERR;
- }
- }
- /*
- * tidy up the conversation (resp_retcode) is ignored
- */
- _pam_drop_reply(resp, 1);
- } else {
- retval = (retval == PAM_SUCCESS) ?
- PAM_AUTHTOK_RECOVER_ERR:retval ;
- }
-
- if (retval != PAM_SUCCESS) {
- if (ctrl && PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG
- ,"unable to obtain the password a second time");
- continue;
- }
-
- /* Hopefully now token1 and token2 the same password ... */
- if (strcmp(token1,token2) != 0) {
- /* tell the user */
- make_remark(pamh, ctrl, PAM_ERROR_MSG, MISTYPED_PASS);
- token1 = _pam_delete(token1);
- token2 = _pam_delete(token2);
- pam_set_item(pamh, PAM_AUTHTOK, NULL);
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"Password mistyped");
- retval = PAM_AUTHTOK_RECOVER_ERR;
- continue;
- }
-
- /* Yes, the password was typed correct twice
- * we store this password as an item
- */
-
- retval = pam_set_item(pamh, PAM_AUTHTOK, token1);
- /* clean it up */
- token1 = _pam_delete(token1);
- token2 = _pam_delete(token2);
- if (
- (retval != PAM_SUCCESS) ||
- (
- (
- retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item)
- ) != PAM_SUCCESS
- )
- ) {
- _pam_log(LOG_CRIT, "error manipulating password");
- continue;
- }
- item = NULL; /* break link to password */
- return PAM_SUCCESS;
-
- } while (retry_times--);
-
- } else {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE, "UNKNOWN flags setting %02X",flags);
- return PAM_SERVICE_ERR;
- }
-
- /* Not reached */
- return PAM_SERVICE_ERR;
-}
-
-
-
-#ifdef PAM_STATIC
-/* static module data */
-struct pam_module _pam_cracklib_modstruct = {
- "pam_cracklib",
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- pam_sm_chauthtok
-};
-#endif
-
-/*
- * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1996.
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * The following copyright was appended for the long password support
- * added with the libpam 0.58 release:
- *
- * Modificaton Copyright (c) Philip W. Dalrymple III <pwd@mdtsoft.com>
- * 1997. All rights reserved
- *
- * THE MODIFICATION THAT PROVIDES SUPPORT FOR LONG PASSWORD TYPE CHECKING TO
- * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_deny/Makefile b/contrib/libpam/modules/pam_deny/Makefile
deleted file mode 100644
index 02506cb..0000000
--- a/contrib/libpam/modules/pam_deny/Makefile
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# $Id: Makefile,v 1.7 1997/04/05 06:43:41 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.7 1997/04/05 06:43:41 morgan
-# full-source-tree and fakeroot
-#
-# Revision 1.6 1997/02/15 19:04:27 morgan
-# fixed email
-#
-# Revision 1.5 1996/11/10 20:11:48 morgan
-# crossplatform support
-#
-# Revision 1.4 1996/09/05 06:50:12 morgan
-# ld --> gcc
-#
-# Revision 1.3 1996/05/26 15:48:38 morgan
-# make dynamic and static dirs
-#
-# Revision 1.2 1996/05/26 04:00:16 morgan
-# changes for automated static/dynamic modules
-#
-# Revision 1.1 1996/03/16 17:47:36 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11
-#
-
-# Convenient defaults for compiling independently of the full source
-# tree.
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-export DYNAMIC=-DPAM_DYNAMIC
-export CC=gcc
-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
-export MKDIR=mkdir -p
-export LD_D=gcc -shared -Xlinker -x
-endif
-
-#
-
-TITLE=pam_deny
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_deny/README b/contrib/libpam/modules/pam_deny/README
deleted file mode 100644
index 4f7f6de..0000000
--- a/contrib/libpam/modules/pam_deny/README
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: README,v 1.1 1996/03/16 18:11:12 morgan Exp $
-#
-
-this module always fails, it ignores all options.
diff --git a/contrib/libpam/modules/pam_deny/pam_deny.c b/contrib/libpam/modules/pam_deny/pam_deny.c
deleted file mode 100644
index 76ba24d..0000000
--- a/contrib/libpam/modules/pam_deny/pam_deny.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* pam_permit module */
-
-/*
- * $Id: pam_deny.c,v 1.4 1997/02/15 19:05:15 morgan Exp $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- *
- * $Log: pam_deny.c,v $
- * Revision 1.4 1997/02/15 19:05:15 morgan
- * fixed email
- *
- * Revision 1.3 1996/06/02 08:06:19 morgan
- * changes for new static protocol
- *
- * Revision 1.2 1996/05/26 04:01:12 morgan
- * added static support
- *
- * Revision 1.1 1996/03/16 17:47:36 morgan
- * Initial revision
- *
- */
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-
-/* --- authentication management functions --- */
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_AUTH_ERR;
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_CRED_UNAVAIL;
-}
-
-/* --- account management functions --- */
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_ACCT_EXPIRED;
-}
-
-/* --- password management --- */
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_AUTHTOK_ERR;
-}
-
-/* --- session management --- */
-
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SYSTEM_ERR;
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SYSTEM_ERR;
-}
-
-/* end of module definition */
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_deny_modstruct = {
- "pam_deny",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-#endif
diff --git a/contrib/libpam/modules/pam_env/Makefile b/contrib/libpam/modules/pam_env/Makefile
deleted file mode 100644
index df363bc..0000000
--- a/contrib/libpam/modules/pam_env/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@
-#
-# $Id: Makefile,v 1.1 1997/04/05 06:42:35 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.1 1997/04/05 06:42:35 morgan
-# Initial revision
-#
-# Revision 1.1 1997/01/04 20:32:52 morgan
-# Initial revision
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/12/8
-# Adaptations by Dave Kinclea and Cristian Gafton
-#
-
-TITLE=pam_env
-
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/pam_env.conf
-export CONFILE
-
-#ifeq ($(HAVE_PWDBLIB),yes)
-#CFLAGS += -DWANT_PWDB
-#EXTRALIB = -lpwdb
-#endif
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(EXTRALIB)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS) $(EXTRALIB)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_env/README b/contrib/libpam/modules/pam_env/README
deleted file mode 100644
index d6e959c..0000000
--- a/contrib/libpam/modules/pam_env/README
+++ /dev/null
@@ -1,72 +0,0 @@
-# $Date: 1997/04/05 06:42:35 $
-# $Author: morgan $
-# $Id: README,v 1.1 1997/04/05 06:42:35 morgan Exp $
-#
-# This is the configuration file for pam_env, a PAM module to load in
-# a configurable list of environment variables for a
-#
-# The original idea for this came from Andrew G. Morgan ...
-#<quote>
-# Mmm. Perhaps you might like to write a pam_env module that reads a
-# default environment from a file? I can see that as REALLY
-# useful... Note it would be an "auth" module that returns PAM_IGNORE
-# for the auth part and sets the environment returning PAM_SUCCESS in
-# the setcred function...
-#</quote>
-#
-# What I wanted was the REMOTEHOST variable set, purely for selfish
-# reasons, and AGM didn't want it added to the SimpleApps login
-# program (which is where I added the patch). So, my first concern is
-# that variable, from there there are numerous others that might/would
-# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
-#
-# Of course, these are a different kind of variable than REMOTEHOST in
-# that they are things that are likely to be configured by
-# administrators rather than set by logging in, how to treat them both
-# in the same config file?
-#
-# Here is my idea:
-#
-# Each line starts with the variable name, there are then two possible
-# options for each variable DEFAULT and OVERRIDE.
-# DEFAULT allows and administrator to set the value of the
-# variable to some default value, if none is supplied then the empty
-# string is assumed. The OVERRIDE option tells pam_env that it should
-# enter in its value (overriding the default value) if there is one
-# to use. OVERRIDE is not used, "" is assumed and no override will be
-# done.
-#
-# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-#
-# (Possibly non-existent) environment variables may be used in values
-# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
-# be used in values using the @{string} syntax. Both the $ and @
-# characters can be backslash escaped to be used as literal values
-# values can be delimited with "", escaped " not supported.
-#
-#
-# First, some special variables
-#
-# Set the REMOTEHOST variable for any hosts that are remote, default
-# to "localhost" rather than not being set at all
-REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
-#
-# Set the DISPLAY variable if it seems reasonable
-DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
-#
-#
-# Now some simple variables
-#
-PAGER DEFAULT=less
-MANPAGER DEFAULT=less
-LESS DEFAULT="M q e h15 z23 b80"
-NNTPSERVER DEFAULT=localhost
-PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
-:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-#
-# silly examples of escaped variables, just to show how they work.
-#
-DOLLAR DEFAULT=\$
-DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
-DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
-ATSIGN DEFAULT="" OVERRIDE=\@
diff --git a/contrib/libpam/modules/pam_env/install_conf b/contrib/libpam/modules/pam_env/install_conf
deleted file mode 100755
index 4c60840..0000000
--- a/contrib/libpam/modules/pam_env/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./pam_env.conf-example
-MODULE=pam_env
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_env/pam_env.c b/contrib/libpam/modules/pam_env/pam_env.c
deleted file mode 100644
index bd0879c..0000000
--- a/contrib/libpam/modules/pam_env/pam_env.c
+++ /dev/null
@@ -1,779 +0,0 @@
-/* pam_mail module */
-
-/*
- * $Id: pam_env.c,v 1.1 1997/04/05 06:42:35 morgan Exp morgan $
- *
- * Written by Dave Kinchlea <kinch@kinch.ark.com> 1997/01/31
- * Inspired by Andrew Morgan <morgan@parc.power.net, who also supplied the
- * template for this file (via pam_mail)
- *
- * $Log: pam_env.c,v $
- * Revision 1.1 1997/04/05 06:42:35 morgan
- * Initial revision
- *
- * Revision 0.6 1997/02/04 17:58:27 kinch
- * Debugging code cleaned up, lots added (whereever _log_err called) some removed
- *
- * Revision 0.5 1997/02/04 17:20:30 kinch
- * Changed default config file
- * Removed bogus message in pam_sm_authenticate()
- * Added back support in pam_sm_session(), this could conceivably be used
- * both as an auth_setcred and a session module
- *
- * Revision 0.4 1997/02/04 07:34:15 kinch
- * Fixed dealing with escaped '$' and '@' characters
- * This is now an pam_sm_setcred module to work closer to the RFC model
- * though this whole thing seems to have little to do with Authentication
- *
- * Revision 0.3 1997/02/04 04:53:15 kinch
- * Removed bogus space in PAM_ENV_SILENT
- * Removed line that added a space when allowing for escaped newlines, that
- * is not what we want at all, if we want a space, we can add one.
- * Changed a PAM_ABORT to PAM_BUF_ERR for a malloc failure
- * Changed bogus PAM_RUSER to PAM_RHOST
- *
- * Revision 0.2 1997/02/03 23:31:26 kinch
- * Lots of D(()) debugging code added, probably too much actually.
- * This now seems to work for all cases I can think of
- * Lots of little code changes but nothing major and no function
- * interface changes, largest change has to do with adding the
- * logic to get &quote hack to make it through all the code. Probably
- * ought to have done this with a global flag for each of defval and
- * override - it would have been cleaner.
- *
- * Revision 0.1 1997/02/03 01:39:06 kinch
- * Initial code, it compiles cleanly but has not been tested at all.
- *
- */
-
-#ifndef DEFAULT_CONF_FILE
-#define DEFAULT_CONF_FILE "/etc/security/pam_env.conf"
-#endif
-
-#ifdef linux
-#define _GNU_SOURCE
-#include <features.h>
-#endif
-
-#include <ctype.h>
-#include <errno.h>
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#ifdef WANT_PWDB
-#include <pwdb/pwdb_public.h>
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH /* This is primarily a AUTH_SETCRED module */
-#define PAM_SM_SESSION /* But I like to be friendly */
-#define PAM_SM_PASSWORD /* "" */
-#define PAM_SM_ACCOUNT /* "" */
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* This little structure makes it easier to keep variables together */
-
-typedef struct var {
- char *name;
- char *value;
- char *defval;
- char *override;
-} VAR;
-
-#define BUF_SIZE 1024
-#define MAX_ENV 8192
-
-#define GOOD_LINE 0
-#define BAD_LINE 100 /* This must be > the largest PAM_* error code */
-
-#define DEFINE_VAR 101
-#define UNDEFINE_VAR 102
-#define ILLEGAL_VAR 103
-
-static int _assemble_line(FILE *, char *, int);
-static int _parse_line(char *, VAR *);
-static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */
-static void _clean_var(VAR *);
-static int _expand_arg(pam_handle_t *, char **);
-static const char * _pam_get_item_byname(pam_handle_t *, const char *);
-static int _define_var(pam_handle_t *, VAR *);
-static int _undefine_var(pam_handle_t *, VAR *);
-
-/* This is a flag used to designate an empty string */
-static char quote='Z';
-
-/* some syslogging */
-
-static void _log_err(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-env", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 01
-#define PAM_NEW_CONF_FILE 02
-#define PAM_ENV_SILENT 04
-
-static int _pam_parse(int flags, int argc, const char **argv, char **conffile)
-{
- int ctrl=0;
-
-
- /* step through arguments */
- for (; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"conffile=",9)) {
- *conffile = x_strdup(9+*argv);
- if (*conffile != NULL) {
- D(("new Configuration File: %s", *conffile));
- ctrl |= PAM_NEW_CONF_FILE;
- } else {
- _log_err(LOG_CRIT,
- "Configuration file specification missing argument - ignored");
- }
- } else {
- _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-static int _parse_config_file(pam_handle_t *pamh, int ctrl, char **conffile)
-{
- int retval;
- const char *file;
- char buffer[BUF_SIZE];
- FILE *conf;
- VAR Var, *var=&Var;
-
- var->name=NULL; var->defval=NULL; var->override=NULL;
- D(("Called."));
-
- if (ctrl & PAM_NEW_CONF_FILE) {
- file = *conffile;
- } else {
- file = DEFAULT_CONF_FILE;
- }
-
- D(("Config file name is: %s", file));
-
- /*
- * Lets try to open the config file, parse it and process
- * any variables found.
- */
-
- if ((conf = fopen(file,"r")) == NULL) {
- _log_err(LOG_ERR, "Unable to open config file: %s",
- strerror(errno));
- return PAM_ABORT;
- }
-
- /* _pam_assemble_line will provide a complete line from the config file, with all
- * comments removed and any escaped newlines fixed up
- */
-
- while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) {
- D(("Read line: %s", buffer));
-
- if ((retval = _parse_line(buffer, var)) == GOOD_LINE) {
- retval = _check_var(pamh, var);
-
- if (DEFINE_VAR == retval) {
- retval = _define_var(pamh, var);
-
- } else if (UNDEFINE_VAR == retval) {
- retval = _undefine_var(pamh, var);
- }
- }
- if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval
- && BAD_LINE != retval && PAM_BAD_ITEM != retval) break;
-
- _clean_var(var);
-
- } /* while */
-
- (void) fclose(conf);
-
- /* tidy up */
- _clean_var(var); /* We could have got here prematurely, this is safe though */
- _pam_overwrite(*conffile);
- _pam_drop(*conffile);
- file = NULL;
- D(("Exit."));
- return (retval<0?PAM_ABORT:PAM_SUCCESS);
-}
-
-/*
- * This is where we read a line of the PAM config file. The line may be
- * preceeded by lines of comments and also extended with "\\\n"
- */
-
-static int _assemble_line(FILE *f, char *buffer, int buf_len)
-{
- char *p = buffer;
- char *s, *os;
- int used = 0;
-
- /* loop broken with a 'break' when a non-'\\n' ended line is read */
-
- D(("called."));
- for (;;) {
- if (used >= buf_len) {
- /* Overflow */
- D(("_assemble_line: overflow"));
- return -1;
- }
- if (fgets(p, buf_len - used, f) == NULL) {
- if (used) {
- /* Incomplete read */
- return -1;
- } else {
- /* EOF */
- return 0;
- }
- }
-
- /* skip leading spaces --- line may be blank */
-
- s = p + strspn(p, " \n\t");
- if (*s && (*s != '#')) {
- os = s;
-
- /*
- * we are only interested in characters before the first '#'
- * character
- */
-
- while (*s && *s != '#')
- ++s;
- if (*s == '#') {
- *s = '\0';
- used += strlen(os);
- break; /* the line has been read */
- }
-
- s = os;
-
- /*
- * Check for backslash by scanning back from the end of
- * the entered line, the '\n' has been included since
- * normally a line is terminated with this
- * character. fgets() should only return one though!
- */
-
- s += strlen(s);
- while (s > os && ((*--s == ' ') || (*s == '\t')
- || (*s == '\n')));
-
- /* check if it ends with a backslash */
- if (*s == '\\') {
- *s = '\0'; /* truncate the line here */
- used += strlen(os);
- p = s; /* there is more ... */
- } else {
- /* End of the line! */
- used += strlen(os);
- break; /* this is the complete line */
- }
-
- } else {
- /* Nothing in this line */
- /* Don't move p */
- }
- }
-
- return used;
-}
-
-static int _parse_line(char *buffer, VAR *var)
-{
- /*
- * parse buffer into var, legal syntax is
- * VARIABLE [DEFAULT=[[string]] [OVERRIDE=[value]]
- *
- * Any other options defined make this a bad line,
- * error logged and no var set
- */
-
- int length, quoteflg=0;
- char *ptr, **valptr, *tmpptr;
-
- D(("Called buffer = <%s>", buffer));
-
- length = strcspn(buffer," \t\n");
-
- if ((var->name = malloc(length + 1)) == NULL) {
- _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1);
- return PAM_BUF_ERR;
- }
-
- /*
- * The first thing on the line HAS to be the variable name,
- * it may be the only thing though.
- */
- strncpy(var->name, buffer, length);
- var->name[length] = '\0';
- D(("var->name = <%s>, length = %d", var->name, length));
-
- /*
- * Now we check for arguments, we only support two kinds and ('cause I am lazy)
- * each one can actually be listed any number of times
- */
-
- ptr = buffer+length;
- while ((length = strspn(ptr, " \t")) > 0) {
- ptr += length; /* remove leading whitespace */
- D((ptr));
- if (strncmp(ptr,"DEFAULT=",8) == 0) {
- ptr+=8;
- D(("Default arg found: <%s>", ptr));
- valptr=&(var->defval);
- } else if (strncmp(ptr, "OVERRIDE=", 9) == 0) {
- ptr+=9;
- D(("Override arg found: <%s>", ptr));
- valptr=&(var->override);
- } else {
- D(("Unrecognized options: <%s> - ignoring line", ptr));
- _log_err(LOG_ERR, "Unrecognized Option: %s - ignoring line", ptr);
- return BAD_LINE;
- }
-
- if ('"' != *ptr) { /* Escaped quotes not supported */
- length = strcspn(ptr, " \t\n");
- tmpptr = ptr+length;
- } else {
- tmpptr = strchr(++ptr, '"');
- if (!tmpptr) {
- D(("Unterminated quoted string: %s", ptr-1));
- _log_err(LOG_ERR, "Unterminated quoted string: %s", ptr-1);
- return BAD_LINE;
- }
- length = tmpptr - ptr;
- if (*++tmpptr && ' ' != *tmpptr && '\t' != *tmpptr && '\n' != *tmpptr) {
- D(("Quotes must cover the entire string: <%s>", ptr));
- _log_err(LOG_ERR, "Quotes must cover the entire string: <%s>", ptr);
- return BAD_LINE;
- }
- quoteflg++;
- }
- if (length) {
- if ((*valptr = malloc(length + 1)) == NULL) {
- D(("Couldn't malloc %d bytes", length+1));
- _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1);
- return PAM_BUF_ERR;
- }
- (void)strncpy(*valptr,ptr,length);
- (*valptr)[length]='\0';
- } else if (quoteflg--) {
- *valptr = &quote; /* a quick hack to handle the empty string */
- }
- ptr = tmpptr; /* Start the search where we stopped */
- } /* while */
-
- /*
- * The line is parsed, all is well.
- */
-
- D(("Exit."));
- ptr = NULL; tmpptr = NULL; valptr = NULL;
- return GOOD_LINE;
-}
-
-static int _check_var(pam_handle_t *pamh, VAR *var)
-{
- /*
- * Examine the variable and determine what action to take.
- * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take
- * or a PAM_* error code if passed back from other routines
- *
- * if no DEFAULT provided, the empty string is assumed
- * if no OVERRIDE provided, the empty string is assumed
- * if DEFAULT= and OVERRIDE evaluates to the empty string,
- * this variable should be undefined
- * if DEFAULT="" and OVERRIDE evaluates to the empty string,
- * this variable should be defined with no value
- * if OVERRIDE=value and value turns into the empty string, DEFAULT is used
- *
- * If DEFINE_VAR is to be returned, the correct value to define will
- * be pointed to by var->value
- */
-
- int retval;
-
- D(("Called."));
-
- /*
- * First thing to do is to expand any arguments, but only
- * if they are not the special quote values (cause expand_arg
- * changes memory).
- */
-
- if (var->defval && (&quote != var->defval) &&
- ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) {
- return retval;
- }
- if (var->override && (&quote != var->override) &&
- ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) {
- return retval;
- }
-
- /* Now its easy */
-
- if (var->override && *(var->override) && &quote != var->override) {
- /* if there is a non-empty string in var->override, we use it */
- D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override));
- var->value = var->override;
- retval = DEFINE_VAR;
- } else {
-
- var->value = var->defval;
- if (&quote == var->defval) {
- /*
- * This means that the empty string was given for defval value
- * which indicates that a variable should be defined with no value
- */
- *var->defval = '\0';
- D(("An empty variable: <%s>", var->name));
- retval = DEFINE_VAR;
- } else if (var->defval) {
- D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval));
- retval = DEFINE_VAR;
- } else {
- D(("UNDEFINE variable <%s>", var->name));
- retval = UNDEFINE_VAR;
- }
- }
-
- D(("Exit."));
- return retval;
-}
-
-static int _expand_arg(pam_handle_t *pamh, char **value)
-{
- const char *orig=*value, *tmpptr=NULL;
- char *ptr; /*
- * Sure would be nice to use tmpptr but it needs to be
- * a constant so that the compiler will shut up when I
- * call pam_getenv and _pam_get_item_byname -- sigh
- */
-
- char type, tmpval[BUF_SIZE]; /* No unexpanded variable can be bigger than BUF_SIZE */
- char tmp[MAX_ENV]; /* I know this shouldn't be hard-coded but it's so
- * much easier this way */
-
- D(("Remember to initialize tmp!"));
- tmp[0] = '\0';
-
- /*
- * (possibly non-existent) environment variables can be used as values
- * by prepending a "$" and wrapping in {} (ie: ${HOST}), can escape with "\"
- * (possibly non-existent) PAM items can be used as values
- * by prepending a "@" and wrapping in {} (ie: @{PAM_RHOST}, can escape
- *
- */
- D(("Expanding <%s>",orig));
- while (*orig) { /* while there is some input to deal with */
- if ('\\' == *orig) {
- ++orig;
- if ('$' != *orig && '@' != *orig) {
- D(("Unrecognized escaped character: <%c> - ignoring", *orig));
- _log_err(LOG_ERR, "Unrecognized escaped character: <%c> - ignoring",
- *orig);
- } else if ((strlen(tmp) + 1) < MAX_ENV) {
- tmp[strlen(tmp)] = *orig++; /* Note the increment */
- } else {
- /* is it really a good idea to try to log this? */
- D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
- }
- continue;
- }
- if ('$' == *orig || '@' == *orig) {
- if ('{' != *(orig+1)) {
- D(("Expandable variables must be wrapped in {} <%s> - ignoring", orig));
- _log_err(LOG_ERR, "Expandable variables must be wrapped in {} <%s> - ignoring",
- orig);
- if ((strlen(tmp) + 1) < MAX_ENV) {
- tmp[strlen(tmp)] = *orig++; /* Note the increment */
- }
- continue;
- } else {
- D(("Expandable argument: <%s>", orig));
- type = *orig;
- orig+=2; /* skip the ${ or @{ characters */
- ptr = strchr(orig, '}');
- if (ptr) {
- *ptr++ = '\0';
- } else {
- D(("Unterminated expandable variable: <%s>", orig-2));
- _log_err(LOG_ERR, "Unterminated expandable variable: <%s>", orig-2);
- return PAM_ABORT;
- }
- strcpy(tmpval, orig);
- orig=ptr;
- /*
- * so, we know we need to expand tmpval, it is either
- * an environment variable or a PAM_ITEM. type will tell us which
- */
- switch (type) {
-
- case '$':
- D(("Expanding env var: <%s>",tmpval));
- tmpptr = pam_getenv(pamh, tmpval);
- D(("Expanded to <%s>", tmpptr));
- break;
-
- case '@':
- D(("Expanding pam item: <%s>",tmpval));
- tmpptr = _pam_get_item_byname(pamh, tmpval);
- D(("Expanded to <%s>", tmpptr));
- break;
-
- default:
- D(("Impossible error, type == <%c>", type));
- _log_err(LOG_CRIT, "Impossible error, type == <%c>", type);
- return PAM_ABORT;
- } /* switch */
-
- if (tmpptr) {
- if ((strlen(tmp) + strlen(tmpptr)) < MAX_ENV) {
- strcat(tmp, tmpptr);
- } else {
- /* is it really a good idea to try to log this? */
- D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
- }
- }
- } /* if ('{' != *orig++) */
- } else { /* if ( '$' == *orig || '@' == *orig) */
- if ((strlen(tmp) + 1) < MAX_ENV) {
- tmp[strlen(tmp)] = *orig++; /* Note the increment */
- } else {
- /* is it really a good idea to try to log this? */
- D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
- }
- }
- } /* for (;*orig;) */
-
- if (strlen(tmp) > strlen(*value)) {
- free(*value);
- if ((*value = malloc(strlen(tmp) +1)) == NULL) {
- D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1));
- _log_err(LOG_ERR,"Couldn't malloc %d bytes for expanded var",
- strlen(tmp)+1);
- return PAM_BUF_ERR;
- }
- }
- strcpy(*value, tmp);
- memset(tmp,'\0',sizeof(tmp));
- D(("Exit."));
-
- return PAM_SUCCESS;
-}
-
-static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
-{
- /*
- * This function just allows me to use names as given in the config
- * file and translate them into the appropriate PAM_ITEM macro
- */
-
- int item;
- const char *itemval;
-
- D(("Called."));
- if (strcmp(name, "PAM_USER") == 0) {
- item = PAM_USER;
- } else if (strcmp(name, "PAM_USER_PROMPT") == 0) {
- item = PAM_USER_PROMPT;
- } else if (strcmp(name, "PAM_TTY") == 0) {
- item = PAM_TTY;
- } else if (strcmp(name, "PAM_RUSER") == 0) {
- item = PAM_RUSER;
- } else if (strcmp(name, "PAM_RHOST") == 0) {
- item = PAM_RHOST;
- } else {
- D(("Unknown PAM_ITEM: <%s>", name));
- _log_err(LOG_ERR, "Unknown PAM_ITEM: <%s>", name);
- return NULL;
- }
-
- if (pam_get_item(pamh, item, (const void **)&itemval) != PAM_SUCCESS) {
- D(("pam_get_item failed"));
- return NULL; /* let pam_get_item() log the error */
- }
- D(("Exit."));
- return itemval;
-}
-
-static int _define_var(pam_handle_t *pamh, VAR *var)
-{
- /* We have a variable to define, this is a simple function */
-
- char *envvar;
- int size, retval=PAM_SUCCESS;
-
- D(("Called."));
- size = strlen(var->name)+strlen(var->value)+2;
- if ((envvar = malloc(size)) == NULL) {
- D(("Malloc fail, size = %d", size));
- _log_err(LOG_ERR, "Malloc fail, size = %d", size);
- return PAM_BUF_ERR;
- }
- (void) sprintf(envvar,"%s=%s",var->name,var->value);
- retval = pam_putenv(pamh, envvar);
- free(envvar); envvar=NULL;
- D(("Exit."));
- return retval;
-}
-
-static int _undefine_var(pam_handle_t *pamh, VAR *var)
-{
- /* We have a variable to undefine, this is a simple function */
-
- D(("Called and exit."));
- return pam_putenv(pamh, var->name);
-}
-
-static void _clean_var(VAR *var)
-{
- if (var->name) {
- free(var->name);
- }
- if (var->defval && (&quote != var->defval)) {
- free(var->defval);
- }
- if (var->override && (&quote != var->override)) {
- free(var->override);
- }
- var->name = NULL;
- var->value = NULL; /* never has memory specific to it */
- var->defval = NULL;
- var->override = NULL;
- return;
-}
-
-
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return PAM_IGNORE;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- int retval, ctrl;
- char *conf_file=NULL;
-
- /*
- * this module sets environment variables read in from a file
- */
-
- D(("Called."));
- ctrl = _pam_parse(flags, argc, argv, &conf_file);
-
- retval = _parse_config_file(pamh, ctrl, &conf_file);
-
- /* indicate success or failure */
-
- D(("Exit."));
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- _log_err(LOG_NOTICE, "pam_sm_acct_mgmt called inappropriatly");
- return PAM_SERVICE_ERR;
-}
-
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval, ctrl;
- char *conf_file=NULL;
-
- /*
- * this module sets environment variables read in from a file
- */
-
- D(("Called."));
- ctrl = _pam_parse(flags, argc, argv, &conf_file);
-
- retval = _parse_config_file(pamh, ctrl, &conf_file);
-
- /* indicate success or failure */
-
- D(("Exit."));
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc,
- const char **argv)
-{
- D(("Called and Exit"));
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- _log_err(LOG_NOTICE, "pam_sm_chauthtok called inappropriatly");
- return PAM_SERVICE_ERR;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_env_modstruct = {
- "pam_env",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_env/pam_env.conf-example b/contrib/libpam/modules/pam_env/pam_env.conf-example
deleted file mode 100644
index 388e8b6..0000000
--- a/contrib/libpam/modules/pam_env/pam_env.conf-example
+++ /dev/null
@@ -1,72 +0,0 @@
-# $Date: 1997/04/05 06:42:35 $
-# $Author: morgan $
-# $Id: pam_env.conf-example,v 1.1 1997/04/05 06:42:35 morgan Exp $
-#
-# This is the configuration file for pam_env, a PAM module to load in
-# a configurable list of environment variables for a
-#
-# The original idea for this came from Andrew G. Morgan ...
-#<quote>
-# Mmm. Perhaps you might like to write a pam_env module that reads a
-# default environment from a file? I can see that as REALLY
-# useful... Note it would be an "auth" module that returns PAM_IGNORE
-# for the auth part and sets the environment returning PAM_SUCCESS in
-# the setcred function...
-#</quote>
-#
-# What I wanted was the REMOTEHOST variable set, purely for selfish
-# reasons, and AGM didn't want it added to the SimpleApps login
-# program (which is where I added the patch). So, my first concern is
-# that variable, from there there are numerous others that might/would
-# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
-#
-# Of course, these are a different kind of variable than REMOTEHOST in
-# that they are things that are likely to be configured by
-# administrators rather than set by logging in, how to treat them both
-# in the same config file?
-#
-# Here is my idea:
-#
-# Each line starts with the variable name, there are then two possible
-# options for each variable DEFAULT and OVERRIDE.
-# DEFAULT allows and administrator to set the value of the
-# variable to some default value, if none is supplied then the empty
-# string is assumed. The OVERRIDE option tells pam_env that it should
-# enter in its value (overriding the default value) if there is one
-# to use. OVERRIDE is not used, "" is assumed and no override will be
-# done.
-#
-# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-#
-# (Possibly non-existent) environment variables may be used in values
-# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
-# be used in values using the @{string} syntax. Both the $ and @
-# characters can be backslash escaped to be used as literal values
-# values can be delimited with "", escaped " not supported.
-#
-#
-# First, some special variables
-#
-# Set the REMOTEHOST variable for any hosts that are remote, default
-# to "localhost" rather than not being set at all
-#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
-#
-# Set the DISPLAY variable if it seems reasonable
-#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
-#
-#
-# Now some simple variables
-#
-#PAGER DEFAULT=less
-#MANPAGER DEFAULT=less
-#LESS DEFAULT="M q e h15 z23 b80"
-#NNTPSERVER DEFAULT=localhost
-#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
-#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-#
-# silly examples of escaped variables, just to show how they work.
-#
-#DOLLAR DEFAULT=\$
-#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
-#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
-#ATSIGN DEFAULT="" OVERRIDE=\@
diff --git a/contrib/libpam/modules/pam_filter/Makefile b/contrib/libpam/modules/pam_filter/Makefile
deleted file mode 100644
index dbd6452..0000000
--- a/contrib/libpam/modules/pam_filter/Makefile
+++ /dev/null
@@ -1,150 +0,0 @@
-#
-# $Id: Makefile,v 1.10 1997/04/05 06:41:09 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.10 1997/04/05 06:41:09 morgan
-# fakeroot
-#
-# Revision 1.9 1997/02/15 18:58:48 morgan
-# fixed bash syntax
-#
-# Revision 1.8 1997/01/04 20:24:29 morgan
-# don't compile on solaris, make -> $(MAKE)
-#
-# Revision 1.7 1996/11/10 20:12:09 morgan
-# cross platform support
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11
-#
-
-ifeq ($(OS),solaris)
-
-include ../dont_makefile
-
-else
-
-TITLE=pam_filter
-FILTERS=upperLOWER
-FILTERSDIR=$(SUPLEMENTED)/pam_filter
-export FILTERSDIR
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-#
-# this is where we compile this module
-#
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register filters
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-filters:
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i all ; \
- fi ; \
- done
-
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-endif
-
-ifdef DYNAMIC
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-endif
-
-ifdef STATIC
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i install ; \
- fi ; \
- done
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(INCLUDED)
- $(INSTALL) -m 644 include/pam_filter.h $(FAKEROOT)$(INCLUDED)
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(INCLUDED)/pam_filter.h
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i remove ; \
- fi ; \
- done
-
-lclean:
- rm -f $(LIBSHARED) $(LIBOBJD) $(LIBOBJS) core *~
-
-clean: lclean
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i clean ; \
- fi ; \
- done
-
-extraclean: lclean
- @rm -f *.a *.o *.so *.bak
- for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i extraclean ; \
- fi ; \
- done
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-endif
diff --git a/contrib/libpam/modules/pam_filter/README b/contrib/libpam/modules/pam_filter/README
deleted file mode 100644
index 9d46a56..0000000
--- a/contrib/libpam/modules/pam_filter/README
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# $Id: README,v 1.5 1996/12/01 02:53:08 morgan Exp $
-#
-# This describes the behavior of this module with respect to the
-# /etc/pam.conf file.
-#
-# writen by Andrew Morgan <morgan@parc.power.net>
-#
-
-This module is intended to be a platform for providing access to all
-of the input/output that passes between the user and the application.
-It is only suitable for tty-based and (stdin/stdout) applications. And
-is only known to work on Linux based systems.
-
-The action of the module is dictated by the arguments it is given in
-the pam.conf file.
-
-recognized flags are:
-
- debug print some information to syslog(3)
-
- new_term set the PAM_TTY item to the new filtered
- terminal (the default is to set it
- to be that of the users terminal)
-
- non_term don't try to set the PAM_TTY item
-
- run1/run2 these arguments indicate that the
- module should separate the application
- from the user and insert a filter
- program between them. The pathname of
- the filter program follows the 'runN'
- argument. Arguments that follow this
- pathname are passed as arguments to
- the filter program.
-
- The distinction between run1 and run2
- is which of the two functions of
- the given management-type triggers the
- execution of the indicated filter.
-
- type: run1 run2
- ----- ---- ----
-
- auth pam_sm_authenticate pam_sm_setcred
-
- account [ pam_sm_acct_mgmt (either is good) ]
-
- session pam_sm_open_session pam_sm_close_session
-
- password pam_sm_chauthtok/PRELIM pam_sm_chauthtok/UPDATE
-
-Note, in the case of 'password' PRELIM/UPDATE indicates which of the
-two calls to pam_sm_chauthtok from libpam (not the application) will
-trigger the filter.
-
-What a filter program should expect:
-------------------------------------
-
-Definitions for filter programs (which may be locally designed) are
-contained in the <security/pam_filter.h> file.
-
-Arguments are not passed to the filter on the command line, since this
-is plainly visible when a user types 'ps -a'. Instead they are passed
-as the filter's environment. Other information is passed in this way
-too.
-
-Here is a list of the environment variables that a filter should
-expect:
-
- ARGS="filter_path_name argument list"
- SERVICE="service_name" (as it appears in /etc/pam.conf)
- USER="username"
- TYPE="module_fn" (the name of the function in pam_filter.so
- that invoked the filter)
-
-[This list is likely to grow. If you want something added, email me!]
-
-Among other things this module is intended to provide a useful means
-of logging the activity of users in as discrete a manner as possible.
-
-Existing filters:
------------------
-
-Currently, there is a single supplied filter (upperLOWER). The effect
-of using this filter is to transpose upper and lower case letters
-between the user and the application. This is really annoying when you
-try the 'xsh' example application! ;)
-
-TODO: provide more filters...
- Decide if providing stderr interception is really overkill.
-
-Andrew G. Morgan <morgan@parc.power.net> 1996/5/27
-
diff --git a/contrib/libpam/modules/pam_filter/include/pam_filter.h b/contrib/libpam/modules/pam_filter/include/pam_filter.h
deleted file mode 100644
index 3eb2730..0000000
--- a/contrib/libpam/modules/pam_filter/include/pam_filter.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * $Id: pam_filter.h,v 1.2 1997/02/15 19:09:09 morgan Exp $
- *
- * this file is associated with the Linux-PAM filter module.
- * it was written by Andrew G. Morgan <morgan@parc.power.net>
- *
- */
-
-#ifndef PAM_FILTER_H
-#define PAM_FILTER_H
-
-#include <sys/file.h>
-
-/*
- * this will fail if there is some problem with these file descriptors
- * being allocated by the pam_filter Linux-PAM module. The numbers
- * here are thought safe, but the filter developer should use the
- * macros, as these numbers are subject to change.
- *
- * The APPXXX_FILENO file descriptors are the STDIN/OUT/ERR_FILENO of the
- * application. The filter uses the STDIN/OUT/ERR_FILENO's to converse
- * with the user, passes (modified) user input to the application via
- * APPIN_FILENO, and receives application output from APPOUT_FILENO/ERR.
- */
-
-#define APPIN_FILENO 3 /* write here to give application input */
-#define APPOUT_FILENO 4 /* read here to get application output */
-#define APPERR_FILENO 5 /* read here to get application errors */
-
-#define APPTOP_FILE 6 /* used by select */
-
-#endif
diff --git a/contrib/libpam/modules/pam_filter/pam_filter.c b/contrib/libpam/modules/pam_filter/pam_filter.c
deleted file mode 100644
index fc3d1f2..0000000
--- a/contrib/libpam/modules/pam_filter/pam_filter.c
+++ /dev/null
@@ -1,747 +0,0 @@
-/*
- * $Id: pam_filter.c,v 1.9 1997/02/15 19:07:49 morgan Exp morgan $
- *
- * $Log: pam_filter.c,v $
- * Revision 1.9 1997/02/15 19:07:49 morgan
- * fixed email
- *
- * Revision 1.8 1996/11/10 20:59:23 morgan
- * gcc warning removed
- *
- * Revision 1.7 1996/07/08 00:01:17 morgan
- * set the PAM_TTY item now
- *
- * Revision 1.6 1996/06/02 08:08:19 morgan
- * completely re-written
- *
- *
- * written by Andrew Morgan <morgan@transmeta.com> with much help from
- * Richard Stevens' UNIX Network Programming book.
- */
-
-#include <stdlib.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <string.h>
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <termio.h>
-
-#include <signal.h>
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/pam_filter.h>
-
-/* ------ some tokens used for convenience throughout this file ------- */
-
-#define FILTER_DEBUG 01
-#define FILTER_RUN1 02
-#define FILTER_RUN2 04
-#define NEW_TERM 010
-#define NON_TERM 020
-
-/* -------------------------------------------------------------------- */
-
-/* log errors */
-
-#include <stdarg.h>
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_filter", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-#define TERMINAL_LEN 12
-
-static int master(char *terminal)
-/*
- * try to open all of the terminals in sequence return first free one,
- * or -1
- */
-{
- const char ptys[] = "pqrs", *pty = ptys;
- const char hexs[] = "0123456789abcdef", *hex;
- struct stat tstat;
- int fd;
-
- strcpy(terminal, "/dev/pty??");
-
- while (*pty) { /* step through four types */
- terminal[8] = *pty++;
- terminal[9] = '0';
- if (stat(terminal,&tstat) < 0) {
- _pam_log(LOG_WARNING, "unknown pseudo terminal; %s", terminal);
- break;
- }
- for (hex = hexs; *hex; ) { /* step through 16 of these */
- terminal[9] = *hex++;
- if ((fd = open(terminal, O_RDWR)) >= 0) {
- return fd;
- }
- }
- }
-
- /* no terminal found */
-
- return -1;
-}
-
-static int process_args(pam_handle_t *pamh
- , int argc, const char **argv, const char *type
- , char ***evp, const char **filtername)
-{
- int ctrl=0;
-
- while (argc-- > 0) {
- if (strcmp("debug",*argv) == 0) {
- ctrl |= FILTER_DEBUG;
- } else if (strcmp("new_term",*argv) == 0) {
- ctrl |= NEW_TERM;
- } else if (strcmp("non_term",*argv) == 0) {
- ctrl |= NON_TERM;
- } else if (strcmp("run1",*argv) == 0) {
- ctrl |= FILTER_RUN1;
- if (argc <= 0) {
- _pam_log(LOG_ALERT,"no run filter supplied");
- } else
- break;
- } else if (strcmp("run2",*argv) == 0) {
- ctrl |= FILTER_RUN2;
- if (argc <= 0) {
- _pam_log(LOG_ALERT,"no run filter supplied");
- } else
- break;
- } else {
- _pam_log(LOG_ERR, "unrecognized option: %s (ignored)", *argv);
- }
- ++argv; /* step along list */
- }
-
- if (argc < 0) {
- /* there was no reference to a filter */
- *filtername = NULL;
- *evp = NULL;
- } else {
- char **levp;
- const char *tmp;
- int i,size;
-
- *filtername = *++argv;
- if (ctrl & FILTER_DEBUG) {
- _pam_log(LOG_DEBUG,"will run filter %s\n", *filtername);
- }
-
- levp = (char **) malloc(5*sizeof(char *));
- if (levp == NULL) {
- _pam_log(LOG_CRIT,"no memory for environment of filter");
- return -1;
- }
-
- for (size=i=0; i<argc; ++i) {
- size += strlen(argv[i])+1;
- }
-
- /* the "ARGS" variable */
-
-#define ARGS_OFFSET 5 /* sizeof("ARGS="); */
-#define ARGS_NAME "ARGS="
-
- size += ARGS_OFFSET;
-
- levp[0] = (char *) malloc(size);
- if (levp[0] == NULL) {
- _pam_log(LOG_CRIT,"no memory for filter arguments");
- if (levp) {
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[0],ARGS_NAME,ARGS_OFFSET);
- for (i=0,size=ARGS_OFFSET; i<argc; ++i) {
- strcpy(levp[0]+size, argv[i]);
- size += strlen(argv[i]);
- levp[0][size++] = ' ';
- }
- levp[0][--size] = '\0'; /* <NUL> terminate */
-
- /* the "SERVICE" variable */
-
-#define SERVICE_OFFSET 8 /* sizeof("SERVICE="); */
-#define SERVICE_NAME "SERVICE="
-
- pam_get_item(pamh, PAM_SERVICE, (const void **)&tmp);
- size = SERVICE_OFFSET+strlen(tmp);
-
- levp[1] = (char *) malloc(size+1);
- if (levp[1] == NULL) {
- _pam_log(LOG_CRIT,"no memory for service name");
- if (levp) {
- free(levp[0]);
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[1],SERVICE_NAME,SERVICE_OFFSET);
- strcpy(levp[1]+SERVICE_OFFSET, tmp);
- levp[1][size] = '\0'; /* <NUL> terminate */
-
- /* the "USER" variable */
-
-#define USER_OFFSET 5 /* sizeof("USER="); */
-#define USER_NAME "USER="
-
- pam_get_user(pamh, &tmp, NULL);
- if (tmp == NULL) {
- tmp = "<unknown>";
- }
- size = USER_OFFSET+strlen(tmp);
-
- levp[2] = (char *) malloc(size+1);
- if (levp[2] == NULL) {
- _pam_log(LOG_CRIT,"no memory for user's name");
- if (levp) {
- free(levp[1]);
- free(levp[0]);
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[2],USER_NAME,USER_OFFSET);
- strcpy(levp[2]+USER_OFFSET, tmp);
- levp[2][size] = '\0'; /* <NUL> terminate */
-
- /* the "USER" variable */
-
-#define TYPE_OFFSET 5 /* sizeof("TYPE="); */
-#define TYPE_NAME "TYPE="
-
- size = TYPE_OFFSET+strlen(type);
-
- levp[3] = (char *) malloc(size+1);
- if (levp[3] == NULL) {
- _pam_log(LOG_CRIT,"no memory for type");
- if (levp) {
- free(levp[2]);
- free(levp[1]);
- free(levp[0]);
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[3],TYPE_NAME,TYPE_OFFSET);
- strcpy(levp[3]+TYPE_OFFSET, type);
- levp[3][size] = '\0'; /* <NUL> terminate */
-
- levp[4] = NULL; /* end list */
-
- *evp = levp;
- }
-
- if ((ctrl & FILTER_DEBUG) && *filtername) {
- char **e;
-
- _pam_log(LOG_DEBUG,"filter[%s]: %s",type,*filtername);
- _pam_log(LOG_DEBUG,"environment:");
- for (e=*evp; e && *e; ++e) {
- _pam_log(LOG_DEBUG," %s",*e);
- }
- }
-
- return ctrl;
-}
-
-static void free_evp(char *evp[])
-{
- int i;
-
- if (evp)
- for (i=0; i<4; ++i) {
- if (evp[i])
- free(evp[i]);
- }
- free(evp);
-}
-
-static int set_filter(pam_handle_t *pamh, int flags, int ctrl
- , const char **evp, const char *filtername)
-{
- int status=-1;
- char terminal[TERMINAL_LEN];
- struct termio stored_mode; /* initial terminal mode settings */
- int fd[2], child=0, child2=0, aterminal;
-
- if (filtername == NULL || *filtername != '/') {
- _pam_log(LOG_ALERT, "filtername not permitted; require full path");
- return PAM_ABORT;
- }
-
- if (!isatty(STDIN_FILENO) || !isatty(STDOUT_FILENO)) {
- aterminal = 0;
- } else {
- aterminal = 1;
- }
-
- if (aterminal) {
-
- /* open the master pseudo terminal */
-
- fd[0] = master(terminal);
- if (fd[0] < 0) {
- _pam_log(LOG_CRIT,"no master terminal");
- return PAM_AUTH_ERR;
- }
-
- /* set terminal into raw mode.. remember old mode so that we can
- revert to it after the child has quit. */
-
- /* this is termio terminal handling... */
-
- if (ioctl(STDIN_FILENO, TCGETA, (char *) &stored_mode ) < 0) {
- /* in trouble, so close down */
- close(fd[0]);
- _pam_log(LOG_CRIT, "couldn't copy terminal mode");
- return PAM_ABORT;
- } else {
- struct termio t_mode = stored_mode;
-
- t_mode.c_iflag = 0; /* no input control */
- t_mode.c_oflag &= ~OPOST; /* no ouput post processing */
-
- /* no signals, canonical input, echoing, upper/lower output */
- t_mode.c_lflag &= ~(ISIG|ICANON|ECHO|XCASE);
- t_mode.c_cflag &= ~(CSIZE|PARENB); /* no parity */
- t_mode.c_cflag |= CS8; /* 8 bit chars */
-
- t_mode.c_cc[VMIN] = 1; /* number of chars to satisfy a read */
- t_mode.c_cc[VTIME] = 0; /* 0/10th second for chars */
-
- if (ioctl(STDIN_FILENO, TCSETA, (char *) &t_mode) < 0) {
- close(fd[0]);
- _pam_log(LOG_WARNING, "couldn't put terminal in RAW mode");
- return PAM_ABORT;
- }
-
- /*
- * NOTE: Unlike the stream socket case here the child
- * opens the slave terminal as fd[1] *after* the fork...
- */
- }
- } else {
-
- /*
- * not a terminal line so just open a stream socket fd[0-1]
- * both set...
- */
-
- if ( socketpair(AF_UNIX, SOCK_STREAM, 0, fd) < 0 ) {
- _pam_log(LOG_CRIT,"couldn't open a stream pipe");
- return PAM_ABORT;
- }
- }
-
- /* start child process */
-
- if ( (child = fork()) < 0 ) {
-
- _pam_log(LOG_WARNING,"first fork failed");
- if (aterminal) {
- (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
- }
-
- return PAM_AUTH_ERR;
- }
-
- if ( child == 0 ) { /* child process *is* application */
-
- if (aterminal) {
-
- /* close the controlling tty */
-
-#if defined(__hpux) && defined(O_NOCTTY)
- int t = open("/dev/tty", O_RDWR|O_NOCTTY);
-#else
- int t = open("/dev/tty",O_RDWR);
- if (t > 0) {
- (void) ioctl(t, TIOCNOTTY, NULL);
- close(t);
- }
-#endif /* defined(__hpux) && defined(O_NOCTTY) */
-
- /* make this process it's own process leader */
- if (setsid() == -1) {
- _pam_log(LOG_WARNING,"child cannot become new session");
- return PAM_ABORT;
- }
-
- /* find slave's name */
- terminal[5] = 't'; /* want to open slave terminal */
- fd[1] = open(terminal, O_RDWR);
- close(fd[0]); /* process is the child -- uses line fd[1] */
-
- if (fd[1] < 0) {
- _pam_log(LOG_WARNING,"cannot open slave terminal; %s"
- ,terminal);
- return PAM_ABORT;
- }
-
- /* initialize the child's terminal to be the way the
- parent's was before we set it into RAW mode */
-
- if (ioctl(fd[1], TCSETA, (char *) &stored_mode) < 0) {
- _pam_log(LOG_WARNING,"cannot set slave terminal mode; %s"
- ,terminal);
- close(fd[1]);
- return PAM_ABORT;
- }
-
- } else {
-
- /* nothing to do for a simple stream socket */
-
- }
-
- /* re-assign the stdin/out to fd[1] <- (talks to filter). */
-
- if ( dup2(fd[1],STDIN_FILENO) != STDIN_FILENO ||
- dup2(fd[1],STDOUT_FILENO) != STDOUT_FILENO ||
- dup2(fd[1],STDERR_FILENO) != STDERR_FILENO ) {
- _pam_log(LOG_WARNING
- ,"unable to re-assign STDIN/OUT/ERR...'s");
- close(fd[1]);
- return PAM_ABORT;
- }
-
- /* make sure that file descriptors survive 'exec's */
-
- if ( fcntl(STDIN_FILENO, F_SETFD, 0) ||
- fcntl(STDOUT_FILENO,F_SETFD, 0) ||
- fcntl(STDERR_FILENO,F_SETFD, 0) ) {
- _pam_log(LOG_WARNING
- ,"unable to re-assign STDIN/OUT/ERR...'s");
- return PAM_ABORT;
- }
-
- /* now the user input is read from the parent/filter: forget fd */
-
- close(fd[1]);
-
- /* the current process is now aparently working with filtered
- stdio/stdout/stderr --- success! */
-
- return PAM_SUCCESS;
- }
-
- /*
- * process is the parent here. So we can close the application's
- * input/output
- */
-
- close(fd[1]);
-
- /* Clear out passwords... there is a security problem here in
- * that this process never executes pam_end. Consequently, any
- * other sensitive data in this process is *not* explicitly
- * overwritten, before the process terminates */
-
- (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
- (void) pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
-
- /* fork a copy of process to run the actual filter executable */
-
- if ( (child2 = fork()) < 0 ) {
-
- _pam_log(LOG_WARNING,"filter fork failed");
- child2 = 0;
-
- } else if ( child2 == 0 ) { /* exec the child filter */
-
- if ( dup2(fd[0],APPIN_FILENO) != APPIN_FILENO ||
- dup2(fd[0],APPOUT_FILENO) != APPOUT_FILENO ||
- dup2(fd[0],APPERR_FILENO) != APPERR_FILENO ) {
- _pam_log(LOG_WARNING
- ,"unable to re-assign APPIN/OUT/ERR...'s");
- close(fd[0]);
- exit(1);
- }
-
- /* make sure that file descriptors survive 'exec's */
-
- if ( fcntl(APPIN_FILENO, F_SETFD, 0) == -1 ||
- fcntl(APPOUT_FILENO,F_SETFD, 0) == -1 ||
- fcntl(APPERR_FILENO,F_SETFD, 0) == -1 ) {
- _pam_log(LOG_WARNING
- ,"unable to retain APPIN/OUT/ERR...'s");
- close(APPIN_FILENO);
- close(APPOUT_FILENO);
- close(APPERR_FILENO);
- exit(1);
- }
-
- /* now the user input is read from the parent through filter */
-
- execle(filtername, "<pam_filter>", NULL, evp);
-
- /* getting to here is an error */
-
- _pam_log(LOG_ALERT, "filter: %s, not executable", filtername);
-
- } else { /* wait for either of the two children to exit */
-
- while (child && child2) { /* loop if there are two children */
- int lstatus=0;
- int chid;
-
- chid = wait(&lstatus);
- if (chid == child) {
-
- if (WIFEXITED(lstatus)) { /* exited ? */
- status = WEXITSTATUS(lstatus);
- } else if (WIFSIGNALED(lstatus)) { /* killed ? */
- status = -1;
- } else
- continue; /* just stopped etc.. */
- child = 0; /* the child has exited */
-
- } else if (chid == child2) {
- /*
- * if the filter has exited. Let the child die
- * naturally below
- */
- if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus))
- child2 = 0;
- } else {
-
- _pam_log(LOG_ALERT
- ,"programming error <chid=%d,lstatus=%x>: "
- __FILE__ " line %d"
- , lstatus, __LINE__ );
- child = child2 = 0;
- status = -1;
-
- }
- }
- }
-
- close(fd[0]);
-
- /* if there is something running, wait for it to exit */
-
- while (child || child2) {
- int lstatus=0;
- int chid;
-
- chid = wait(&lstatus);
-
- if (child && chid == child) {
-
- if (WIFEXITED(lstatus)) { /* exited ? */
- status = WEXITSTATUS(lstatus);
- } else if (WIFSIGNALED(lstatus)) { /* killed ? */
- status = -1;
- } else
- continue; /* just stopped etc.. */
- child = 0; /* the child has exited */
-
- } else if (child2 && chid == child2) {
-
- if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus))
- child2 = 0;
-
- } else {
-
- _pam_log(LOG_ALERT
- ,"programming error <chid=%d,lstatus=%x>: "
- __FILE__ " line %d"
- , lstatus, __LINE__ );
- child = child2 = 0;
- status = -1;
-
- }
- }
-
- if (aterminal) {
- /* reset to initial terminal mode */
- (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
- }
-
- if (ctrl & FILTER_DEBUG) {
- _pam_log(LOG_DEBUG,"parent process exited"); /* clock off */
- }
-
- /* quit the parent process, returning the child's exit status */
-
- exit(status);
-}
-
-static int set_the_terminal(pam_handle_t *pamh)
-{
- const char *tty;
-
- if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS
- || tty == NULL) {
- tty = ttyname(STDIN_FILENO);
- if (tty == NULL) {
- _pam_log(LOG_ERR, "couldn't get the tty name");
- return PAM_ABORT;
- }
- if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) {
- _pam_log(LOG_ERR, "couldn't set tty name");
- return PAM_ABORT;
- }
- }
- return PAM_SUCCESS;
-}
-
-static int need_a_filter(pam_handle_t *pamh
- , int flags, int argc, const char **argv
- , const char *name, int which_run)
-{
- int ctrl;
- char **evp;
- const char *filterfile;
- int retval;
-
- ctrl = process_args(pamh, argc, argv, name, &evp, &filterfile);
- if (ctrl == -1) {
- return PAM_AUTHINFO_UNAVAIL;
- }
-
- /* set the tty to the old or the new one? */
-
- if (!(ctrl & NON_TERM) && !(ctrl & NEW_TERM)) {
- retval = set_the_terminal(pamh);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_ERR, "tried and failed to set PAM_TTY");
- }
- } else {
- retval = PAM_SUCCESS; /* nothing to do which is always a success */
- }
-
- if (retval == PAM_SUCCESS && (ctrl & which_run)) {
- retval = set_filter(pamh, flags, ctrl
- , (const char **)evp, filterfile);
- }
-
- if (retval == PAM_SUCCESS
- && !(ctrl & NON_TERM) && (ctrl & NEW_TERM)) {
- retval = set_the_terminal(pamh);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_ERR
- , "tried and failed to set new terminal as PAM_TTY");
- }
- }
-
- free_evp(evp);
-
- if (ctrl & FILTER_DEBUG) {
- _pam_log(LOG_DEBUG, "filter/%s, returning %d", name, retval);
- _pam_log(LOG_DEBUG, "[%s]", pam_strerror(pamh, retval));
- }
-
- return retval;
-}
-
-/* ----------------- public functions ---------------- */
-
-/*
- * here are the advertised access points ...
- */
-
-/* ------------------ authentication ----------------- */
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh
- , int flags, int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "authenticate", FILTER_RUN1);
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv, "setcred", FILTER_RUN2);
-}
-
-/* --------------- account management ---------------- */
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "setcred", FILTER_RUN1|FILTER_RUN2 );
-}
-
-/* --------------- session management ---------------- */
-
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "open_session", FILTER_RUN1);
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "close_session", FILTER_RUN2);
-}
-
-/* --------- updating authentication tokens --------- */
-
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- int runN;
-
- if (flags & PAM_PRELIM_CHECK)
- runN = FILTER_RUN1;
- else if (flags & PAM_UPDATE_AUTHTOK)
- runN = FILTER_RUN2;
- else {
- _pam_log(LOG_ERR, "unknown flags for chauthtok (0x%X)", flags);
- return PAM_TRY_AGAIN;
- }
-
- return need_a_filter(pamh, flags, argc, argv, "chauthtok", runN);
-}
-
-#ifdef PAM_STATIC
-
-/* ------------ stuff for static modules ------------ */
-
-struct pam_module _pam_filter_modstruct = {
- "pam_filter",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif
diff --git a/contrib/libpam/modules/pam_filter/upperLOWER/Makefile b/contrib/libpam/modules/pam_filter/upperLOWER/Makefile
deleted file mode 100644
index 09b693b..0000000
--- a/contrib/libpam/modules/pam_filter/upperLOWER/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# $Id: Makefile,v 1.5 1997/04/05 06:41:35 morgan Exp $
-#
-# $Log: Makefile,v $
-# Revision 1.5 1997/04/05 06:41:35 morgan
-# fakeroot
-#
-# Revision 1.4 1997/01/04 20:25:04 morgan
-# removed need for make
-#
-# Revision 1.3 1996/11/10 20:13:08 morgan
-# email address
-#
-# Revision 1.2 1996/11/10 20:12:24 morgan
-# cross platform support
-#
-# Revision 1.1 1996/06/02 08:17:02 morgan
-# Initial revision
-#
-#
-# This directory contains a pam_filter filter executable
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11
-#
-
-TITLE=upperLOWER
-
-#
-
-OBJS = $(TITLE).o
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
-
-all: $(TITLE)
-
-$(TITLE): $(OBJS)
- $(CC) -o $(TITLE) $(OBJS)
- strip $(TITLE)
-
-install:
- $(MKDIR) $(FAKEROOT)$(FILTERSDIR)
- $(INSTALL) -m 511 $(TITLE) $(FAKEROOT)$(FILTERSDIR)
-
-remove:
- cd $(FAKEROOT)$(FILTERSDIR) && rm -f $(TITLE)
-
-clean:
- rm -f $(TITLE) $(OBJS) core *~
-
-extraclean: clean
- rm -f *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c b/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c
deleted file mode 100644
index b375c07..0000000
--- a/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * $Id: upperLOWER.c,v 1.1 1996/06/02 08:17:02 morgan Exp $
- *
- * This is a sample filter program, for use with pam_filter (a module
- * provided with Linux-PAM). This filter simply transposes upper and
- * lower case letters, it is intended for demonstration purposes and
- * it serves no purpose other than to annoy the user...
- *
- * $Log: upperLOWER.c,v $
- * Revision 1.1 1996/06/02 08:17:02 morgan
- * Initial revision
- *
- */
-
-#include <stdio.h>
-#include <syslog.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include <security/pam_filter.h>
-
-/* ---------------------------------------------------------------- */
-
-#include <stdarg.h>
-#ifdef hpux
-# define log_this syslog
-#else
-static void log_this(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("upperLOWER", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-#endif
-
-#include <ctype.h>
-
-static void do_transpose(char *buffer,int len)
-{
- int i;
- for (i=0; i<len; ++i) {
- if (islower(buffer[i])) {
- buffer[i] = toupper(buffer[i]);
- } else {
- buffer[i] = tolower(buffer[i]);
- }
- }
-}
-
-int main(int argc, char **argv, char **envp)
-{
- char buffer[BUFSIZ];
- fd_set readers;
- void (*before_user)(char *,int);
- void (*before_app)(char *,int);
-
-#ifdef DEBUG
- {
- int i;
-
- fprintf(stderr,"environment :[\r\n");
- for (i=0; envp[i]; ++i) {
- fprintf(stderr,"-> %s\r\n",envp[i]);
- }
- fprintf(stderr,"]: end\r\n");
- }
-#endif
-
- if (argc != 1) {
-#ifdef DEBUG
- fprintf(stderr,"filter invoked as conventional executable\n");
-#else
- log_this(LOG_ERR, "filter invoked as conventional executable");
-#endif
- exit(1);
- }
-
- before_user = before_app = do_transpose; /* assign filter functions */
-
- /* enter a loop that deals with the input and output of the
- user.. passing it to and from the application */
-
- FD_ZERO(&readers); /* initialize reading mask */
-
- for (;;) {
-
- FD_SET(APPOUT_FILENO, &readers); /* wake for output */
- FD_SET(APPERR_FILENO, &readers); /* wake for error */
- FD_SET(STDIN_FILENO, &readers); /* wake for input */
-
- if ( select(APPTOP_FILE,&readers,NULL,NULL,NULL) < 0 ) {
-#ifdef DEBUG
- fprintf(stderr,"select failed\n");
-#else
- log_this(LOG_WARNING,"select failed");
-#endif
- break;
- }
-
- /* application errors */
-
- if ( FD_ISSET(APPERR_FILENO,&readers) ) {
- int got = read(APPERR_FILENO, buffer, BUFSIZ);
- if (got <= 0) {
- break;
- } else {
- /* translate to give to real terminal */
- if (before_user != NULL)
- before_user(buffer, got);
- if ( write(STDERR_FILENO, buffer, got) != got ) {
- log_this(LOG_WARNING,"couldn't write %d bytes?!",got);
- break;
- }
- }
- } else if ( FD_ISSET(APPOUT_FILENO,&readers) ) { /* app output */
- int got = read(APPOUT_FILENO, buffer, BUFSIZ);
- if (got <= 0) {
- break;
- } else {
- /* translate to give to real terminal */
- if (before_user != NULL)
- before_user(buffer, got);
- if ( write(STDOUT_FILENO, buffer, got) != got ) {
- log_this(LOG_WARNING,"couldn't write %d bytes!?",got);
- break;
- }
- }
- }
-
- if ( FD_ISSET(STDIN_FILENO, &readers) ) { /* user input */
- int got = read(STDIN_FILENO, buffer, BUFSIZ);
- if (got < 0) {
- log_this(LOG_WARNING,"user input junked");
- break;
- } else if (got) {
- /* translate to give to application */
- if (before_app != NULL)
- before_app(buffer, got);
- if ( write(APPIN_FILENO, buffer, got) != got ) {
- log_this(LOG_WARNING,"couldn't pass %d bytes!?",got);
- break;
- }
- } else {
- /* nothing received -- an error? */
- log_this(LOG_WARNING,"user input null?");
- break;
- }
- }
- }
-
- exit(0);
-}
-
-
-
diff --git a/contrib/libpam/modules/pam_ftp/Makefile b/contrib/libpam/modules/pam_ftp/Makefile
deleted file mode 100644
index b5355c6..0000000
--- a/contrib/libpam/modules/pam_ftp/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# $Id: Makefile,v 1.2 1997/04/05 06:40:33 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.2 1997/04/05 06:40:33 morgan
-# fakeroot
-#
-# Revision 1.1 1996/12/01 03:17:57 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/11/14
-#
-
-TITLE=pam_ftp
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_ftp/README b/contrib/libpam/modules/pam_ftp/README
deleted file mode 100644
index 597f912..0000000
--- a/contrib/libpam/modules/pam_ftp/README
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: README,v 1.1 1996/12/01 03:17:57 morgan Exp $
-#
-
-This module is an authentication module that does not authenticate.
-Instead it always returns PAM_IGNORE, indicating that it does not want
-to affect the authentication process.
-
-Its purpose is to log a message to the syslog indicating the
-pam_item's available at the time it was invoked. It is a diagnostic
-tool.
-
-Recognized arguments:
-
- none
-
-module services provided:
-
- auth _authetication and _setcred (blank)
-
-Andrew Morgan
diff --git a/contrib/libpam/modules/pam_ftp/pam_ftp.c b/contrib/libpam/modules/pam_ftp/pam_ftp.c
deleted file mode 100644
index ca2d415..0000000
--- a/contrib/libpam/modules/pam_ftp/pam_ftp.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/* pam_ftp module */
-
-/*
- * $Id: pam_ftp.c,v 1.2 1997/02/15 16:23:59 morgan Exp morgan $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- *
- * $Log: pam_ftp.c,v $
- * Revision 1.2 1997/02/15 16:23:59 morgan
- * fixed logging to avoid a fixed buffer size
- *
- * Revision 1.1 1996/12/01 03:17:57 morgan
- * Initial revision
- *
- *
- */
-
-#define PLEASE_ENTER_PASSWORD "Password required for %s."
-#define GUEST_LOGIN_PROMPT "Guest login ok, " \
-"send your complete e-mail address as password."
-
-/* the following is a password that "can't be correct" */
-#define BLOCK_PASSWORD "\177BAD PASSWPRD\177"
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <string.h>
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-ftp", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-static int converse(pam_handle_t *pamh, int nargs
- , struct pam_message **message
- , struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- D(("begin to converse\n"));
-
- retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
- if ( retval == PAM_SUCCESS ) {
-
- retval = conv->conv(nargs, ( const struct pam_message ** ) message
- , response, conv->appdata_ptr);
-
- D(("returned from application's conversation function\n"));
-
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_DEBUG, "conversation failure [%s]"
- , pam_strerror(pamh, retval));
- }
-
- } else {
- _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]"
- , pam_strerror(pamh, retval));
- }
-
- D(("ready to return from module conversation\n"));
-
- return retval; /* propagate error status */
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 01
-#define PAM_IGNORE_EMAIL 02
-#define PAM_NO_ANON 04
-
-static int _pam_parse(int argc, const char **argv, char **users)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"users=",6)) {
- *users = x_strdup(6+*argv);
- if (*users == NULL) {
- ctrl |= PAM_NO_ANON;
- _pam_log(LOG_CRIT, "failed to duplicate user list - anon off");
- }
- } else if (!strcmp(*argv,"ignore")) {
- ctrl |= PAM_IGNORE_EMAIL;
- } else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-/*
- * check if name is in list or default list. place users name in *_user
- * return 1 if listed 0 if not.
- */
-
-static int lookup(const char *name, char *list, const char **_user)
-{
- int anon = 0;
-
- *_user = name; /* this is the default */
- if (list) {
- const char *l;
- char *x;
-
- x = list;
- while ((l = strtok(x, ","))) {
- x = NULL;
- if (!strcmp(name, l)) {
- *_user = list;
- anon = 1;
- }
- }
- } else {
-#define MAX_L 2
- static const char *l[MAX_L] = { "ftp", "anonymous" };
- int i;
-
- for (i=0; i<MAX_L; ++i) {
- if (!strcmp(l[i], name)) {
- *_user = l[0];
- anon = 1;
- break;
- }
- }
- }
-
- return anon;
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval, anon=0, ctrl;
- const char *user;
- char *users=NULL;
-
- /*
- * this module checks if the user name is ftp or annonymous. If
- * this is the case, it can set the PAM_RUSER to the entered email
- * address and SUCCEEDS, otherwise it FAILS.
- */
-
- ctrl = _pam_parse(argc, argv, &users);
-
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS || user == NULL) {
- _pam_log(LOG_ERR, "no user specified");
- return PAM_USER_UNKNOWN;
- }
-
- if (!(ctrl & PAM_NO_ANON)) {
- anon = lookup(user, users, &user);
- }
-
- if (anon) {
- retval = pam_set_item(pamh, PAM_USER, (const void *)user);
- if (retval != PAM_SUCCESS || user == NULL) {
- _pam_log(LOG_ERR, "user resetting failed");
- return PAM_USER_UNKNOWN;
- }
- }
-
- /*
- * OK. we require an email address for user or the user's password.
- * - build conversation and get their input.
- */
-
- {
- struct pam_message msg[1], *mesg[1];
- struct pam_response *resp=NULL;
- const char *token;
- char *prompt=NULL;
- int i=0;
-
- mesg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- if (anon) {
- prompt = malloc(sizeof(PLEASE_ENTER_PASSWORD + strlen(user)));
- sprintf(prompt, PLEASE_ENTER_PASSWORD, user);
- msg[i].msg = prompt;
- } else {
- msg[i].msg = GUEST_LOGIN_PROMPT;
- }
-
- retval = converse(pamh, ++i, mesg, &resp);
- _pam_overwrite(prompt);
- _pam_drop(prompt);
-
- if (retval != PAM_SUCCESS) {
- if (resp != NULL)
- _pam_drop_reply(resp,i);
- return PAM_AUTHINFO_UNAVAIL;
- }
-
- if (anon) {
- /* XXX: Some effort should be made to verify this email address! */
-
- if (!(ctrl & PAM_IGNORE_EMAIL)) {
- token = strtok(resp->resp, "@");
- retval = pam_set_item(pamh, PAM_RUSER, token);
-
- if (token && retval != PAM_SUCCESS) {
- token = strtok(NULL, "@");
- retval = pam_set_item(pamh, PAM_RHOST, token);
- }
- }
- } else {
- /*
- * we have a password so set AUTHTOK
- */
-
- (void) pam_set_item(pamh, PAM_AUTHTOK, resp->resp);
-
- /*
- * this module failed, but the next one might succeed with
- * this password.
- */
-
- retval = PAM_AUTH_ERR;
- }
-
- if (resp) { /* clean up */
- _pam_drop_reply(resp, i);
- }
-
- /* success or failure */
-
- return retval;
- }
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_IGNORE;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_ftp_modstruct = {
- "pam_ftp",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_group/Makefile b/contrib/libpam/modules/pam_group/Makefile
deleted file mode 100644
index 5db53cc..0000000
--- a/contrib/libpam/modules/pam_group/Makefile
+++ /dev/null
@@ -1,114 +0,0 @@
-#
-# $Id: Makefile,v 1.6 1997/04/05 06:39:56 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.6 1997/04/05 06:39:56 morgan
-# fakeroot
-#
-# Revision 1.5 1997/01/04 20:28:47 morgan
-# compile with and without libpwdb
-#
-# Revision 1.4 1996/11/10 20:13:18 morgan
-# cross platform support
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/6/11
-#
-
-TITLE=pam_group
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/group.conf
-export CONFILE
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-DEFS=-DCONFILE=\"$(CONFILE)\"
-ifndef STATIC
-ifeq ($(HAVE_PWDBLIB),yes)
- DEFS+=-DWANT_PWDB
- ELIBS=-lpwdb
-endif
-endif
-
-CFLAGS += $(DEFS)
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(ELIBS)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS) $(ELIBS)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(CONFILE)
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
- rm -f ./.ignore_age
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_group/group.conf b/contrib/libpam/modules/pam_group/group.conf
deleted file mode 100644
index bdd76adb..0000000
--- a/contrib/libpam/modules/pam_group/group.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-##
-## Note, to get this to work as it is currently typed you need
-##
-## 1. to run an application as root
-## 2. add the following groups to the /etc/group file:
-## floppy, games, sound
-##
-#
-# *** Please note that giving group membership on a session basis is
-# *** NOT inherently secure. If a user can create an executable that
-# *** is setgid a group that they are infrequently given membership
-# *** of, they can basically obtain group membership any time they
-# *** like. Example: games are alowed between the hours of 6pm and 6am
-# *** user joe logs in at 7pm writes a small C-program toplay.c that
-# *** invokes their favorite shell, compiles it and does
-# *** "chgrp games toplay; chmod g+s toplay". They are basically able
-# *** to play games any time... You have been warned. AGM
-#
-# this is an example configuration file for the pam_group module. Its
-# syntax is based on that of the pam_time module and (at some point in
-# the distant past was inspired by the 'shadow' package)
-#
-# the syntax of the lines is as follows:
-#
-# services;ttys;users;times;groups
-#
-# white space is ignored and lines maybe extended with '\\n' (escaped
-# newlines). From reading these comments, it is clear that
-# text following a '#' is ignored to the end of the line.
-#
-# the first four fields are described in the pam_time directory.
-# The only difference for these is how the time field is interpretted:
-# it is used to indicate "when" these groups are to be given to the user.
-#
-# groups
-# The (comma or space separated) list of groups that the user
-# inherits membership of. These groups are added if the previous
-# fields are satisfied by the user's request
-#
-
-#
-# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
-# the user 'us' is given access to the floppy (through membership of
-# the floppy group)
-#
-
-#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
-
-#
-# another example: running 'xsh' on tty* (any ttyXXX device),
-# the user 'sword' is given access to games (through membership of
-# the floppy group) after work hours
-#
-
-#xsh; tty* ;sword;!Wk0900-1800;games, sound
-#xsh; tty* ;*;Al0900-1800;floppy
-
-#
-# End of group.conf file
-#
diff --git a/contrib/libpam/modules/pam_group/install_conf b/contrib/libpam/modules/pam_group/install_conf
deleted file mode 100755
index 03bb7ed..0000000
--- a/contrib/libpam/modules/pam_group/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./group.conf
-MODULE=pam_group
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_group/pam_group.c b/contrib/libpam/modules/pam_group/pam_group.c
deleted file mode 100644
index 9e2cf88..0000000
--- a/contrib/libpam/modules/pam_group/pam_group.c
+++ /dev/null
@@ -1,862 +0,0 @@
-/* pam_group module */
-
-/*
- * $Id: pam_group.c,v 1.7 1997/02/15 17:31:48 morgan Exp morgan $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/7/6
- *
- * $Log: pam_group.c,v $
- * Revision 1.7 1997/02/15 17:31:48 morgan
- * time parsing more robust
- *
- * Revision 1.6 1997/01/04 21:57:49 morgan
- * fixed warning about setgroups not being defined
- *
- * Revision 1.5 1997/01/04 20:26:49 morgan
- * can be compiled with and without libpwdb. fixed buffer underwriting
- * pays attention to PAM_CRED flags(!)
- *
- * Revision 1.4 1996/12/01 02:54:37 morgan
- * mostly debugging now uses D(())
- *
- * Revision 1.3 1996/11/10 21:01:22 morgan
- * compatability and pam_get_user changes
- */
-
-const static char rcsid[] =
-"$Id: pam_group.c,v 1.7 1997/02/15 17:31:48 morgan Exp morgan $;\n"
-"Version 0.5 for Linux-PAM\n"
-"Copyright (c) Andrew G. Morgan 1996 <morgan@parc.power.net>\n";
-
-#include <sys/file.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <time.h>
-#include <syslog.h>
-#include <string.h>
-
-#define __USE_BSD
-#include <grp.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-#ifdef WANT_PWDB
-#include <pwdb/pwdb_public.h>
-#endif
-
-#define PAM_GROUP_CONF CONFILE /* from external define */
-#define PAM_GROUP_BUFLEN 1000
-#define FIELD_SEPARATOR ';' /* this is new as of .02 */
-
-typedef enum { FALSE, TRUE } boolean;
-typedef enum { AND, OR } operator;
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* --- static functions for checking whether the user should be let in --- */
-
-static void _log_err(const char *format, ... )
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_group", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(LOG_CRIT, format, args);
- va_end(args);
- closelog();
-}
-
-static void shift_bytes(char *mem, int from, int by)
-{
- while (by-- > 0) {
- *mem = mem[from];
- ++mem;
- }
-}
-
-static int read_field(int fd, char **buf, int *from, int *to)
-{
- /* is buf set ? */
-
- if (! *buf) {
- *buf = (char *) malloc(PAM_GROUP_BUFLEN);
- if (! *buf) {
- _log_err("out of memory");
- return -1;
- }
- *from = *to = 0;
- fd = open(PAM_GROUP_CONF, O_RDONLY);
- }
-
- /* do we have a file open ? return error */
-
- if (fd < 0 && *to <= 0) {
- _log_err( PAM_GROUP_CONF " not opened");
- memset(*buf, 0, PAM_GROUP_BUFLEN);
- _pam_drop(*buf);
- return -1;
- }
-
- /* check if there was a newline last time */
-
- if ((*to > *from) && (*to > 0)
- && ((*buf)[*from] == '\0')) { /* previous line ended */
- (*from)++;
- (*buf)[0] = '\0';
- return fd;
- }
-
- /* ready for more data: first shift the buffer's remaining data */
-
- *to -= *from;
- shift_bytes(*buf, *from, *to);
- *from = 0;
- (*buf)[*to] = '\0';
-
- while (fd >= 0 && *to < PAM_GROUP_BUFLEN) {
- int i;
-
- /* now try to fill the remainder of the buffer */
-
- i = read(fd, *to + *buf, PAM_GROUP_BUFLEN - *to);
- if (i < 0) {
- _log_err("error reading " PAM_GROUP_CONF);
- return -1;
- } else if (!i) {
- fd = -1; /* end of file reached */
- } else
- *to += i;
-
- /*
- * contract the buffer. Delete any comments, and replace all
- * multiple spaces with single commas
- */
-
- i = 0;
-#ifdef DEBUG_DUMP
- D(("buffer=<%s>",*buf));
-#endif
- while (i < *to) {
- if ((*buf)[i] == ',') {
- int j;
-
- for (j=++i; j<*to && (*buf)[j] == ','; ++j);
- if (j!=i) {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- }
- }
- switch ((*buf)[i]) {
- int j,c;
- case '#':
- for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j);
- if (j >= *to) {
- (*buf)[*to = ++i] = '\0';
- } else if (c == '\n') {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- ++i;
- } else {
- _log_err("internal error in " __FILE__
- " at line %d", __LINE__ );
- return -1;
- }
- break;
- case '\\':
- if ((*buf)[i+1] == '\n') {
- shift_bytes(i + *buf, 2, *to - (i+2));
- *to -= 2;
- }
- break;
- case '!':
- case ' ':
- case '\t':
- if ((*buf)[i] != '!')
- (*buf)[i] = ',';
- /* delete any trailing spaces */
- for (j=++i; j < *to && ( (c = (*buf)[j]) == ' '
- || c == '\t' ); ++j);
- shift_bytes(i + *buf, j-i, (*to)-j );
- *to -= j-i;
- break;
- default:
- ++i;
- }
- }
- }
-
- (*buf)[*to] = '\0';
-
- /* now return the next field (set the from/to markers) */
- {
- int i;
-
- for (i=0; i<*to; ++i) {
- switch ((*buf)[i]) {
- case '#':
- case '\n': /* end of the line/file */
- (*buf)[i] = '\0';
- *from = i;
- return fd;
- case FIELD_SEPARATOR: /* end of the field */
- (*buf)[i] = '\0';
- *from = ++i;
- return fd;
- }
- }
- *from = i;
- (*buf)[*from] = '\0';
- }
-
- if (*to <= 0) {
- D(("[end of text]"));
- *buf = NULL;
- }
- return fd;
-}
-
-/* read a member from a field */
-
-static int logic_member(const char *string, int *at)
-{
- int len,c,to;
- int done=0;
- int token=0;
-
- len=0;
- to=*at;
- do {
- c = string[to++];
-
- switch (c) {
-
- case '\0':
- --to;
- done = 1;
- break;
-
- case '&':
- case '|':
- case '!':
- if (token) {
- --to;
- }
- done = 1;
- break;
-
- default:
- if (isalpha(c) || c == '*' || isdigit(c) || c == '_'
- || c == '-' || c == '.') {
- token = 1;
- } else if (token) {
- --to;
- done = 1;
- } else {
- ++*at;
- }
- }
- } while (!done);
-
- return to - *at;
-}
-
-typedef enum { VAL, OP } expect;
-
-static boolean logic_field(const void *me, const char *x, int rule,
- boolean (*agrees)(const void *, const char *
- , int, int))
-{
- boolean left=FALSE, right, not=FALSE;
- operator oper=OR;
- int at=0, l;
- expect next=VAL;
-
- while ((l = logic_member(x,&at))) {
- int c = x[at];
-
- if (next == VAL) {
- if (c == '!')
- not = !not;
- else if (isalpha(c) || c == '*') {
- right = not ^ agrees(me, x+at, l, rule);
- if (oper == AND)
- left &= right;
- else
- left |= right;
- next = OP;
- } else {
- _log_err("garbled syntax; expected name (rule #%d)", rule);
- return FALSE;
- }
- } else { /* OP */
- switch (c) {
- case '&':
- oper = AND;
- break;
- case '|':
- oper = OR;
- break;
- default:
- _log_err("garbled syntax; expected & or | (rule #%d)"
- , rule);
- D(("%c at %d",c,at));
- return FALSE;
- }
- next = VAL;
- }
- at += l;
- }
-
- return left;
-}
-
-static boolean is_same(const void *A, const char *b, int len, int rule)
-{
- int i;
- const char *a;
-
- a = A;
- for (i=0; len > 0; ++i, --len) {
- if (b[i] != a[i]) {
- if (b[i++] == '*') {
- return (!--len || !strncmp(b+i,a+strlen(a)-len,len));
- } else
- return FALSE;
- }
- }
- return ( !len );
-}
-
-typedef struct {
- int day; /* array of 7 bits, one set for today */
- int minute; /* integer, hour*100+minute for now */
-} TIME;
-
-struct day {
- const char *d;
- int bit;
-} static const days[11] = {
- { "su", 01 },
- { "mo", 02 },
- { "tu", 04 },
- { "we", 010 },
- { "th", 020 },
- { "fr", 040 },
- { "sa", 0100 },
- { "wk", 076 },
- { "wd", 0101 },
- { "al", 0177 },
- { NULL, 0 }
-};
-
-static TIME time_now(void)
-{
- struct tm *local;
- time_t the_time;
- TIME this;
-
- the_time = time((time_t *)0); /* get the current time */
- local = localtime(&the_time);
- this.day = days[local->tm_wday].bit;
- this.minute = local->tm_hour*100 + local->tm_min;
-
- D(("day: 0%o, time: %.4d", this.day, this.minute));
- return this;
-}
-
-/* take the current date and see if the range "date" passes it */
-static boolean check_time(const void *AT, const char *times, int len, int rule)
-{
- boolean not,pass;
- int marked_day, time_start, time_end;
- const TIME *at;
- int i,j=0;
-
- at = AT;
- D(("checking: 0%o/%.4d vs. %s", at->day, at->minute, times));
-
- if (times == NULL) {
- /* this should not happen */
- _log_err("internal error: " __FILE__ " line %d", __LINE__);
- return FALSE;
- }
-
- if (times[j] == '!') {
- ++j;
- not = TRUE;
- } else {
- not = FALSE;
- }
-
- for (marked_day = 0; len > 0 && isalpha(times[j]); --len) {
- int this_day=-1;
-
- D(("%c%c ?", times[j], times[j+1]));
- for (i=0; days[i].d != NULL; ++i) {
- if (tolower(times[j]) == days[i].d[0]
- && tolower(times[j+1]) == days[i].d[1] ) {
- this_day = days[i].bit;
- break;
- }
- }
- j += 2;
- if (this_day == -1) {
- _log_err("bad day specified (rule #%d)", rule);
- return FALSE;
- }
- marked_day ^= this_day;
- }
- if (marked_day == 0) {
- _log_err("no day specified");
- return FALSE;
- }
- D(("day range = 0%o", marked_day));
-
- time_start = 0;
- for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) {
- time_start *= 10;
- time_start += times[i+j]-'0'; /* is this portable? */
- }
- j += i;
-
- if (times[j] == '-') {
- time_end = 0;
- for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) {
- time_end *= 10;
- time_end += times[i+j]-'0'; /* is this portable? */
- }
- j += i;
- } else
- time_end = -1;
-
- D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j]));
- if (i != 5 || time_end == -1) {
- _log_err("no/bad times specified (rule #%d)", rule);
- return TRUE;
- }
- D(("times(%d to %d)", time_start,time_end));
- D(("marked_day = 0%o", marked_day));
-
- /* compare with the actual time now */
-
- pass = FALSE;
- if (time_start < time_end) { /* start < end ? --> same day */
- if ((at->day & marked_day) && (at->minute >= time_start)
- && (at->minute < time_end)) {
- D(("time is listed"));
- pass = TRUE;
- }
- } else { /* spans two days */
- if ((at->day & marked_day) && (at->minute >= time_start)) {
- D(("caught on first day"));
- pass = TRUE;
- } else {
- marked_day <<= 1;
- marked_day |= (marked_day & 0200) ? 1:0;
- D(("next day = 0%o", marked_day));
- if ((at->day & marked_day) && (at->minute <= time_end)) {
- D(("caught on second day"));
- pass = TRUE;
- }
- }
- }
-
- return (not ^ pass);
-}
-
-static int find_member(const char *string, int *at)
-{
- int len,c,to;
- int done=0;
- int token=0;
-
- len=0;
- to=*at;
- do {
- c = string[to++];
-
- switch (c) {
-
- case '\0':
- --to;
- done = 1;
- break;
-
- case '&':
- case '|':
- case '!':
- if (token) {
- --to;
- }
- done = 1;
- break;
-
- default:
- if (isalpha(c) || isdigit(c) || c == '_' || c == '*'
- || c == '-') {
- token = 1;
- } else if (token) {
- --to;
- done = 1;
- } else {
- ++*at;
- }
- }
- } while (!done);
-
- return to - *at;
-}
-
-#define GROUP_BLK 10
-#define blk_size(len) (((len-1 + GROUP_BLK)/GROUP_BLK)*GROUP_BLK)
-
-static int mkgrplist(char *buf, gid_t **list, int len)
-{
- int l,at=0;
- int blks;
-
- blks = blk_size(len);
- D(("cf. blks=%d and len=%d", blks,len));
-
- while ((l = find_member(buf,&at))) {
- int edge;
-
- if (len >= blks) {
- gid_t *tmp;
-
- D(("allocating new block"));
- tmp = (gid_t *) realloc((*list)
- , sizeof(gid_t) * (blks += GROUP_BLK));
- if (tmp != NULL) {
- (*list) = tmp;
- } else {
- _log_err("out of memory for group list");
- free(*list);
- (*list) = NULL;
- return -1;
- }
- }
-
- /* '\0' terminate the entry */
-
- edge = (buf[at+l]) ? 1:0;
- buf[at+l] = '\0';
- D(("found group: %s",buf+at));
-
- /* this is where we convert a group name to a gid_t */
-#ifdef WANT_PWDB
- {
- int retval;
- const struct pwdb *pw=NULL;
-
- retval = pwdb_locate("group", PWDB_DEFAULT, buf+at
- , PWDB_ID_UNKNOWN, &pw);
- if (retval != PWDB_SUCCESS) {
- _log_err("bad group: %s; %s", buf+at, pwdb_strerror(retval));
- } else {
- const struct pwdb_entry *pwe=NULL;
-
- D(("group %s exists", buf+at));
- retval = pwdb_get_entry(pw, "gid", &pwe);
- if (retval == PWDB_SUCCESS) {
- D(("gid = %d [%p]",* (const gid_t *) pwe->value,list));
- (*list)[len++] = * (const gid_t *) pwe->value;
- pwdb_entry_delete(&pwe); /* tidy up */
- } else {
- _log_err("%s group entry is bad; %s"
- , pwdb_strerror(retval));
- }
- pw = NULL; /* break link - cached for later use */
- }
- }
-#else
- {
- const struct group *grp;
-
- grp = getgrnam(buf+at);
- if (grp == NULL) {
- _log_err("bad group: %s", buf+at);
- } else {
- D(("group %s exists", buf+at));
- (*list)[len++] = grp->gr_gid;
- }
- }
-#endif
-
- /* next entry along */
-
- at += l + edge;
- }
- D(("returning with [%p/len=%d]->%p",list,len,*list));
- return len;
-}
-
-
-static int check_account(const char *service, const char *tty
- , const char *user)
-{
- int from=0,to=0,fd=-1;
- char *buffer=NULL;
- int count=0;
- TIME here_and_now;
- int retval=PAM_SUCCESS;
- gid_t *grps;
- int no_grps;
-
- /*
- * first we get the current list of groups - the application
- * will have previously done an initgroups(), or equivalent.
- */
-
- D(("counting supplementary groups"));
- no_grps = getgroups(0, NULL); /* find the current number of groups */
- if (no_grps > 0) {
- grps = calloc( blk_size(no_grps) , sizeof(gid_t) );
- D(("copying current list into grps [%d big]",blk_size(no_grps)));
- (void) getgroups(no_grps, grps);
-#ifdef DEBUG
- {
- int z;
- for (z=0; z<no_grps; ++z) {
- D(("gid[%d]=%d", z, grps[z]));
- }
- }
-#endif
- } else {
- D(("no supplementary groups known"));
- no_grps = 0;
- grps = NULL;
- }
-
- here_and_now = time_now(); /* find current time */
-
- /* parse the rules in the configuration file */
- do {
- int good=TRUE;
-
- /* here we get the service name field */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- /* empty line .. ? */
- continue;
- }
- ++count;
- D(("working on rule #%d",count));
-
- good = logic_field(service, buffer, count, is_same);
- D(("with service: %s", good ? "passes":"fails" ));
-
- /* here we get the terminal name field */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- _log_err(PAM_GROUP_CONF "; no tty entry #%d", count);
- continue;
- }
- good &= logic_field(tty, buffer, count, is_same);
- D(("with tty: %s", good ? "passes":"fails" ));
-
- /* here we get the username field */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- _log_err(PAM_GROUP_CONF "; no user entry #%d", count);
- continue;
- }
- good &= logic_field(user, buffer, count, is_same);
- D(("with user: %s", good ? "passes":"fails" ));
-
- /* here we get the time field */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- _log_err(PAM_GROUP_CONF "; no time entry #%d", count);
- continue;
- }
-
- good &= logic_field(&here_and_now, buffer, count, check_time);
- D(("with time: %s", good ? "passes":"fails" ));
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- _log_err(PAM_GROUP_CONF "; no listed groups for rule #%d"
- , count);
- continue;
- }
-
- /*
- * so we have a list of groups, we need to turn it into
- * something to send to setgroups(2)
- */
-
- if (good) {
- D(("adding %s to gid list", buffer));
- good = mkgrplist(buffer, &grps, no_grps);
- if (good < 0) {
- no_grps = 0;
- } else {
- no_grps = good;
- }
- }
-
- /* check the line is terminated correctly */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (buffer && buffer[0]) {
- _log_err(PAM_GROUP_CONF "; poorly terminated rule #%d", count);
- }
-
- if (good > 0) {
- D(("rule #%d passed, added %d groups", count, good));
- } else if (good < 0) {
- retval = PAM_BUF_ERR;
- } else {
- D(("rule #%d failed", count));
- }
-
- } while (buffer);
-
- /* now set the groups for the user */
-
- if (no_grps > 0) {
- int err;
- D(("trying to set %d groups", no_grps));
-#ifdef DEBUG
- for (err=0; err<no_grps; ++err) {
- D(("gid[%d]=%d", err, grps[err]));
- }
-#endif
- if ((err = setgroups(no_grps, grps))) {
- D(("but couldn't set groups %d", err));
- _log_err("unable to set the group membership for user (err=%d)"
- , err);
- retval = PAM_CRED_ERR;
- }
- }
-
- if (grps) { /* tidy up */
- memset(grps, 0, sizeof(gid_t) * blk_size(no_grps));
- _pam_drop(grps);
- no_grps = 0;
- }
-
- return retval;
-}
-
-/* --- public authentication management functions --- */
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- return PAM_IGNORE;
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- const char *service=NULL, *tty=NULL;
- const char *user=NULL;
- int retval;
- unsigned setting;
-
- /* only interested in establishing credentials */
-
- setting = flags;
- if (!(setting & PAM_ESTABLISH_CRED)) {
- D(("ignoring call - not for establishing credentials"));
- return PAM_SUCCESS; /* don't fail because of this */
- }
-
- /* set service name */
-
- if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
- != PAM_SUCCESS || service == NULL) {
- _log_err("cannot find the current service name");
- return PAM_ABORT;
- }
-
- /* set username */
-
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
- _log_err("cannot determine the user's name");
- return PAM_USER_UNKNOWN;
- }
-
- /* set tty name */
-
- if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS
- || tty == NULL) {
- D(("PAM_TTY not set, probing stdin"));
- tty = ttyname(STDIN_FILENO);
- if (tty == NULL) {
- _log_err("couldn't get the tty name");
- return PAM_ABORT;
- }
- if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) {
- _log_err("couldn't set tty name");
- return PAM_ABORT;
- }
- }
-
- if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */
- tty += 5;
- }
-
- /* good, now we have the service name, the user and the terminal name */
-
- D(("service=%s", service));
- D(("user=%s", user));
- D(("tty=%s", tty));
-
-#ifdef WANT_PWDB
-
- /* We initialize the pwdb library and check the account */
- retval = pwdb_start(); /* initialize */
- if (retval == PWDB_SUCCESS) {
- retval = check_account(service,tty,user); /* get groups */
- (void) pwdb_end(); /* tidy up */
- } else {
- D(("failed to initialize pwdb; %s", pwdb_strerror(retval)));
- _log_err("unable to initialize libpwdb");
- retval = PAM_ABORT;
- }
-
-#else /* WANT_PWDB */
- retval = check_account(service,tty,user); /* get groups */
-#endif /* WANT_PWDB */
-
- return retval;
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_group_modstruct = {
- "pam_group",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL
-};
-#endif
diff --git a/contrib/libpam/modules/pam_lastlog/Makefile b/contrib/libpam/modules/pam_lastlog/Makefile
deleted file mode 100644
index e51a72d..0000000
--- a/contrib/libpam/modules/pam_lastlog/Makefile
+++ /dev/null
@@ -1,106 +0,0 @@
-#
-# $Id: Makefile,v 1.2 1997/04/05 06:17:14 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.2 1997/04/05 06:17:14 morgan
-# fakeroot fixed
-#
-# Revision 1.1 1997/01/04 20:29:28 morgan
-# Initial revision
-#
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/12/8
-#
-
-# Convenient defaults for compiling independently of the full source
-# tree.
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-export DYNAMIC=-DPAM_DYNAMIC
-export CC=gcc
-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
-export MKDIR=mkdir -p
-export LD_D=gcc -shared -Xlinker -x
-endif
-
-TITLE=pam_lastlog
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-
-####################### don't edit below #######################
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_lastlog/pam_lastlog.c b/contrib/libpam/modules/pam_lastlog/pam_lastlog.c
deleted file mode 100644
index 96714f6..0000000
--- a/contrib/libpam/modules/pam_lastlog/pam_lastlog.c
+++ /dev/null
@@ -1,469 +0,0 @@
-/* pam_lastlog module */
-
-/*
- * $Id: pam_lastlog.c,v 1.3 1997/04/05 06:18:21 morgan Exp morgan $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- *
- * This module does the necessary work to display the last login
- * time+date for this user, it then updates this entry for the
- * present (login) service.
- *
- * $Log: pam_lastlog.c,v $
- * Revision 1.3 1997/04/05 06:18:21 morgan
- * removed xstrdup - unused
- *
- * Revision 1.2 1997/02/15 17:18:21 morgan
- * removed fixed buffer in logging
- *
- * Revision 1.1 1997/01/04 20:29:28 morgan
- * Initial revision
- *
- */
-
-#include <fcntl.h>
-#include <time.h>
-#ifdef HAVE_UTMP_H
-# include <utmp.h>
-#else
-# include <lastlog.h>
-#endif
-#include <pwd.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#ifdef WANT_PWDB
-#include <pwdb/pwdb_public.h> /* use POSIX front end */
-#endif
-
-#if defined(hpux) || defined(sunos) || defined(solaris)
-# ifndef _PATH_LASTLOG
-# define _PATH_LASTLOG "/usr/adm/lastlog"
-# endif /* _PATH_LASTLOG */
-# ifndef UT_HOSTSIZE
-# define UT_HOSTSIZE 16
-# endif /* UT_HOSTSIZE */
-# ifndef UT_LINESIZE
-# define UT_LINESIZE 12
-# endif /* UT_LINESIZE */
-#endif
-#if defined(hpux)
-struct lastlog {
- time_t ll_time;
- char ll_line[UT_LINESIZE];
- char ll_host[UT_HOSTSIZE]; /* same as in utmp */
-};
-#endif /* hpux */
-
-/* XXX - time before ignoring lock. Is 1 sec enough? */
-#define LASTLOG_IGNORE_LOCK_TIME 1
-
-#define DEFAULT_HOST "" /* "[no.where]" */
-#define DEFAULT_TERM "" /* "tt???" */
-#define LASTLOG_NEVER_WELCOME "Welcome to your new account!"
-#define LASTLOG_INTRO "Last login:"
-#define LASTLOG_TIME " %s"
-#define _LASTLOG_HOST_FORMAT " from %%.%ds"
-#define _LASTLOG_LINE_FORMAT " on %%.%ds"
-#define LASTLOG_TAIL ""
-#define LASTLOG_MAXSIZE (sizeof(LASTLOG_INTRO)+0 \
- +sizeof(LASTLOG_TIME)+strlen(the_time) \
- +sizeof(_LASTLOG_HOST_FORMAT)+UT_HOSTSIZE \
- +sizeof(_LASTLOG_LINE_FORMAT)+UT_LINESIZE \
- +sizeof(LASTLOG_TAIL))
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_SESSION
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* some syslogging */
-
-static void _log_err(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-lastlog", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-
-#define LASTLOG_DATE 01 /* display the date of the last login */
-#define LASTLOG_HOST 02 /* display the last host used (if set) */
-#define LASTLOG_LINE 04 /* display the last terminal used */
-#define LASTLOG_NEVER 010 /* display a welcome message for first login */
-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
-#define LASTLOG_QUIET 040 /* keep quiet about things */
-
-static int _pam_parse(int flags, int argc, const char **argv)
-{
- int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE);
-
- /* does the appliction require quiet? */
- if (flags & PAM_SILENT) {
- ctrl |= LASTLOG_QUIET;
- }
-
- /* step through arguments */
- for (; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug")) {
- ctrl |= LASTLOG_DEBUG;
- } else if (!strcmp(*argv,"nodate")) {
- ctrl |= ~LASTLOG_DATE;
- } else if (!strcmp(*argv,"noterm")) {
- ctrl |= ~LASTLOG_LINE;
- } else if (!strcmp(*argv,"nohost")) {
- ctrl |= ~LASTLOG_HOST;
- } else if (!strcmp(*argv,"silent")) {
- ctrl |= LASTLOG_QUIET;
- } else if (!strcmp(*argv,"never")) {
- ctrl |= LASTLOG_NEVER;
- } else {
- _log_err(LOG_ERR,"unknown option; %s",*argv);
- }
- }
-
- D(("ctrl = %o", ctrl));
- return ctrl;
-}
-
-/* a front end for conversations */
-
-static int converse(pam_handle_t *pamh, int ctrl, int nargs
- , struct pam_message **message
- , struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- D(("begin to converse"));
-
- retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
- if ( retval == PAM_SUCCESS ) {
-
- retval = conv->conv(nargs, ( const struct pam_message ** ) message
- , response, conv->appdata_ptr);
-
- D(("returned from application's conversation function"));
-
- if (retval != PAM_SUCCESS && (ctrl & LASTLOG_DEBUG) ) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
- , pam_strerror(pamh, retval));
- }
-
- } else {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
- , pam_strerror(pamh, retval));
- }
-
- D(("ready to return from module conversation"));
-
- return retval; /* propagate error status */
-}
-
-static int make_remark(pam_handle_t *pamh, int ctrl, const char *remark)
-{
- int retval;
-
- if (!(ctrl & LASTLOG_QUIET)) {
- struct pam_message msg[1], *mesg[1];
- struct pam_response *resp=NULL;
-
- mesg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
- msg[0].msg = remark;
-
- retval = converse(pamh, ctrl, 1, mesg, &resp);
-
- msg[0].msg = NULL;
- if (resp) {
- _pam_drop_reply(resp, 1);
- }
- } else {
- D(("keeping quiet"));
- retval = PAM_SUCCESS;
- }
-
- D(("returning %s", pam_strerror(pamh, retval)));
- return retval;
-}
-
-/*
- * Values for the announce flags..
- */
-
-static int last_login_date(pam_handle_t *pamh, int announce, uid_t uid)
-{
- struct flock last_lock;
- struct lastlog last_login;
- int retval = PAM_SESSION_ERR;
- int last_fd;
-
- /* obtain the last login date and all the relevant info */
- last_fd = open(_PATH_LASTLOG, O_RDWR);
- if (last_fd < 0) {
- D(("unable to open the %s file", _PATH_LASTLOG));
- if (announce & LASTLOG_DEBUG) {
- _log_err(LOG_DEBUG, "unable to open %s file", _PATH_LASTLOG);
- }
- retval = PAM_PERM_DENIED;
- } else {
- int win;
-
- /* read the lastlogin file - for this uid */
- (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET);
-
- memset(&last_lock, 0, sizeof(last_lock));
- last_lock.l_type = F_RDLCK;
- last_lock.l_whence = SEEK_SET;
- last_lock.l_start = sizeof(last_login) * (off_t) uid;
- last_lock.l_len = sizeof(last_login);
-
- if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) {
- D(("locking %s failed..(waiting a little)", _PATH_LASTLOG));
- _log_err(LOG_ALERT, "%s file is locked/read", _PATH_LASTLOG);
- sleep(LASTLOG_IGNORE_LOCK_TIME);
- }
-
- win = ( read(last_fd, &last_login, sizeof(last_login))
- == sizeof(last_login) );
-
- last_lock.l_type = F_UNLCK;
- (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
-
- if (!win) {
- D(("First login for user uid=%d", _PATH_LASTLOG, uid));
- if (announce & LASTLOG_DEBUG) {
- _log_err(LOG_DEBUG, "creating lastlog for uid %d", uid);
- }
- memset(&last_login, 0, sizeof(last_login));
- }
-
- /* rewind */
- (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET);
-
- if (!(announce & LASTLOG_QUIET)) {
- if (last_login.ll_time) {
- char *the_time;
- char *remark;
-
- the_time = ctime(&last_login.ll_time);
- the_time[-1+strlen(the_time)] = '\0'; /* delete '\n' */
-
- remark = malloc(LASTLOG_MAXSIZE);
- if (remark == NULL) {
- D(("no memory for last login remark"));
- retval = PAM_BUF_ERR;
- } else {
- int at;
-
- /* printing prefix */
- at = sprintf(remark, "%s", LASTLOG_INTRO);
-
- /* we want the date? */
- if (announce & LASTLOG_DATE) {
- at += sprintf(remark+at, LASTLOG_TIME, the_time);
- }
-
- /* we want & have the host? */
- if ((announce & LASTLOG_HOST)
- && (last_login.ll_host[0] != '\0')) {
- char format[2*sizeof(_LASTLOG_HOST_FORMAT)];
-
- (void) sprintf(format, _LASTLOG_HOST_FORMAT
- , UT_HOSTSIZE);
- D(("format: %s", format));
- at += sprintf(remark+at, format, last_login.ll_host);
- _pam_overwrite(format);
- }
-
- /* we want and have the terminal? */
- if ((announce & LASTLOG_LINE)
- && (last_login.ll_line[0] != '\0')) {
- char format[2*sizeof(_LASTLOG_LINE_FORMAT)];
-
- (void) sprintf(format, _LASTLOG_LINE_FORMAT
- , UT_LINESIZE);
- D(("format: %s", format));
- at += sprintf(remark+at, format, last_login.ll_line);
- _pam_overwrite(format);
- }
-
- /* display requested combo */
- sprintf(remark+at, "%s", LASTLOG_TAIL);
-
- retval = make_remark(pamh, announce, remark);
-
- /* free all the stuff malloced */
- _pam_overwrite(remark);
- _pam_drop(remark);
- }
- } else if ((!last_login.ll_time) && (announce & LASTLOG_NEVER)) {
- D(("this is the first time this user has logged in"));
- retval = make_remark(pamh, announce, LASTLOG_NEVER_WELCOME);
- }
- } else {
- D(("no text was requested"));
- retval = PAM_SUCCESS;
- }
-
- /* write latest value */
- {
- const char *remote_host=NULL
- , *terminal_line=DEFAULT_TERM;
-
- /* set this login date */
- D(("set the most recent login time"));
-
- (void) time(&last_login.ll_time); /* set the time */
-
- /* set the remote host */
- (void) pam_get_item(pamh, PAM_RHOST, (const void **)&remote_host);
- if (remote_host == NULL) {
- remote_host = DEFAULT_HOST;
- }
-
- /* copy to last_login */
- strncpy(last_login.ll_host, remote_host
- , sizeof(last_login.ll_host));
- remote_host = NULL;
-
- /* set the terminal line */
- (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal_line);
- D(("terminal = %s", terminal_line));
- if (terminal_line == NULL) {
- terminal_line = DEFAULT_TERM;
- } else if ( !strncmp("/dev/", terminal_line, 5) ) {
- /* strip leading "/dev/" from tty.. */
- terminal_line += 5;
- }
- D(("terminal = %s", terminal_line));
-
- /* copy to last_login */
- strncpy(last_login.ll_line, terminal_line
- , sizeof(last_login.ll_line));
- terminal_line = NULL;
-
- D(("locking last_log file"));
-
- /* now we try to lock this file-record exclusively; non-blocking */
- memset(&last_lock, 0, sizeof(last_lock));
- last_lock.l_type = F_WRLCK;
- last_lock.l_whence = SEEK_SET;
- last_lock.l_start = sizeof(last_login) * (off_t) uid;
- last_lock.l_len = sizeof(last_login);
-
- if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) {
- D(("locking %s failed..(waiting a little)", _PATH_LASTLOG));
- _log_err(LOG_ALERT, "%s file is locked/write", _PATH_LASTLOG);
- sleep(LASTLOG_IGNORE_LOCK_TIME);
- }
-
- D(("writing to the last_log file"));
- (void) write(last_fd, &last_login, sizeof(last_login));
-
- last_lock.l_type = F_UNLCK;
- (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
- D(("unlocked"));
-
- close(last_fd); /* all done */
- }
- D(("all done with last login"));
- }
-
- /* reset the last login structure */
- memset(&last_login, 0, sizeof(last_login));
-
- return retval;
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc
- , const char **argv)
-{
- int retval, ctrl;
- const char *user;
- const struct passwd *pwd;
- uid_t uid;
-
- /*
- * this module gets the uid of the PAM_USER. Uses it to display
- * last login info and then updates the lastlog for that user.
- */
-
- ctrl = _pam_parse(flags, argc, argv);
-
- /* which user? */
-
- retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
- if (retval != PAM_SUCCESS || user == NULL || *user == '\0') {
- _log_err(LOG_NOTICE, "user unknown");
- return PAM_USER_UNKNOWN;
- }
-
- /* what uid? */
-
- pwd = getpwnam(user);
- if (pwd == NULL) {
- D(("couldn't identify user %s", user));
- return PAM_CRED_INSUFFICIENT;
- }
- uid = pwd->pw_uid;
- pwd = NULL; /* tidy up */
-
- /* process the current login attempt (indicate last) */
-
- retval = last_login_date(pamh, ctrl, uid);
-
- /* indicate success or failure */
-
- uid = -1; /* forget this */
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_lastlog_modstruct = {
- "pam_lastlog",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_limits/Makefile b/contrib/libpam/modules/pam_limits/Makefile
deleted file mode 100644
index f6a0e07..0000000
--- a/contrib/libpam/modules/pam_limits/Makefile
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10
-#
-
-ifeq ($(OS),linux)
-ifeq ($(HAVE_PWDBLIB),yes)
-TITLE=pam_limits
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/limits.conf
-export CONFILE
-
-CFLAGS+=-DLIMITS_FILE=\"$(CONFILE)\"
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) -lpwdb
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-else
-include ../dont_makefile
-endif
-else
-include ../dont_makefile
-endif
diff --git a/contrib/libpam/modules/pam_limits/README b/contrib/libpam/modules/pam_limits/README
deleted file mode 100644
index 06a6857..0000000
--- a/contrib/libpam/modules/pam_limits/README
+++ /dev/null
@@ -1,87 +0,0 @@
-
-pam_limits module:
- Imposing user limits on login.
-
-THEORY OF OPERATION:
-
-First, make a root-only-readable file (/etc/limits by default or LIMITS_FILE
-defined Makefile) that describes the resource limits you wish to impose. No
-limits are imposed on UID 0 accounts.
-
-Each line describes a limit for a user in the form:
-
-<domain> <type> <item> <value>
-
-Where:
-<domain> can be:
- - an user name
- - a group name, with @group syntax
- - the wildcard *, for default entry
-
-<type> can have the two values:
- - "soft" for enforcinf the soft limits
- - "hard" for enforcing hard limits
-
-<item> can be one of the following:
- - core - limits the core file size (KB)
- - data - max data size (KB)
- - fsize - maximum filesize (KB)
- - memlock - max locked-in-memory address space (KB)
- - nofile - max number of open files
- - rss - max resident set size (KB)
- - stack - max stack size (KB)
- - cpu - max CPU time (MIN)
- - nproc - max number of processes
- - as - address space limit
- - maxlogins - max number of logins for this user
- - maxsyslogins - max number of logins on the system
-
-To completely disable limits for a user (or a group), a single dash (-)
-will do (Example: 'bin -', '@admin -'). Please remember that individual
-limits have priority over group limits, so if you impose no limits for admin
-group, but one of the members in this group have a limits line, the user
-will have its limits set according to this line.
-
-Also, please note that all limit settings are set PER LOGIN. They are
-not global, nor are they permanent (the session only)
-
-In the LIMITS_FILE, the # character introduces a comment - the rest of the
-line is ignored.
-
-The pam_limits module does its best to report configuration problems found
-in LIMITS_FILE via syslog.
-
-EXAMPLE configuration file:
-===========================
-* soft core 0
-* hard rss 10000
-@student hard nproc 20
-@faculty soft nproc 20
-@faculty hard nproc 50
-ftp hard nproc 0
-@student - maxlogins 4
-
-
-ARGUMENTS RECOGNIZED:
- debug verbose logging
-
- conf=/path/to/file the limits configuration file if different from the
- one set at compile time.
-
-MODULE SERVICES PROVIDED:
- session _open_session and _close_session (blank)
-
-USAGE:
- For the services you need resources limits (login for example) put a
- the following line in /etc/pam.conf as the last line for that
- service (usually after the pam_unix session line:
-
- login session required /lib/security/pam_limits.so
-
- Replace "login" for each service you are using this module, replace
- "/lib/security" path with your real modules path.
-
-AUTHOR:
- Cristian Gafton <gafton@redhat.com>
- Thanks to Elliot Lee <sopwith@redhat.com> for his comments on
- improving this module.
diff --git a/contrib/libpam/modules/pam_limits/install_conf b/contrib/libpam/modules/pam_limits/install_conf
deleted file mode 100755
index d92c1f9..0000000
--- a/contrib/libpam/modules/pam_limits/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./limits.skel
-MODULE=pam_limits
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_limits/limits.skel b/contrib/libpam/modules/pam_limits/limits.skel
deleted file mode 100644
index ea57e42..0000000
--- a/contrib/libpam/modules/pam_limits/limits.skel
+++ /dev/null
@@ -1,41 +0,0 @@
-# /etc/security/limits.conf
-#
-#Each line describes a limit for a user in the form:
-#
-#<domain> <type> <item> <value>
-#
-#Where:
-#<domain> can be:
-# - an user name
-# - a group name, with @group syntax
-# - the wildcard *, for default entry
-#
-#<type> can have the two values:
-# - "soft" for enforcing the soft limits
-# - "hard" for enforcing hard limits
-#
-#<item> can be one of the following:
-# - core - limits the core file size (KB)
-# - data - max data size (KB)
-# - fsize - maximum filesize (KB)
-# - memlock - max locked-in-memory address space (KB)
-# - nofile - max number of open files
-# - rss - max resident set size (KB)
-# - stack - max stack size (KB)
-# - cpu - max CPU time (MIN)
-# - nproc - max number of processes
-# - as - address space limit
-# - maxlogins - max number of logins for this user
-#
-#<domain> <type> <item> <value>
-#
-
-#* soft core 0
-#* hard rss 10000
-#@student hard nproc 20
-#@faculty soft nproc 20
-#@faculty hard nproc 50
-#ftp hard nproc 0
-#@student - maxlogins 4
-
-# End of file
diff --git a/contrib/libpam/modules/pam_limits/pam_limits.c b/contrib/libpam/modules/pam_limits/pam_limits.c
deleted file mode 100644
index 179c430..0000000
--- a/contrib/libpam/modules/pam_limits/pam_limits.c
+++ /dev/null
@@ -1,592 +0,0 @@
-/*
- * pam_limits - impose resource limits when opening a user session
- *
- * 1.5 - Elliot Lee's "max system logins patch"
- * 1.4 - addressed bug in configuration file parser
- * 1.3 - modified the configuration file format
- * 1.2 - added 'debug' and 'conf=' arguments
- * 1.1 - added @group support
- * 1.0 - initial release - Linux ONLY
- *
- * See end for Copyright information
- */
-
-#if !(defined(linux))
-#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!!
-#endif
-
-#include <stdio.h>
-#include <unistd.h>
-#define __USE_POSIX2
-#include <string.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/resource.h>
-#include <utmp.h>
-#ifndef UT_USER /* some systems have ut_name instead of ut_user */
-#define UT_USER ut_user
-#endif
-
-/* Module defines */
-#define LINE_LENGTH 1024
-
-#define LIMITS_DEF_USER 0 /* limit was set by an user entry */
-#define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */
-#define LIMITS_DEF_DEFAULT 2 /* limit was set by an default entry */
-#define LIMITS_DEF_NONE 3 /* this limit was not set yet */
-
-/* internal data */
-static char conf_file[BUFSIZ];
-
-struct user_limits_struct {
- int src_soft;
- int src_hard;
- struct rlimit limit;
-};
-
-static struct user_limits_struct limits[RLIM_NLIMITS];
-static int login_limit; /* the max logins limit */
-static int login_limit_def; /* which entry set the login limit */
-static int flag_numsyslogins; /* whether to limit logins only for a
- specific user or to count all logins */
-
-#define LIMIT_LOGIN RLIM_NLIMITS+1
-#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
-#define LIMIT_SOFT 1
-#define LIMIT_HARD 2
-
-#define PAM_SM_SESSION
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <pwdb/pwdb_map.h>
-
-/* logging */
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_limits", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"conf=",5))
- strcpy(conf_file,*argv+5);
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-
-/* limits stuff */
-#ifndef LIMITS_FILE
-#define LIMITS_FILE "/etc/security/limits.conf"
-#endif
-
-#define LIMIT_ERR 1 /* error setting a limit */
-#define LOGIN_ERR 2 /* too many logins err */
-
-/* Counts the number of user logins and check against the limit*/
-static int check_logins(const char *name, int limit, int ctrl)
-{
- struct utmp *ut;
- unsigned int count;
-
- if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "checking logins for '%s' / %d\n", name,limit);
- }
-
- if (limit < 0)
- return 0; /* no limits imposed */
- if (limit == 0) /* maximum 0 logins ? */ {
- _pam_log(LOG_WARNING, "No logins allowed for '%s'\n", name);
- return LOGIN_ERR;
- }
-
- setutent();
- count = 0;
- while((ut = getutent())) {
-#ifdef USER_PROCESS
- if (ut->ut_type != USER_PROCESS)
- continue;
-#endif
- if (ut->UT_USER[0] == '\0')
- continue;
- if (!flag_numsyslogins
- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0)
- continue;
- if (++count >= limit)
- break;
- }
- endutent();
- if (count >= limit) {
- if (name) {
- _pam_log(LOG_WARNING, "Too many logins (max %d) for %s",
- limit, name);
- } else {
- _pam_log(LOG_WARNING, "Too many system logins (max %d)", limit);
- }
- return LOGIN_ERR;
- }
- return 0;
-}
-
-/* checks if a user is on a list of members of the GID 0 group */
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* Checks if a user is a member of a group */
-static int is_on_group(const char *user_name, const char *group_name)
-{
- struct passwd *pwd;
- struct group *grp, *pgrp;
- char uname[LINE_LENGTH], gname[LINE_LENGTH];
-
- if (!strlen(user_name))
- return 0;
- if (!strlen(group_name))
- return 0;
- memset(uname, 0, sizeof(uname));
- strncpy(uname, user_name, LINE_LENGTH);
- memset(gname, 0, sizeof(gname));
- strncpy(gname, group_name, LINE_LENGTH);
-
- setpwent();
- pwd = getpwnam(uname);
- endpwent();
- if (!pwd)
- return 0;
-
- /* the info about this group */
- setgrent();
- grp = getgrnam(gname);
- endgrent();
- if (!grp)
- return 0;
-
- /* first check: is a member of the group_name group ? */
- if (is_on_list(grp->gr_mem, uname))
- return 1;
-
- /* next check: user primary group is group_name ? */
- setgrent();
- pgrp = getgrgid(pwd->pw_gid);
- endgrent();
- if (!pgrp)
- return 0;
- if (!strcmp(pgrp->gr_name, gname))
- return 1;
-
- return 0;
-}
-
-static int init_limits(void)
-{
- int retval = PAM_SUCCESS;
-
- D(("called."));
-
- retval |= getrlimit(RLIMIT_CPU, &limits[RLIMIT_CPU].limit);
- limits[RLIMIT_CPU].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_CPU].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_FSIZE, &limits[RLIMIT_FSIZE].limit);
- limits[RLIMIT_FSIZE].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_FSIZE].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_DATA, &limits[RLIMIT_DATA].limit);
- limits[RLIMIT_DATA].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_DATA].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_STACK, &limits[RLIMIT_STACK].limit);
- limits[RLIMIT_STACK].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_STACK].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_CORE, &limits[RLIMIT_CORE].limit);
- limits[RLIMIT_CORE].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_CORE].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_RSS, &limits[RLIMIT_RSS].limit);
- limits[RLIMIT_RSS].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_RSS].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_NPROC, &limits[RLIMIT_NPROC].limit);
- limits[RLIMIT_NPROC].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_NPROC].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_NOFILE, &limits[RLIMIT_NOFILE].limit);
- limits[RLIMIT_NOFILE].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_NOFILE].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_MEMLOCK, &limits[RLIMIT_MEMLOCK].limit);
- limits[RLIMIT_MEMLOCK].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_MEMLOCK].src_hard = LIMITS_DEF_NONE;
-
- retval |= getrlimit(RLIMIT_AS, &limits[RLIMIT_AS].limit);
- limits[RLIMIT_AS].src_soft = LIMITS_DEF_NONE;
- limits[RLIMIT_AS].src_hard = LIMITS_DEF_NONE;
-
- login_limit = -2;
- login_limit_def = LIMITS_DEF_NONE;
- return retval;
-}
-
-static void process_limit(int source, const char *lim_type,
- const char *lim_item, const char *lim_value,
- int ctrl)
-{
- int limit_item;
- int limit_type = 0;
- long limit_value;
- char **endptr = (char **) &lim_value;
- const char *value_orig = lim_value;
-
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "%s: processing(%d) %s %s %s\n",
- __FUNCTION__,source,lim_type,lim_item,lim_value);
-
- if (strcmp(lim_item, "cpu") == 0)
- limit_item = RLIMIT_CPU;
- else if (strcmp(lim_item, "fsize") == 0)
- limit_item = RLIMIT_FSIZE;
- else if (strcmp(lim_item, "data") == 0)
- limit_item = RLIMIT_DATA;
- else if (strcmp(lim_item, "stack") == 0)
- limit_item = RLIMIT_STACK;
- else if (strcmp(lim_item, "core") == 0)
- limit_item = RLIMIT_CORE;
- else if (strcmp(lim_item, "rss") == 0)
- limit_item = RLIMIT_RSS;
- else if (strcmp(lim_item, "nproc") == 0)
- limit_item = RLIMIT_NPROC;
- else if (strcmp(lim_item, "nofile") == 0)
- limit_item = RLIMIT_NOFILE;
- else if (strcmp(lim_item, "memlock") == 0)
- limit_item = RLIMIT_MEMLOCK;
- else if (strcmp(lim_item, "as") == 0)
- limit_item = RLIMIT_AS;
- else if (strcmp(lim_item, "maxlogins") == 0) {
- limit_item = LIMIT_LOGIN;
- flag_numsyslogins = 0;
- } else if (strcmp(lim_item, "maxsyslogins") == 0) {
- limit_item = LIMIT_NUMSYSLOGINS;
- flag_numsyslogins = 1;
- } else {
- _pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item);
- return;
- }
-
- if (strcmp(lim_type,"soft")==0)
- limit_type=LIMIT_SOFT;
- else if (strcmp(lim_type, "hard")==0)
- limit_type=LIMIT_HARD;
- else if (strcmp(lim_type,"-")==0)
- limit_type=LIMIT_SOFT | LIMIT_HARD;
- else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) {
- _pam_log(LOG_DEBUG,"unknown limit type '%s'", lim_type);
- return;
- }
-
- limit_value = strtol(lim_value, endptr, 10);
- if (limit_value == 0 && value_orig == *endptr) { /* no chars read */
- if (strcmp(lim_value,"-") != 0) {
- _pam_log(LOG_DEBUG,"wrong limit value '%s'", lim_value);
- return;
- } else
- if (limit_item != LIMIT_LOGIN) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,
- "'-' limit value valid for maxlogins type only");
- return;
- } else
- limit_value = -1;
- }
-
- switch(limit_item) {
- case RLIMIT_CPU:
- limit_value *= 60;
- break;
- case RLIMIT_FSIZE:
- case RLIMIT_DATA:
- case RLIMIT_STACK:
- case RLIMIT_CORE:
- case RLIMIT_RSS:
- case RLIMIT_MEMLOCK:
- case RLIMIT_AS:
- limit_value *= 1024;
- break;
- }
-
- if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) {
- if (limit_type & LIMIT_SOFT)
- if (limits[limit_item].src_soft < source)
- return;
- else {
- limits[limit_item].limit.rlim_cur = limit_value;
- limits[limit_item].src_soft = source;
- }
- if (limit_type & LIMIT_HARD)
- if (limits[limit_item].src_hard < source)
- return;
- else {
- limits[limit_item].limit.rlim_max = limit_value;
- limits[limit_item].src_hard = source;
- }
- } else
- if (login_limit_def < source)
- return;
- else {
- login_limit = limit_value;
- login_limit_def = source;
- }
-
- return;
-}
-
-static int parse_config_file(const char *uname, int ctrl)
-{
- FILE *fil;
- char buf[LINE_LENGTH];
-
-#define CONF_FILE (conf_file[0])?conf_file:LIMITS_FILE
- /* check for the LIMITS_FILE */
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,"reading settings from '%s'", CONF_FILE);
- fil = fopen(CONF_FILE, "r");
- if (fil == NULL) {
- _pam_log (LOG_WARNING, "can not read settings from %s", CONF_FILE);
- return PAM_SERVICE_ERR;
- }
-#undef CONF_FILE
-
- /* init things */
- memset(buf, 0, sizeof(buf));
- /* start the show */
- while (fgets(buf, LINE_LENGTH, fil) != NULL) {
- char domain[LINE_LENGTH];
- char ltype[LINE_LENGTH];
- char item[LINE_LENGTH];
- char value[LINE_LENGTH];
- int i,j;
- char *tptr;
-
- tptr = buf;
- /* skip the leading white space */
- while (*tptr && isspace(*tptr))
- tptr++;
- strcpy(buf, (const char *)tptr);
-
- /* Rip off the comments */
- tptr = strchr(buf,'#');
- if (tptr)
- *tptr = '\0';
- /* Rip off the newline char */
- tptr = strchr(buf,'\n');
- if (tptr)
- *tptr = '\0';
- /* Anything left ? */
- if (!strlen(buf)) {
- memset(buf, 0, sizeof(buf));
- continue;
- }
-
- memset(domain, 0, sizeof(domain));
- memset(ltype, 0, sizeof(ltype));
- memset(item, 0, sizeof(item));
- memset(value, 0, sizeof(value));
-
- i = sscanf(buf,"%s%s%s%s", domain, ltype, item, value);
- for(j=0; j < strlen(domain); j++)
- domain[j]=tolower(domain[j]);
- for(j=0; j < strlen(ltype); j++)
- ltype[j]=tolower(ltype[j]);
- for(j=0; j < strlen(item); j++)
- item[j]=tolower(item[j]);
- for(j=0; j < strlen(value); j++)
- value[j]=tolower(value[j]);
-
- if (i == 4) { /* a complete line */
- if (strcmp(uname, domain) == 0) /* this user have a limit */
- process_limit(LIMITS_DEF_USER, ltype, item, value, ctrl);
- else if (domain[0]=='@') {
- if (is_on_group(uname, domain+1))
- process_limit(LIMITS_DEF_GROUP, ltype, item, value, ctrl);
- } else if (strcmp(domain, "*") == 0)
- process_limit(LIMITS_DEF_DEFAULT, ltype, item, value, ctrl);
- } else
- _pam_log(LOG_DEBUG,"invalid line '%s'", buf);
- }
- fclose(fil);
- return PAM_SUCCESS;
-}
-
-static int setup_limits(const char * uname, int ctrl)
-{
- int i;
- int retval = PAM_SUCCESS;
-
- for (i=0; i<RLIM_NLIMITS; i++) {
- if (limits[i].limit.rlim_cur > limits[i].limit.rlim_max)
- limits[i].limit.rlim_cur = limits[i].limit.rlim_max;
- retval |= setrlimit(i, &limits[i].limit);
- }
-
- if (retval != PAM_SUCCESS)
- retval = LIMIT_ERR;
- if (login_limit > 0) {
- if (check_logins(uname, login_limit, ctrl) == LOGIN_ERR)
- retval |= LOGIN_ERR;
- } else if (login_limit == 0)
- retval |= LOGIN_ERR;
- return retval;
-}
-
-/* now the session stuff */
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int retval;
- char *user_name;
- struct passwd *pwd;
- int ctrl;
-
- D(("called."));
-
- memset(conf_file, 0, sizeof(conf_file));
-
- ctrl = _pam_parse(argc, argv);
- retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _pam_log(LOG_CRIT, "open_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- setpwent();
- pwd = getpwnam(user_name);
- endpwent();
- if (!pwd) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_WARNING, "open_session username '%s' does not exist",
- user_name);
- return PAM_SESSION_ERR;
- }
-
- /* do not impose limits on UID 0 accounts */
- if (!pwd->pw_uid) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "user '%s' have UID 0 - no limits imposed",
- user_name);
- return PAM_SUCCESS;
- }
-
- retval = init_limits();
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "can not initialize");
- return PAM_IGNORE;
- }
-
- retval = parse_config_file(pwd->pw_name,ctrl);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "error parsing the configuration file");
- return PAM_IGNORE;
- }
-
- retval = setup_limits(pwd->pw_name, ctrl);
- if (retval & LOGIN_ERR) {
- printf("\nToo many logins for '%s'\n",pwd->pw_name);
- sleep(2);
- return PAM_PERM_DENIED;
- }
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- /* nothing to do */
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_limits_modstruct = {
- "pam_limits",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL
-};
-#endif
-
-/*
- * Copyright (c) Cristian Gafton, 1996-1997, <gafton@redhat.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_listfile/Makefile b/contrib/libpam/modules/pam_listfile/Makefile
deleted file mode 100644
index 0294039..0000000
--- a/contrib/libpam/modules/pam_listfile/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-
-TITLE=pam_listfile
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_listfile/README b/contrib/libpam/modules/pam_listfile/README
deleted file mode 100644
index b65e7db..0000000
--- a/contrib/libpam/modules/pam_listfile/README
+++ /dev/null
@@ -1,25 +0,0 @@
-SUMMARY:
- pam_listfile:
- Checks a specified item against a list in a file.
- Options:
- * item=[tty|user|rhost|ruser|group|shell]
- * sense=[allow|deny] (action to take if found in file,
- if the item is NOT found in the file, then
- the opposite action is requested)
- * file=/the/file/to/get/the/list/from
- * onerr=[succeed|fail] (if something weird happens
- such as unable to open the file, what to do?)
- * apply=[user|@group]
- restrict the user class for which the restriction
- apply. Note that with item=[user|ruser|group] this
- does not make sense, but for item=[tty|rhost|shell]
- it have a meaning. (Cristian Gafton)
-
- Also checks to make sure that the list file is a plain
- file and not world writable.
-
- - Elliot Lee <sopwith@redhat.com>, Red Hat Software.
- v0.9 August 16, 1996.
-
-BUGS:
- Bugs?
diff --git a/contrib/libpam/modules/pam_listfile/pam_listfile.c b/contrib/libpam/modules/pam_listfile/pam_listfile.c
deleted file mode 100644
index e54b12a..0000000
--- a/contrib/libpam/modules/pam_listfile/pam_listfile.c
+++ /dev/null
@@ -1,436 +0,0 @@
-/*
- * $Id: pam_listfile.c,v 1.6 1997/04/05 06:38:35 morgan Exp $
- *
- * $Log: pam_listfile.c,v $
- * Revision 1.6 1997/04/05 06:38:35 morgan
- * reformat mostly
- *
- * Revision 1.5 1997/02/15 17:29:41 morgan
- * removed fixed length buffer in logging
- *
- * Revision 1.4 1997/01/04 20:32:10 morgan
- * ammendments for pam_listfile handling
- *
- * Revision 1.3 1996/11/10 21:02:08 morgan
- * compiles with .53
- *
- * Revision 1.2 1996/09/05 06:22:58 morgan
- * Michael's patches
- *
- */
-
-/*
- * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
- * July 25, 1996.
- * This code shamelessly ripped from the pam_rootok module.
- */
-
-#ifdef linux
-# define _SVID_SOURCE
-# define _BSD_SOURCE
-# define __USE_BSD
-# define __USE_SVID
-# define __USE_MISC
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <string.h>
-#include <pwd.h>
-#include <grp.h>
-
-#ifdef DEBUG
-#include <assert.h>
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-listfile", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* checks if a user is on a list of members */
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* Checks if a user is a member of a group */
-static int is_on_group(const char *user_name, const char *group_name)
-{
- struct passwd *pwd;
- struct group *grp, *pgrp;
- char uname[BUFSIZ], gname[BUFSIZ];
-
- if (!strlen(user_name))
- return 0;
- if (!strlen(group_name))
- return 0;
- bzero(uname, sizeof(uname));
- strncpy(uname, user_name, BUFSIZ-1);
- bzero(gname, sizeof(gname));
- strncpy(gname, group_name, BUFSIZ-1);
-
- setpwent();
- pwd = getpwnam(uname);
- endpwent();
- if (!pwd)
- return 0;
-
- /* the info about this group */
- setgrent();
- grp = getgrnam(gname);
- endgrent();
- if (!grp)
- return 0;
-
- /* first check: is a member of the group_name group ? */
- if (is_on_list(grp->gr_mem, uname))
- return 1;
-
- /* next check: user primary group is group_name ? */
- setgrent();
- pgrp = getgrgid(pwd->pw_gid);
- endgrent();
- if (!pgrp)
- return 0;
- if (!strcmp(pgrp->gr_name, gname))
- return 1;
-
- return 0;
-}
-
-/* --- authentication management functions (only) --- */
-
-/* Extended Items that are not directly available via pam_get_item() */
-#define EI_GROUP (1 << 0)
-#define EI_SHELL (1 << 1)
-
-/* Constants for apply= parameter */
-#define APPLY_TYPE_NULL 0
-#define APPLY_TYPE_NONE 1
-#define APPLY_TYPE_USER 2
-#define APPLY_TYPE_GROUP 3
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2;
- const char *citemp;
- char *ifname=NULL;
- char aline[256];
- char mybuf[256],myval[256];
- struct stat fileinfo;
- FILE *inf;
- char apply_val[256];
- int apply_type;
-
- /* Stuff for "extended" items */
- struct passwd *userinfo;
- struct group *grpinfo;
- char *itemlist[256]; /* Maximum of 256 items */
-
- D(("called."));
-
- apply_type=APPLY_TYPE_NULL;
- memset(apply_val,0,sizeof(apply_val));
-
- for(i=0; i < argc; i++) {
- {
- char *junk;
- junk = (char *) malloc(strlen(argv[i])+1);
- if (junk == NULL) {
- return PAM_BUF_ERR;
- }
- strcpy(junk,argv[i]);
- strncpy(mybuf,strtok(junk,"="),255);
- strncpy(myval,strtok(NULL,"="),255);
- free(junk);
- }
- if(!strcmp(mybuf,"onerr"))
- if(!strcmp(myval,"succeed"))
- onerr = PAM_SUCCESS;
- else if(!strcmp(myval,"fail"))
- onerr = PAM_SERVICE_ERR;
- else
- return PAM_SERVICE_ERR;
- else if(!strcmp(mybuf,"sense"))
- if(!strcmp(myval,"allow"))
- sense=0;
- else if(!strcmp(myval,"deny"))
- sense=1;
- else
- return onerr;
- else if(!strcmp(mybuf,"file")) {
- ifname = (char *)malloc(strlen(myval)+1);
- strcpy(ifname,myval);
- } else if(!strcmp(mybuf,"item"))
- if(!strcmp(myval,"user"))
- citem = PAM_USER;
- else if(!strcmp(myval,"tty"))
- citem = PAM_TTY;
- else if(!strcmp(myval,"rhost"))
- citem = PAM_RHOST;
- else if(!strcmp(myval,"ruser"))
- citem = PAM_RUSER;
- else { /* These items are related to the user, but are not
- directly gettable with pam_get_item */
- citem = PAM_USER;
- if(!strcmp(myval,"group"))
- extitem = EI_GROUP;
- else if(!strcmp(myval,"shell"))
- extitem = EI_SHELL;
- else
- citem = 0;
- } else if(!strcmp(mybuf,"apply")) {
- apply_type=APPLY_TYPE_NONE;
- if (myval[0]=='@') {
- apply_type=APPLY_TYPE_GROUP;
- strncpy(apply_val,myval+1,sizeof(apply_val)-1);
- } else {
- apply_type=APPLY_TYPE_USER;
- strncpy(apply_val,myval,sizeof(apply_val)-1);
- }
- } else {
- _pam_log(LOG_ERR,"Unknown option: %s",mybuf);
- return onerr;
- }
- }
-
- if(!citem) {
- _pam_log(LOG_ERR,"Unknown item or item not specified");
- return onerr;
- } else if(!ifname) {
- _pam_log(LOG_ERR,"List filename not specified");
- return onerr;
- } else if(sense == 2) {
- _pam_log(LOG_ERR,"Unknown sense or sense not specified");
- return onerr;
- } else if(
- (apply_type==APPLY_TYPE_NONE) ||
- ((apply_type!=APPLY_TYPE_NULL) && (*apply_val=='\0'))
- ) {
- _pam_log(LOG_ERR,"Invalid usage for apply= parameter");
- return onerr;
- }
-
- /* Check if it makes sense to use the apply= parameter */
- if (apply_type != APPLY_TYPE_NULL) {
- if((citem==PAM_USER) || (citem==PAM_RUSER)) {
- _pam_log(LOG_WARNING,"Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- if(extitem && (extitem==EI_GROUP)) {
- _pam_log(LOG_WARNING,"Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- }
-
- /* Short-circuit - test if this session apply for this user */
- {
- const char *user_name;
- int rval;
-
- rval=pam_get_user(pamh,&user_name,NULL);
- if((rval==PAM_SUCCESS) && user_name[0]) {
- /* Got it ? Valid ? */
- if(apply_type==APPLY_TYPE_USER) {
- if(strcmp(user_name, apply_val)) {
- /* Does not apply to this user */
-#ifdef DEBUG
- _pam_log(LOG_DEBUG,"don't apply: apply=%s, user=%s",
- apply_val,user_name);
-#endif /* DEBUG */
- return PAM_IGNORE;
- }
- } else if(apply_type==APPLY_TYPE_GROUP) {
- if(!is_on_group(user_name,apply_val)) {
- /* Not a member of apply= group */
-#ifdef DEBUG
- _pam_log(LOG_DEBUG,"don't apply: %s not a member of group %s",
- user_name,apply_val);
-#endif /* DEBUG */
- return PAM_IGNORE;
- }
- }
- }
- }
-
- retval = pam_get_item(pamh,citem,(const void **)&citemp);
- if(retval != PAM_SUCCESS) {
- return onerr;
- }
- if((citem == PAM_USER) && !citemp) {
- pam_get_user(pamh,&citemp,NULL);
- if (retval != PAM_SUCCESS)
- return PAM_SERVICE_ERR;
- }
-
- if(!citemp || (strlen(citemp) <= 0)) {
- /* The item was NULL - we are sure not to match */
- return sense?PAM_SUCCESS:PAM_AUTH_ERR;
- }
-
- if(extitem) {
- switch(extitem) {
- case EI_GROUP:
- setpwent();
- userinfo = getpwnam(citemp);
- setgrent();
- grpinfo = getgrgid(userinfo->pw_gid);
- itemlist[0] = x_strdup(grpinfo->gr_name);
- setgrent();
- for (i=1; (i < sizeof(itemlist)/sizeof(itemlist[0])-1) &&
- (grpinfo = getgrent()); ) {
- if (is_on_list(grpinfo->gr_mem,citemp)) {
- itemlist[i++] = x_strdup(grpinfo->gr_name);
- }
- }
- itemlist[i] = NULL;
- endgrent();
- endpwent();
- break;
- case EI_SHELL:
- setpwent();
- userinfo = getpwnam(citemp); /* Assume that we have already gotten
- PAM_USER in pam_get_item() - a valid
- assumption since citem gets set to
- PAM_USER in the extitem switch */
- citemp = userinfo->pw_shell;
- endpwent();
- break;
- default:
- _pam_log(LOG_ERR,"Internal weirdness, unknown extended item %d",
- extitem);
- return onerr;
- }
- }
-#ifdef DEBUG
- _pam_log(LOG_INFO,"Got file = %s, item = %d, value = %s, sense = %d",
- ifname, citem, citemp, sense);
-#endif
- if(lstat(ifname,&fileinfo)) {
- _pam_log(LOG_ERR,
- "Couldn't open %s",ifname);
- return onerr;
- }
-
- if((fileinfo.st_mode & S_IWOTH)
- || !S_ISREG(fileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- _pam_log(LOG_ERR,
- "%s is either world writable or not a normal file",
- ifname);
- return PAM_AUTH_ERR;
- }
-
- inf = fopen(ifname,"r");
- if(inf == NULL) { /* Check that we opened it successfully */
- if (onerr == PAM_SERVICE_ERR) {
- /* Only report if it's an error... */
- _pam_log(LOG_ERR, "Error opening %s", ifname);
- }
- return onerr;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
-#ifdef DEBUG
- assert(PAM_SUCCESS == 0);
- assert(PAM_AUTH_ERR != 0);
-#endif
- if(extitem == EI_GROUP) {
- while((fgets(aline,255,inf) != NULL)
- && retval) {
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- for(i=0;itemlist[i];)
- /* If any of the items match, strcmp() == 0, and we get out
- of this loop */
- retval = (strcmp(aline,itemlist[i++]) && retval);
- }
- for(i=0;itemlist[i];)
- free(itemlist[i++]);
- } else {
- while((fgets(aline,255,inf) != NULL)
- && retval) {
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- retval = strcmp(aline,citemp);
- }
- }
- fclose(inf);
- free(ifname);
- if(retval) {
-#ifdef DEBUG
- syslog(LOG_INFO,"Returning %d, retval = %d",
- sense?PAM_AUTH_ERR:PAM_SUCCESS, retval);
-#endif
- return sense?PAM_SUCCESS:PAM_AUTH_ERR;
- }
- else {
-#ifdef DEBUG
- syslog(LOG_INFO,"Returning %d, retval = %d",
- sense?PAM_SUCCESS:PAM_AUTH_ERR, retval);
-#endif
- return sense?PAM_AUTH_ERR:PAM_SUCCESS;
- }
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_listfile_modstruct = {
- "pam_listfile",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
-
diff --git a/contrib/libpam/modules/pam_mail/Makefile b/contrib/libpam/modules/pam_mail/Makefile
deleted file mode 100644
index 5a402ea..0000000
--- a/contrib/libpam/modules/pam_mail/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@
-#
-# $Id: Makefile,v 1.3 1997/04/05 06:37:45 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.3 1997/04/05 06:37:45 morgan
-# fakeroot
-#
-# Revision 1.2 1997/02/15 16:07:22 morgan
-# optional libpwdb compilation
-#
-# Revision 1.1 1997/01/04 20:32:52 morgan
-# Initial revision
-#
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/12/8
-#
-
-TITLE=pam_mail
-
-ifndef STATIC
-ifeq ($(HAVE_PWDBLIB),yes)
-CFLAGS += -DWANT_PWDB
-EXTRALIB = -lpwdb
-endif
-endif
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(EXTRALIB)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS) $(EXTRALIB)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_mail/pam_mail.c b/contrib/libpam/modules/pam_mail/pam_mail.c
deleted file mode 100644
index 15160f3..0000000
--- a/contrib/libpam/modules/pam_mail/pam_mail.c
+++ /dev/null
@@ -1,401 +0,0 @@
-/* pam_mail module */
-
-/*
- * $Id: pam_mail.c,v 1.2 1997/02/15 16:06:14 morgan Exp morgan $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- * $HOME additions by David Kinchlea <kinch@kinch.ark.com> 1997/1/7
- *
- * $Log: pam_mail.c,v $
- * Revision 1.2 1997/02/15 16:06:14 morgan
- * session -> setcred, also added "~"=$HOME
- *
- * Revision 1.1 1997/01/04 20:33:02 morgan
- * Initial revision
- */
-
-#define DEFAULT_MAIL_DIRECTORY "/var/spool/mail"
-#define MAIL_FILE_FORMAT "%s/%s"
-#define MAIL_ENV_NAME "MAIL"
-#define MAIL_ENV_FORMAT MAIL_ENV_NAME "=%s"
-#define YOUR_MAIL_FORMAT "You have %s mail in %s"
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <ctype.h>
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#ifdef WANT_PWDB
-#include <pwdb/pwdb_public.h>
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* some syslogging */
-
-static void _log_err(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-mail", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 01
-#define PAM_NO_LOGIN 02
-#define PAM_LOGOUT_TOO 04
-#define PAM_NEW_MAIL_DIR 010
-#define PAM_MAIL_SILENT 020
-#define PAM_NO_ENV 040
-#define PAM_HOME_MAIL 0100
-#define PAM_EMPTY_TOO 0200
-
-static int _pam_parse(int flags, int argc, const char **argv, char **maildir)
-{
- int ctrl=0;
-
- if (flags & PAM_SILENT) {
- ctrl |= PAM_MAIL_SILENT;
- }
-
- /* step through arguments */
- for (; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"dir=",4)) {
- *maildir = x_strdup(4+*argv);
- if (*maildir != NULL) {
- D(("new mail directory: %s", *maildir));
- ctrl |= PAM_NEW_MAIL_DIR;
- } else {
- _log_err(LOG_CRIT,
- "failed to duplicate mail directory - ignored");
- }
- } else if (!strcmp(*argv,"close")) {
- ctrl |= PAM_LOGOUT_TOO;
- } else if (!strcmp(*argv,"nopen")) {
- ctrl |= PAM_NO_LOGIN;
- } else if (!strcmp(*argv,"noenv")) {
- ctrl |= PAM_NO_ENV;
- } else if (!strcmp(*argv,"empty")) {
- ctrl |= PAM_EMPTY_TOO;
- } else {
- _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-/* a front end for conversations */
-
-static int converse(pam_handle_t *pamh, int ctrl, int nargs
- , struct pam_message **message
- , struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- D(("begin to converse"));
-
- retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
- if ( retval == PAM_SUCCESS ) {
-
- retval = conv->conv(nargs, ( const struct pam_message ** ) message
- , response, conv->appdata_ptr);
-
- D(("returned from application's conversation function"));
-
- if (retval != PAM_SUCCESS && (PAM_DEBUG_ARG & ctrl) ) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
- , pam_strerror(pamh, retval));
- }
-
- } else {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
- , pam_strerror(pamh, retval));
- }
-
- D(("ready to return from module conversation"));
-
- return retval; /* propagate error status */
-}
-
-static int get_folder(pam_handle_t *pamh, int ctrl
- , char **path_mail, char **folder_p)
-{
- int retval;
- const char *user, *path;
- char *folder;
- const struct passwd *pwd=NULL;
-
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS || user == NULL) {
- _log_err(LOG_ERR, "no user specified");
- return PAM_USER_UNKNOWN;
- }
-
- if (ctrl & PAM_NEW_MAIL_DIR) {
- path = *path_mail;
- if (*path == '~') { /* support for $HOME delivery */
- pwd = getpwnam(user);
- if (pwd == NULL) {
- _log_err(LOG_ERR, "user [%s] unknown", user);
- _pam_overwrite(*path_mail);
- _pam_drop(*path_mail);
- return PAM_USER_UNKNOWN;
- }
- /*
- * "~/xxx" and "~xxx" are treated as same
- */
- if (!*++path || (*path == '/' && !*++path)) {
- _log_err(LOG_ALERT, "badly formed mail path [%s]", *path_mail);
- _pam_overwrite(*path_mail);
- _pam_drop(*path_mail);
- return PAM_ABORT;
- }
- ctrl |= PAM_HOME_MAIL;
- }
- } else {
- path = DEFAULT_MAIL_DIRECTORY;
- }
-
- /* put folder together */
-
- if (ctrl & PAM_HOME_MAIL) {
- folder = malloc(sizeof(MAIL_FILE_FORMAT)
- +strlen(pwd->pw_dir)+strlen(path));
- } else {
- folder = malloc(sizeof(MAIL_FILE_FORMAT)+strlen(path)+strlen(user));
- }
-
- if (folder != NULL) {
- if (ctrl & PAM_HOME_MAIL) {
- sprintf(folder, MAIL_FILE_FORMAT, pwd->pw_dir, path);
- } else {
- sprintf(folder, MAIL_FILE_FORMAT, path, user);
- }
- D(("folder =[%s]", folder));
- }
-
- /* tidy up */
-
- _pam_overwrite(*path_mail);
- _pam_drop(*path_mail);
- user = NULL;
-
- if (folder == NULL) {
- _log_err(LOG_CRIT, "out of memory for mail folder");
- return PAM_BUF_ERR;
- }
-
- *folder_p = folder;
- folder = NULL;
-
- return PAM_SUCCESS;
-}
-
-static const char *get_mail_status(int ctrl, const char *folder)
-{
- const char *type;
- struct stat mail_st;
-
- if (stat(folder, &mail_st) == 0 && mail_st.st_size > 0) {
- type = (mail_st.st_atime < mail_st.st_mtime) ? "new":"old" ;
- } else if (ctrl & PAM_EMPTY_TOO) {
- type = "no";
- } else {
- type = NULL;
- }
-
- memset(&mail_st, 0, sizeof(mail_st));
- D(("user has %s mail in %s folder", type, folder));
- return type;
-}
-
-static int report_mail(pam_handle_t *pamh, int ctrl
- , const char *type, const char *folder)
-{
- int retval;
-
- if (!(ctrl & PAM_MAIL_SILENT)) {
- char *remark;
-
- remark = malloc(sizeof(YOUR_MAIL_FORMAT)+strlen(type)+strlen(folder));
- if (remark == NULL) {
- retval = PAM_BUF_ERR;
- } else {
- struct pam_message msg[1], *mesg[1];
- struct pam_response *resp=NULL;
-
- sprintf(remark, YOUR_MAIL_FORMAT, type, folder);
-
- mesg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
- msg[0].msg = remark;
-
- retval = converse(pamh, ctrl, 1, mesg, &resp);
-
- _pam_overwrite(remark);
- _pam_drop(remark);
- if (resp)
- _pam_drop_reply(resp, 1);
- }
- } else {
- D(("keeping quiet"));
- retval = PAM_SUCCESS;
- }
-
- D(("returning %s", pam_strerror(pamh, retval)));
- return retval;
-}
-
-/* --- authentication management functions (only) --- */
-
-/*
- * Cannot use mail to authenticate yourself
- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_IGNORE;
-}
-
-/*
- * MAIL is a "credential"
- */
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc
- , const char **argv)
-{
- int retval, ctrl;
- char *path_mail=NULL, *folder;
- const char *type;
-
- /*
- * this module (un)sets the MAIL environment variable, and checks if
- * the user has any new mail.
- */
-
- ctrl = _pam_parse(flags, argc, argv, &path_mail);
-
- /* Do we have anything to do? */
-
- if (!(flags & (PAM_ESTABLISH_CRED|PAM_DELETE_CRED))) {
- return PAM_SUCCESS;
- }
-
- /* which folder? */
-
- retval = get_folder(pamh, ctrl, &path_mail, &folder);
- if (retval != PAM_SUCCESS) {
- D(("failed to find folder"));
- return retval;
- }
-
- /* set the MAIL variable? */
-
- if (!(ctrl & PAM_NO_ENV) && (flags & PAM_ESTABLISH_CRED)) {
- char *tmp;
-
- tmp = malloc(strlen(folder)+sizeof(MAIL_ENV_FORMAT));
- if (tmp != NULL) {
- sprintf(tmp, MAIL_ENV_FORMAT, folder);
- D(("setting env: %s", tmp));
- retval = pam_putenv(pamh, tmp);
- _pam_overwrite(tmp);
- _pam_drop(tmp);
- if (retval != PAM_SUCCESS) {
- _pam_overwrite(folder);
- _pam_drop(folder);
- _log_err(LOG_CRIT, "unable to set " MAIL_ENV_NAME " variable");
- return retval;
- }
- } else {
- _log_err(LOG_CRIT, "no memory for " MAIL_ENV_NAME " variable");
- _pam_overwrite(folder);
- _pam_drop(folder);
- return retval;
- }
- } else {
- D(("not setting " MAIL_ENV_NAME " variable"));
- }
-
- /*
- * OK. we've got the mail folder... what about its status?
- */
-
- if (((flags & PAM_ESTABLISH_CRED) && !(ctrl & PAM_NO_LOGIN))
- || ((flags & PAM_DELETE_CRED) && (ctrl & PAM_LOGOUT_TOO))) {
- type = get_mail_status(ctrl, folder);
- if (type != NULL) {
- retval = report_mail(pamh, ctrl, type, folder);
- type = NULL;
- }
- }
-
- /*
- * Delete environment variable?
- */
-
- if (flags & PAM_DELETE_CRED) {
- (void) pam_putenv(pamh, MAIL_ENV_NAME);
- }
-
- _pam_overwrite(folder); /* clean up */
- _pam_drop(folder);
-
- /* indicate success or failure */
-
- return retval;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_mail_modstruct = {
- "pam_mail",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_nologin/README b/contrib/libpam/modules/pam_nologin/README
deleted file mode 100644
index ab7ccd7..0000000
--- a/contrib/libpam/modules/pam_nologin/README
+++ /dev/null
@@ -1,12 +0,0 @@
-# $Id: README,v 1.1 1996/10/25 03:19:36 morgan Exp $
-#
-
-This module always lets root in; it lets other users in only if the file
-/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's
-contents are displayed to the user.
-
-module services provided:
-
- auth _authentication and _setcred (blank)
-
-Michael K. Johnson
diff --git a/contrib/libpam/modules/pam_nologin/pam_nologin.c b/contrib/libpam/modules/pam_nologin/pam_nologin.c
deleted file mode 100644
index 2788dcf..0000000
--- a/contrib/libpam/modules/pam_nologin/pam_nologin.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* pam_nologin module */
-
-/*
- * $Id: pam_nologin.c,v 1.4 1997/04/05 06:36:47 morgan Exp morgan $
- *
- * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24
- *
- * $Log: pam_nologin.c,v $
- * Revision 1.4 1997/04/05 06:36:47 morgan
- * display message when the user is unknown
- *
- * Revision 1.3 1996/12/01 03:00:54 morgan
- * added prototype to conversation, gave static structure name of module
- *
- * Revision 1.2 1996/11/10 21:02:31 morgan
- * compile against .53
- *
- * Revision 1.1 1996/10/25 03:19:36 morgan
- * Initial revision
- *
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <pwd.h>
-
-#include <security/_pam_macros.h>
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- int retval = PAM_SUCCESS;
- int fd;
- const char *username;
- char *mtmp=NULL;
- struct passwd *user_pwd;
- struct pam_conv *conversation;
- struct pam_message message;
- struct pam_message *pmessage = &message;
- struct pam_response *resp = NULL;
- struct stat st;
-
- if ((fd = open("/etc/nologin", O_RDONLY, 0)) >= 0) {
- /* root can still log in; lusers cannot */
- if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS)
- || !username) {
- return PAM_SERVICE_ERR;
- }
- user_pwd = getpwnam(username);
- if (user_pwd && user_pwd->pw_uid == 0) {
- message.msg_style = PAM_TEXT_INFO;
- } else {
- if (!user_pwd) {
- retval = PAM_USER_UNKNOWN;
- } else {
- retval = PAM_AUTH_ERR;
- }
- message.msg_style = PAM_ERROR_MSG;
- }
-
- /* fill in message buffer with contents of /etc/nologin */
- if (fstat(fd, &st) < 0) /* give up trying to display message */
- return retval;
- message.msg = mtmp = malloc(st.st_size+1);
- /* if malloc failed... */
- if (!message.msg) return retval;
- read(fd, mtmp, st.st_size);
- mtmp[st.st_size] = '\000';
-
- /* Use conversation function to give user contents of /etc/nologin */
- pam_get_item(pamh, PAM_CONV, (const void **)&conversation);
- conversation->conv(1, (const struct pam_message **)&pmessage,
- &resp, conversation->appdata_ptr);
- free(mtmp);
- if (resp)
- _pam_drop_reply(resp, 1);
- }
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_nologin_modstruct = {
- "pam_nologin",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_permit/Makefile b/contrib/libpam/modules/pam_permit/Makefile
deleted file mode 100644
index 823b624..0000000
--- a/contrib/libpam/modules/pam_permit/Makefile
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# $Id: Makefile,v 1.8 1997/04/05 06:33:25 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.8 1997/04/05 06:33:25 morgan
-# fakeroot
-#
-# Revision 1.7 1997/02/15 19:02:27 morgan
-# updated email address
-#
-# Revision 1.6 1996/11/10 20:14:34 morgan
-# cross platform support
-#
-# Revision 1.5 1996/09/05 06:32:45 morgan
-# ld --> gcc
-#
-# Revision 1.4 1996/05/26 15:49:25 morgan
-# make dynamic and static dirs
-#
-# Revision 1.3 1996/05/26 04:04:26 morgan
-# automated static support
-#
-# Revision 1.2 1996/03/16 17:56:38 morgan
-# tidied up
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11
-#
-
-# Convenient defaults for compiling independently of the full source
-# tree.
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-export DYNAMIC=-DPAM_DYNAMIC
-export CC=gcc
-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
-export MKDIR=mkdir -p
-export LD_D=gcc -shared -Xlinker -x
-endif
-
-#
-#
-
-TITLE=pam_permit
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(TARGET_ARCH) -c $< -o $@
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-endif
-
-ifdef DYNAMIC
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-endif
-
-ifdef STATIC
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_permit/README b/contrib/libpam/modules/pam_permit/README
deleted file mode 100644
index da179a3..0000000
--- a/contrib/libpam/modules/pam_permit/README
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: README,v 1.1 1996/03/16 18:12:51 morgan Exp $
-#
-
-this module always returns PAM_SUCCESS, it ignores all options.
diff --git a/contrib/libpam/modules/pam_permit/pam_permit.c b/contrib/libpam/modules/pam_permit/pam_permit.c
deleted file mode 100644
index 1bdd564..0000000
--- a/contrib/libpam/modules/pam_permit/pam_permit.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* pam_permit module */
-
-/*
- * $Id: pam_permit.c,v 1.5 1997/02/15 19:03:15 morgan Exp $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- *
- * $Log: pam_permit.c,v $
- * Revision 1.5 1997/02/15 19:03:15 morgan
- * fixed email address
- *
- * Revision 1.4 1997/02/15 16:03:10 morgan
- * force a name for user
- *
- * Revision 1.3 1996/06/02 08:10:14 morgan
- * updated for new static protocol
- *
- */
-
-#define DEFAULT_USER "nobody"
-
-#include <stdio.h>
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* --- authentication management functions --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval;
- const char *user=NULL;
-
- /*
- * authentication requires we know who the user wants to be
- */
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS) {
- D(("get user returned error: %s", pam_strerror(pamh,retval)));
- return retval;
- }
- if (user == NULL || *user == '\0') {
- D(("username not known"));
- pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
- }
- user = NULL; /* clean up */
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* --- account management functions --- */
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* --- password management --- */
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* --- session management --- */
-
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_permit_modstruct = {
- "pam_permit",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
diff --git a/contrib/libpam/modules/pam_pwdb/BUGS b/contrib/libpam/modules/pam_pwdb/BUGS
deleted file mode 100644
index 397f367..0000000
--- a/contrib/libpam/modules/pam_pwdb/BUGS
+++ /dev/null
@@ -1,8 +0,0 @@
-$Id: BUGS,v 1.2 1996/09/05 06:36:16 morgan Exp $
-
-$Log: BUGS,v $
-Revision 1.2 1996/09/05 06:36:16 morgan
-revised for .52 to be released
-
-
-As of Linux-PAM-0.52 this is new. No known bugs yet.
diff --git a/contrib/libpam/modules/pam_pwdb/CHANGELOG b/contrib/libpam/modules/pam_pwdb/CHANGELOG
deleted file mode 100644
index 0cb2187..0000000
--- a/contrib/libpam/modules/pam_pwdb/CHANGELOG
+++ /dev/null
@@ -1,10 +0,0 @@
-$Header: /home/morgan/pam/Linux-PAM-0.52/modules/pam_unix/RCS/CHANGELOG,v 1.1 1996/08/29 13:23:29 morgan Exp $
-
-Tue Apr 23 12:28:09 EDT 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu)
-
- * PAM_DISALLOW_NULL_AUTHTOK implemented in the authentication module
- * pam_sm_open_session() and pam_sm_close_session() implemented
- A new "trace" flag added to flags of /etc/pam.conf. Using this
- flag system administrator is able to make pam_unix module provide
- very extensive audit trail sent so syslog with LOG_AUTHPRIV level.
- * pam_sm_set_cred() is done
diff --git a/contrib/libpam/modules/pam_pwdb/Makefile b/contrib/libpam/modules/pam_pwdb/Makefile
deleted file mode 100644
index 7428bb4..0000000
--- a/contrib/libpam/modules/pam_pwdb/Makefile
+++ /dev/null
@@ -1,155 +0,0 @@
-# $Id: Makefile,v 1.7 1997/04/05 06:28:50 morgan Exp morgan $
-#
-# This Makefile controls a build process of the pam_unix module
-# for Linux-PAM. You should not modify this Makefile.
-#
-# rewritten to compile new module Andrew Morgan
-# <morgan@parc.power.net> 1996/11/6
-#
-
-#
-# Note, the STATIC module is commented out because it doesn't work.
-# please fix!
-#
-
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-export DYNAMIC=-DPAM_DYNAMIC
-export CC=gcc
-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
-export MKDIR=mkdir -p
-export LD_D=gcc -shared -Xlinker -x
-export HAVE_PWDBLIB=yes
-endif
-
-ifeq ($(HAVE_PWDBLIB),yes)
-
-TITLE=pam_pwdb
-CHKPWD=pwdb_chkpwd
-
-# compilation flags
-EXTRAS=
-# extra object files
-PLUS=
-# extra files that may be needed to be created
-CREATE=
-
-# NOTE: this module links dynamically to the libpwdb library.
-EXTRALS += -lpwdb
-EXTRAS += -DCHKPWD_HELPER=\"$(SUPLEMENTED)/$(CHKPWD)\"
-
-########################### don't edit below ##########################
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-#LIBOBJS = $(addprefix static/,$(LIBOBJ))
-LIBDEPS = pam_unix_acct.-c pam_unix_auth.-c pam_unix_passwd.-c \
- pam_unix_sess.-c pam_unix_pwupd.-c support.-c bigcrypt.-c
-
-PLUS += md5.o md5_crypt.o
-CFLAGS += $(EXTRAS)
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-#ifdef STATIC
-#LIBSTATIC = lib$(TITLE).o
-#endif
-
-all: info dirs $(PLUS) $(LIBSHARED) $(LIBSTATIC) register $(CHKPWD)
-
-dynamic/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS)
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-#static/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS)
-# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-info:
- @echo
- @echo "*** Building PAM_pwdb module..."
- @echo
-
-$(CHKPWD): pwdb_chkpwd.o md5.o md5_crypt.o
- $(CC) -o $(CHKPWD) $^ -lpwdb
-
-pwdb_chkpwd.o: pwdb_chkpwd.c pam_unix_md.-c bigcrypt.-c
-
-dirs:
-ifdef DYNAMIC
- @$(MKDIR) ./dynamic
-endif
-#ifdef STATIC
-# @$(MKDIR) ./static
-#endif
-
-register:
-#ifdef STATIC
-# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-#endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(PLUS) $(EXTRALS)
-endif
-
-#ifdef STATIC
-#$(LIBOBJS): $(LIBSRC)
-#
-#$(LIBSTATIC): $(LIBOBJS)
-# $(LD) -r -o $@ $(LIBOBJS) $(PLUS) $(EXTRALS)
-#endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SUPLEMENTED)
- $(INSTALL) -m 4555 -o root -g root $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(SUPLEMENTED)/$(CHKPWD)
-
-clean:
- rm -f $(CHKPWD) $(LIBOBJD) $(LIBOBJS) $(MOREDELS) core *~ *.o *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-else
-
-include ../dont_makefile
-
-endif
-
-#####################################################################
-# $Log: Makefile,v $
-# Revision 1.7 1997/04/05 06:28:50 morgan
-# fakeroot
-#
-# Revision 1.6 1997/02/15 17:25:32 morgan
-# update for .56 . extra commands for new helper binary
-#
-# Revision 1.5 1997/01/04 20:39:08 morgan
-# conditional on having libpwdb
-#
-# Revision 1.4 1996/12/01 03:02:03 morgan
-# changed banner, removed linking libraries
-#
-# Revision 1.3 1996/11/10 20:14:42 morgan
-# cross platform support
-#
-# Revision 1.2 1996/09/05 06:36:49 morgan
-# options added and use of LD altered
-#
-# Revision 1.1 1996/08/29 13:23:29 morgan
-# Initial revision
-#
-#
diff --git a/contrib/libpam/modules/pam_pwdb/README b/contrib/libpam/modules/pam_pwdb/README
deleted file mode 100644
index 351a706..0000000
--- a/contrib/libpam/modules/pam_pwdb/README
+++ /dev/null
@@ -1,41 +0,0 @@
-This is the pam_unix module. It has been significantly rewritten since
-.51 was released (due mostly to the efforts of Cristian Gafton), and
-now takes more options and correctly updates vanilla UNIX/shadow/md5
-passwords.
-
-[Please read the source and make a note of all the warnings there, as
-the license suggests -- use at your own risk.]
-
-So far as I am concerned this module is now pretty stable. If you find
-any bugs, PLEASE tell me! <morgan@parc.power.net>
-
-Options recognized by this module are as follows:
-
- debug - log more debugging info
- audit - a little more extreme than debug
- use_first_pass - don't prompt the user for passwords
- take them from PAM_ items instead
- try_first_pass - don't prompt the user for the passwords
- unless PAM_(OLD)AUTHTOK is unset
- use_authtok - like try_first_pass, but *fail* if the new
- PAM_AUTHTOK has not been previously set.
- (intended for stacking password modules only)
- not_set_pass - don't set the PAM_ items with the passwords
- used by this module.
- shadow - try to maintian a shadow based system.
- unix - when changing passwords, they are placed
- in the /etc/passwd file
- md5 - when a user changes their password next,
- encrypt it with the md5 algorithm.
- bigcrypt - when a user changes their password next,
- excrypt it with the DEC C2-algorithm(0).
- nodelay - used to prevent failed authentication
- resulting in a delay of about 1 second.
-
-There is some support for building a shadow file on-the-fly from an
-/etc/passwd file. This is VERY alpha. If you want to play with it you
-should read the source to find the appropriate #define that you will
-need.
-
----------------------
-Andrew Morgan <morgan@parc.power.net>
diff --git a/contrib/libpam/modules/pam_pwdb/TODO b/contrib/libpam/modules/pam_pwdb/TODO
deleted file mode 100644
index 23eb4c1..0000000
--- a/contrib/libpam/modules/pam_pwdb/TODO
+++ /dev/null
@@ -1,34 +0,0 @@
-$Id: TODO,v 1.3 1996/11/10 21:03:21 morgan Exp $
-
- * get NIS working
- * .. including "nonis" argument
- * add helper binary
-
-Wed Sep 4 23:40:09 PDT 1996 Andrew G. Morgan
-
- * verify that it works for everyone
- * look more seriously at the issue of generating a shadow
- system on the fly
- * add some more password flavors
-
-Thu Aug 29 06:26:42 PDT 1996 Andrew G. Morgan
-
- * check that complete rewrite works! ;^)
- * complete shadow support to the password changing code.
- Also some code needed here for session managment?
- (both pam.conf argument to turn it on/off, and some
- conditional compilation.)
- * md5 passwords...
- * make the exclusive nature of the arguments work. That is,
- only recognize the flags when appropriate.
-
-Wed May 8 19:08:49 EDT 1996 Alexander O. Yuriev
-
- * support.c should go.
-
-Tue Apr 23 21:43:55 EDT 1996 Alexander O. Yuriev
-
- * pam_sm_chauth_tok() should be written
- * QUICK FIX: pam_sm_setcred() probably returns incorrect error code
-
-
diff --git a/contrib/libpam/modules/pam_pwdb/bigcrypt.-c b/contrib/libpam/modules/pam_pwdb/bigcrypt.-c
deleted file mode 100644
index 321f249..0000000
--- a/contrib/libpam/modules/pam_pwdb/bigcrypt.-c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * This function implements the "bigcrypt" algorithm specifically for
- * Linux-PAM.
- *
- * This algorithm is algorithm 0 (default) shipped with the C2 secure
- * implementation of Digital UNIX.
- *
- * Disclaimer: This work is not based on the source code to Digital
- * UNIX, nor am I connected to Digital Equipment Corp, in any way
- * other than as a customer. This code is based on published
- * interfaces and reasonable guesswork.
- *
- * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8
- * characters or less. Each block is encrypted using the standard UNIX
- * libc crypt function. The result of the encryption for one block
- * provides the salt for the suceeding block.
- *
- * Restrictions: The buffer used to hold the encrypted result is
- * statically allocated. (see MAX_PASS_LEN below). This is necessary,
- * as the returned pointer points to "static data that are overwritten
- * by each call", (XPG3: XSI System Interface + Headers pg 109), and
- * this is a drop in replacement for crypt();
- *
- * Andy Phillips <atp@mssl.ucl.ac.uk>
- */
-
-/*
- * Max cleartext password length in segments of 8 characters this
- * function can deal with (16 segments of 8 chars= max 128 character
- * password).
- */
-
-#define MAX_PASS_LEN 16
-#define SEGMENT_SIZE 8
-#define SALT_SIZE 2
-#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE)
-#define ESEGMENT_SIZE 11
-#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1)
-
-static char *bigcrypt(const char *key, const char *salt)
-{
- static char dec_c2_cryptbuf[CBUF_SIZE]; /* static storage area */
-
- unsigned long int keylen,n_seg,j;
- char *cipher_ptr,*plaintext_ptr,*tmp_ptr,*salt_ptr;
- char keybuf[KEYBUF_SIZE+1];
-
- D(("called with key='%s', salt='%s'.", key, salt));
-
- /* reset arrays */
- memset(keybuf, 0, KEYBUF_SIZE+1);
- memset(dec_c2_cryptbuf, 0, CBUF_SIZE);
-
- /* fill KEYBUF_SIZE with key */
- strncpy(keybuf, key, KEYBUF_SIZE);
-
- /* deal with case that we are doing a password check for a
- conventially encrypted password: the salt will be
- SALT_SIZE+ESEGMENT_SIZE long. */
- if (strlen(salt) == (SALT_SIZE+ESEGMENT_SIZE))
- keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) */
-
- keylen = strlen(keybuf);
-
- if (!keylen) {
- n_seg = 1;
- } else {
- /* work out how many segments */
- n_seg = 1 + ((keylen-1)/SEGMENT_SIZE);
- }
-
- if (n_seg > MAX_PASS_LEN)
- n_seg = MAX_PASS_LEN; /* truncate at max length */
-
- /* set up some pointers */
- cipher_ptr = dec_c2_cryptbuf;
- plaintext_ptr = keybuf;
-
- /* do the first block with supplied salt */
- tmp_ptr = crypt(plaintext_ptr,salt); /* libc crypt() */
-
- /* and place in the static area */
- strncpy(cipher_ptr, tmp_ptr, 13);
- cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
- plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */
-
- /* change the salt (1st 2 chars of previous block) - this was found
- by dowsing */
-
- salt_ptr = cipher_ptr - ESEGMENT_SIZE;
-
- /* so far this is identical to "return crypt(key, salt);", if
- there is more than one block encrypt them... */
-
- if (n_seg > 1) {
- for (j=2; j <= n_seg; j++) {
-
- tmp_ptr = crypt(plaintext_ptr, salt_ptr);
-
- /* skip the salt for seg!=0 */
- strncpy(cipher_ptr, (tmp_ptr+SALT_SIZE), ESEGMENT_SIZE);
-
- cipher_ptr += ESEGMENT_SIZE;
- plaintext_ptr += SEGMENT_SIZE;
- salt_ptr = cipher_ptr - ESEGMENT_SIZE;
- }
- }
-
- D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf));
-
- /* this is the <NUL> terminated encrypted password */
-
- return dec_c2_cryptbuf;
-}
diff --git a/contrib/libpam/modules/pam_pwdb/md5.c b/contrib/libpam/modules/pam_pwdb/md5.c
deleted file mode 100644
index fdfbdd8..0000000
--- a/contrib/libpam/modules/pam_pwdb/md5.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/* $Id: md5.c,v 1.1 1996/09/05 06:43:31 morgan Exp $
- *
- * This code implements the MD5 message-digest algorithm.
- * The algorithm is due to Ron Rivest. This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- *
- * $Log: md5.c,v $
- * Revision 1.1 1996/09/05 06:43:31 morgan
- * Initial revision
- *
- */
-
-#include <string.h>
-#include "md5.h"
-
-#ifndef HIGHFIRST
-#define byteReverse(buf, len) /* Nothing */
-#else
-void byteReverse(unsigned char *buf, unsigned longs);
-
-#ifndef ASM_MD5
-/*
- * Note: this code is harmless on little-endian machines.
- */
-void byteReverse(unsigned char *buf, unsigned longs)
-{
- uint32 t;
- do {
- t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
- ((unsigned) buf[1] << 8 | buf[0]);
- *(uint32 *) buf = t;
- buf += 4;
- } while (--longs);
-}
-#endif
-#endif
-
-/*
- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
- * initialization constants.
- */
-void MD5Init(struct MD5Context *ctx)
-{
- ctx->buf[0] = 0x67452301U;
- ctx->buf[1] = 0xefcdab89U;
- ctx->buf[2] = 0x98badcfeU;
- ctx->buf[3] = 0x10325476U;
-
- ctx->bits[0] = 0;
- ctx->bits[1] = 0;
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void MD5Update(struct MD5Context *ctx, unsigned const char *buf, unsigned len)
-{
- uint32 t;
-
- /* Update bitcount */
-
- t = ctx->bits[0];
- if ((ctx->bits[0] = t + ((uint32) len << 3)) < t)
- ctx->bits[1]++; /* Carry from low to high */
- ctx->bits[1] += len >> 29;
-
- t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */
-
- /* Handle any leading odd-sized chunks */
-
- if (t) {
- unsigned char *p = (unsigned char *) ctx->in + t;
-
- t = 64 - t;
- if (len < t) {
- memcpy(p, buf, len);
- return;
- }
- memcpy(p, buf, t);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
- buf += t;
- len -= t;
- }
- /* Process data in 64-byte chunks */
-
- while (len >= 64) {
- memcpy(ctx->in, buf, 64);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
- buf += 64;
- len -= 64;
- }
-
- /* Handle any remaining bytes of data. */
-
- memcpy(ctx->in, buf, len);
-}
-
-/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
- * 1 0* (64-bit count of bits processed, MSB-first)
- */
-void MD5Final(unsigned char digest[16], struct MD5Context *ctx)
-{
- unsigned count;
- unsigned char *p;
-
- /* Compute number of bytes mod 64 */
- count = (ctx->bits[0] >> 3) & 0x3F;
-
- /* Set the first char of padding to 0x80. This is safe since there is
- always at least one byte free */
- p = ctx->in + count;
- *p++ = 0x80;
-
- /* Bytes of padding needed to make 64 bytes */
- count = 64 - 1 - count;
-
- /* Pad out to 56 mod 64 */
- if (count < 8) {
- /* Two lots of padding: Pad the first block to 64 bytes */
- memset(p, 0, count);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
-
- /* Now fill the next block with 56 bytes */
- memset(ctx->in, 0, 56);
- } else {
- /* Pad block to 56 bytes */
- memset(p, 0, count - 8);
- }
- byteReverse(ctx->in, 14);
-
- /* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
-
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
- byteReverse((unsigned char *) ctx->buf, 4);
- memcpy(digest, ctx->buf, 16);
- memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
-}
-
-#ifndef ASM_MD5
-
-/* The four core functions - F1 is optimized somewhat */
-
-/* #define F1(x, y, z) (x & y | ~x & z) */
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-
-/* This is the central step in the MD5 algorithm. */
-#define MD5STEP(f, w, x, y, z, data, s) \
- ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
-
-/*
- * The core of the MD5 algorithm, this alters an existing MD5 hash to
- * reflect the addition of 16 longwords of new data. MD5Update blocks
- * the data and converts bytes into longwords for this routine.
- */
-void MD5Transform(uint32 buf[4], uint32 const in[16])
-{
- register uint32 a, b, c, d;
-
- a = buf[0];
- b = buf[1];
- c = buf[2];
- d = buf[3];
-
- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7);
- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12);
- MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17);
- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22);
- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7);
- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12);
- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17);
- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22);
- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7);
- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12);
- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17);
- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22);
- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7);
- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12);
- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17);
- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22);
-
- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5);
- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9);
- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14);
- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20);
- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5);
- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9);
- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14);
- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20);
- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5);
- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9);
- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14);
- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20);
- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5);
- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9);
- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14);
- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20);
-
- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4);
- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11);
- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16);
- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23);
- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4);
- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11);
- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16);
- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23);
- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4);
- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11);
- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16);
- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23);
- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4);
- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11);
- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16);
- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23);
-
- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6);
- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10);
- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15);
- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21);
- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6);
- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10);
- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15);
- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21);
- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6);
- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10);
- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15);
- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21);
- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6);
- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10);
- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15);
- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21);
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-#endif
diff --git a/contrib/libpam/modules/pam_pwdb/md5.h b/contrib/libpam/modules/pam_pwdb/md5.h
deleted file mode 100644
index 4949ade..0000000
--- a/contrib/libpam/modules/pam_pwdb/md5.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef MD5_H
-#define MD5_H
-
-#ifdef __alpha
-typedef unsigned int uint32;
-#else
-typedef unsigned long uint32;
-#endif
-
-struct MD5Context {
- uint32 buf[4];
- uint32 bits[2];
- unsigned char in[64];
-};
-
-void MD5Init(struct MD5Context *);
-void MD5Update(struct MD5Context *, unsigned const char *, unsigned);
-void MD5Final(unsigned char digest[16], struct MD5Context *);
-void MD5Transform(uint32 buf[4], uint32 const in[16]);
-int i64c(int i);
-
-char *crypt_md5(const char *pw, const char *salt);
-
-/*
-* This is needed to make RSAREF happy on some MS-DOS compilers.
-*/
-
-typedef struct MD5Context MD5_CTX;
-
-#endif /* MD5_H */
diff --git a/contrib/libpam/modules/pam_pwdb/md5_crypt.c b/contrib/libpam/modules/pam_pwdb/md5_crypt.c
deleted file mode 100644
index 88be13b..0000000
--- a/contrib/libpam/modules/pam_pwdb/md5_crypt.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* $Id: md5_crypt.c,v 1.1 1996/09/05 06:43:31 morgan Exp $
- *
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you think
- * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
- * ----------------------------------------------------------------------------
- *
- * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp
- *
- * $Log: md5_crypt.c,v $
- * Revision 1.1 1996/09/05 06:43:31 morgan
- * Initial revision
- *
- */
-
-#include <string.h>
-#include "md5.h"
-
-static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
- "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-static void
-to64(char *s, unsigned long v, int n)
-{
- while (--n >= 0) {
- *s++ = itoa64[v&0x3f];
- v >>= 6;
- }
-}
-
-/*
- * i64c - convert an integer to a radix 64 character
- */
-int i64c(int i)
-{
- if (i < 0)
- return ('.');
- else if (i > 63)
- return ('z');
- if (i == 0)
- return ('.');
- if (i == 1)
- return ('/');
- if (i >= 2 && i <= 11)
- return ('0' - 2 + i);
- if (i >= 12 && i <= 37)
- return ('A' - 12 + i);
- if (i >= 38 && i <= 63)
- return ('a' - 38 + i);
- return ('\0');
-}
-
-/*
- * UNIX password
- *
- * Use MD5 for what it is best at...
- */
-
-char * crypt_md5(const char *pw, const char *salt)
-{
- const char *magic = "$1$";
- /* This string is magic for this algorithm. Having
- * it this way, we can get get better later on */
- static char passwd[120], *p;
- static const char *sp,*ep;
- unsigned char final[16];
- int sl,pl,i,j;
- MD5_CTX ctx,ctx1;
- unsigned long l;
-
- /* Refine the Salt first */
- sp = salt;
-
- /* If it starts with the magic string, then skip that */
- if(!strncmp(sp,magic,strlen(magic)))
- sp += strlen(magic);
-
- /* It stops at the first '$', max 8 chars */
- for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++)
- continue;
-
- /* get the length of the true salt */
- sl = ep - sp;
-
- MD5Init(&ctx);
-
- /* The password first, since that is what is most unknown */
- MD5Update(&ctx,(unsigned const char *)pw,strlen(pw));
-
- /* Then our magic string */
- MD5Update(&ctx,(unsigned const char *)magic,strlen(magic));
-
- /* Then the raw salt */
- MD5Update(&ctx,(unsigned const char *)sp,sl);
-
- /* Then just as many characters of the MD5(pw,salt,pw) */
- MD5Init(&ctx1);
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Update(&ctx1,(unsigned const char *)sp,sl);
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Final(final,&ctx1);
- for(pl = strlen(pw); pl > 0; pl -= 16)
- MD5Update(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl);
-
- /* Don't leave anything around in vm they could use. */
- memset(final,0,sizeof final);
-
- /* Then something really weird... */
- for (j=0,i = strlen(pw); i ; i >>= 1)
- if(i&1)
- MD5Update(&ctx, (unsigned const char *)final+j, 1);
- else
- MD5Update(&ctx, (unsigned const char *)pw+j, 1);
-
- /* Now make the output string */
- strcpy(passwd,magic);
- strncat(passwd,sp,sl);
- strcat(passwd,"$");
-
- MD5Final(final,&ctx);
-
- /*
- * and now, just to make sure things don't run too fast
- * On a 60 Mhz Pentium this takes 34 msec, so you would
- * need 30 seconds to build a 1000 entry dictionary...
- */
- for(i=0;i<1000;i++) {
- MD5Init(&ctx1);
- if(i & 1)
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- else
- MD5Update(&ctx1,(unsigned const char *)final,16);
-
- if(i % 3)
- MD5Update(&ctx1,(unsigned const char *)sp,sl);
-
- if(i % 7)
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
-
- if(i & 1)
- MD5Update(&ctx1,(unsigned const char *)final,16);
- else
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Final(final,&ctx1);
- }
-
- p = passwd + strlen(passwd);
-
- l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
- l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
- l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
- l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
- l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
- l = final[11] ; to64(p,l,2); p += 2;
- *p = '\0';
-
- /* Don't leave anything around in vm they could use. */
- memset(final,0,sizeof final);
-
- return passwd;
-}
-
diff --git a/contrib/libpam/modules/pam_pwdb/pam_pwdb.c b/contrib/libpam/modules/pam_pwdb/pam_pwdb.c
deleted file mode 100644
index a612f74..0000000
--- a/contrib/libpam/modules/pam_pwdb/pam_pwdb.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/*
- * $Id: pam_pwdb.c,v 1.3 1997/01/04 20:38:33 morgan Exp morgan $
- *
- * This is the single file that will be compiled for pam_unix.
- * it includes each of the modules that have beed defined in the .-c
- * files in this directory.
- *
- * It is a little ugly to do it this way, but it is a simple way of
- * defining static functions only once, and yet keeping the separate
- * files modular. If you can think of something better, please email
- * Andrew Morgan <morgan@linux.kernel.org>
- *
- * See the end of this file for Copyright information.
- */
-
-/*
- * $Log: pam_pwdb.c,v $
- * Revision 1.3 1997/01/04 20:38:33 morgan
- * this is not the unix module!
- *
- * Revision 1.2 1996/12/01 03:03:43 morgan
- * debugging code uses _pam_malloc
- *
- * Revision 1.1 1996/11/10 21:21:24 morgan
- * Initial revision
- *
- * Revision 1.3 1996/09/05 06:44:33 morgan
- * more debugging, fixed static structure name
- *
- * Revision 1.2 1996/09/01 01:05:12 morgan
- * Cristian Gafton's patches.
- *
- * Revision 1.1 1996/08/29 13:22:19 morgan
- * Initial revision
- *
- */
-
-static const char rcsid[] =
-"$Id: pam_pwdb.c,v 1.3 1997/01/04 20:38:33 morgan Exp morgan $\n"
-" - PWDB Pluggable Authentication module. <morgan@linux.kernel.org>"
-;
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <sys/types.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <errno.h>
-#include <string.h>
-#include <syslog.h>
-#include <time.h> /* for time() */
-#include <fcntl.h>
-#include <ctype.h>
-
-#define _SVID_SOURCE
-#define __USE_BSD
-#define _BSD_COMPAT
-#include <sys/time.h>
-#include <unistd.h>
-
-#include <pwdb/pwdb_public.h>
-
-/* indicate the following groups are defined */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/_pam_macros.h>
-#include <security/pam_modules.h>
-
-#ifndef LINUX_PAM
-#include <security/pam_appl.h>
-#endif /* LINUX_PAM */
-
-#include "./support.-c"
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * authentication module.
- */
-
-#include "./pam_unix_auth.-c"
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_auth( pamh, ctrl );
- pwdb_end();
-
- return retval;
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_set_credentials(pamh, ctrl) ;
- pwdb_end();
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * account management module.
- */
-
-#include "./pam_unix_acct.-c"
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_acct_mgmt(pamh, ctrl);
- pwdb_end();
-
- D(("done."));
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * session module.
- */
-
-#include "./pam_unix_sess.-c"
-
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_open_session(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_close_session(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * password changing module.
- */
-
-#include "./pam_unix_passwd.-c"
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_chauthtok(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-/* static module data */
-
-#ifdef PAM_STATIC
-struct pam_module _pam_pwdb_modstruct = {
- "pam_pwdb",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
-
-/*
- * Copyright (c) Andrew G. Morgan, 1996. All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c
deleted file mode 100644
index dbd1385..0000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c
+++ /dev/null
@@ -1,292 +0,0 @@
-/*
- * $Id: pam_unix_acct.-c,v 1.6 1997/01/04 20:37:15 morgan Exp morgan $
- *
- * $Log: pam_unix_acct.-c,v $
- * Revision 1.6 1997/01/04 20:37:15 morgan
- * extra debugging
- *
- * Revision 1.5 1996/12/01 03:05:54 morgan
- * debugging with _pam_macros.h
- *
- * Revision 1.4 1996/11/10 21:03:57 morgan
- * pwdb conversion
- *
- * Revision 1.3 1996/09/05 06:45:45 morgan
- * tidied shadow acct management
- *
- * Revision 1.2 1996/09/01 01:13:14 morgan
- * Cristian Gafton's patches
- *
- * Revision 1.1 1996/08/29 13:27:51 morgan
- * Initial revision
- *
- *
- * See end of file for copyright information
- */
-
-static const char rcsid_acct[] =
-"$Id: pam_unix_acct.-c,v 1.6 1997/01/04 20:37:15 morgan Exp morgan $\n"
-" - PAM_PWDB account management <gafton@redhat.com>";
-
-/* the shadow suite has accout managment.. */
-
-static int _shadow_acct_mgmt_exp(pam_handle_t *pamh, unsigned int ctrl,
- const struct pwdb *pw, const char *uname)
-{
- const struct pwdb_entry *pwe = NULL;
- time_t curdays;
- int last_change, max_change;
- int retval;
-
- D(("called."));
-
- /* Now start the checks */
-
- curdays = time(NULL)/(60*60*24); /* today */
-
- /* First: has account expired ? (CG)
- * - expire < curdays
- * - or (last_change + max_change + defer_change) < curdays
- * - in both cases, deny access
- */
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "expire", &pwe);
- if (retval == PWDB_SUCCESS) {
- int expire;
-
- expire = *( (const int *) pwe->value );
- (void) pwdb_entry_delete(&pwe); /* no longer needed */
-
- if ((curdays > expire) && (expire > 0)) {
-
- _log_err(LOG_NOTICE
- , "acct: account %s has expired (account expired)"
- , uname);
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "Your account has expired; "
- "please contact your system administrator");
-
- D(("account expired"));
- return PAM_ACCT_EXPIRED;
- }
- }
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "last_change", &pwe);
- if ( retval == PWDB_SUCCESS ) {
- last_change = *( (const int *) pwe->value );
- } else {
- last_change = curdays;
- }
- (void) pwdb_entry_delete(&pwe);
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "max_change", &pwe);
- if ( retval == PWDB_SUCCESS ) {
- max_change = *( (const int *) pwe->value );
- } else {
- max_change = -1;
- }
- (void) pwdb_entry_delete(&pwe);
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "defer_change", &pwe);
- if (retval == PWDB_SUCCESS) {
- int defer_change;
-
- defer_change = *( (const int *) pwe->value );
- (void) pwdb_entry_delete(&pwe);
-
- if ((curdays > (last_change + max_change + defer_change))
- && (max_change != -1) && (defer_change != -1)
- && (last_change > 0)) {
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_NOTICE, "acct: account %s has expired "
- "(failed to change password)", uname);
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "Your password has expired; "
- "please see your system administrator");
-
- D(("account expired2"));
- return PAM_ACCT_EXPIRED;
- }
- }
-
- /* Now test if the password is expired, but the user still can
- * change their password. (CG)
- * - last_change = 0
- * - last_change + max_change < curdays
- */
-
- D(("when was the last change"));
- if (last_change == 0) {
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_NOTICE
- , "acct: expired password for user %s (root enforced)"
- , uname);
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "You are required to change your password immediately"
- );
-
- D(("need a new password"));
- return PAM_NEW_AUTHTOK_REQD;
- }
-
- if (((last_change + max_change) < curdays) &&
- (max_change < 99999) && (max_change > 0)) {
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_DEBUG
- , "acct: expired password for user %s (password aged)"
- , uname);
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "Your password has expired; please change it!");
-
- D(("need a new password 2"));
- return PAM_NEW_AUTHTOK_REQD;
- }
-
- /*
- * Now test if the password is about to expire (CG)
- * - last_change + max_change - curdays <= warn_change
- */
-
- retval = pwdb_get_entry(pw, "warn_change", &pwe);
- if ( retval == PWDB_SUCCESS ) {
- int warn_days, daysleft;
-
- daysleft = last_change + max_change - curdays;
- warn_days = *((const int *) pwe->value);
- (void) pwdb_entry_delete(&pwe);
-
- if ((daysleft <= warn_days) && (warn_days > 0)) {
- char *s;
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_DEBUG
- , "acct: password for user %s will expire in %d days"
- , uname, daysleft);
- }
-
-#define LocalComment "Warning: your password will expire in %d day%s"
- if ((s = (char *) malloc(30+sizeof(LocalComment))) == NULL) {
- _log_err(LOG_CRIT, "malloc failure in " __FILE__);
- retval = PAM_BUF_ERR;
- } else {
-
- sprintf(s, LocalComment, daysleft, daysleft == 1 ? "":"s");
-
- make_remark(pamh, ctrl, PAM_TEXT_INFO, s);
- free(s);
- }
-#undef LocalComment
- }
- } else {
- retval = PAM_SUCCESS;
- }
-
- D(("all done"));
- return retval;
-}
-
-
-/*
- * this function checks for the account details. The user may not be
- * permitted to log in at this time etc.. Within the context of
- * vanilla Unix, this function simply does nothing. The shadow suite
- * added password/account expiry, but PWDB takes care of this
- * transparently.
- */
-
-static int _unix_acct_mgmt(pam_handle_t *pamh, unsigned int ctrl)
-{
- const struct pwdb *pw = NULL;
-
- char *uname=NULL;
- int retval;
-
- D(("called."));
-
- /* identify user */
-
- retval = pam_get_item(pamh,PAM_USER,(const void **)&uname);
- D(("user = `%s'", uname));
- if (retval != PAM_SUCCESS || uname == NULL) {
- _log_err(LOG_ALERT
- , "acct; could not identify user (from uid=%d)"
- , getuid());
- return PAM_USER_UNKNOWN;
- }
-
- /* get database information for user */
-
- retval = pwdb_locate("user", PWDB_DEFAULT, uname, PWDB_ID_UNKNOWN, &pw);
- if (retval != PWDB_SUCCESS || pw == NULL) {
-
- _log_err(LOG_ALERT, "acct; %s (%s from uid=%d)"
- , pwdb_strerror(retval), uname, getuid());
- if ( pw ) {
- (void) pwdb_delete(&pw);
- }
- return PAM_USER_UNKNOWN;
- }
-
- /* now check the user's times etc.. */
-
- retval = _shadow_acct_mgmt_exp(pamh, ctrl, pw, uname);
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "expiry check failed for '%s'", uname);
- }
-
- /* Done with pw */
-
- (void) pwdb_delete(&pw);
-
- /* all done */
-
- D(("done."));
- return retval;
-}
-
-/*
- * Copyright (c) Elliot Lee, 1996.
- * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996.
- * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c
deleted file mode 100644
index 4a1eed0..0000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * $Id: pam_unix_auth.-c,v 1.4 1996/12/01 03:05:54 morgan Exp $
- *
- * $Log: pam_unix_auth.-c,v $
- * Revision 1.4 1996/12/01 03:05:54 morgan
- * debugging with _pam_macros.h
- *
- * Revision 1.3 1996/11/10 21:04:29 morgan
- * pwdb conversion
- *
- * Revision 1.2 1996/09/05 06:46:53 morgan
- * fixed comments. Added check for null passwd.
- * changed data item name
- *
- * Revision 1.1 1996/08/29 13:27:51 morgan
- * Initial revision
- *
- * See end of file for Copyright information.
- */
-
-static const char rcsid_auth[] =
-"$Id: pam_unix_auth.-c,v 1.4 1996/12/01 03:05:54 morgan Exp $: pam_unix_auth.-c,v 1.2 1996/09/05 06:46:53 morgan Exp morgan $\n"
-" - PAM_PWDB authentication functions. <morgan@parc.power.net>";
-
-/*
- * _unix_auth() is a front-end for UNIX/shadow authentication
- *
- * First, obtain the password from the user. Then use a
- * routine in 'support.-c' to authenticate the user.
- */
-
-#define _UNIX_AUTHTOK "-UN*X-PASS"
-
-static int _unix_auth(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- const char *name, *p;
-
- D(("called."));
-
- /* get the user'name' */
-
- retval = _unix_get_user(pamh, ctrl, NULL, &name);
- if (retval != PAM_SUCCESS ) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_DEBUG, "auth could not identify user");
- }
- return retval;
- }
-
- /* if this user does not have a password... */
-
- if ( _unix_blankpasswd(ctrl, name) ) {
- D(("user '%s' has blank passwd", name));
- name = NULL;
- return PAM_SUCCESS;
- }
-
- /* get this user's authentication token */
-
- retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL
- , _UNIX_AUTHTOK, &p);
- if (retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "auth could not identify password for [%s]"
- , name);
- name = NULL;
- return retval;
- }
-
- /* verify the password of this user */
-
- retval = _unix_verify_password(pamh, name, p, ctrl);
- name = p = NULL;
-
- return retval;
-}
-
-/*
- * This function is for setting unix credentials. Sun has indicated
- * that there are *NO* authentication credentials for unix. The
- * obvious credentials would be the group membership of the user as
- * listed in the /etc/group file. However, Sun indicates that it is
- * the responsibility of the application to set these.
- */
-
-static int _unix_set_credentials(pam_handle_t *pamh, unsigned int ctrl)
-{
- D(("called <empty function> returning."));
-
- return PAM_SUCCESS;
-}
-
-/********************************************************************
- * Copyright (c) Alexander O. Yuriev, 1996.
- * Copyright (c) Andrew G. Morgan <morgan@parc.power.net> 1996
- * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996, 1997
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c
deleted file mode 100644
index cd90b0f..0000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * This function is a front-end for the message digest algorithms used
- * to compute the user's encrypted passwords. No reversible encryption
- * is used here and I intend to keep it that way.
- *
- * While there are many sources of encryption outside the United
- * States, it *may* be illegal to re-export reversible encryption
- * computer code. Until such time as it is legal to export encryption
- * software freely from the US, please do not send me any. (AGM)
- */
-
-/* this should have been defined in a header file.. Why wasn't it? AGM */
-extern char *crypt(const char *key, const char *salt);
-
-#include "md5.h"
-#include "bigcrypt.-c"
-
-struct cfns {
- const char *salt;
- int len;
- char * (* mdfn)(const char *key, const char *salt);
-};
-
-/* array of non-standard digest algorithms available */
-
-#define N_MDS 1
-const static struct cfns cfn_list[N_MDS] = {
- { "$1$", 3, crypt_md5 },
-};
-
-static char *_pam_md(const char *key, const char *salt)
-{
- char *x,*e=NULL;
- int i;
-
- D(("called with key='%s', salt='%s'", key, salt));
-
- /* check for non-standard salts */
-
- for (i=0; i<N_MDS; ++i) {
- if ( !strncmp(cfn_list[i].salt, salt, cfn_list[i].len) ) {
- e = cfn_list[i].mdfn(key, salt);
- break;
- }
- }
-
- if ( i >= N_MDS ) {
- e = bigcrypt(key, salt); /* (defaults to standard algorithm) */
- }
-
- x = x_strdup(e); /* put e in malloc()ed memory */
- _pam_overwrite(e); /* clean up */
- return x; /* this must be deleted elsewhere */
-}
-
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c
deleted file mode 100644
index 402f7f3..0000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c
+++ /dev/null
@@ -1,371 +0,0 @@
-/* $Id: pam_unix_passwd.-c,v 1.6 1997/04/05 06:31:06 morgan Exp morgan $ */
-
-/*
- * $Log: pam_unix_passwd.-c,v $
- * Revision 1.6 1997/04/05 06:31:06 morgan
- * mostly a reformat.
- *
- * Revision 1.5 1996/12/01 03:05:54 morgan
- * debugging with _pam_macros.h
- *
- * Revision 1.4 1996/11/10 21:04:51 morgan
- * pwdb conversion
- *
- * Revision 1.3 1996/09/05 06:48:15 morgan
- * A lot has changed. I'd recommend you study the diff.
- *
- * Revision 1.2 1996/09/01 16:33:27 morgan
- * Cristian Gafton's changes
- *
- * Revision 1.1 1996/08/29 13:21:27 morgan
- * Initial revision
- *
- */
-
-static const char rcsid_pass[] =
-"$Id: pam_unix_passwd.-c,v 1.6 1997/04/05 06:31:06 morgan Exp morgan $\n"
-" - PAM_PWDB password module <morgan@parc.power.net>"
-;
-
-#include "pam_unix_pwupd.-c"
-
-/* passwd/salt conversion macros */
-
-#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.')
-#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')
-
-/* data tokens */
-
-#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS"
-#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS"
-
-/* Implementation */
-
-/*
- * FUNCTION: _pam_unix_chauthtok()
- *
- * this function works in two passes. The first, when UNIX__PRELIM is
- * set, obtains the previous password. It sets the PAM_OLDAUTHTOK item
- * or stores it as a data item. The second function obtains a new
- * password (verifying if necessary, that the user types it the same a
- * second time.) depending on the 'ctrl' flags this new password may
- * be stored in the PAM_AUTHTOK item or a private data item.
- *
- * Having obtained a new password. The function updates the
- * /etc/passwd (and optionally the /etc/shadow) file(s).
- *
- * Provision is made for the creation of a blank shadow file if none
- * is available, but one is required to update the shadow file -- the
- * intention being for shadow passwords to be seamlessly implemented
- * from the generic UNIX scheme. -- THIS BIT IS PRE-ALPHA.. and included
- * in this release (.52) mostly for the purpose of discussion.
- */
-
-static int _unix_chauthtok(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- unsigned int lctrl;
-
- /* <DO NOT free() THESE> */
- const char *user;
- const char *pass_old, *pass_new;
- /* </DO NOT free() THESE> */
-
- D(("called"));
-
- /*
- * First get the name of a user
- */
-
- retval = _unix_get_user( pamh, ctrl, "Username: ", &user );
- if ( retval != PAM_SUCCESS ) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_DEBUG, "password - could not identify user");
- }
- return retval;
- }
-
- if ( on(UNIX__PRELIM, ctrl) ) {
- /*
- * obtain and verify the current password (OLDAUTHTOK) for
- * the user.
- */
-
- char *Announce;
-
- D(("prelim check"));
-
- if ( _unix_blankpasswd(ctrl, user) ) {
-
- return PAM_SUCCESS;
-
- } else if ( off(UNIX__IAMROOT, ctrl) ) {
-
- /* instruct user what is happening */
-#define greeting "Changing password for "
- Announce = (char *) malloc(sizeof(greeting)+strlen(user));
- if (Announce == NULL) {
- _log_err(LOG_CRIT, "password - out of memory");
- return PAM_BUF_ERR;
- }
- (void) strcpy(Announce, greeting);
- (void) strcpy(Announce+sizeof(greeting)-1, user);
-#undef greeting
-
- lctrl = ctrl;
- set(UNIX__OLD_PASSWD, lctrl);
- retval = _unix_read_password( pamh, lctrl
- , Announce
- , "(current) UNIX password: "
- , NULL
- , _UNIX_OLD_AUTHTOK
- , &pass_old );
- free(Announce);
-
- if ( retval != PAM_SUCCESS ) {
- _log_err(LOG_NOTICE
- , "password - (old) token not obtained");
- return retval;
- }
-
- /* verify that this is the password for this user */
-
- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
- } else {
- D(("process run by root so do nothing this time around"));
- pass_old = NULL;
- retval = PAM_SUCCESS; /* root doesn't have too */
- }
-
- if ( retval != PAM_SUCCESS ) {
- D(("Authentication failed"));
- pass_old = NULL;
- return retval;
- }
-
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
- pass_old = NULL;
- if ( retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
- }
-
- } else if ( on( UNIX__UPDATE, ctrl ) ) {
- /* tpass is used below to store the _pam_md() return; it
- * should be _pam_delete()'d. */
-
- char *tpass=NULL;
-
- /*
- * obtain the proposed password
- */
-
- D(("do update"));
-
- /*
- * get the old token back. NULL was ok only if root [at this
- * point we assume that this has already been enforced on a
- * previous call to this function].
- */
-
- if ( off(UNIX_NOT_SET_PASS, ctrl) ) {
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK
- , (const void **)&pass_old);
- } else {
- retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK
- , (const void **)&pass_old);
- if (retval == PAM_NO_MODULE_DATA) {
- retval = PAM_SUCCESS;
- pass_old = NULL;
- }
- }
-
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "user not authenticated");
- return retval;
- }
-
- D(("get new password now"));
-
- lctrl = ctrl;
-
- /*
- * use_authtok is to force the use of a previously entered
- * password -- needed for pluggable password strength checking
- */
-
- if ( on(UNIX_USE_AUTHTOK, lctrl) ) {
- set(UNIX_USE_FIRST_PASS, lctrl);
- }
-
- retval = _unix_read_password( pamh, lctrl
- , NULL
- , "Enter new UNIX password: "
- , "Retype new UNIX password: "
- , _UNIX_NEW_AUTHTOK
- , &pass_new );
-
- if ( retval != PAM_SUCCESS ) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_ALERT
- , "password - new password not obtained");
- }
- pass_old = NULL; /* tidy up */
- return retval;
- }
-
- D(("returned to _unix_chauthtok"));
-
- /*
- * At this point we know who the user is and what they
- * propose as their new password. Verify that the new
- * password is acceptable.
- */
-
- if (pass_new[0] == '\0') { /* "\0" password = NULL */
- pass_new = NULL;
- }
-
- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
-
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "new password not acceptable");
- pass_new = pass_old = NULL; /* tidy up */
- return retval;
- }
-
- /*
- * By reaching here we have approved the passwords and must now
- * rebuild the password database file.
- */
-
- /*
- * First we encrypt the new password.
- *
- * XXX - this is where we might need some code for RADIUS types
- * of password handling... no encryption needed..
- */
-
- if ( on(UNIX_MD5_PASS, ctrl) ) {
-
- /*
- * Code lifted from Marek Michalkiewicz's shadow suite. (CG)
- * removed use of static variables (AGM)
- */
-
- struct timeval tv;
- MD5_CTX ctx;
- unsigned char result[16];
- char *cp = (char *)result;
- unsigned char tmp[16];
- int i;
-
- MD5Init(&ctx);
- gettimeofday(&tv, (struct timezone *) 0);
- MD5Update(&ctx, (void *) &tv, sizeof tv);
- i = getpid();
- MD5Update(&ctx, (void *) &i, sizeof i);
- i = clock();
- MD5Update(&ctx, (void *) &i, sizeof i);
- MD5Update(&ctx, result, sizeof result);
- MD5Final(tmp, &ctx);
- strcpy(cp, "$1$"); /* magic for the MD5 */
- cp += strlen(cp);
- for (i = 0; i < 8; i++)
- *cp++ = i64c(tmp[i] & 077);
- *cp = '\0';
-
- /* no longer need cleartext */
- pass_new = tpass = _pam_md(pass_new, (const char *)result);
-
- } else {
- /*
- * Salt manipulation is stolen from Rick Faith's passwd
- * program. Sorry Rick :) -- alex
- */
-
- time_t tm;
- char salt[3];
-
- time(&tm);
- salt[0] = bin_to_ascii(tm & 0x3f);
- salt[1] = bin_to_ascii((tm >> 6) & 0x3f);
- salt[2] = '\0';
-
- if ( off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8 ) {
- /* to avoid using the _extensions_ of the bigcrypt()
- function we truncate the newly entered password */
- char *temp = malloc(9);
-
- if (temp == NULL) {
- _log_err(LOG_CRIT, "out of memory for password");
- pass_new = pass_old = NULL; /* tidy up */
- return PAM_BUF_ERR;
- }
-
- /* copy first 8 bytes of password */
- strncpy(temp, pass_new, 8);
- temp[8] = '\0';
-
- /* no longer need cleartext */
- pass_new = tpass = _pam_md( temp, salt );
-
- _pam_delete(temp); /* tidy up */
- } else {
- /* no longer need cleartext */
- pass_new = tpass = _pam_md( pass_new, salt );
- }
- }
-
- D(("password processed"));
-
- /* update the password database(s) -- race conditions..? */
-
- retval = unix_update_db(pamh, ctrl, user, pass_old, pass_new);
- pass_old = pass_new = NULL;
-
- } else { /* something has broken with the module */
-
- _log_err(LOG_ALERT, "password received unknown request");
- retval = PAM_ABORT;
-
- }
-
- return retval;
-}
-
-/* ******************************************************************
- * Copyright (c) Alexander O. Yuriev (alex@bach.cis.temple.edu), 1996.
- * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996, 1997.
- * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c
deleted file mode 100644
index d50031d..0000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * $Id: pam_unix_pwupd.-c,v 1.4 1997/01/04 20:35:32 morgan Exp morgan $
- *
- * This file contains the routines to update the passwd databases.
- *
- * $Log: pam_unix_pwupd.-c,v $
- * Revision 1.4 1997/01/04 20:35:32 morgan
- * minor comment change
- *
- * Revision 1.3 1996/12/01 03:05:54 morgan
- * debugging with _pam_macros.h
- *
- * Revision 1.2 1996/11/10 21:05:09 morgan
- * pwdb conversion
- *
- *
- */
-
-/* Implementation */
-
-static int unix_update_db(pam_handle_t *pamh, int ctrl, const char *user,
- const char *pass_old, const char *pass_new)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- pwdb_flag flag;
- int retval, i;
-
- D(("called."));
-
- /* obtain default user record */
-
- retval = pwdb_locate("user", PWDB_DEFAULT, user, PWDB_ID_UNKNOWN, &pw);
- if (retval == PWDB_PASS_PHRASE_REQD) {
- retval = pwdb_set_entry(pw, "pass_phrase"
- , pass_old, 1+strlen(pass_old)
- , NULL, NULL, 0);
- if (retval == PWDB_SUCCESS)
- retval = pwdb_locate("user", pw->source, user
- , PWDB_ID_UNKNOWN, &pw);
- }
- pass_old = NULL;
-
- if ( retval != PWDB_SUCCESS ) {
- _log_err(LOG_ALERT, "cannot identify user %s (uid=%d)"
- , user, getuid() );
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_USER_UNKNOWN;
- }
-
- /* check that we can update all of the default databases */
-
- retval = pwdb_flags("user", pw->source, &flag);
-
- if ( retval != PWDB_SUCCESS || ( pwdb_on(flag,PWDB_F_NOUPDATE) ) ) {
- _log_err(LOG_ERR, "cannot update default database for user %s"
- , user );
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_PERM_DENIED;
- }
-
- /* If there was one, we delete the "last_change" entry */
- retval = pwdb_get_entry(pw, "last_change", &pwe);
- if (retval == PWDB_SUCCESS) {
- (void) pwdb_entry_delete(&pwe);
- pwdb_set_entry(pw, "last_change", NULL, -1, NULL, NULL, 0);
- }
-
- /*
- * next check for pam.conf specified databases: shadow etc... [In
- * other words, pam.conf indicates which database the password is
- * to be subsequently placed in: this is password migration].
- */
-
- if ( on(UNIX__SET_DB, ctrl) ) {
- const char *db_token;
- pwdb_type pt = _PWDB_MAX_TYPES;
-
- if ( on(UNIX_UNIX, ctrl) ) {
- db_token = "U"; /* XXX - should be macro */
- pt = PWDB_UNIX;
- } else if ( on(UNIX_SHADOW, ctrl) ) {
- db_token = "x"; /* XXX - should be macro */
- pt = PWDB_SHADOW;
- } else if ( on(UNIX_RADIUS, ctrl) ) {
- db_token = "R"; /* XXX - is this ok? */
- pt = PWDB_RADIUS;
- } else {
- _log_err(LOG_ALERT
- , "cannot determine database to use for authtok");
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_ABORT; /* we're in trouble */
- }
-
- /*
- * Attempt to update the indicated database (only)
- */
-
- {
- pwdb_type tpt[2];
- tpt[0] = pt;
- tpt[1] = _PWDB_MAX_TYPES;
-
- /* Can we set entry in database? */
- retval = pwdb_flags("user", tpt, &flag);
- if (retval == PWDB_SUCCESS && !pwdb_on(flag,PWDB_F_NOUPDATE)) {
- /* YES. This database is available.. */
-
- /* Only update if it is not already in the default list */
- for (i=0; pw->source[i] != _PWDB_MAX_TYPES
- && pw->source[i] != pt ; ++i);
- if (pw->source[i] == _PWDB_MAX_TYPES) {
- const struct pwdb *tpw=NULL;
-
- /* copy database entry */
- if ((retval = pwdb_new(&tpw, 10)) != PWDB_SUCCESS
- || (retval = pwdb_merge(tpw, pw, PWDB_TRUE))
- != PWDB_SUCCESS) {
- _log_err(LOG_CRIT, "failed to obtain new pwdb: %s"
- , pwdb_strerror(retval));
- retval = PAM_ABORT;
- } else
- retval = PAM_SUCCESS;
-
- /* set db_token */
- if (retval == PAM_SUCCESS) {
- retval = pwdb_set_entry(tpw, "defer_pass", db_token
- , 1+strlen(db_token)
- , NULL, NULL, 0);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "set defer_pass -> %s"
- , pwdb_strerror(retval));
- retval = PAM_PERM_DENIED;
- } else
- retval = PAM_SUCCESS;
- }
-
- /* update specific database */
- if (retval == PAM_SUCCESS) {
- retval = pwdb_replace("user", tpt
- , user, PWDB_ID_UNKNOWN, &tpw);
- if (retval != PWDB_SUCCESS) {
- const char *service=NULL;
- (void) pam_get_item(pamh, PAM_SERVICE
- , (const void **)&service);
- _log_err(LOG_ALERT
- , "(%s) specified database failed: %s"
- , service
- , pwdb_strerror(retval));
- retval = PAM_PERM_DENIED;
- } else {
- retval = PAM_SUCCESS;
- }
- }
-
- /* clean up temporary pwdb */
- if (tpw)
- (void) pwdb_delete(&tpw);
- }
-
- /* we can properly adopt new defer_pass */
- if (retval == PAM_SUCCESS) {
- /* failing here will mean we go back to former
- password location */
- (void) pwdb_set_entry(pw, "defer_pass", db_token
- , 1+strlen(db_token), NULL, NULL, 0);
- }
- }
- }
- }
-
- /*
- * the password will now be placed in appropriate (perhaps original) db
- */
-
- retval = pwdb_get_entry(pw, "uid", &pwe);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "no uid!? (%s); %s", user, pwdb_strerror(retval));
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_USER_UNKNOWN;
- }
-
- /* insert the passwd into the 'pw' structure */
-
- retval = pwdb_set_entry(pw, "passwd", pass_new, 1+strlen(pass_new)
- , NULL, NULL, 0);
- pass_new = NULL;
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "set2 failed; %s", pwdb_strerror(retval));
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_AUTHTOK_LOCK_BUSY;
- }
-
- retval = pwdb_replace("user", pw->source, user
- , *((uid_t *)pwe->value), &pw);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "user (%s/%d) update failed; %s"
- , user, *((uid_t *)pwe->value), pwdb_strerror(retval));
- if (pw)
- (void) pwdb_delete(&pw);
- (void) pwdb_entry_delete(&pwe);
- return PAM_ABORT;
- }
-
- if (retval != PWDB_SUCCESS) {
-
- _log_err(LOG_ALERT, "user (%s/%d) update failed; %s"
- , user, *((uid_t *)pwe->value), pwdb_strerror(retval));
- retval = PAM_ABORT;
-
- } else {
- /* password updated */
-
- _log_err(LOG_INFO, "password for (%s/%d) changed by (%s/%d)"
- , user, *((uid_t *)pwe->value), getlogin(), getuid());
- retval = PAM_SUCCESS;
- }
-
- /* tidy up */
-
- (void) pwdb_entry_delete(&pwe);
- if (pw)
- (void) pwdb_delete(&pw);
-
- return retval;
-}
-
-/* ******************************************************************
- * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996,1997.
- * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997.
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c
deleted file mode 100644
index 49ce96c..0000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * $Id: pam_unix_sess.-c,v 1.4 1996/12/01 03:05:54 morgan Exp morgan $
- *
- * $Log: pam_unix_sess.-c,v $
- * Revision 1.4 1996/12/01 03:05:54 morgan
- * debugging with _pam_macros.h
- *
- * Revision 1.3 1996/11/10 21:05:33 morgan
- * pwdb conversion
- *
- * Revision 1.2 1996/09/05 06:49:02 morgan
- * more informative logging
- *
- * Revision 1.1 1996/08/29 13:27:51 morgan
- * Initial revision
- *
- *
- * See end for Copyright information
- */
-
-static const char rcsid_sess[] =
-"$Id: pam_unix_sess.-c,v 1.4 1996/12/01 03:05:54 morgan Exp morgan $\n"
-" - PAM_PWDB session management. morgan@parc.power.net";
-
-/* Define internal functions */
-
-static int _unix_open_session(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- char *user_name, *service;
-
- D(("called."));
-
- retval = pam_get_item( pamh, PAM_USER, (void *) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "open_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( service == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "open_session - error recovering service");
- return PAM_SESSION_ERR;
- }
-
- _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)"
- , service, user_name
- , getlogin() == NULL ? "":getlogin(), getuid() );
-
- return PAM_SUCCESS;
-}
-
-static int _unix_close_session(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- char *user_name, *service;
-
- D(("called."));
-
- retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "close_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( service == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "close_session - error recovering service");
- return PAM_SESSION_ERR;
- }
-
- _log_err(LOG_INFO, "(%s) session closed for user %s"
- , service, user_name );
-
- return PAM_SUCCESS;
-}
-
-/*
- * Copyright (c) Alexander O. Yuriev, 1996. All rights reserved.
- * Copyright (c) Andrew G. Morgan, 1996, <morgan@parc.power.net>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c b/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c
deleted file mode 100644
index 6332eaa..0000000
--- a/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * $Id: pwdb_chkpwd.c,v 1.1 1997/02/15 17:26:18 morgan Exp $
- *
- * This program is designed to run setuid(root) or with sufficient
- * privilege to read all of the unix password databases. It is designed
- * to provide a mechanism for the current user (defined by this
- * process' real uid) to verify their own password.
- *
- * The password is read from the standard input. The exit status of
- * this program indicates whether the user is authenticated or not.
- *
- * Copyright information is located at the end of the file.
- *
- * $Log: pwdb_chkpwd.c,v $
- * Revision 1.1 1997/02/15 17:26:18 morgan
- * Initial revision
- *
- * Revision 1.1 1996/11/10 21:20:51 morgan
- * Initial revision
- *
- */
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#include <security/_pam_macros.h>
-
-#define MAXPASS 200 /* the maximum length of a password */
-
-#define UNIX_PASSED (PWDB_SUCCESS)
-#define UNIX_FAILED (PWDB_SUCCESS+1)
-
-#include <pwdb/pwdb_public.h>
-
-/* syslogging function for errors and other information */
-
-static void _log_err(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("pwdb_chkpwd", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-#include "pam_unix_md.-c"
-
-static int _unix_verify_passwd(const char *salt, const char *p)
-{
- char *pp=NULL;
- int retval;
-
- if (p == NULL) {
- if (*salt == '\0') {
- retval = UNIX_PASSED;
- } else {
- retval = UNIX_FAILED;
- }
- } else {
- pp = _pam_md(p, salt);
- p = NULL; /* no longer needed here */
-
- if ( strcmp( pp, salt ) == 0 ) {
- retval = UNIX_PASSED;
- } else {
- retval = UNIX_FAILED;
- }
- }
-
- /* clean up */
- {
- char *tp = pp;
- if (pp != NULL) {
- while(tp && *tp)
- *tp++ = '\0';
- free(pp);
- pp = tp = NULL;
- }
- }
-
- return retval;
-}
-
-void main(void)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- char pass[MAXPASS+1];
- int npass;
- int retval=UNIX_FAILED;
-
- /*
- * we establish that this program is running with non-tty stdin.
- * this is to discourage casual use. It does *NOT* prevent an
- * intruder from repeatadly running this program to determine the
- * password of the current user (brute force attack, but one for
- * which the attacker must already have gained access to the user's
- * account).
- */
-
- if ( isatty(STDIN_FILENO) ) {
- _log_err(LOG_NOTICE
- , "inappropriate use of PWDB helper binary [UID=%d]"
- , getuid() );
- fprintf(stderr,
- "This program is not designed for running in this way\n"
- "-- the system administrator has been informed\n");
- exit(UNIX_FAILED);
- }
-
- /*
- * determine the current user's name:
- */
-
- retval = pwdb_start();
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "failed to open pwdb");
- retval = UNIX_FAILED;
- }
- if (retval != UNIX_FAILED) {
- retval = pwdb_locate("user", PWDB_DEFAULT, PWDB_NAME_UNKNOWN
- , getuid(), &pw);
- }
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "could not identify user");
- while (pwdb_end() != PWDB_SUCCESS);
- exit(UNIX_FAILED);
- }
-
- /* read the password from stdin (a pipe from the pam_pwdb module) */
-
- npass = read(STDIN_FILENO, pass, MAXPASS);
-
- if (npass < 0) { /* is it a valid password? */
- _log_err(LOG_DEBUG, "no password supplied");
- retval = UNIX_FAILED;
- } else if (npass >= MAXPASS-1) {
- _log_err(LOG_DEBUG, "password too long");
- retval = UNIX_FAILED;
- } else if (pwdb_get_entry(pw, "passwd", &pwe) != PWDB_SUCCESS) {
- _log_err(LOG_WARNING, "password not found");
- retval = UNIX_FAILED;
- } else {
- if (npass <= 0) {
- /* the password is NULL */
-
- retval = _unix_verify_passwd((const char *)(pwe->value), NULL);
- } else {
- /* does pass agree with the official one? */
-
- pass[npass] = '\0'; /* NUL terminate */
- retval = _unix_verify_passwd((const char *)(pwe->value), pass);
- }
- }
-
- memset(pass, '\0', MAXPASS); /* clear memory of the password */
- while (pwdb_end() != PWDB_SUCCESS);
-
- /* return pass or fail */
-
- exit(retval);
-}
-
-/*
- * Copyright (c) Andrew G. Morgan, 1997. All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/support.-c b/contrib/libpam/modules/pam_pwdb/support.-c
deleted file mode 100644
index 71e212d..0000000
--- a/contrib/libpam/modules/pam_pwdb/support.-c
+++ /dev/null
@@ -1,910 +0,0 @@
-/*
- * $Id: support.-c,v 1.7 1997/04/05 06:32:06 morgan Exp morgan $
- *
- * $Log: support.-c,v $
- * Revision 1.7 1997/04/05 06:32:06 morgan
- * new option and also deleted _readto
- *
- * Revision 1.6 1997/02/15 17:27:20 morgan
- * added helper binary to password checking
- *
- * Revision 1.5 1996/12/01 03:05:54 morgan
- * debugging with _pam_macros.h
- *
- * Revision 1.4 1996/11/10 21:06:07 morgan
- * pwdb conversion
- *
- * Copyright information at end of file.
- */
-
-/*
- * here is the string to inform the user that the new passwords they
- * typed were not the same.
- */
-
-#define MISTYPED_PASS "Sorry, passwords do not match"
-
-/* type definition for the control options */
-
-typedef struct {
- const char *token;
- unsigned int mask; /* shall assume 32 bits of flags */
- unsigned int flag;
-} UNIX_Ctrls;
-
-/*
- * macro to determine if a given flag is on
- */
-
-#define on(x,ctrl) (unix_args[x].flag & ctrl)
-
-/*
- * macro to determine that a given flag is NOT on
- */
-
-#define off(x,ctrl) (!on(x,ctrl))
-
-/*
- * macro to turn on/off a ctrl flag manually
- */
-
-#define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag)
-#define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag))
-
-/* the generic mask */
-
-#define _ALL_ON_ (~0U)
-
-/* end of macro definitions definitions for the control flags */
-
-/* ****************************************************************** *
- * ctrl flags proper..
- */
-
-/*
- * here are the various options recognized by the unix module. They
- * are enumerated here and then defined below. Internal arguments are
- * given NULL tokens.
- */
-
-#define UNIX__OLD_PASSWD 0 /* internal */
-#define UNIX__VERIFY_PASSWD 1 /* internal */
-#define UNIX__IAMROOT 2 /* internal */
-
-#define UNIX_AUDIT 3 /* print more things than debug..
- some information may be sensitive */
-#define UNIX_USE_FIRST_PASS 4
-#define UNIX_TRY_FIRST_PASS 5
-#define UNIX_NOT_SET_PASS 6 /* don't set the AUTHTOK items */
-
-#define UNIX__PRELIM 7 /* internal */
-#define UNIX__UPDATE 8 /* internal */
-#define UNIX__NONULL 9 /* internal */
-#define UNIX__QUIET 10 /* internal */
-#define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */
-#define UNIX_SHADOW 12 /* signal shadow on */
-#define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */
-#define UNIX__NULLOK 14 /* Null token ok */
-#define UNIX_RADIUS 15 /* wish to use RADIUS for password */
-#define UNIX__SET_DB 16 /* internal - signals redirect to db */
-#define UNIX_DEBUG 17 /* send more info to syslog(3) */
-#define UNIX_NODELAY 18 /* admin does not want a fail-delay */
-#define UNIX_UNIX 19 /* wish to use /etc/passwd for pwd */
-#define UNIX_BIGCRYPT 20 /* use DEC-C2 crypt()^x function */
-/* -------------- */
-#define UNIX_CTRLS_ 21 /* number of ctrl arguments defined */
-
-
-static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = {
-/* symbol token name ctrl mask ctrl *
- * ------------------ ------------------ -------------- ---------- */
-
-/* UNIX__OLD_PASSWD */ { NULL, _ALL_ON_, 01 },
-/* UNIX__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 },
-/* UNIX__IAMROOT */ { NULL, _ALL_ON_, 04 },
-/* UNIX_AUDIT */ { "audit", _ALL_ON_, 010 },
-/* UNIX_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(060), 020 },
-/* UNIX_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(060), 040 },
-/* UNIX_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 0100 },
-/* UNIX__PRELIM */ { NULL, _ALL_ON_^(0600), 0200 },
-/* UNIX__UPDATE */ { NULL, _ALL_ON_^(0600), 0400 },
-/* UNIX__NONULL */ { NULL, _ALL_ON_, 01000 },
-/* UNIX__QUIET */ { NULL, _ALL_ON_, 02000 },
-/* UNIX_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 04000 },
-/* UNIX_SHADOW */ { "shadow", _ALL_ON_^(0140000), 010000 },
-/* UNIX_MD5_PASS */ { "md5", _ALL_ON_^(02000000), 020000 },
-/* UNIX__NULLOK */ { "nullok", _ALL_ON_^(01000), 0 },
-/* UNIX_RADIUS */ { "radius", _ALL_ON_^(0110000), 040000 },
-/* UNIX__SET_DB */ { NULL, _ALL_ON_, 0100000 },
-/* UNIX_DEBUG */ { "debug", _ALL_ON_, 0200000 },
-/* UNIX_NODELAY */ { "nodelay", _ALL_ON_, 0400000 },
-/* UNIX_UNIX */ { "unix", _ALL_ON_^(050000), 01000000 },
-/* UNIX_BIGCRYPT */ { "bigcrypt", _ALL_ON_^(020000), 02000000 },
-};
-
-#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-
-/* syslogging function for errors and other information */
-
-static void _log_err(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM_pwdb", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* this is a front-end for module-application conversations */
-
-static int converse(pam_handle_t *pamh, int ctrl, int nargs
- , struct pam_message **message
- , struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- D(("begin to converse"));
-
- retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
- if ( retval == PAM_SUCCESS ) {
-
- retval = conv->conv(nargs, ( const struct pam_message ** ) message
- , response, conv->appdata_ptr);
-
- D(("returned from application's conversation function"));
-
- if (retval != PAM_SUCCESS && on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
- , pam_strerror(pamh, retval));
- }
-
- } else {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
- , pam_strerror(pamh, retval));
- }
-
- D(("ready to return from module conversation"));
-
- return retval; /* propagate error status */
-}
-
-static int make_remark(pam_handle_t *pamh, unsigned int ctrl
- , int type, const char *text)
-{
- int retval=PAM_SUCCESS;
-
- if ( off(UNIX__QUIET, ctrl) ) {
- struct pam_message *pmsg[1], msg[1];
- struct pam_response *resp;
-
- pmsg[0] = &msg[0];
- msg[0].msg = text;
- msg[0].msg_style = type;
-
- resp = NULL;
- retval = converse(pamh, ctrl, 1, pmsg, &resp);
-
- if (resp) {
- _pam_drop_reply(resp, 1);
- }
- }
- return retval;
-}
-
-/*
- * set the control flags for the UNIX module.
- */
-
-static int set_ctrl(int flags, int argc, const char **argv)
-{
- unsigned int ctrl;
-
- D(("called."));
-
- ctrl = UNIX_DEFAULTS; /* the default selection of options */
-
- /* set some flags manually */
-
- if ( getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK) ) {
- set(UNIX__IAMROOT, ctrl);
- }
- if ( flags & PAM_UPDATE_AUTHTOK ) {
- set(UNIX__UPDATE, ctrl);
- }
- if ( flags & PAM_PRELIM_CHECK ) {
- set(UNIX__PRELIM, ctrl);
- }
- if ( flags & PAM_DISALLOW_NULL_AUTHTOK ) {
- set(UNIX__NONULL, ctrl);
- }
- if ( flags & PAM_SILENT ) {
- set(UNIX__QUIET, ctrl);
- }
-
- /* now parse the arguments to this module */
-
- while (argc-- > 0) {
- int j;
-
- D(("pam_pwdb arg: %s",*argv));
-
- for (j=0; j<UNIX_CTRLS_; ++j) {
- if (unix_args[j].token
- && ! strcmp(*argv, unix_args[j].token) ) {
- break;
- }
- }
-
- if ( j >= UNIX_CTRLS_ ) {
- _log_err(LOG_ERR, "unrecognized option [%s]",*argv);
- } else {
- ctrl &= unix_args[j].mask; /* for turning things off */
- ctrl |= unix_args[j].flag; /* for turning things on */
- }
-
- ++argv; /* step to next argument */
- }
-
- /* these are used for updating passwords in specific places */
-
- if (on(UNIX_SHADOW,ctrl) || on(UNIX_RADIUS,ctrl) || on(UNIX_UNIX,ctrl)) {
- set(UNIX__SET_DB, ctrl);
- }
-
- /* auditing is a more sensitive version of debug */
-
- if ( on(UNIX_AUDIT,ctrl) ) {
- set(UNIX_DEBUG, ctrl);
- }
-
- /* return the set of flags */
-
- D(("done."));
- return ctrl;
-}
-
-/* use this to free strings. ESPECIALLY password strings */
-
-static char *_pam_delete(register char *xx)
-{
- _pam_overwrite(xx);
- _pam_drop(xx);
- return NULL;
-}
-
-static void _cleanup(pam_handle_t *pamh, void *x, int error_status)
-{
- x = _pam_delete( (char *) x );
-}
-
-/* ************************************************************** *
- * Useful non-trivial functions *
- * ************************************************************** */
-
-#include "pam_unix_md.-c"
-
-/*
- * the following is used to keep track of the number of times a user fails
- * to authenticate themself.
- */
-
-#define FAIL_PREFIX "-UN*X-FAIL-"
-#define UNIX_MAX_RETRIES 3
-
-struct _pam_failed_auth {
- char *user; /* user that's failed to be authenticated */
- char *name; /* attempt from user with name */
- int id; /* uid of name'd user */
- int count; /* number of failures so far */
-};
-
-#ifndef PAM_DATA_REPLACE
-#error "Need to get an updated libpam 0.52 or better"
-#endif
-
-static void _cleanup_failures(pam_handle_t *pamh, void *fl, int err)
-{
- int quiet;
- const char *service=NULL;
- struct _pam_failed_auth *failure;
-
- D(("called"));
-
- quiet = err & PAM_DATA_SILENT; /* should we log something? */
- err &= PAM_DATA_REPLACE; /* are we just replacing data? */
- failure = (struct _pam_failed_auth *) fl;
-
- if ( failure != NULL ) {
-
- if ( !quiet && !err ) { /* under advisement from Sun,may go away */
-
- /* log the number of authentication failures */
- if ( failure->count != 0 ) {
- (void) pam_get_item(pamh, PAM_SERVICE
- , (const void **)&service);
- _log_err(LOG_NOTICE
- , "%d authentication failure%s; %s(uid=%d) -> "
- "%s for %s service"
- , failure->count, failure->count==1 ? "":"s"
- , failure->name
- , failure->id
- , failure->user
- , service == NULL ? "**unknown**":service
- );
- if ( failure->count > UNIX_MAX_RETRIES ) {
- _log_err(LOG_ALERT
- , "service(%s) ignoring max retries; %d > %d"
- , service == NULL ? "**unknown**":service
- , failure->count
- , UNIX_MAX_RETRIES );
- }
- }
- }
- failure->user = _pam_delete(failure->user); /* tidy up */
- failure->name = _pam_delete(failure->name); /* tidy up */
- free(failure);
- }
-}
-
-/*
- * verify the password of a user
- */
-
-#include <sys/types.h>
-#include <sys/wait.h>
-
-static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd)
-{
- int retval, child, fds[2];
-
- D(("called."));
- /* create a pipe for the password */
- if (pipe(fds) != 0) {
- D(("could not make pipe"));
- return PAM_AUTH_ERR;
- }
-
- /* fork */
- child = fork();
- if (child == 0) {
- static char *args[] = { NULL, NULL };
- static char *envp[] = { NULL };
-
- /* XXX - should really tidy up PAM here too */
- while (pwdb_end() == PWDB_SUCCESS);
-
- /* reopen stdin as pipe */
- close(fds[1]);
- dup2(fds[0], STDIN_FILENO);
-
- /* exec binary helper */
- args[0] = x_strdup(CHKPWD_HELPER);
- execve(CHKPWD_HELPER, args, envp);
-
- /* should not get here: exit with error */
- D(("helper binary is not available"));
- exit(PWDB_SUCCESS+1);
- } else if (child > 0) {
- /* wait for child */
- close(fds[0]);
- if (passwd != NULL) { /* send the password to the child */
- write(fds[1], passwd, strlen(passwd)+1);
- passwd = NULL;
- } else {
- write(fds[1], "", 1); /* blank password */
- }
- close(fds[1]);
- (void) waitpid(child, &retval, 0); /* wait for helper to complete */
- retval = (retval == PWDB_SUCCESS) ? PAM_SUCCESS:PAM_AUTH_ERR;
- } else {
- D(("fork failed"));
- retval = PAM_AUTH_ERR;
- }
-
- D(("returning %d", retval));
- return retval;
-}
-
-static int _unix_verify_password(pam_handle_t *pamh, const char *name
- , const char *p, unsigned int ctrl)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
-
- const char *salt;
- char *pp;
- char *data_name;
- int retval;
-
- D(("called"));
-
-#ifdef HAVE_PAM_FAIL_DELAY
- if ( off(UNIX_NODELAY, ctrl) ) {
- D(("setting delay"));
- (void) pam_fail_delay(pamh, 1000000); /* 1 sec delay for on failure */
- }
-#endif
-
- /* locate the entry for this user */
-
- D(("locating user's record"));
- retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw);
- if (retval == PWDB_PASS_PHRASE_REQD) {
- /*
- * give the password to the pwdb library. It may be needed to
- * access the database
- */
-
- retval = pwdb_set_entry( pw, "pass_phrase", p, 1+strlen(p)
- , NULL, NULL, 0);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "find pass; %s", pwdb_strerror(retval));
- (void) pwdb_delete(&pw);
- p = NULL;
- return PAM_CRED_INSUFFICIENT;
- }
-
- retval = pwdb_locate("user", pw->source, name, PWDB_ID_UNKNOWN, &pw);
- }
-
- if (retval != PWDB_SUCCESS) {
- D(("user's record unavailable"));
- if ( on(UNIX_AUDIT, ctrl) ) {
- /* this might be a typo and the user has given a password
- instead of a username. Careful with this. */
- _log_err(LOG_ALERT, "check pass; user (%s) unknown", name);
- } else {
- _log_err(LOG_ALERT, "check pass; user unknown");
- }
- (void) pwdb_delete(&pw);
- p = NULL;
- return PAM_USER_UNKNOWN;
- }
-
- /*
- * courtesy of PWDB the password for the user is stored in
- * encrypted form in the "passwd" entry of pw.
- */
-
- retval = pwdb_get_entry(pw, "passwd", &pwe);
- if (retval != PWDB_SUCCESS) {
- if (geteuid()) {
- /* we are not root perhaps this is the reason? Run helper */
- D(("running helper binary"));
- retval = pwdb_run_helper_binary(pamh, p);
- } else {
- retval = PAM_AUTHINFO_UNAVAIL;
- _log_err(LOG_ALERT, "get passwd; %s", pwdb_strerror(retval));
- }
- (void) pwdb_delete(&pw);
- p = NULL;
- return retval;
- }
- salt = (const char *) pwe->value;
-
- /*
- * XXX: Cristian, the above is not the case for RADIUS(?) Some
- * lines should be added for RADIUS to verify the password in
- * clear text...
- */
-
- if ( ( !salt ) && ( !p ) ) {
-
- /* the stored password is NULL */
-
- (void) pwdb_entry_delete(&pwe);
- (void) pwdb_delete(&pw);
-
- if ( off(UNIX__NONULL, ctrl ) ) { /* this means we've succeeded */
- return PAM_SUCCESS;
- } else {
- return PAM_AUTH_ERR;
- }
- }
-
- pp = _pam_md(p, salt);
- p = NULL; /* no longer needed here */
-
- data_name = (char *) malloc(sizeof(FAIL_PREFIX)+strlen(name));
- if ( data_name == NULL ) {
- _log_err(LOG_CRIT, "no memory for data-name");
- }
- strcpy(data_name, FAIL_PREFIX);
- strcpy(data_name + sizeof(FAIL_PREFIX)-1, name);
-
- /* the moment of truth -- do we agree with the password? */
-
- if ( strcmp( pp, salt ) == 0 ) {
-
- retval = PAM_SUCCESS;
- if (data_name) { /* reset failures */
- pam_set_data(pamh, data_name, NULL, _cleanup_failures);
- }
-
- } else {
-
- retval = PAM_AUTH_ERR;
- if (data_name != NULL) {
- struct _pam_failed_auth *new=NULL;
- const struct _pam_failed_auth *old=NULL;
-
- /* get a failure recorder */
-
- new = (struct _pam_failed_auth *)
- malloc(sizeof(struct _pam_failed_auth));
-
- if (new != NULL) {
-
- /* any previous failures for this user ? */
- pam_get_data(pamh, data_name, (const void **)&old );
-
- if (old != NULL) {
- new->count = old->count +1;
- if (new->count >= UNIX_MAX_RETRIES) {
- retval = PAM_MAXTRIES;
- }
- } else {
- new->count = 1;
- }
- new->user = x_strdup(name);
- new->id = getuid();
- new->name = x_strdup(getlogin() ? getlogin():"" );
-
- pam_set_data(pamh, data_name, new, _cleanup_failures);
-
- } else {
- _log_err(LOG_CRIT, "no memory for failure recorder");
- }
- }
-
- }
-
- (void) pwdb_entry_delete(&pwe);
- (void) pwdb_delete(&pw);
- salt = NULL;
- _pam_delete(data_name);
- _pam_delete(pp);
-
- return retval;
-}
-
-/*
- * this function obtains the name of the current user and ensures
- * that the PAM_USER item is set to this value
- */
-
-static int _unix_get_user(pam_handle_t *pamh, unsigned int ctrl
- , const char *prompt, const char **user)
-{
- int retval;
-
- D(("called"));
-
- retval = pam_get_user(pamh, user, prompt);
- if (retval != PAM_SUCCESS) {
- D(("trouble reading username"));
- return retval;
- }
-
- /*
- * Various libraries at various times have had bugs related to
- * '+' or '-' as the first character of a user name. Don't take
- * any chances here. Require that the username starts with an
- * alphanumeric character.
- */
-
- if (!isalnum(**user)) {
- if (on(UNIX_DEBUG,ctrl) || **user) {
- _log_err(LOG_ERR, "bad username [%s]", *user);
- }
- return PAM_USER_UNKNOWN;
- }
-
- if (retval == PAM_SUCCESS && on(UNIX_DEBUG,ctrl)) {
- _log_err(LOG_DEBUG, "username [%s] obtained", *user);
- }
-
- return retval;
-}
-
-/*
- * _unix_blankpasswd() is a quick check for a blank password
- *
- * returns TRUE if user does not have a password
- * - to avoid prompting for one in such cases (CG)
- */
-
-static int _unix_blankpasswd(unsigned int ctrl, const char *name)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- int retval;
-
- D(("called"));
-
- /*
- * This function does not have to be too smart if something goes
- * wrong, return FALSE and let this case to be treated somewhere
- * else (CG)
- */
-
- if ( on(UNIX__NONULL, ctrl) )
- return 0; /* will fail but don't let on yet */
-
- /* find the user's database entry */
-
- retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw);
- if (retval != PWDB_SUCCESS || pw == NULL ) {
-
- retval = 0;
-
- } else {
-
- /* Does this user have a password? */
-
- retval = pwdb_get_entry(pw, "passwd", &pwe);
- if ( retval != PWDB_SUCCESS || pwe == NULL )
- retval = 0;
- else if ( pwe->value == NULL || ((char *)pwe->value)[0] == '\0' )
- retval = 1;
- else
- retval = 0;
-
- }
-
- /* tidy up */
-
- if ( pw ) {
- (void) pwdb_delete(&pw);
- if ( pwe )
- (void) pwdb_entry_delete(&pwe);
- }
-
- return retval;
-}
-
-/*
- * obtain a password from the user
- */
-
-static int _unix_read_password( pam_handle_t *pamh
- , unsigned int ctrl
- , const char *comment
- , const char *prompt1
- , const char *prompt2
- , const char *data_name
- , const char **pass )
-{
- int authtok_flag;
- int retval;
- const char *item;
- char *token;
-
- D(("called"));
-
- /*
- * make sure nothing inappropriate gets returned
- */
-
- *pass = token = NULL;
-
- /*
- * which authentication token are we getting?
- */
-
- authtok_flag = on(UNIX__OLD_PASSWD,ctrl) ? PAM_OLDAUTHTOK:PAM_AUTHTOK ;
-
- /*
- * should we obtain the password from a PAM item ?
- */
-
- if ( on(UNIX_TRY_FIRST_PASS,ctrl) || on(UNIX_USE_FIRST_PASS,ctrl) ) {
- retval = pam_get_item(pamh, authtok_flag, (const void **) &item);
- if (retval != PAM_SUCCESS ) {
- /* very strange. */
- _log_err(LOG_ALERT
- , "pam_get_item returned error to unix-read-password"
- );
- return retval;
- } else if (item != NULL) { /* we have a password! */
- *pass = item;
- item = NULL;
- return PAM_SUCCESS;
- } else if (on(UNIX_USE_FIRST_PASS,ctrl)) {
- return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
- } else if (on(UNIX_USE_AUTHTOK, ctrl)
- && off(UNIX__OLD_PASSWD, ctrl)) {
- return PAM_AUTHTOK_RECOVER_ERR;
- }
- }
-
- /*
- * getting here implies we will have to get the password from the
- * user directly.
- */
-
- {
- struct pam_message msg[3],*pmsg[3];
- struct pam_response *resp;
- int i, replies;
-
- /* prepare to converse */
-
- if ( comment != NULL && off(UNIX__QUIET, ctrl) ) {
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
- msg[0].msg = comment;
- i = 1;
- } else {
- i = 0;
- }
-
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt1;
- replies = 1;
-
- if ( prompt2 != NULL ) {
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt2;
- ++replies;
- }
-
- /* so call the conversation expecting i responses */
- resp = NULL;
- retval = converse(pamh, ctrl, i, pmsg, &resp);
-
- if (resp != NULL) {
-
- /* interpret the response */
-
- if (retval == PAM_SUCCESS) { /* a good conversation */
-
- token = x_strdup(resp[i-replies].resp);
- if (token != NULL) {
- if (replies == 2) {
-
- /* verify that password entered correctly */
- if (!resp[i-1].resp
- || strcmp(token,resp[i-1].resp)) {
- token = _pam_delete(token); /* mistyped */
- retval = PAM_AUTHTOK_RECOVER_ERR;
- make_remark(pamh, ctrl
- , PAM_ERROR_MSG, MISTYPED_PASS);
- }
- }
-
- } else {
- _log_err(LOG_NOTICE
- , "could not recover authentication token");
- }
-
- }
-
- /*
- * tidy up the conversation (resp_retcode) is ignored
- * -- what is it for anyway? AGM
- */
-
- _pam_drop_reply(resp, i);
-
- } else {
- retval = (retval == PAM_SUCCESS)
- ? PAM_AUTHTOK_RECOVER_ERR:retval ;
- }
- }
-
- if (retval != PAM_SUCCESS) {
- if ( on(UNIX_DEBUG,ctrl) )
- _log_err(LOG_DEBUG,"unable to obtain a password");
- return retval;
- }
-
- /* 'token' is the entered password */
-
- if ( off(UNIX_NOT_SET_PASS, ctrl) ) {
-
- /* we store this password as an item */
-
- retval = pam_set_item(pamh, authtok_flag, token);
- token = _pam_delete(token); /* clean it up */
- if ( retval != PAM_SUCCESS
- || (retval = pam_get_item(pamh, authtok_flag
- , (const void **)&item))
- != PAM_SUCCESS ) {
-
- _log_err(LOG_CRIT, "error manipulating password");
- return retval;
-
- }
-
- } else {
- /*
- * then store it as data specific to this module. pam_end()
- * will arrange to clean it up.
- */
-
- retval = pam_set_data(pamh, data_name, (void *) token, _cleanup);
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "error manipulating password data [%s]"
- , pam_strerror(pamh, retval) );
- token = _pam_delete(token);
- return retval;
- }
- item = token;
- token = NULL; /* break link to password */
- }
-
- *pass = item;
- item = NULL; /* break link to password */
-
- return PAM_SUCCESS;
-}
-
-static int _pam_unix_approve_pass(pam_handle_t *pamh
- , unsigned int ctrl
- , const char *pass_old
- , const char *pass_new)
-{
- D(("&new=%p, &old=%p",pass_old,pass_new));
- D(("new=[%s]",pass_new));
- D(("old=[%s]",pass_old));
-
- if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) {
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_DEBUG, "bad authentication token");
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
- "No password supplied":"Password unchanged" );
- return PAM_AUTHTOK_ERR;
- }
-
- /*
- * if one wanted to hardwire authentication token strength
- * checking this would be the place - AGM
- */
-
- return PAM_SUCCESS;
-}
-
-/* ****************************************************************** *
- * Copyright (c) Andrew G. Morgan, <morgan@parc.power.net> 1996.
- * Copyright (c) Alex O. Yuriev, 1996.
- * Copyright (c) Cristian Gafton 1996.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
diff --git a/contrib/libpam/modules/pam_radius/Makefile b/contrib/libpam/modules/pam_radius/Makefile
deleted file mode 100644
index a74b911..0000000
--- a/contrib/libpam/modules/pam_radius/Makefile
+++ /dev/null
@@ -1,99 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10
-#
-# STATIC modules are not supported
-#
-
-TITLE=pam_radius
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/radius.conf
-export CONFILE
-
-ifeq ($(HAVE_PWDBLIB),yes)
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-#LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-#static/%.o : %.c
-# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-#ifdef STATIC
-#LIBSTATIC = lib$(TITLE).o
-#endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-#ifdef STATIC
-# $(MKDIR) ./static
-#endif
-
-register:
-#ifdef STATIC
-# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-#endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) -lpwdb
-endif
-
-#ifdef STATIC
-#$(LIBOBJS): $(LIBSRC)
-#
-#$(LIBSTATIC): $(LIBOBJS)
-# $(LD) -r -o $@ $(LIBOBJS) -lpwdb
-#endif
-
-install: all
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-else
-
-include ../dont_makefile
-
-endif
diff --git a/contrib/libpam/modules/pam_radius/README b/contrib/libpam/modules/pam_radius/README
deleted file mode 100644
index 253308f..0000000
--- a/contrib/libpam/modules/pam_radius/README
+++ /dev/null
@@ -1,58 +0,0 @@
-
-pam_radius module:
- RADIUS session module.
-
-WHAT IT DOES:
- This module is intended to provide the session service for users
-autheticated with a RADIUS server. At the present stage, the only option
-supported is the use of the RADIUS server as an accounting server. There are
-few things which needs to be cleared out first in the PAM project until one
-will be able to use this module and expect it to magically start pppd in
-response to a RADIUS server command to use PPP for this user, or to initiate
-a telnet connection to another host, or to hang and call back the user using
-parameters provided in the RADIUS server response. Most of these things are
-better suited for the radius login application. I hope to make available
-Real Soon (tm) patches for the login apps to make it work this way.
-
-
-ARGUMENTS RECOGNIZED:
- debug verbose logging
-
-MODULE SERVICES PROVIDED:
- session _open_session and _close_session
-
- When opening a session, this module sends an Accounting-Start
-message to the RADIUS server, which will log/update/whatever a database for
-this user. On close, an Accounting-Stop message is sent to the RADIUS
-server.
-
-This module have no other pre-requisites for making it work. One can install
-a RADIUS server just for fun and use it as a centralized accounting server and
-forget about wtmp/last/sac&comp :-)
-
-USAGE:
- For the services you need this module (login for example) put
- the following line in /etc/pam.conf as the last line for that
- service (usually after the pam_unix session line):
-
- login session required /lib/security/pam_radius.so
-
- Replace "login" for each service you are using this module.
-
- This module make extensive use of the API provided in libpwdb
- 0.54preB or later. By default, it will read the radius server
- configuration (hostname and secret) from /etc/raddb/server. This is
- a default compiled into libpwdb, and curently there is no way to
- modify this default without recompiling libpwdb. I am working on
- extending the radius support from libpwdb to provide a possibility
- to make this runtime-configurable.
-
- Also please note that libpwdb will require also the RADIUS
- dictionary to be present (/etc/raddb/dictionary).
-
-TODO:
- The work is far from complete. Deal with "real" session things.
-
-AUTHOR:
- Cristian Gafton <gafton@redhat.com>
-
diff --git a/contrib/libpam/modules/pam_radius/pam_radius.c b/contrib/libpam/modules/pam_radius/pam_radius.c
deleted file mode 100644
index b412edf..0000000
--- a/contrib/libpam/modules/pam_radius/pam_radius.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * pam_radius
- * Process an user session according to a RADIUS server response
- *
- * 1.0 - initial release - Linux ONLY
- * 1.1 - revised and reorganized for libpwdb 0.54preB or higher
- * - removed the conf= parameter, since we use libpwdb exclusively now
- *
- * See end for Copyright information
- */
-
-#if !(defined(linux))
-#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!!
-#endif
-
-/* Module defines */
-#define BUFFER_SIZE 1024
-#define LONG_VAL_PTR(ptr) ((*(ptr)<<24)+(*((ptr)+1)<<16)+(*((ptr)+2)<<8)+(*((ptr)+3)))
-
-#define PAM_SM_SESSION
-
-#include "pam_radius.h"
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-static time_t session_time;
-
-/* we need to save these from open_session to close_session, since
- * when close_session will be called we won't be root anymore and
- * won't be able to access again the radius server configuration file
- * -- cristiang */
-
-static RADIUS_SERVER rad_server;
-static char hostname[BUFFER_SIZE];
-static char secret[BUFFER_SIZE];
-
-/* logging */
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_radius", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-/* now the session stuff */
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int retval;
- char *user_name;
- int ctrl;
-
- ctrl = _pam_parse(argc, argv);
- retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _pam_log(LOG_CRIT, "open_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "starting RADIUS user session for '%s'",
- user_name);
-
- retval = get_server_entries(hostname, secret);
- if ((retval != PWDB_RADIUS_SUCCESS) ||
- !strlen(hostname) || !strlen(secret)) {
- _pam_log(LOG_CRIT, "Could not determine the radius server to talk to");
- return PAM_IGNORE;
- }
- session_time = time(NULL);
- rad_server.hostname = hostname;
- rad_server.secret = secret;
- retval = radius_acct_start(rad_server, user_name);
- if (retval != PWDB_RADIUS_SUCCESS) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server");
- return PAM_IGNORE;
- }
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int ctrl;
- char *user_name;
- int retval;
-
- ctrl = _pam_parse(argc, argv);
- retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _pam_log(LOG_CRIT, "open_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "closing RADIUS user session for '%s'",
- user_name);
-
- if (!strlen(hostname) || !strlen(secret)) {
- _pam_log(LOG_CRIT, "Could not determine the radius server to talk to");
- return PAM_IGNORE;
- }
- retval = radius_acct_stop(rad_server, user_name,
- time(NULL) - session_time);
- if (retval != PWDB_RADIUS_SUCCESS) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server");
- return PAM_IGNORE;
- }
-
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_radius_modstruct = {
- "pam_radius",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL
-};
-#endif
-
-/*
- * Copyright (c) Cristian Gafton, 1996, <gafton@redhat.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_radius/pam_radius.h b/contrib/libpam/modules/pam_radius/pam_radius.h
deleted file mode 100644
index 72b1da8..0000000
--- a/contrib/libpam/modules/pam_radius/pam_radius.h
+++ /dev/null
@@ -1,35 +0,0 @@
-
-#ifndef PAM_RADIUS_H
-#define PAM_RADIUS_H
-
-#define _GNU_SOURCE
-#include <features.h>
-
-#include <stdio.h>
-#define __USE_POSIX2
-
-#include <stdlib.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/resource.h>
-
-#include <unistd.h>
-#include <string.h>
-#include <ctype.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <utmp.h>
-#include <time.h>
-#include <netdb.h>
-
-#include <netinet/in.h>
-#include <rpcsvc/ypclnt.h>
-#include <rpc/rpc.h>
-
-#include <pwdb/radius.h>
-#include <pwdb/pwdb_radius.h>
-
-/******************************************************************/
-
-#endif /* PAM_RADIUS_H */
diff --git a/contrib/libpam/modules/pam_rhosts/Makefile b/contrib/libpam/modules/pam_rhosts/Makefile
deleted file mode 100644
index 93addbb..0000000
--- a/contrib/libpam/modules/pam_rhosts/Makefile
+++ /dev/null
@@ -1,94 +0,0 @@
-# This Makefile controls a build process of the pam_rhosts modules
-# for Linux-PAM. You should not modify this Makefile.
-
-LIBAUTHOBJ = pam_rhosts_auth.o
-LIBAUTHSRC = pam_rhosts_auth.c
-LIBSESSOBJ =
-LIBSESSSRC =
-LIBPASSWDSRC =
-LIBPASSWDOBJ =
-LIBOBJ = $(LIBAUTHOBJ) $(LIBSESSOBJ) $(LIBPASSWDOBJ)
-LIBSRC = $(LIBAUTHSRC) $(LIBSESSSRC) $(LIBPASSWDSRC)
-
-ifdef STATIC
-LIBSTATIC = libpam_rhosts.o
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-endif
-
-ifdef DYNAMIC
-LIBSESSSH =
-LIBAUTHSH = pam_rhosts_auth.so
-LIBPASSWDSH =
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBSHARED = $(LIBSESSSH) $(LIBAUTHSH) $(LIBPASSWDSH)
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; \
- ./register_static pam_rhosts_auth pam_rhosts/libpam_rhosts.o )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-endif
-
-ifdef DYNAMIC
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-endif
-
-ifdef STATIC
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-
-endif
-
-#.c.o:
-# $(CC) -c $(CFLAGS) $<
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-# tidy up
-
-remove:
- cd $(FAKEROOT)$(SECUREDIR) && rm -f $(LIBSHARED)
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) a.out core *~
-
-extraclean:
- rm -f *.a *.out *.o *.so *.bak dynamic/* static/*
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
diff --git a/contrib/libpam/modules/pam_rhosts/README b/contrib/libpam/modules/pam_rhosts/README
deleted file mode 100644
index 527dfd3..0000000
--- a/contrib/libpam/modules/pam_rhosts/README
+++ /dev/null
@@ -1,57 +0,0 @@
-arguments recognized:
-
-"no_hosts_equiv"
-"no_rhosts"
-"debug"
-"nowarn"
-"suppress"
-"promiscuous"
-
-.rhosts/hosts.equiv format:
-
-There are positive entries, when one is matched authentication
-succeeds and terminates. There are negative entries, when one is
-matched authentication fails and terminates. Thus order is
-significant.
-
-Entry hosts.equiv .rhosts
-<host> All users on <host> are ok Same username from <host> is ok
-<host> <user> <user> from <host> is ok ditto
--<host> No users from <host> are ok ditto
-<host> -<user> <user> from <host> is not ok ditto
-
-<host> can be ip (IPv4) numbers.
-
-Netgroups may be used in either host or user fields, and then applies
-to all hosts, or users, in the netgroup. The syntax is
-
- +@<ng>
-
-The entries
-
- <host> +@<ng>
- +@<ng> +@<ng>
- +@<ng> <user>
-
-means exactly what you think it does. Negative entries are of the
-form
-
- -@<ng>
-
-When the "promiscuous" option is given the special character + may be
-used as a wildcard in any field.
-
- + Allow anyone from any host to connect. DANGEROUS.
- + + Ditto.
- + <user> Allow the user to connect from anywhere. DANGEROUS.
- <host> + Allow any user from the host. Dangerous.
-
-These, perhaps more usefull, forms of the + form is also disallowed
-unless "promiscuous" is specified:
-
- + -<user> Disallow the user from any host
- + -@<ng> Disallow all members of the netgroup from any host
-
-When "promiscuous" is not specified a '+' is handled as a negative
-match.
-
diff --git a/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c b/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c
deleted file mode 100644
index 10dfcf7..0000000
--- a/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c
+++ /dev/null
@@ -1,788 +0,0 @@
-/*----------------------------------------------------------------------
- * Modified for Linux-PAM by Al Longyear <longyear@netcom.com> 96/5/5
- * Modifications, Cristian Gafton 97/2/8
- * Modifications, Peter Allgeyer 97/3
- * Modifications (netgroups and fixes), Nicolai Langfeldt 97/3/21
- * Security fix: 97/10/2 - gethostbyname called repeatedly without care
- * Modification (added privategroup option) Andrew <morgan@transmeta.com>
- *----------------------------------------------------------------------
- * Copyright (c) 1983, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define _BSD_SOURCE
-
-#define USER_RHOSTS_FILE "/.rhosts" /* prefixed by user's home dir */
-
-#ifdef linux
-#include <endian.h>
-#endif
-
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h> /* This is supposed(?) to contain the following */
-int innetgr(const char *, const char *, const char *,const char *);
-
-#include <stdio.h>
-#include <errno.h>
-#include <sys/time.h>
-#include <arpa/inet.h>
-
-#ifndef MAXDNAME
-#define MAXDNAME 256
-#endif
-
-#include <stdarg.h>
-#include <ctype.h>
-
-#include <net/if.h>
-#ifdef linux
-# include <linux/sockios.h>
-# ifndef __USE_MISC
-# define __USE_MISC
-# include <sys/fsuid.h>
-# endif /* __USE_MISC */
-#endif
-
-#include <pwd.h>
-#include <grp.h>
-#include <sys/file.h>
-#include <sys/signal.h>
-#include <sys/stat.h>
-#include <syslog.h>
-#ifndef _PATH_HEQUIV
-#define _PATH_HEQUIV "/etc/hosts.equiv"
-#endif /* _PATH_HEQUIV */
-
-#define PAM_SM_AUTH /* only defines this management group */
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-/* to the best of my knowledge, all modern UNIX boxes have 32 bit integers */
-#define U32 unsigned int
-
-
-/*
- * Options for this module
- */
-
-struct _options {
- int opt_no_hosts_equiv;
- int opt_no_rhosts;
- int opt_debug;
- int opt_nowarn;
- int opt_disallow_null_authtok;
- int opt_silent;
- int opt_promiscuous;
- int opt_suppress;
- int opt_private_group;
- const char *last_error;
-};
-
-/* logging */
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_rhosts_auth", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-static void set_option (struct _options *opts, const char *arg)
-{
- if (strcmp(arg, "no_hosts_equiv") == 0) {
- opts->opt_no_hosts_equiv = 1;
- return;
- }
-
- if (strcmp(arg, "no_rhosts") == 0) {
- opts->opt_no_rhosts = 1;
- return;
- }
-
- if (strcmp(arg, "debug") == 0) {
- D(("debugging enabled"));
- opts->opt_debug = 1;
- return;
- }
-
- if (strcmp(arg, "no_warn") == 0) {
- opts->opt_nowarn = 1;
- return;
- }
-
- if (strcmp(arg, "promiscuous") == 0) {
- opts->opt_promiscuous = 1; /* used to permit '+' in ...hosts file */
- return;
- }
-
- if (strcmp(arg, "suppress") == 0) {
- opts->opt_suppress = 1; /* used to suppress failure warning message */
- return;
- }
-
- if (strcmp(arg, "privategroup") == 0) {
- opts->opt_private_group = 1; /* used to permit group write on .rhosts
- file if group has same name as owner */
- return;
- }
-
- /*
- * All other options are ignored at the present time.
- */
- _pam_log(LOG_WARNING, "unrecognized option '%s'", arg);
-}
-
-static void set_parameters (struct _options *opts, int flags,
- int argc, const char **argv)
-{
- opts->opt_silent = flags & PAM_SILENT;
- opts->opt_disallow_null_authtok = flags & PAM_DISALLOW_NULL_AUTHTOK;
-
- while (argc-- > 0) {
- set_option (opts, *argv);
- ++argv;
- }
-}
-
-/*
- * Obtain the name of the remote host. Currently, this is simply by
- * requesting the contents of the PAM_RHOST item.
- */
-
-static int pam_get_rhost(pam_handle_t *pamh, const char **rhost
- , const char *prompt)
-{
- int retval;
- const char *current;
-
- retval = pam_get_item (pamh, PAM_RHOST, (const void **)&current);
- if (retval != PAM_SUCCESS)
- return retval;
-
- if (current == NULL) {
- return PAM_AUTH_ERR;
- }
- *rhost = current;
-
- return retval; /* pass on any error from conversation */
-}
-
-/*
- * Obtain the name of the remote user. Currently, this is simply by
- * requesting the contents of the PAM_RUSER item.
- */
-
-static int pam_get_ruser(pam_handle_t *pamh, const char **ruser
- , const char *prompt)
-{
- int retval;
- const char *current;
-
- retval = pam_get_item (pamh, PAM_RUSER, (const void **)&current);
- if (retval != PAM_SUCCESS)
- return retval;
-
- if (current == NULL) {
- return PAM_AUTH_ERR;
- }
- *ruser = current;
-
- return retval; /* pass on any error from conversation */
-}
-
-/*
- * Returns 1 if positive match, 0 if no match, -1 if negative match.
- */
-
-static int
-__icheckhost (pam_handle_t *pamh, struct _options *opts, U32 raddr
- , register char *lhost, const char *rhost)
-{
- struct hostent *hp;
- U32 laddr;
- int negate=1; /* Multiply return with this to get -1 instead of 1 */
- char **pp, *user;
-
- /* Check nis netgroup. We assume that pam has done all needed
- paranoia checking before we are handed the rhost */
- if (strncmp("+@",lhost,2) == 0)
- return(innetgr(&lhost[2],rhost,NULL,NULL));
-
- if (strncmp("-@",lhost,2) == 0)
- return(-innetgr(&lhost[2],rhost,NULL,NULL));
-
- /* -host */
- if (strncmp("-",lhost,1) == 0) {
- negate=-1;
- lhost++;
- } else if (strcmp("+",lhost) == 0) {
- (void) pam_get_item(pamh, PAM_USER, (const void **)&user);
- D(("user %s has a `+' host entry", user));
- if (opts->opt_promiscuous)
- return (1); /* asking for trouble, but ok.. */
- /* If not promiscuous: handle as negative */
- return (-1);
- }
-
- /* Try for raw ip address first. */
- if (isdigit(*lhost) && (long)(laddr = inet_addr(lhost)) != -1)
- return (negate*(! (raddr ^ laddr)));
-
- /* Better be a hostname. */
- hp = gethostbyname(lhost);
- if (hp == NULL)
- return (0);
-
- /* Spin through ip addresses. */
- for (pp = hp->h_addr_list; *pp; ++pp)
- if (!memcmp (&raddr, *pp, sizeof (U32)))
- return (negate);
-
- /* No match. */
- return (0);
-}
-
-/* Returns 1 on positive match, 0 on no match, -1 on negative match */
-
-static int __icheckuser(pam_handle_t *pamh, struct _options *opts
- , const char *luser, const char *ruser
- , const char *rhost)
-{
- /*
- luser is user entry from .rhosts/hosts.equiv file
- ruser is user id on remote host
- rhost is the remote host name
- */
- char *user;
-
- /* [-+]@netgroup */
- if (strncmp("+@",luser,2) == 0)
- return (innetgr(&luser[2],NULL,ruser,NULL));
-
- if (strncmp("-@",luser,2) == 0)
- return (-innetgr(&luser[2],NULL,ruser,NULL));
-
- /* -user */
- if (strncmp("-",luser,1) == 0)
- return(-(strcmp(&luser[1],ruser) == 0));
-
- /* + */
- if (strcmp("+",luser) == 0) {
- (void) pam_get_item(pamh, PAM_USER, (const void **)&user);
- _pam_log(LOG_WARNING, "user %s has a `+' user entry", user);
- if (opts->opt_promiscuous)
- return(1);
- /* If not promiscuous we handle it as a negative match */
- return(-1);
- }
-
- /* simple string match */
- return (strcmp(ruser, luser) == 0);
-}
-
-/*
- * Returns 1 for blank lines (or only comment lines) and 0 otherwise
- */
-
-static int __isempty(char *p)
-{
- while (*p && isspace(*p)) {
- ++p;
- }
-
- return (*p == '\0' || *p == '#') ? 1:0 ;
-}
-
-/*
- * Returns 0 if positive match, 1 if _not_ ok.
- */
-
-static int
-__ivaliduser (pam_handle_t *pamh, struct _options *opts,
- FILE *hostf, U32 raddr,
- const char *luser, const char *ruser, const char *rhost)
-{
- register const char *user;
- register char *p;
- int hcheck, ucheck;
- char buf[MAXHOSTNAMELEN + 128]; /* host + login */
-
- buf[sizeof (buf)-1] = '\0'; /* terminate line */
-
- while (fgets(buf, sizeof(buf), hostf) != NULL) { /* hostf file line */
- p = buf; /* from beginning of file.. */
-
- /* Skip empty or comment lines */
- if (__isempty(p)) {
- continue;
- }
-
- /* Skip lines that are too long. */
- if (strchr(p, '\n') == NULL) {
- int ch = getc(hostf);
-
- while (ch != '\n' && ch != EOF)
- ch = getc(hostf);
- continue;
- }
-
- /*
- * If there is a hostname at the start of the line. Set it to
- * lower case. A leading ' ' or '\t' indicates no hostname
- */
-
- for (;*p && !isspace(*p); ++p) {
- *p = tolower(*p);
- }
-
- /*
- * next we want to find the permitted name for the remote user
- */
-
- if (*p == ' ' || *p == '\t') {
-
- /* <nul> terminate hostname and skip spaces */
- for (*p++='\0'; *p && isspace(*p); ++p);
-
- user = p; /* this is the user's name */
- while (*p && !isspace(*p))
- ++p; /* find end of user's name */
- } else
- user = p;
-
- *p = '\0'; /* <nul> terminate username (+host?) */
-
- /* buf -> host(?) ; user -> username(?) */
-
- /* First check host part */
- hcheck=__icheckhost(pamh, opts, raddr, buf, rhost);
-
- if (hcheck<0)
- return(1);
-
- if (hcheck) {
- /* Then check user part */
- if (! (*user))
- user = luser;
-
- ucheck=__icheckuser(pamh, opts, user, ruser, rhost);
-
- /* Positive 'host user' match? */
- if (ucheck>0)
- return(0);
-
- /* Negative 'host -user' match? */
- if (ucheck<0)
- return(1);
-
- /* Neither, go on looking for match */
- }
- }
-
- return (1);
-}
-
-/*
- * New .rhosts strategy: We are passed an ip address. We spin through
- * hosts.equiv and .rhosts looking for a match. When the .rhosts only
- * has ip addresses, we don't have to trust a nameserver. When it
- * contains hostnames, we spin through the list of addresses the nameserver
- * gives us and look for a match.
- *
- * Returns 0 if ok, -1 if not ok.
- */
-
-static int
-pam_iruserok(pam_handle_t *pamh,
- struct _options *opts, U32 raddr, int superuser,
- const char *ruser, const char *luser, const char *rhost)
-{
- const char *cp;
- struct stat sbuf;
- struct passwd *pwd;
- FILE *hostf;
- uid_t uid;
- int answer;
- char pbuf[MAXPATHLEN]; /* potential buffer overrun */
-
- if ( !superuser && !opts->opt_no_hosts_equiv ) {
-
- /* try to open system hosts.equiv file */
- hostf = fopen (_PATH_HEQUIV, "r");
- if (hostf) {
- answer = __ivaliduser(pamh, opts, hostf, raddr, luser
- , ruser, rhost);
- (void) fclose(hostf);
- if (answer == 0)
- return 0; /* remote host is equivalent to localhost */
- } /* else {
- No hosts.equiv file on system.
- } */
- }
-
- if ( opts->opt_no_rhosts )
- return 1;
-
- /*
- * Identify user's local .rhosts file
- */
-
- pwd = getpwnam(luser);
- if (pwd == NULL) {
- /*
- * luser is assumed to be valid because of an earlier check for uid = 0
- * we don't log this error twice. However, this shouldn't happen !
- * --cristiang
- */
- return(1);
- }
-
- /* check for buffer overrun */
- if (strlen(pwd->pw_dir) + sizeof(USER_RHOSTS_FILE) + 2 >= MAXPATHLEN) {
- if (opts->opt_debug)
- _pam_log(LOG_DEBUG,"home directory for `%s' is too long", luser);
- return 1; /* to dangerous to try */
- }
-
- (void) strcpy(pbuf, pwd->pw_dir);
- (void) strcat(pbuf, USER_RHOSTS_FILE);
-
- /*
- * Change effective uid while _reading_ .rhosts. (not just
- * opening). If root and reading an NFS mounted file system,
- * can't read files that are 0600 as .rhosts files should be.
- */
-
- /* We are root, this will not fail */
-#ifdef linux
- /* If we are on linux the better way is setfsuid */
- uid = setfsuid(pwd->pw_uid);
- hostf = fopen(pbuf, "r");
-#else
- uid = geteuid();
- (void) seteuid(pwd->pw_uid);
- hostf = fopen(pbuf, "r");
-#endif
-
- if (hostf == NULL) {
- if (opts->opt_debug)
- _pam_log(LOG_DEBUG,"Could not open %s file",pbuf);
- answer = 1;
- goto exit_function;
- }
-
- /*
- * If not a regular file, or is owned by someone other than
- * user or root or if writeable by anyone but the owner, quit.
- */
-
- cp = NULL;
- if (lstat(pbuf, &sbuf) < 0 || !S_ISREG(sbuf.st_mode))
- cp = ".rhosts not regular file";
- else if (fstat(fileno(hostf), &sbuf) < 0)
- cp = ".rhosts fstat failed";
- else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid)
- cp = "bad .rhosts owner";
- else if (sbuf.st_mode & S_IWOTH)
- cp = ".rhosts writable by other!";
- else if (sbuf.st_mode & S_IWGRP) {
-
- /* private group caveat */
- if (opts->opt_private_group) {
- struct group *grp = getgrgid(sbuf.st_gid);
-
- if (NULL == grp || NULL == grp->gr_name
- || strcmp(luser,grp->gr_name)) {
- cp = ".rhosts writable by public group";
- } else if (grp->gr_mem) {
- int gcount;
-
- /* require at most one member (luser) of this group */
- for (gcount=0; grp->gr_mem[gcount]; ++gcount) {
- if (strcmp(grp->gr_mem[gcount], luser)) {
- gcount = -1;
- break;
- }
- }
- if (gcount < 0) {
- cp = ".rhosts writable by other members of group";
- }
- }
- } else {
- cp = ".rhosts writable by group";
- }
-
- } /* It is _NOT_ safe to append an else here... Do so prior to
- * S_IWGRP check */
-
- /* If there were any problems, quit. */
- if (cp) {
- opts->last_error = cp;
- answer = 1;
- goto exit_function;
- }
-
- answer = __ivaliduser (pamh, opts, hostf, raddr, luser, ruser, rhost);
-
-exit_function:
- /*
- * Go here to exit after the fsuid/euid has been adjusted so that
- * they are reset before we exit.
- */
-
-#ifdef linux
- setfsuid(uid);
-#else
- (void)seteuid(uid);
-#endif
-
- if (hostf != NULL)
- (void) fclose(hostf);
-
- return answer;
-}
-
-static int
-pam_ruserok (pam_handle_t *pamh,
- struct _options *opts, const char *rhost, int superuser,
- const char *ruser, const char *luser)
-{
- struct hostent *hp;
- int answer = 1; /* default to failure */
- U32 *addrs;
- int n, i;
-
- opts->last_error = (char *) 0;
- hp = gethostbyname(rhost); /* identify host */
-
- if (hp != NULL) {
- /* First of all check the address length */
- if (hp->h_length != 4) {
- _pam_log(LOG_ALERT, "pam_rhosts module can't work with not IPv4 "
- "addresses");
- return 1; /* not allowed */
- }
-
- /* loop though address list */
- for (n = 0; hp->h_addr_list[n]; n++);
- D(("rhosts: %d addresses", n));
-
- if (n) {
- addrs = calloc (n, hp->h_length);
- for (i = 0; i < n; i++)
- memcpy (addrs+i, hp->h_addr_list[i], hp->h_length);
-
- for (i = 0; i < n && answer; i++) {
- D(("rhosts: address %d is %04x", i, addrs[i]));
- answer = pam_iruserok(pamh, opts, addrs[i], superuser,
- ruser, luser, rhost);
- /* answer == 0 means success */
- }
-
- free (addrs);
- }
- }
-
- return answer;
-}
-
-/*
- * Internal function to do authentication
- */
-
-static int _pam_auth_rhosts (pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv)
-{
- int retval;
- const char *luser;
- const char *ruser,*rhost;
- struct _options opts;
- int as_root = 0;
- /*
- * Look at the options and set the flags accordingly.
- */
- memset (&opts, 0, sizeof (opts));
- set_parameters (&opts, flags, argc, argv);
- /*
- * Obtain the parameters for the various items
- */
- for (;;) { /* abuse loop to avoid goto */
-
- /* get the remotehost */
- retval = pam_get_rhost(pamh, &rhost, NULL);
- (void) pam_set_item(pamh, PAM_RHOST, rhost);
- if (retval != PAM_SUCCESS) {
- if (opts.opt_debug) {
- _pam_log(LOG_DEBUG, "could not get the remote host name");
- }
- break;
- }
-
- /* get the remote user */
- retval = pam_get_ruser(pamh, &ruser, NULL);
- (void) pam_set_item(pamh, PAM_RUSER, ruser);
- if (retval != PAM_SUCCESS) {
- if (opts.opt_debug)
- _pam_log(LOG_DEBUG, "could not get the remote username");
- break;
- }
-
- /* get the local user */
- retval = pam_get_user(pamh, &luser, NULL);
-
- if (retval != PAM_SUCCESS) {
- if (opts.opt_debug)
- _pam_log(LOG_DEBUG, "could not determine name of local user");
- break;
- }
-
- /* check if the luser uid == 0... --cristiang */
- {
- struct passwd *luser_pwd;
-
- luser_pwd = getpwnam(luser);
- if (luser_pwd == NULL) {
- if (opts.opt_debug)
- _pam_log(LOG_DEBUG, "user '%s' unknown to this system",
- luser);
- retval = PAM_AUTH_ERR;
- break;
- }
- if (luser_pwd->pw_uid == 0)
- as_root = 1;
- luser_pwd = NULL; /* forget */
- }
-/*
- * Validate the account information.
- */
- if (pam_ruserok (pamh, &opts, rhost, as_root, ruser, luser) != 0) {
- if ( !opts.opt_suppress ) {
- _pam_log(LOG_WARNING, "denied to %s@%s as %s: %s",
- ruser, rhost, luser, (opts.last_error==NULL) ?
- "access not allowed":opts.last_error);
- }
- retval = PAM_AUTH_ERR;
- } else {
- _pam_log(LOG_NOTICE, "allowed to %s@%s as %s",
- ruser, rhost, luser);
- }
- break;
- }
-
- return retval;
-}
-
-/* --- authentication management functions --- */
-
-PAM_EXTERN
-int pam_sm_authenticate (pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv)
-{
- int retval;
-
- if (sizeof(U32) != 4) {
- _pam_log (LOG_ALERT, "pam_rhosts module can\'t work on this hardware "
- "(yet)");
- return PAM_AUTH_ERR;
- }
- sethostent(1);
- retval = _pam_auth_rhosts (pamh, flags, argc, argv);
- endhostent();
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc,
- const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* end of module definition */
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_rhosts_auth_modstruct = {
- "pam_rhosts_auth",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/*
- * $Log: pam_rhosts_auth.c,v $
- * Revision 1.12 1997/09/27 14:34:01 morgan
- * fixed comment and renamed iruserok to pam_iruserok.
- *
- * Revision 1.11 1997/04/05 06:26:39 morgan
- * fairly major fixes and enhancements (see CHANGELOG for 0.57 release)
- *
- * Revision 1.10 1997/02/09 02:09:30 morgan
- * - implementation of 'debug' argument (Cristian Gafton)
- * - we check for uid=0 accounts instead of hardcoded 'root' (Cristian Gafton)
- *
- * Revision 1.9 1996/12/01 03:09:47 morgan
- * *** empty log message ***
- *
- * Revision 1.8 1996/11/12 06:08:59 morgan
- * Oliver Crow's "rootok" patch plus a little clean up of set_option
- * (AGM)
- *
- * Revision 1.7 1996/11/10 20:15:56 morgan
- * cross platform support
- *
- * Revision 1.6 1996/08/09 05:46:29 morgan
- * removed code for manually setting the remote username etc..
- *
- */
diff --git a/contrib/libpam/modules/pam_rootok/Makefile b/contrib/libpam/modules/pam_rootok/Makefile
deleted file mode 100644
index b378708..0000000
--- a/contrib/libpam/modules/pam_rootok/Makefile
+++ /dev/null
@@ -1,111 +0,0 @@
-#
-# $Id: Makefile,v 1.7 1997/04/05 06:25:20 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.7 1997/04/05 06:25:20 morgan
-# fakeroot
-#
-# Revision 1.6 1997/02/15 19:15:50 morgan
-# fixed email
-#
-# Revision 1.5 1996/11/10 20:16:10 morgan
-# cross platform support
-#
-# Revision 1.4 1996/09/05 06:29:36 morgan
-# ld --> gcc
-#
-# Revision 1.3 1996/05/26 15:47:46 morgan
-# make dynamic/static dirs!
-#
-# Revision 1.2 1996/05/26 04:04:53 morgan
-# automated static support
-#
-# Revision 1.1 1996/05/05 17:14:15 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/5/5
-#
-
-TITLE=pam_rootok
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_rootok/README b/contrib/libpam/modules/pam_rootok/README
deleted file mode 100644
index d7010dd..0000000
--- a/contrib/libpam/modules/pam_rootok/README
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: README,v 1.1 1996/05/10 04:15:31 morgan Exp $
-#
-
-this module is an authentication module that performs one task: if the
-id of the user is '0' then it returns 'PAM_SUCCESS' with the
-'sufficient' /etc/pam.conf control flag it can be used to allow
-password free access to some service for 'root'
-
-Recognized arguments:
-
- debug write a message to syslog indicating success or
- failure.
-
-module services provided:
-
- auth _authetication and _setcred (blank)
-
-Andrew Morgan
diff --git a/contrib/libpam/modules/pam_rootok/pam_rootok.c b/contrib/libpam/modules/pam_rootok/pam_rootok.c
deleted file mode 100644
index 21327d4..0000000
--- a/contrib/libpam/modules/pam_rootok/pam_rootok.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/* pam_rootok module */
-
-/*
- * $Id: pam_rootok.c,v 1.5 1997/02/15 17:32:47 morgan Exp $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- *
- * $Log: pam_rootok.c,v $
- * Revision 1.5 1997/02/15 17:32:47 morgan
- * removed fixed syslog buffer
- *
- * Revision 1.4 1996/12/01 03:10:14 morgan
- * reformatted
- *
- * Revision 1.3 1996/06/02 08:11:01 morgan
- * updated for new static protocol
- *
- */
-
-#include <stdio.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-rootok", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 01
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int ctrl;
- int retval = PAM_AUTH_ERR;
-
- ctrl = _pam_parse(argc, argv);
- if (getuid() == 0)
- retval = PAM_SUCCESS;
-
- if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "authetication %s"
- , retval==PAM_SUCCESS ? "succeeded":"failed" );
- }
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_rootok_modstruct = {
- "pam_rootok",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_securetty/Makefile b/contrib/libpam/modules/pam_securetty/Makefile
deleted file mode 100644
index d8a09ea..0000000
--- a/contrib/libpam/modules/pam_securetty/Makefile
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-
-TITLE=pam_securetty
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
diff --git a/contrib/libpam/modules/pam_securetty/README b/contrib/libpam/modules/pam_securetty/README
deleted file mode 100644
index 1df095c..0000000
--- a/contrib/libpam/modules/pam_securetty/README
+++ /dev/null
@@ -1,9 +0,0 @@
-pam_securetty:
- Allows root logins only if the user is logging in on a
- "secure" tty, as defined by the listing in /etc/securetty
-
- Also checks to make sure that /etc/securetty is a plain
- file and not world writable.
-
- - Elliot Lee <sopwith@redhat.com>, Red Hat Software.
- July 25, 1996.
diff --git a/contrib/libpam/modules/pam_securetty/pam_securetty.c b/contrib/libpam/modules/pam_securetty/pam_securetty.c
deleted file mode 100644
index 369fb03..0000000
--- a/contrib/libpam/modules/pam_securetty/pam_securetty.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/* pam_securetty module */
-
-#define SECURETTY_FILE "/etc/securetty"
-#define TTY_PREFIX "/dev/"
-
-/*
- * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
- * July 25, 1996.
- * This code shamelessly ripped from the pam_rootok module.
- * Slight modifications AGM. 1996/12/3
- * $Log: pam_securetty.c,v $
- * Revision 1.7 1997/04/05 06:24:23 morgan
- * changed return value on user unknown error
- *
- * Revision 1.6 1997/02/15 17:30:36 morgan
- * removed fixed length syslog buffer
- *
- * Revision 1.5 1997/02/09 02:22:24 morgan
- * added "debug" flag handling (Cristian Gafton)
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <pwd.h>
-#include <strings.h>
-
-#define PAM_SM_AUTH
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval = PAM_AUTH_ERR;
- const char *username;
- char *uttyname;
- char ttyfileline[256];
- struct stat ttyfileinfo;
- struct passwd *user_pwd;
- FILE *ttyfile;
- int ctrl;
-
- /* parse the arguments */
- ctrl = _pam_parse(argc, argv);
-
- retval = pam_get_item(pamh,PAM_USER,(const void **)&username);
- if (retval == PAM_SUCCESS)
- retval = pam_get_item(pamh,PAM_TTY,(const void **)&uttyname);
- if (retval != PAM_SUCCESS || uttyname == NULL) {
- /* If we couldn't get the username or the tty return error */
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_WARNING, "can not determine tty I'm running on !");
- return PAM_SERVICE_ERR;
- }
-
- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
- uttyname += sizeof(TTY_PREFIX)-1;
-
- /* If we didn't get a username, get one */
- if(!username || (strlen(username) <= 0)) {
- /* Don't let them use a NULL username... */
- (void) pam_set_item(pamh, PAM_USER, NULL);
- pam_get_user(pamh,&username,NULL);
- if (retval != PAM_SUCCESS || username == NULL || *username == '\0') {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_WARNING,
- "can not determine username for this service!");
- return PAM_SERVICE_ERR;
- }
- }
-
- user_pwd = getpwnam(username);
- if (user_pwd == NULL)
- return PAM_IGNORE;
- else if (user_pwd->pw_uid != 0) /* If the user is not root,
- securetty's does not apply to them */
- return PAM_SUCCESS;
-
- if(stat(SECURETTY_FILE,&ttyfileinfo)) {
- _pam_log(LOG_NOTICE,
- "Couldn't open " SECURETTY_FILE);
- return PAM_SUCCESS; /* for compatibility with old securetty handling,
- this needs to succeed. But we still log the
- error. */
- }
-
- if((ttyfileinfo.st_mode & S_IWOTH)
- || !S_ISREG(ttyfileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- _pam_log(LOG_ERR, SECURETTY_FILE
- " is either world writable or not a normal file");
- return PAM_AUTH_ERR;
- }
-
- ttyfile = fopen(SECURETTY_FILE,"r");
- if(ttyfile == NULL) { /* Check that we opened it successfully */
- _pam_log(LOG_ERR,
- "Error opening " SECURETTY_FILE);
- return PAM_SERVICE_ERR;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
- while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
- && retval) {
- if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
- ttyfileline[strlen(ttyfileline) - 1] = '\0';
- retval = strcmp(ttyfileline,uttyname);
- }
- fclose(ttyfile);
- if(retval) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !",
- uttyname);
- retval = PAM_AUTH_ERR;
- }
- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG))
- _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'",
- username, uttyname);
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_securetty_modstruct = {
- "pam_securetty",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_shells/Makefile b/contrib/libpam/modules/pam_shells/Makefile
deleted file mode 100644
index 121b19a..0000000
--- a/contrib/libpam/modules/pam_shells/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-
-TITLE=pam_shells
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_shells/README b/contrib/libpam/modules/pam_shells/README
deleted file mode 100644
index cbd5bfb..0000000
--- a/contrib/libpam/modules/pam_shells/README
+++ /dev/null
@@ -1,10 +0,0 @@
-pam_shells:
- Authentication is granted if the users shell is listed in
- /etc/shells. If no shell is in /etc/passwd (empty), the
- /bin/sh is used (following ftpd's convention).
-
- Also checks to make sure that /etc/shells is a plain
- file and not world writable.
-
- - Erik Troan <ewt@redhat.com>, Red Hat Software.
- August 5, 1996.
diff --git a/contrib/libpam/modules/pam_shells/pam_shells.c b/contrib/libpam/modules/pam_shells/pam_shells.c
deleted file mode 100644
index edc9134..0000000
--- a/contrib/libpam/modules/pam_shells/pam_shells.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* pam_securetty module */
-
-#define SHELL_FILE "/etc/shells"
-
-/*
- * by Erik Troan <ewt@redhat.com>, Red Hat Software.
- * August 5, 1996.
- * This code shamelessly ripped from the pam_securetty module.
- */
-
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/stat.h>
-#include <syslog.h>
-#include <unistd.h>
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-shells", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval = PAM_AUTH_ERR;
- const char *userName;
- char *userShell;
- char shellFileLine[256];
- struct stat sb;
- struct passwd * pw;
- FILE * shellFile;
-
- retval = pam_get_user(pamh,&userName,NULL);
- if(retval != PAM_SUCCESS)
- return PAM_SERVICE_ERR;
-
- if(!userName || (strlen(userName) <= 0)) {
- /* Don't let them use a NULL username... */
- pam_get_user(pamh,&userName,NULL);
- if (retval != PAM_SUCCESS)
- return PAM_SERVICE_ERR;
- }
-
- pw = getpwnam(userName);
- if (!pw)
- return PAM_AUTH_ERR; /* user doesn't exist */
- userShell = pw->pw_shell;
-
- if(stat(SHELL_FILE,&sb)) {
- _pam_log(LOG_ERR, SHELL_FILE, " cannot be stat'd (it probably does "
- "not exist)");
- return PAM_AUTH_ERR; /* must have /etc/shells */
- }
-
- if((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) {
- _pam_log(LOG_ERR,
- SHELL_FILE " is either world writable or not a normal file");
- return PAM_AUTH_ERR;
- }
-
- shellFile = fopen(SHELL_FILE,"r");
- if(shellFile == NULL) { /* Check that we opened it successfully */
- _pam_log(LOG_ERR,
- "Error opening " SHELL_FILE);
- return PAM_SERVICE_ERR;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
- while((fgets(shellFileLine,255,shellFile) != NULL)
- && retval) {
- if (shellFileLine[strlen(shellFileLine) - 1] == '\n')
- shellFileLine[strlen(shellFileLine) - 1] = '\0';
- retval = strcmp(shellFileLine, userShell);
- }
- fclose(shellFile);
- if(retval)
- retval = PAM_AUTH_ERR;
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_shells_modstruct = {
- "pam_shells",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_stress/Makefile b/contrib/libpam/modules/pam_stress/Makefile
deleted file mode 100644
index 52e8e21..0000000
--- a/contrib/libpam/modules/pam_stress/Makefile
+++ /dev/null
@@ -1,109 +0,0 @@
-#
-# $Id: Makefile,v 1.7 1997/04/05 06:23:08 morgan Exp $
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.7 1997/04/05 06:23:08 morgan
-# fakeroot
-#
-# Revision 1.6 1997/02/15 19:05:55 morgan
-# fixed email
-#
-# Revision 1.5 1996/11/10 20:17:55 morgan
-# cross platform support
-#
-# Revision 1.4 1996/09/05 06:31:09 morgan
-# ld --> gcc
-#
-# Revision 1.3 1996/05/26 15:50:43 morgan
-# make dynamic and static dirs
-#
-# Revision 1.2 1996/05/26 04:11:56 morgan
-# automated static support
-#
-#
-#
-
-TITLE=pam_stress
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_stress/README b/contrib/libpam/modules/pam_stress/README
deleted file mode 100644
index 1cb7c14..0000000
--- a/contrib/libpam/modules/pam_stress/README
+++ /dev/null
@@ -1,66 +0,0 @@
-#
-# $Id: README,v 1.7 1997/02/15 19:07:08 morgan Exp $
-#
-# This describes the behavior of this module with respect to the
-# /etc/pam.conf file.
-#
-# writen by Andrew Morgan <morgan@parc.power.net>
-#
-
-This module recognizes the following arguments.
-
-debug put lots of information in syslog.
- *NOTE* this option writes passwords to syslog, so
- don't use anything sensitive when testing.
-
-no_warn don't give warnings about things (otherwise warnings are issued
- via the conversation function)
-
-use_first_pass don't prompt for a password, for pam_sm_authentication
- function just use item PAM_AUTHTOK.
-
-try_first_pass don't prompt for a password unless there has been no
- previous authentication token (item PAM_AUTHTOK is NULL)
-
-rootok This is intended for the pam_sm_chauthtok function and
- it instructs this function to permit root to change
- the user's password without entering the old password.
-
-The following arguments are acted on by the module. They are intended
-to make the module give the impression of failing as a fully
-functioning module might.
-
-expired an argument intended for the account and chauthtok module
- parts. It instructs the module to act as if the user's
- password has expired
-
-fail_1 this instructs the module to make its first function fail.
-
-fail_2 this instructs the module to make its second function (if there
- is one) fail.
-
- The function break up is indicated in the Module
- Developers' Guide. Listed here it is:
-
- service function 1 function 2
- ------- ---------- ----------
- auth pam_sm_authenticate pam_sm_setcred
- password pam_sm_chauthtok
- session pam_sm_open_session pam_sm_close_session
- account pam_sm_acct_mgmt
-
-prelim for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK.
-
-required for pam_sm_chauthtok, means fail if the user hasn't already
- been authenticated by this module. (See stress_new_pwd data
- item below.)
-
-#
-# data strings that this module uses are the following:
-#
-
-data name value(s) Comments
---------- -------- --------
-stress_new_pwd yes tells pam_sm_chauthtok that
- pam_sm_acct_mgmt says we need a new
- password
diff --git a/contrib/libpam/modules/pam_stress/pam_stress.c b/contrib/libpam/modules/pam_stress/pam_stress.c
deleted file mode 100644
index 5015418..0000000
--- a/contrib/libpam/modules/pam_stress/pam_stress.c
+++ /dev/null
@@ -1,581 +0,0 @@
-/* pam_stress module */
-
-/* $Id: pam_stress.c,v 1.12 1997/02/15 19:06:30 morgan Exp morgan $
- *
- * created by Andrew Morgan <morgan@parc.power.net> 1996/3/12
- *
- * $Log: pam_stress.c,v $
- * Revision 1.12 1997/02/15 19:06:30 morgan
- * fixed email
- *
- * Revision 1.11 1997/02/15 17:33:24 morgan
- * removed fixed syslog buffer
- *
- * Revision 1.10 1996/12/01 03:11:35 morgan
- * using _pam_macros.h now
- *
- * Revision 1.9 1996/11/10 20:18:10 morgan
- * changes for .53 compilation
- *
- * Revision 1.8 1996/09/05 06:31:59 morgan
- * changed return value of wipe_up from int to void
- *
- * Revision 1.7 1996/06/02 08:12:28 morgan
- * updated for new static protocol, added STRESS to various user prompts
- * and added rootok flag for pam_sm_chauthtok to look out for
- *
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-static char *_strdup(const char *x)
-{
- char *new;
- new = malloc(strlen(x)+1);
- strcpy(new,x);
- return new;
-}
-
-/* log errors */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-stress", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* ---------- */
-
-/* an internal function to turn all possible test arguments into bits
- of a ctrl number */
-
-/* generic options */
-
-#define PAM_ST_DEBUG 01
-#define PAM_ST_NO_WARN 02
-#define PAM_ST_USE_PASS1 04
-#define PAM_ST_TRY_PASS1 010
-#define PAM_ST_ROOTOK 020
-
-/* simulation options */
-
-#define PAM_ST_EXPIRED 040
-#define PAM_ST_FAIL_1 0100
-#define PAM_ST_FAIL_2 0200
-#define PAM_ST_PRELIM 0400
-#define PAM_ST_REQUIRE_PWD 01000
-
-/* some syslogging */
-
-static void _pam_report(int ctrl, const char *name, int flags,
- int argc, const char **argv)
-{
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG, "CALLED: %s", name);
- _pam_log(LOG_DEBUG, "FLAGS : 0%o%s", flags,
- (flags & PAM_SILENT) ? " (silent)":"");
- _pam_log(LOG_DEBUG, "CTRL = 0%o",ctrl);
- _pam_log(LOG_DEBUG, "ARGV :");
- while (argc--) {
- _pam_log(LOG_DEBUG, " \"%s\"", *argv++);
- }
- }
-}
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_ST_DEBUG;
- else if (!strcmp(*argv,"no_warn"))
- ctrl |= PAM_ST_NO_WARN;
- else if (!strcmp(*argv,"use_first_pass"))
- ctrl |= PAM_ST_USE_PASS1;
- else if (!strcmp(*argv,"try_first_pass"))
- ctrl |= PAM_ST_TRY_PASS1;
- else if (!strcmp(*argv,"rootok"))
- ctrl |= PAM_ST_ROOTOK;
-
- /* simulation options */
-
- else if (!strcmp(*argv,"expired")) /* signal password needs
- renewal */
- ctrl |= PAM_ST_EXPIRED;
- else if (!strcmp(*argv,"fail_1")) /* instruct fn 1 to fail */
- ctrl |= PAM_ST_FAIL_1;
- else if (!strcmp(*argv,"fail_2")) /* instruct fn 2 to fail */
- ctrl |= PAM_ST_FAIL_2;
- else if (!strcmp(*argv,"prelim")) /* instruct pam_sm_setcred
- to fail on first call */
- ctrl |= PAM_ST_PRELIM;
- else if (!strcmp(*argv,"required")) /* module is fussy about the
- user being authenticated */
- ctrl |= PAM_ST_REQUIRE_PWD;
-
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-static int converse(pam_handle_t *pamh, int nargs
- , struct pam_message **message
- , struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- if ((retval = pam_get_item(pamh,PAM_CONV,(const void **)&conv))
- == PAM_SUCCESS) {
- retval = conv->conv(nargs, (const struct pam_message **) message
- , response, conv->appdata_ptr);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_ERR,"(pam_stress) converse returned %d",retval);
- _pam_log(LOG_ERR,"that is: %s",pam_strerror(pamh, retval));
- }
- } else {
- _pam_log(LOG_ERR,"(pam_stress) converse failed to get pam_conv");
- }
-
- return retval;
-}
-
-/* authentication management functions */
-
-static int stress_get_password(pam_handle_t *pamh, int flags
- , int ctrl, char **password)
-{
- char *pass;
-
- if ( (ctrl & (PAM_ST_TRY_PASS1|PAM_ST_USE_PASS1))
- && (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass)
- == PAM_SUCCESS)
- && (pass != NULL) ) {
- pass = _strdup(pass);
- } else if ((ctrl & PAM_ST_USE_PASS1)) {
- _pam_log(LOG_WARNING, "pam_stress: no forwarded password");
- return PAM_PERM_DENIED;
- } else { /* we will have to get one */
- struct pam_message msg[1],*pmsg[1];
- struct pam_response *resp;
- int retval;
-
- /* set up conversation call */
-
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[0].msg = "STRESS Password: ";
- resp = NULL;
-
- if ((retval = converse(pamh,1,pmsg,&resp)) != PAM_SUCCESS) {
- return retval;
- }
-
- if (resp) {
- if ((resp[0].resp == NULL) && (ctrl & PAM_ST_DEBUG)) {
- _pam_log(LOG_DEBUG,
- "pam_sm_authenticate: NULL authtok given");
- }
- if ((flags & PAM_DISALLOW_NULL_AUTHTOK)
- && resp[0].resp == NULL) {
- free(resp);
- return PAM_AUTH_ERR;
- }
-
- pass = resp[0].resp; /* remember this! */
-
- resp[0].resp = NULL;
- } else if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_authenticate: no error reported");
- _pam_log(LOG_DEBUG,"getting password, but NULL returned!?");
- return PAM_CONV_ERR;
- }
- free(resp);
- }
-
- *password = pass; /* this *MUST* be free()'d by this module */
-
- return PAM_SUCCESS;
-}
-
-/* function to clean up data items */
-
-static void wipe_up(pam_handle_t *pamh, void *data, int error)
-{
- free(data);
-}
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- const char *username;
- int retval=PAM_SUCCESS;
- char *pass;
- int ctrl;
-
- D(("called."));
-
- ctrl = _pam_parse(argc,argv);
- _pam_report(ctrl, "pam_sm_authenticate", flags, argc, argv);
-
- /* try to get the username */
-
- retval = pam_get_user(pamh, &username, "username: ");
- if ((ctrl & PAM_ST_DEBUG) && (retval == PAM_SUCCESS)) {
- _pam_log(LOG_DEBUG, "pam_sm_authenticate: username = %s", username);
- } else if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "pam_sm_authenticate: failed to get username");
- return retval;
- }
-
- /* now get the password */
-
- retval = stress_get_password(pamh,flags,ctrl,&pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "pam_sm_authenticate: "
- "failed to get a password");
- return retval;
- }
-
- /* try to set password item */
-
- retval = pam_set_item(pamh,PAM_AUTHTOK,pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "pam_sm_authenticate: "
- "failed to store new password");
- _pam_overwrite(pass);
- free(pass);
- return retval;
- }
-
- /* clean up local copy of password */
-
- _pam_overwrite(pass);
- free(pass);
- pass = NULL;
-
- /* if we are debugging then we print the password */
-
- if (ctrl & PAM_ST_DEBUG) {
- (void) pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass);
- _pam_log(LOG_DEBUG,
- "pam_st_authenticate: password entered is: [%s]\n",pass);
- pass = NULL;
- }
-
- /* if we signal a fail for this function then fail */
-
- if ((ctrl & PAM_ST_FAIL_1) && retval == PAM_SUCCESS)
- return PAM_PERM_DENIED;
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl, "pam_sm_setcred", flags, argc, argv);
-
- if (ctrl & PAM_ST_FAIL_2)
- return PAM_CRED_ERR;
-
- return PAM_SUCCESS;
-}
-
-/* account management functions */
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_acct_mgmt", flags, argc, argv);
-
- if (ctrl & PAM_ST_FAIL_1)
- return PAM_PERM_DENIED;
- else if (ctrl & PAM_ST_EXPIRED) {
- void *text = malloc(sizeof("yes")+1);
- strcpy(text,"yes");
- pam_set_data(pamh,"stress_new_pwd",text,wipe_up);
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_acct_mgmt: need a new password");
- }
- return PAM_NEW_AUTHTOK_REQD;
- }
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- char *username,*service;
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_open_session", flags, argc, argv);
-
- if ((pam_get_item(pamh, PAM_USER, (const void **) &username)
- != PAM_SUCCESS)
- || (pam_get_item(pamh, PAM_SERVICE, (const void **) &service)
- != PAM_SUCCESS)) {
- _pam_log(LOG_WARNING,"pam_sm_open_session: for whom?");
- return PAM_SESSION_ERR;
- }
-
- _pam_log(LOG_NOTICE,"pam_stress: opened [%s] session for user [%s]"
- , service, username);
-
- if (ctrl & PAM_ST_FAIL_1)
- return PAM_SESSION_ERR;
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- const char *username,*service;
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_close_session", flags, argc, argv);
-
- if ((pam_get_item(pamh, PAM_USER, (const void **)&username)
- != PAM_SUCCESS)
- || (pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
- != PAM_SUCCESS)) {
- _pam_log(LOG_WARNING,"pam_sm_close_session: for whom?");
- return PAM_SESSION_ERR;
- }
-
- _pam_log(LOG_NOTICE,"pam_stress: closed [%s] session for user [%s]"
- , service, username);
-
- if (ctrl & PAM_ST_FAIL_2)
- return PAM_SESSION_ERR;
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int retval;
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_chauthtok", flags, argc, argv);
-
- /* this function should be called twice by the Linux-PAM library */
-
- if (flags & PAM_PRELIM_CHECK) { /* first call */
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_chauthtok: prelim check");
- }
- if (ctrl & PAM_ST_PRELIM)
- return PAM_TRY_AGAIN;
-
- return PAM_SUCCESS;
- } else if (flags & PAM_UPDATE_AUTHTOK) { /* second call */
- struct pam_message msg[3],*pmsg[3];
- struct pam_response *resp;
- const char *text;
- char *txt=NULL;
- int i;
-
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_chauthtok: alter password");
- }
-
- if (ctrl & PAM_ST_FAIL_1)
- return PAM_AUTHTOK_LOCK_BUSY;
-
- if ( !(ctrl && PAM_ST_EXPIRED)
- && (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
- && (pam_get_data(pamh,"stress_new_pwd",(const void **)&text)
- != PAM_SUCCESS || strcmp(text,"yes"))) {
- return PAM_SUCCESS; /* the token has not expired */
- }
-
- /* the password should be changed */
-
- if ((ctrl & PAM_ST_REQUIRE_PWD)
- && !(getuid() == 0 && (ctrl & PAM_ST_ROOTOK))
- ) { /* first get old one? */
- char *pass;
-
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG
- ,"pam_sm_chauthtok: getting old password");
- }
- retval = stress_get_password(pamh,flags,ctrl,&pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_DEBUG
- ,"pam_sm_chauthtok: no password obtained");
- return retval;
- }
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_DEBUG
- ,"pam_sm_chauthtok: could not set OLDAUTHTOK");
- _pam_overwrite(pass);
- free(pass);
- return retval;
- }
- _pam_overwrite(pass);
- free(pass);
- }
-
- /* set up for conversation */
-
- if (!(flags & PAM_SILENT)) {
- char *username;
-
- if ( pam_get_item(pamh, PAM_USER, (const void **)&username)
- || username == NULL ) {
- _pam_log(LOG_ERR,"no username set");
- return PAM_USER_UNKNOWN;
- }
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
-#define _LOCAL_STRESS_COMMENT "Changing STRESS password for "
- txt = (char *) malloc(sizeof(_LOCAL_STRESS_COMMENT)
- +strlen(username)+1);
- strcpy(txt, _LOCAL_STRESS_COMMENT);
-#undef _LOCAL_STRESS_COMMENT
- strcat(txt, username);
- msg[0].msg = txt;
- i = 1;
- } else {
- i = 0;
- }
-
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = "Enter new STRESS password: ";
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = "Retype new STRESS password: ";
- resp = NULL;
-
- retval = converse(pamh,i,pmsg,&resp);
- if (txt) {
- free(txt);
- txt = NULL; /* clean up */
- }
- if (retval != PAM_SUCCESS) {
- return retval;
- }
-
- if (resp == NULL) {
- _pam_log(LOG_ERR, "pam_sm_chauthtok: no response from conv");
- return PAM_CONV_ERR;
- }
-
- /* store the password */
-
- if (resp[i-2].resp && resp[i-1].resp) {
- if (strcmp(resp[i-2].resp,resp[i-1].resp)) {
- /* passwords are not the same; forget and return error */
-
- _pam_drop_reply(resp, i);
-
- if (!(flags & PAM_SILENT) && !(ctrl & PAM_ST_NO_WARN)) {
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_ERROR_MSG;
- msg[0].msg = "Verification mis-typed; "
- "password unchaged";
- resp = NULL;
- (void) converse(pamh,1,pmsg,&resp);
- if (resp) {
- _pam_drop_reply(resp, 1);
- }
- }
- return PAM_AUTHTOK_ERR;
- }
-
- if (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&text)
- == PAM_SUCCESS) {
- (void) pam_set_item(pamh,PAM_OLDAUTHTOK,text);
- text = NULL;
- }
- (void) pam_set_item(pamh,PAM_AUTHTOK,resp[0].resp);
- } else {
- _pam_log(LOG_DEBUG,"pam_sm_chauthtok: problem with resp");
- retval = PAM_SYSTEM_ERR;
- }
-
- _pam_drop_reply(resp, i); /* clean up the passwords */
- } else {
- _pam_log(LOG_ERR,"pam_sm_chauthtok: this must be a Linux-PAM error");
- return PAM_SYSTEM_ERR;
- }
-
- return retval;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_stress_modstruct = {
- "pam_stress",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
diff --git a/contrib/libpam/modules/pam_tally/Makefile b/contrib/libpam/modules/pam_tally/Makefile
deleted file mode 100644
index ec17ff3..0000000
--- a/contrib/libpam/modules/pam_tally/Makefile
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# $Id: Makefile,v 1.1 1997/04/05 06:19:04 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.1 1997/04/05 06:19:04 morgan
-# Initial revision
-#
-#
-
-TITLE=pam_tally
-
-#
-## Should add some more rules to make the application too.
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_tally/README b/contrib/libpam/modules/pam_tally/README
deleted file mode 100644
index aaa8512..0000000
--- a/contrib/libpam/modules/pam_tally/README
+++ /dev/null
@@ -1,51 +0,0 @@
-
-SUMMARY:
- pam_tally:
-
- Maintains a count of attempted accesses, can reset count on success,
- can deny access if too many attempts fail.
-
- Options:
-
- * onerr=[succeed|fail] (if something weird happens
- such as unable to open the file, what to do?)
- * file=/where/to/keep/counts (default /var/log/faillog)
-
- (auth)
- * no_magic_root (root DOES increment counter. Use for
- daemon-based stuff, like telnet/rsh/login)
-
- (account)
- * deny=n (deny access if tally for this user exceeds n;
- The presence of deny=n changes the default for
- reset/no_reset to reset, unless the user trying to
- gain access is root and the no_magic_root option
- has NOT been specified.)
-
- * no_magic_root (access attempts by root DON'T ignore deny.
- Use this for daemon-based stuff, like telnet/rsh/login)
- * even_deny_root_account (Root can become unavailable. BEWARE.
- Note that magic root trying to gain root bypasses this,
- but normal users can be locked out.)
-
- * reset (reset count to 0 on successful entry, even for
- magic root)
- * no_reset (don't reset count on successful entry)
- This is the default unless deny exists and the
- user attempting access is NOT magic root.
-
- Also checks to make sure that the list file is a plain
- file and not world writable.
-
- - Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd.
- v0.1 5 March 1997
-
-BUGS:
-
-pam_tally is very dependant on getpw*(): a database of usernames
-would be much more flexible.
-
-The (4.0 Redhat) utilities seem to do funny things with uid, and I'm
-not wholly sure I understood what I should have been doing anyway so
-the `keep a count of current logins' bit has been #ifdef'd out and you
-can only reset the counter on successful authentication, for now.
diff --git a/contrib/libpam/modules/pam_tally/pam_tally.c b/contrib/libpam/modules/pam_tally/pam_tally.c
deleted file mode 100644
index a1b65c0..0000000
--- a/contrib/libpam/modules/pam_tally/pam_tally.c
+++ /dev/null
@@ -1,634 +0,0 @@
-/*
- * pam_tally.c
- *
- * Revision history? :) 0.1
- */
-
-
-/* By Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd.
- * 5 March 1997
- *
- * Stuff stolen from pam_rootok and pam_listfile
- */
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <stdio.h>
-#include <strings.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <pwd.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-
-#ifndef TRUE
-#define TRUE 1L
-#define FALSE 0L
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-/* #define PAM_SM_SESSION */
-/* #define PAM_SM_PASSWORD */
-
-#include <security/pam_modules.h>
-
-/*---------------------------------------------------------------------*/
-
-#define DEFAULT_LOGFILE "/var/log/faillog"
-#define MODULE_NAME "pam_tally"
-
-enum TALLY_RESET {
- TALLY_RESET_DEFAULT,
- TALLY_RESET_RESET,
- TALLY_RESET_NO_RESET
-};
-
-#define tally_t unsigned short int
-#define TALLY_FMT "%hu"
-#define TALLY_HI ((tally_t)~0L)
-
-#define UID_FMT "%hu"
-
-#ifndef FILENAME_MAX
-# define FILENAME_MAX MAXPATHLEN
-#endif
-
-/*---------------------------------------------------------------------*/
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
- va_start(args, format);
-
-#ifdef MAIN
- vfprintf(stderr,format,args);
-#else
- openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- closelog();
-#endif
- va_end(args);
-}
-
-/*---------------------------------------------------------------------*/
-
-/* --- Support function: get uid (and optionally username) from PAM or
- cline_user --- */
-
-#ifdef MAIN
-static char *cline_user=0; /* cline_user is used in the administration prog */
-#endif
-
-static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp )
- {
- const char *user;
- struct passwd *pw;
-
-#ifdef MAIN
- user = cline_user;
-#else
- pam_get_user( pamh, &user, NULL );
-#endif
-
- if ( !user || !*user ) {
- _pam_log(LOG_ERR, MODULE_NAME ": pam_get_uid; user?");
- return PAM_AUTH_ERR;
- }
-
- if ( ! ( pw = getpwnam( user ) ) ) {
- _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user);
- return PAM_USER_UNKNOWN;
- }
-
- if ( uid ) *uid = pw->pw_uid;
- if ( userp ) *userp = user;
- return PAM_SUCCESS;
- }
-
-/*---------------------------------------------------------------------*/
-
-/* --- Support function: open/create tallyfile and return tally for uid --- */
-
-/* If on entry *tally==TALLY_HI, tallyfile is opened READONLY */
-/* Otherwise, if on entry tallyfile doesn't exist, creation is attempted. */
-
-static int get_tally( tally_t *tally,
- uid_t uid,
- const char *filename,
- FILE **TALLY )
- {
- struct stat fileinfo;
- int lstat_ret = lstat(filename,&fileinfo);
-
- if ( lstat_ret && *tally!=TALLY_HI ) {
- if ( ( *TALLY=fopen(filename, "a") ) ) {
- /* Create file, or append-open in pathological case. */
- _pam_log(LOG_ALERT, "Couldn't create %s",filename);
- return PAM_AUTH_ERR;
- }
- fclose(*TALLY);
- lstat_ret = lstat(filename,&fileinfo);
- }
-
- if ( lstat_ret ) {
- _pam_log(LOG_ALERT, "Couldn't stat %s",filename);
- return PAM_AUTH_ERR;
- }
-
- if((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- _pam_log(LOG_ALERT,
- "%s is either world writable or not a normal file",
- filename);
- return PAM_AUTH_ERR;
- }
-
- if ( ! ( *TALLY = fopen(filename,(*tally!=TALLY_HI)?"r+":"r") ) ) {
- _pam_log(LOG_ALERT, "Error opening %s for update", filename);
-
-/* Discovering why account service fails: e/uid are target user.
- *
- * perror(MODULE_NAME);
- * fprintf(stderr,"uid %d euid %d\n",getuid(), geteuid());
- */
- return PAM_AUTH_ERR;
- }
-
- if ( fseek( *TALLY, uid * sizeof (tally_t), SEEK_SET ) ) {
- _pam_log(LOG_ALERT, "fseek failed %s", filename);
- return PAM_AUTH_ERR;
- }
-
- if ( ( fread(tally, sizeof(tally_t), 1, *TALLY) )==0 ) {
- *tally=0; /* Assuming a gappy filesystem */
- }
- return PAM_SUCCESS;
- }
-
-/*---------------------------------------------------------------------*/
-
-/* --- Support function: update and close tallyfile with tally!=TALLY_HI --- */
-
-static int set_tally( tally_t tally,
- uid_t uid,
- const char *filename,
- FILE **TALLY )
- {
- if ( tally!=TALLY_HI )
- {
- if ( fseek( *TALLY, uid * sizeof(tally_t), SEEK_SET ) ) {
- _pam_log(LOG_ALERT, "fseek failed %s", filename);
- return PAM_AUTH_ERR;
- }
-
- if ( fwrite(&tally, sizeof(tally_t), 1, *TALLY)==0 ) {
- _pam_log(LOG_ALERT, "tally update (fputc) failed.", filename);
- return PAM_AUTH_ERR;
- }
- }
-
- if ( fclose(*TALLY) ) {
- _pam_log(LOG_ALERT, "tally update (fclose) failed.", filename);
- return PAM_AUTH_ERR;
- }
- *TALLY=NULL;
- return PAM_SUCCESS;
- }
-
-/*---------------------------------------------------------------------*/
-
-/* --- PAM bits --- */
-
-#ifndef MAIN
-
-#define PAM_FUNCTION(name) \
- PAM_EXTERN int name (pam_handle_t *pamh,int flags,int argc,const char **argv)
-
-#define RETURN_ERROR(i) return ((fail_on_error)?(i):(PAM_SUCCESS))
-
-/*---------------------------------------------------------------------*/
-
-/* --- tally bump function: bump tally for uid by (signed) inc --- */
-
-static int tally_bump (int inc,
- pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv) {
- uid_t uid;
-
- int
- fail_on_error = FALSE;
- tally_t
- tally = 0; /* !TALLY_HI --> Log opened for update */
-
- char
- no_magic_root = FALSE;
-
- char
- filename[ FILENAME_MAX ] = DEFAULT_LOGFILE;
-
- /* Should probably decode the parameters before anything else. */
-
- {
- for ( ; argc-- > 0; ++argv ) {
-
- /* generic options.. um, ignored. :] */
-
- if ( ! strcmp( *argv, "no_magic_root" ) ) {
- no_magic_root = TRUE;
- }
- else if ( ! strncmp( *argv, "file=", 5 ) ) {
- char const
- *from = (*argv)+5;
- char
- *to = filename;
- if ( *from!='/' || strlen(from)>FILENAME_MAX-1 ) {
- _pam_log(LOG_ERR,
- MODULE_NAME ": filename not /rooted or too long; ",
- *argv);
- RETURN_ERROR( PAM_AUTH_ERR );
- }
- while ( ( *to++ = *from++ ) );
- }
- else if ( ! strcmp( *argv, "onerr=fail" ) ) {
- fail_on_error=TRUE;
- }
- else if ( ! strcmp( *argv, "onerr=succeed" ) ) {
- fail_on_error=FALSE;
- }
- else {
- _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv);
- }
- } /* for() */
- }
-
- {
- FILE
- *TALLY = NULL;
- const char
- *user = NULL;
-
- int i=pam_get_uid(pamh, &uid, &user);
- if ( i != PAM_SUCCESS ) RETURN_ERROR( i );
-
- i=get_tally( &tally, uid, filename, &TALLY );
- if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); }
-
- if ( no_magic_root || getuid() ) { /* no_magic_root kills uid test */
-
- tally+=inc;
-
- if ( tally==TALLY_HI ) { /* Overflow *and* underflow. :) */
- tally-=inc;
- _pam_log(LOG_ALERT,"Tally %sflowed for user %s",
- (inc<0)?"under":"over",user);
- }
- }
-
- i=set_tally( tally, uid, filename, &TALLY );
- if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); }
- }
-
- return PAM_SUCCESS;
-}
-
-/*---------------------------------------------------------------------*/
-
-/* --- authentication management functions (only) --- */
-
-#ifdef PAM_SM_AUTH
-
-PAM_FUNCTION( pam_sm_authenticate ) {
- return tally_bump( 1, pamh, flags, argc, argv);
-}
-
-/* --- Seems to need this function. Ho hum. --- */
-
-PAM_FUNCTION( pam_sm_setcred ) { return PAM_SUCCESS; }
-
-#endif
-
-/*---------------------------------------------------------------------*/
-
-/* --- session management functions (only) --- */
-
-/*
- * Unavailable until .so files can be suid
- */
-
-#ifdef PAM_SM_SESSION
-
-/* To maintain a balance-tally of successful login/outs */
-
-PAM_FUNCTION( pam_sm_open_session ) {
- return tally_bump( 1, pamh, flags, argc, argv);
-}
-
-PAM_FUNCTION( pam_sm_close_session ) {
- return tally_bump(-1, pamh, flags, argc, argv);
-}
-
-#endif
-
-/*---------------------------------------------------------------------*/
-
-/* --- authentication management functions (only) --- */
-
-#ifdef PAM_SM_AUTH
-
-/* To lock out a user with an unacceptably high tally */
-
-PAM_FUNCTION( pam_sm_acct_mgmt ) {
- uid_t
- uid;
-
- int
- fail_on_error = FALSE;
- tally_t
- deny = 0;
- tally_t
- tally = 0; /* !TALLY_HI --> Log opened for update */
-
- char
- no_magic_root = FALSE,
- even_deny_root_account = FALSE;
-
- const char
- *user = NULL;
-
- enum TALLY_RESET
- reset = TALLY_RESET_DEFAULT;
-
- char
- filename[ FILENAME_MAX ] = DEFAULT_LOGFILE;
-
- /* Should probably decode the parameters before anything else. */
-
- {
- for ( ; argc-- > 0; ++argv ) {
-
- /* generic options.. um, ignored. :] */
-
- if ( ! strcmp( *argv, "no_magic_root" ) ) {
- no_magic_root = TRUE;
- }
- else if ( ! strcmp( *argv, "even_deny_root_account" ) ) {
- even_deny_root_account = TRUE;
- }
- else if ( ! strcmp( *argv, "reset" ) ) {
- reset = TALLY_RESET_RESET;
- }
- else if ( ! strcmp( *argv, "no_reset" ) ) {
- reset = TALLY_RESET_NO_RESET;
- }
- else if ( ! strncmp( *argv, "file=", 5 ) ) {
- char const
- *from = (*argv)+5;
- char
- *to = filename;
- if ( *from != '/' || strlen(from) > FILENAME_MAX-1 ) {
- _pam_log(LOG_ERR,
- MODULE_NAME ": filename not /rooted or too long; ",
- *argv);
- RETURN_ERROR( PAM_AUTH_ERR );
- }
- while ( ( *to++ = *from++ ) );
- }
- else if ( ! strncmp( *argv, "deny=", 5 ) ) {
- if ( sscanf((*argv)+5,TALLY_FMT,&deny) != 1 ) {
- _pam_log(LOG_ERR,"bad number supplied; %s",*argv);
- RETURN_ERROR( PAM_AUTH_ERR );
- }
- }
- else if ( ! strcmp( *argv, "onerr=fail" ) ) {
- fail_on_error=TRUE;
- }
- else if ( ! strcmp( *argv, "onerr=succeed" ) ) {
- fail_on_error=FALSE;
- }
- else {
- _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv);
- }
- } /* for() */
- }
-
- {
- FILE *TALLY=0;
- int i=pam_get_uid(pamh, &uid, &user);
- if ( i != PAM_SUCCESS ) RETURN_ERROR( i );
-
- i=get_tally( &tally, uid, filename, &TALLY );
- if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); }
-
- if ( no_magic_root || getuid() ) { /* no_magic_root kills uid test */
-
- /* To deny or not to deny; that is the question */
-
- if (
- ( deny != 0 ) && /* deny==0 means no deny */
- ( tally > deny ) && /* tally>deny means exceeded */
- ( even_deny_root_account || uid ) /* even_deny stops uid check */
- ) {
- _pam_log(LOG_NOTICE,"user %s ("UID_FMT") tally "TALLY_FMT", deny "TALLY_FMT,
- user, uid, tally, deny);
- return PAM_AUTH_ERR; /* Only unconditional failure */
- }
-
- /* resets for explicit reset
- * or by default if deny exists and not magic-root
- */
-
- if ( ( reset == TALLY_RESET_RESET ) ||
- ( reset == TALLY_RESET_DEFAULT && deny ) ) { tally=0; }
- }
- else /* is magic root */ {
-
- /* Magic root skips deny test... */
-
- /* Magic root only resets on explicit reset, regardless of deny */
-
- if ( reset == TALLY_RESET_RESET ) { tally=0; }
- }
-
- i=set_tally( tally, uid, filename, &TALLY );
- if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); }
- }
-
- return PAM_SUCCESS;
-}
-
-#endif /* #ifdef PAM_SM_AUTH */
-
-/*-----------------------------------------------------------------------*/
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_tally_modstruct = {
- MODULE_NAME,
-#ifdef PAM_SM_AUTH
- pam_sm_authenticate,
- pam_sm_setcred,
-#else
- NULL,
- NULL,
-#endif
-#ifdef PAM_SM_ACCOUNT
- pam_sm_acct_mgmt,
-#else
- NULL,
-#endif
-#ifdef PAM_SM_SESSION
- pam_sm_open_session,
- pam_sm_close_session,
-#else
- NULL,
- NULL,
-#endif
-#ifdef PAM_SM_PASSWORD
- pam_sm_chauthtok,
-#else
- NULL,
-#endif
-};
-
-#endif /* #ifdef PAM_STATIC */
-
-/*-----------------------------------------------------------------------*/
-
-#else /* #ifndef MAIN */
-
-static const char *cline_filename = DEFAULT_LOGFILE;
-static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */
-static int cline_quiet = 0;
-
-/*
- * Not going to link with pamlib just for these.. :)
- */
-
-static const char * pam_errors( int i ) {
- switch (i) {
- case PAM_AUTH_ERR: return "Authentication error";
- case PAM_SERVICE_ERR: return "Service error";
- case PAM_USER_UNKNOWN: return "Unknown user";
- default: return "Unknown error";
- }
-}
-
-static int getopts( int argc, char **argv ) {
- const char *pname = *argv;
- for ( ; *argv ; (void)(*argv && ++argv) ) {
- if ( !strcmp (*argv,"--file") ) cline_filename=*++argv;
- else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7;
- else if ( !strcmp (*argv,"--user") ) cline_user=*++argv;
- else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7;
- else if ( !strcmp (*argv,"--reset") ) cline_reset=0;
- else if ( !strncmp(*argv,"--reset=",8)) {
- if ( sscanf(*argv+8,TALLY_FMT,&cline_reset) != 1 )
- fprintf(stderr,"%s: Bad number given to --reset=\n",pname), exit(0);
- }
- else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1;
- else {
- fprintf(stderr,"%s: Unrecognised option %s\n",pname,*argv);
- return FALSE;
- }
- }
- return TRUE;
-}
-
-int main ( int argc, char **argv ) {
-
- if ( ! getopts( argc, argv+1 ) ) {
- printf("%s: [--file rooted-filename] [--user username] "
- "[--reset[=n]] [--quiet]\n",
- *argv);
- exit(0);
- }
-
- /*
- * Major difference between individual user and all users:
- * --user just handles one user, just like PAM.
- * --user=* handles all users, sniffing cline_filename for nonzeros
- */
-
- if ( cline_user ) {
- uid_t uid;
- tally_t tally=cline_reset;
- FILE *TALLY=0;
- int i=pam_get_uid( NULL, &uid, NULL);
- if ( i != PAM_SUCCESS ) {
- fprintf(stderr,"%s: %s\n",*argv,pam_errors(i));
- exit(0);
- }
-
- i=get_tally( &tally, uid, cline_filename, &TALLY );
- if ( i != PAM_SUCCESS ) {
- if (TALLY) fclose(TALLY);
- fprintf(stderr,"%s: %s\n",*argv,pam_errors(i));
- exit(0);
- }
-
- if ( !cline_quiet )
- printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",cline_user,uid,
- (cline_reset!=TALLY_HI)?"had":"has",tally);
-
- i=set_tally( cline_reset, uid, cline_filename, &TALLY );
- if ( i != PAM_SUCCESS ) {
- if (TALLY) fclose(TALLY);
- fprintf(stderr,"%s: %s\n",*argv,pam_errors(i));
- exit(0);
- }
- }
- else /* !cline_user (ie, operate on all users) */ {
- FILE *TALLY=fopen(cline_filename, "r");
- uid_t uid=0;
- if ( !TALLY ) perror(*argv), exit(0);
-
- for ( ; !feof(TALLY); uid++ ) {
- tally_t tally;
- struct passwd *pw;
- if ( ! fread(&tally, sizeof(tally_t), 1, TALLY) || ! tally ) continue;
-
- if ( ( pw=getpwuid(uid) ) ) {
- printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",pw->pw_name,uid,
- (cline_reset!=TALLY_HI)?"had":"has",tally);
- }
- else {
- printf("User [NONAME]\t("UID_FMT")\t%s "TALLY_FMT"\n",uid,
- (cline_reset!=TALLY_HI)?"had":"has",tally);
- }
- }
- fclose(TALLY);
- if ( cline_reset!=0 && cline_reset!=TALLY_HI ) {
- fprintf(stderr,"%s: Can't reset all users to non-zero\n",*argv);
- }
- else if ( !cline_reset ) {
- TALLY=fopen(cline_filename, "w");
- if ( !TALLY ) perror(*argv), exit(0);
- fclose(TALLY);
- }
- }
- return 0;
-}
-
-
-#endif
diff --git a/contrib/libpam/modules/pam_time/Makefile b/contrib/libpam/modules/pam_time/Makefile
deleted file mode 100644
index bc297d4..0000000
--- a/contrib/libpam/modules/pam_time/Makefile
+++ /dev/null
@@ -1,121 +0,0 @@
-#
-# $Id: Makefile,v 1.6 1997/04/05 06:22:32 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.6 1997/04/05 06:22:32 morgan
-# fakeroot
-#
-# Revision 1.5 1997/02/15 19:16:16 morgan
-# fixed email
-#
-# Revision 1.4 1996/11/10 20:18:21 morgan
-# cross platform support
-#
-# Revision 1.3 1996/09/05 06:27:37 morgan
-# ld --> gcc
-#
-# Revision 1.2 1996/08/09 05:48:19 morgan
-# inherit installation files from parent
-#
-# Revision 1.1 1996/07/07 23:42:48 morgan
-# Initial revision
-#
-# Revision 1.1 1996/06/24 05:48:49 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/6/11
-#
-
-TITLE=pam_time
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/time.conf
-export CONFILE
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-DEFS=-DCONFILE=\"$(CONFILE)\"
-
-CFLAGS += $(DEFS)
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(CONFILE)
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
- rm -f ./.ignore_age
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_time/README b/contrib/libpam/modules/pam_time/README
deleted file mode 100644
index 0c3f976..0000000
--- a/contrib/libpam/modules/pam_time/README
+++ /dev/null
@@ -1,37 +0,0 @@
-$Id: README,v 1.3 1997/01/04 20:42:43 morgan Exp $
-
-This is a help file for the pam_time module. It explains the need for
-pam_time and also the syntax of the /etc/security/time.conf file.
-[a lot of the syntax is freely adapted from the porttime file of the
-shadow suite.]
-
-1. Introduction
-===============
-
-It is desirable to restrict access to a system and or specific
-applications at various times of the day and on specific days or over
-various terminal lines.
-
-The pam_time module is intended to offer a configurable module that
-satisfies this purpose, within the context of Linux-PAM.
-
-2. the /etc/security/time.conf file
-===================================
-
-This file is the configuration script for defining time/port access
-control to the system/applications.
-
-Its syntax is described in the sample ./time.conf provided in this
-directory.
-
-unrecognised rules are ignored (but an error is logged to syslog(3))
-
---------------------
-Bugs to Andrew <morgan@parc.power.net> or the list <pam-list@redhat.com>
-
-########################################################################
-# $Log: README,v $
-# Revision 1.3 1997/01/04 20:42:43 morgan
-# I want email on parc now
-#
-# \ No newline at end of file
diff --git a/contrib/libpam/modules/pam_time/install_conf b/contrib/libpam/modules/pam_time/install_conf
deleted file mode 100755
index 051d8b7..0000000
--- a/contrib/libpam/modules/pam_time/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./time.conf
-MODULE=pam_time
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_time/pam_time.c b/contrib/libpam/modules/pam_time/pam_time.c
deleted file mode 100644
index 489c1d7..0000000
--- a/contrib/libpam/modules/pam_time/pam_time.c
+++ /dev/null
@@ -1,614 +0,0 @@
-/* pam_time module */
-
-/*
- * $Id: pam_time.c,v 1.7 1997/02/15 17:32:21 morgan Exp $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/6/22
- * (File syntax and much other inspiration from the shadow package
- * shadow-960129)
- *
- * $Log: pam_time.c,v $
- * Revision 1.7 1997/02/15 17:32:21 morgan
- * time parsing more robust
- *
- * Revision 1.6 1997/01/04 20:43:15 morgan
- * fixed buffer underflow, reformatted to 4 spaces
- *
- */
-
-const static char rcsid[] =
-"$Id: pam_time.c,v 1.7 1997/02/15 17:32:21 morgan Exp $;\n"
-"\t\tVersion 0.22 for Linux-PAM\n"
-"Copyright (C) Andrew G. Morgan 1996 <morgan@parc.power.net>\n";
-
-#include <sys/file.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <time.h>
-#include <syslog.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-#define PAM_TIME_CONF CONFILE /* from external define */
-#define PAM_TIME_BUFLEN 1000
-#define FIELD_SEPARATOR ';' /* this is new as of .02 */
-
-typedef enum { FALSE, TRUE } boolean;
-typedef enum { AND, OR } operator;
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_ACCOUNT
-
-#include <security/_pam_macros.h>
-#include <security/pam_modules.h>
-
-/* --- static functions for checking whether the user should be let in --- */
-
-static void _log_err(const char *format, ... )
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_time", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(LOG_CRIT, format, args);
- va_end(args);
- closelog();
-}
-
-static void shift_bytes(char *mem, int from, int by)
-{
- while (by-- > 0) {
- *mem = mem[from];
- ++mem;
- }
-}
-
-static int read_field(int fd, char **buf, int *from, int *to)
-{
- /* is buf set ? */
-
- if (! *buf) {
- *buf = (char *) malloc(PAM_TIME_BUFLEN);
- if (! *buf) {
- _log_err("out of memory");
- D(("no memory"));
- return -1;
- }
- *from = *to = 0;
- fd = open(PAM_TIME_CONF, O_RDONLY);
- }
-
- /* do we have a file open ? return error */
-
- if (fd < 0 && *to <= 0) {
- _log_err( PAM_TIME_CONF " not opened");
- memset(*buf, 0, PAM_TIME_BUFLEN);
- _pam_drop(*buf);
- return -1;
- }
-
- /* check if there was a newline last time */
-
- if ((*to > *from) && (*to > 0)
- && ((*buf)[*from] == '\0')) { /* previous line ended */
- (*from)++;
- (*buf)[0] = '\0';
- return fd;
- }
-
- /* ready for more data: first shift the buffer's remaining data */
-
- *to -= *from;
- shift_bytes(*buf, *from, *to);
- *from = 0;
- (*buf)[*to] = '\0';
-
- while (fd >= 0 && *to < PAM_TIME_BUFLEN) {
- int i;
-
- /* now try to fill the remainder of the buffer */
-
- i = read(fd, *to + *buf, PAM_TIME_BUFLEN - *to);
- if (i < 0) {
- _log_err("error reading " PAM_TIME_CONF);
- return -1;
- } else if (!i) {
- fd = -1; /* end of file reached */
- } else
- *to += i;
-
- /*
- * contract the buffer. Delete any comments, and replace all
- * multiple spaces with single commas
- */
-
- i = 0;
-#ifdef DEBUG_DUMP
- D(("buffer=<%s>",*buf));
-#endif
- while (i < *to) {
- if ((*buf)[i] == ',') {
- int j;
-
- for (j=++i; j<*to && (*buf)[j] == ','; ++j);
- if (j!=i) {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- }
- }
- switch ((*buf)[i]) {
- int j,c;
- case '#':
- for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j);
- if (j >= *to) {
- (*buf)[*to = ++i] = '\0';
- } else if (c == '\n') {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- ++i;
- } else {
- _log_err("internal error in " __FILE__
- " at line %d", __LINE__ );
- return -1;
- }
- break;
- case '\\':
- if ((*buf)[i+1] == '\n') {
- shift_bytes(i + *buf, 2, *to - (i+2));
- *to -= 2;
- }
- break;
- case '!':
- case ' ':
- case '\t':
- if ((*buf)[i] != '!')
- (*buf)[i] = ',';
- /* delete any trailing spaces */
- for (j=++i; j < *to && ( (c = (*buf)[j]) == ' '
- || c == '\t' ); ++j);
- shift_bytes(i + *buf, j-i, (*to)-j );
- *to -= j-i;
- break;
- default:
- ++i;
- }
- }
- }
-
- (*buf)[*to] = '\0';
-
- /* now return the next field (set the from/to markers) */
- {
- int i;
-
- for (i=0; i<*to; ++i) {
- switch ((*buf)[i]) {
- case '#':
- case '\n': /* end of the line/file */
- (*buf)[i] = '\0';
- *from = i;
- return fd;
- case FIELD_SEPARATOR: /* end of the field */
- (*buf)[i] = '\0';
- *from = ++i;
- return fd;
- }
- }
- *from = i;
- (*buf)[*from] = '\0';
- }
-
- if (*to <= 0) {
- D(("[end of text]"));
- *buf = NULL;
- }
-
- return fd;
-}
-
-/* read a member from a field */
-
-static int logic_member(const char *string, int *at)
-{
- int len,c,to;
- int done=0;
- int token=0;
-
- len=0;
- to=*at;
- do {
- c = string[to++];
-
- switch (c) {
-
- case '\0':
- --to;
- done = 1;
- break;
-
- case '&':
- case '|':
- case '!':
- if (token) {
- --to;
- }
- done = 1;
- break;
-
- default:
- if (isalpha(c) || c == '*' || isdigit(c) || c == '_'
- || c == '-' || c == '.') {
- token = 1;
- } else if (token) {
- --to;
- done = 1;
- } else {
- ++*at;
- }
- }
- } while (!done);
-
- return to - *at;
-}
-
-typedef enum { VAL, OP } expect;
-
-static boolean logic_field(const void *me, const char *x, int rule,
- boolean (*agrees)(const void *, const char *
- , int, int))
-{
- boolean left=FALSE, right, not=FALSE;
- operator oper=OR;
- int at=0, l;
- expect next=VAL;
-
- while ((l = logic_member(x,&at))) {
- int c = x[at];
-
- if (next == VAL) {
- if (c == '!')
- not = !not;
- else if (isalpha(c) || c == '*') {
- right = not ^ agrees(me, x+at, l, rule);
- if (oper == AND)
- left &= right;
- else
- left |= right;
- next = OP;
- } else {
- _log_err("garbled syntax; expected name (rule #%d)", rule);
- return FALSE;
- }
- } else { /* OP */
- switch (c) {
- case '&':
- oper = AND;
- break;
- case '|':
- oper = OR;
- break;
- default:
- _log_err("garbled syntax; expected & or | (rule #%d)"
- , rule);
- D(("%c at %d",c,at));
- return FALSE;
- }
- next = VAL;
- }
- at += l;
- }
-
- return left;
-}
-
-static boolean is_same(const void *A, const char *b, int len, int rule)
-{
- int i;
- const char *a;
-
- a = A;
- for (i=0; len > 0; ++i, --len) {
- if (b[i] != a[i]) {
- if (b[i++] == '*') {
- return (!--len || !strncmp(b+i,a+strlen(a)-len,len));
- } else
- return FALSE;
- }
- }
- return ( !len );
-}
-
-typedef struct {
- int day; /* array of 7 bits, one set for today */
- int minute; /* integer, hour*100+minute for now */
-} TIME;
-
-struct day {
- const char *d;
- int bit;
-} static const days[11] = {
- { "su", 01 },
- { "mo", 02 },
- { "tu", 04 },
- { "we", 010 },
- { "th", 020 },
- { "fr", 040 },
- { "sa", 0100 },
- { "wk", 076 },
- { "wd", 0101 },
- { "al", 0177 },
- { NULL, 0 }
-};
-
-static TIME time_now(void)
-{
- struct tm *local;
- time_t the_time;
- TIME this;
-
- the_time = time((time_t *)0); /* get the current time */
- local = localtime(&the_time);
- this.day = days[local->tm_wday].bit;
- this.minute = local->tm_hour*100 + local->tm_min;
-
- D(("day: 0%o, time: %.4d", this.day, this.minute));
- return this;
-}
-
-/* take the current date and see if the range "date" passes it */
-static boolean check_time(const void *AT, const char *times, int len, int rule)
-{
- boolean not,pass;
- int marked_day, time_start, time_end;
- const TIME *at;
- int i,j=0;
-
- at = AT;
- D(("chcking: 0%o/%.4d vs. %s", at->day, at->minute, times));
-
- if (times == NULL) {
- /* this should not happen */
- _log_err("internal error: " __FILE__ " line %d", __LINE__);
- return FALSE;
- }
-
- if (times[j] == '!') {
- ++j;
- not = TRUE;
- } else {
- not = FALSE;
- }
-
- for (marked_day = 0; len > 0 && isalpha(times[j]); --len) {
- int this_day=-1;
-
- D(("%c%c ?", times[j], times[j+1]));
- for (i=0; days[i].d != NULL; ++i) {
- if (tolower(times[j]) == days[i].d[0]
- && tolower(times[j+1]) == days[i].d[1] ) {
- this_day = days[i].bit;
- break;
- }
- }
- j += 2;
- if (this_day == -1) {
- _log_err("bad day specified (rule #%d)", rule);
- return FALSE;
- }
- marked_day ^= this_day;
- }
- if (marked_day == 0) {
- _log_err("no day specified");
- return FALSE;
- }
- D(("day range = 0%o", marked_day));
-
- time_start = 0;
- for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) {
- time_start *= 10;
- time_start += times[i+j]-'0'; /* is this portable? */
- }
- j += i;
-
- if (times[j] == '-') {
- time_end = 0;
- for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) {
- time_end *= 10;
- time_end += times[i+j]-'0'; /* is this portable */
- }
- j += i;
- } else
- time_end = -1;
-
- D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j]));
- if (i != 5 || time_end == -1) {
- _log_err("no/bad times specified (rule #%d)", rule);
- return TRUE;
- }
- D(("times(%d to %d)", time_start,time_end));
- D(("marked_day = 0%o", marked_day));
-
- /* compare with the actual time now */
-
- pass = FALSE;
- if (time_start < time_end) { /* start < end ? --> same day */
- if ((at->day & marked_day) && (at->minute >= time_start)
- && (at->minute < time_end)) {
- D(("time is listed"));
- pass = TRUE;
- }
- } else { /* spans two days */
- if ((at->day & marked_day) && (at->minute >= time_start)) {
- D(("caught on first day"));
- pass = TRUE;
- } else {
- marked_day <<= 1;
- marked_day |= (marked_day & 0200) ? 1:0;
- D(("next day = 0%o", marked_day));
- if ((at->day & marked_day) && (at->minute <= time_end)) {
- D(("caught on second day"));
- pass = TRUE;
- }
- }
- }
-
- return (not ^ pass);
-}
-
-static int check_account(const char *service
- , const char *tty, const char *user)
-{
- int from=0,to=0,fd=-1;
- char *buffer=NULL;
- int count=0;
- TIME here_and_now;
- int retval=PAM_SUCCESS;
-
- here_and_now = time_now(); /* find current time */
- do {
- boolean good=TRUE,intime;
-
- /* here we get the service name field */
-
- fd = read_field(fd,&buffer,&from,&to);
-
- if (!buffer || !buffer[0]) {
- /* empty line .. ? */
- continue;
- }
- ++count;
-
- good = logic_field(service, buffer, count, is_same);
- D(("with service: %s", good ? "passes":"fails" ));
-
- /* here we get the terminal name field */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- _log_err(PAM_TIME_CONF "; no tty entry #%d", count);
- continue;
- }
- good &= logic_field(tty, buffer, count, is_same);
- D(("with tty: %s", good ? "passes":"fails" ));
-
- /* here we get the username field */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- _log_err(PAM_TIME_CONF "; no user entry #%d", count);
- continue;
- }
- good &= logic_field(user, buffer, count, is_same);
- D(("with user: %s", good ? "passes":"fails" ));
-
- /* here we get the time field */
-
- fd = read_field(fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- _log_err(PAM_TIME_CONF "; no time entry #%d", count);
- continue;
- }
-
- intime = logic_field(&here_and_now, buffer, count, check_time);
- D(("with time: %s", intime ? "passes":"fails" ));
-
- fd = read_field(fd,&buffer,&from,&to);
- if (buffer && buffer[0]) {
- _log_err(PAM_TIME_CONF "; poorly terminated rule #%d", count);
- continue;
- }
-
- if (good && !intime) {
- /*
- * for security parse whole file.. also need to ensure
- * that the buffer is free()'d and the file is closed.
- */
- retval = PAM_PERM_DENIED;
- } else {
- D(("rule passed"));
- }
- } while (buffer);
-
- return retval;
-}
-
-/* --- public account management functions --- */
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- const char *service=NULL, *tty=NULL;
- const char *user=NULL;
-
- /* set service name */
-
- if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
- != PAM_SUCCESS || service == NULL) {
- _log_err("cannot find the current service name");
- return PAM_ABORT;
- }
-
- /* set username */
-
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
- _log_err("cannot determine the user's name");
- return PAM_USER_UNKNOWN;
- }
-
- /* set tty name */
-
- if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS
- || tty == NULL) {
- D(("PAM_TTY not set, probing stdin"));
- tty = ttyname(STDIN_FILENO);
- if (tty == NULL) {
- _log_err("couldn't get the tty name");
- return PAM_ABORT;
- }
- if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) {
- _log_err("couldn't set tty name");
- return PAM_ABORT;
- }
- }
-
- if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */
- tty += 5;
- }
-
- /* good, now we have the service name, the user and the terminal name */
-
- D(("service=%s", service));
- D(("user=%s", user));
- D(("tty=%s", tty));
-
- return check_account(service,tty,user);
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_time_modstruct = {
- "pam_time",
- NULL,
- NULL,
- pam_sm_acct_mgmt,
- NULL,
- NULL,
- NULL
-};
-#endif
diff --git a/contrib/libpam/modules/pam_time/time.conf b/contrib/libpam/modules/pam_time/time.conf
deleted file mode 100644
index d2062fd..0000000
--- a/contrib/libpam/modules/pam_time/time.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-# this is an example configuration file for the pam_time module. Its syntax
-# was initially based heavily on that of the shadow package (shadow-960129).
-#
-# the syntax of the lines is as follows:
-#
-# services;ttys;users;times
-#
-# white space is ignored and lines maybe extended with '\\n' (escaped
-# newlines). As should be clear from reading these comments,
-# text following a '#' is ignored to the end of the line.
-#
-# the combination of individual users/terminals etc is a logic list
-# namely individual tokens that are optionally prefixed with '!' (logical
-# not) and separated with '&' (logical and) and '|' (logical or).
-#
-# services
-# is a logic list of PAM service names that the rule applies to.
-#
-# ttys
-# is a logic list of terminal names that this rule applies to.
-#
-# users
-# is a logic list of users to whom this rule applies.
-#
-# NB. For these items the simple wildcard '*' may be used only once.
-#
-# times
-# the format here is a logic list of day/time-range
-# entries the days are specified by a sequence of two character
-# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
-# that repeated days are unset MoMo = no day, and MoWk = all weekdays
-# bar Monday. The two character combinations accepted are
-#
-# Mo Tu We Th Fr Sa Su Wk Wd Al
-#
-# the last two being week-end days and all 7 days of the week
-# respectively. As a final example, AlFr means all days except Friday.
-#
-# each day/time-range can be prefixed with a '!' to indicate "anything
-# but"
-#
-# The time-range part is two 24-hour times HHMM separated by a hyphen
-# indicating the start and finish time (if the finish time is smaller
-# than the start time it is deemed to apply on the following day).
-#
-# for a rule to be active, ALL of service+ttys+users must be satisfied
-# by the applying process.
-#
-
-#
-# Here is a simple example: running blank on tty* (any ttyXXX device),
-# the users 'you' and 'me' are denied service all of the time
-#
-
-#blank;tty* & !ttyp*;you|me;!Al0000-2400
-
-# Another silly example, user 'root' is denied xsh access
-# from pseudo terminals at the weekend and on mondays.
-
-#xsh;ttyp*;root;!WdMo0000-2400
-
-#
-# End of example file.
-# \ No newline at end of file
diff --git a/contrib/libpam/modules/pam_unix/CHANGELOG b/contrib/libpam/modules/pam_unix/CHANGELOG
deleted file mode 100644
index 37e4c85..0000000
--- a/contrib/libpam/modules/pam_unix/CHANGELOG
+++ /dev/null
@@ -1,6 +0,0 @@
-$Id: CHANGELOG,v 1.1 1996/11/09 19:42:41 morgan Exp $
-
-$Log: CHANGELOG,v $
-Revision 1.1 1996/11/09 19:42:41 morgan
-Initial revision
-
diff --git a/contrib/libpam/modules/pam_unix/Makefile b/contrib/libpam/modules/pam_unix/Makefile
deleted file mode 100644
index ad1f47f..0000000
--- a/contrib/libpam/modules/pam_unix/Makefile
+++ /dev/null
@@ -1,155 +0,0 @@
-# $Header$
-#
-# This Makefile controls a build process of the pam_unix modules
-# for Linux-PAM. You should not modify this Makefile.
-#
-# $Log$
-# Revision 1.1.1.2 1998/06/03 03:43:56 adam
-# Import from archive
-#
-# Revision 1.3 1998/05/31 23:48:13 adam
-# Link crypt library as necessary.
-#
-# Revision 1.3 1997/04/05 06:20:58 morgan
-# fakeroot and also lockpwdf is in libc now
-#
-# Revision 1.2 1996/11/10 20:18:59 morgan
-# cross platform support
-#
-# Revision 1.1 1996/11/09 19:44:16 morgan
-# Initial revision
-#
-#
-
-########################################################################
-# some options... uncomment to take effect
-########################################################################
-
-# do you want shadow?
-USE_SHADOW=-D"HAVE_SHADOW_H"
-
-# do you want cracklib?
-ifeq ($(HAVE_CRACKLIB),yes)
-USE_CRACKLIB=-D"USE_CRACKLIB"
-endif
-
-# do you want to use lckpwdf?
-USE_LCKPWDF=-D"USE_LCKPWDF"
-
-# do you need to include the locking functions in the source?
-#NEED_LCKPWDF=-D"NEED_LCKPWDF"
-
-########################################################################
-
-CFLAGS += $(USE_SHADOW) $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF)
-
-ifdef DYNAMIC
-LIBSESSSH = pam_unix_session.so
-LIBAUTHSH = pam_unix_auth.so
-LIBPASSWDSH = pam_unix_passwd.so
-LIBACCOUNT = pam_unix_acct.so
-endif
-
-ifdef STATIC
-LIBSTATIC = libpam_unix.o
-endif
-
-ifdef USE_CRACKLIB
-CRACKLIB = -lcrack
-endif
-
-LIBAUTHOBJ = pam_unix_auth.o support.o
-LIBAUTHSRC = pam_unix_auth.c support.c
-LIBSESSOBJ = pam_unix_sess.o
-LIBSESSSRC = pam_unix_sess.c
-LIBPASSWDSRC = pam_unix_passwd.c
-LIBPASSWDOBJ = pam_unix_passwd.o
-LIBACCOUNTSRC = pam_unix_acct.c
-LIBACCOUNTOBJ = pam_unix_acct.o
-LIBOBJ = $(LIBAUTHOBJ) $(LIBSESSOBJ) $(LIBPASSWDOBJ) $(LIBACCOUNTOBJ)
-LIBSRC = $(LIBAUTHSRC) $(LIBSESSSRC) $(LIBPASSWDSRC) $(LIBACCOUNTSRC)
-
-LIBSHARED = $(LIBSESSSH) $(LIBAUTHSH) $(LIBPASSWDSH) $(LIBACCOUNT)
-
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) -c $< -o $@
-
-static/%.o: %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) -c $< -o $@
-
-
-########################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-info:
- @echo
- @echo "*** Building pam-unix(alpha) module of the framework..."
- @echo
-
-all: dirs info $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- mkdir -p ./dynamic
-endif
-ifdef STATIC
- mkdir -p ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; \
- ./register_static pam_unix_auth pam_unix/$(LIBSTATIC) ; \
- ./register_static pam_unix_acct "" ; \
- )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBAUTHSH): $(LIBAUTHSRC) $(LIBOBJD)
- $(LD_D) -o $@ $(addprefix dynamic/,$(LIBAUTHOBJ)) -lcrypt
-
-$(LIBSESSSH): $(LIBSESSSRC) $(LIBOBJD)
- $(LD_D) -o $@ $(addprefix dynamic/,$(LIBSESSOBJ))
-
-$(LIBPASSWDSH): $(LIBPASSWDSRC) $(LIBOBJD)
- $(LD_D) -o $@ $(addprefix dynamic/,$(LIBPASSWDOBJ)) $(CRACKLIB) -lcrypt
-
-$(LIBACCOUNT): $(LIBACCOUNTSRC) $(LIBOBJD)
- $(LD_D) -o $@ $(addprefix dynamic/,$(LIBACCOUNTOBJ))
-endif
-
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- mkdir -p $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- install -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- cd $(FAKEROOT)$(SECUREDIR) && rm -f $(LIBSHARED)
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) a.out core *~
-
-extraclean: clean
- rm -f *.a *.out *.o *.so *.bak
-
-.c.o:
- $(CC) -c $(CFLAGS) $<
-
diff --git a/contrib/libpam/modules/pam_unix/README b/contrib/libpam/modules/pam_unix/README
deleted file mode 100644
index 082e996..0000000
--- a/contrib/libpam/modules/pam_unix/README
+++ /dev/null
@@ -1,39 +0,0 @@
-This is the README for pam_unix in Linux-PAM-0.53.
---------------------------------------------------
-
-pam_unix comes as four separate modules:
-
-pam_unix_auth: authentication module providing
- pam_authenticate() and pam_setcred() hooks
-
- NO options are recognized. Credential facilities are trivial
- (function simply returns)
-
-pam_unix_sess: session module, providing session logging
-
- "debug" and "trace" arguments are accepted, which indicate the
- logging-level for syslog.
-
- "debug" -> LOG_DEBUG [ also default ]
- "trace" -> LOG_AUTHPRIV
-
-pam_unix_acct: account management, providing shadow account
- managment features, password aging etc..
-
- NO options are recognized. Account managment trivial without
- shadow active.
-
-pam_unix_passwd: password updating facilities providing
- cracklib password strength checking facilities.
-
- if compiled, the default behavior is to check passwords
- strictly using CrackLib. This behavior can be turned off
- with the argument
-
- "strict=false"
-
- invalid arguments are logged to syslog.
-
-------------------------------
-- Andrew 1996/11/9
-------------------------------
diff --git a/contrib/libpam/modules/pam_unix/pam_unix_acct.c b/contrib/libpam/modules/pam_unix/pam_unix_acct.c
deleted file mode 100644
index 5c0546a..0000000
--- a/contrib/libpam/modules/pam_unix/pam_unix_acct.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Copyright Elliot Lee, 1996. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* pam_unix_acct.c module, different track */
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#define __USE_MISC
-#include <pwd.h>
-#include <sys/types.h>
-#include <syslog.h>
-#include <unistd.h>
-#ifdef HAVE_SHADOW_H
-#include <shadow.h>
-#endif
-#include <time.h>
-
-#define PAM_SM_ACCOUNT
-
-#ifndef LINUX
-# include <security/pam_appl.h>
-#endif
-
-#define _PAM_EXTERN_FUNCTIONS
-#include <security/pam_modules.h>
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
-#ifdef HAVE_SHADOW_H
- const char *uname;
- int retval;
- time_t curdays;
- struct spwd *spent;
- struct passwd *pwent;
-
- setpwent();
- setspent();
- retval = pam_get_item(pamh,PAM_USER,(const void **)&uname);
- if(retval != PAM_SUCCESS || uname == NULL) {
- return PAM_SUCCESS; /* Couldn't get username, just ignore this
- (i.e. they don't have any expiry info available */
- }
- pwent = getpwnam(uname);
- if(!pwent)
- return PAM_USER_UNKNOWN;
- if(strcmp(pwent->pw_passwd,"x"))
- return PAM_SUCCESS; /* They aren't using shadow passwords & expiry
- info */
- spent = getspnam(uname);
- if(!spent)
- return PAM_SUCCESS; /* Couldn't get username from shadow, just ignore this
- (i.e. they don't have any expiry info available */
- curdays = time(NULL)/(60*60*24);
- if((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact))
- && (spent->sp_max != -1) && (spent->sp_inact != -1))
- return PAM_ACCT_EXPIRED;
- if((curdays > spent->sp_expire) && (spent->sp_expire != -1))
- return PAM_ACCT_EXPIRED;
- endspent();
- endpwent();
-#endif
- return PAM_SUCCESS;
-}
-
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_unix_acct_modstruct = {
- "pam_unix_acct",
- NULL,
- NULL,
- pam_sm_acct_mgmt,
- NULL,
- NULL,
- NULL,
-};
-#endif
diff --git a/contrib/libpam/modules/pam_unix/pam_unix_auth.c b/contrib/libpam/modules/pam_unix/pam_unix_auth.c
deleted file mode 100644
index 65c2229..0000000
--- a/contrib/libpam/modules/pam_unix/pam_unix_auth.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/* $Header: /home/morgan/pam/Linux-PAM-0.59/modules/pam_unix/RCS/pam_unix_auth.c,v 1.1 1996/11/09 19:44:35 morgan Exp morgan $ */
-
-/*
- * Copyright Alexander O. Yuriev, 1996. All rights reserved.
- * NIS+ support by Thorsten Kukuk <kukuk@weber.uni-paderborn.de>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * $Log: pam_unix_auth.c,v $
- *
- * Revision 1.9 1996/05/26 04:13:04 morgan
- * added static support
- *
- * Revision 1.8 1996/05/21 03:51:58 morgan
- * added "const" to rcsid[] definition
- *
- * Revision 1.7 1996/04/19 03:25:57 alex
- * minor corrections.
- *
- * Revision 1.6 1996/04/17 01:05:05 alex
- * _pam_auth_unix() cleaned up - non-authentication code is made into funcs
- * and mostly moved out to support.c.
- *
- * Revision 1.5 1996/04/16 21:12:46 alex
- * unix authentication works on Bach again. This is a tranitional stage.
- * I really don't like that _pam_unix_auth() grew into a monster that does
- * prompts etc etc. They should go into other functions.
- *
- * Revision 1.4 1996/04/07 08:06:12 morgan
- * tidied up a little
- *
- * Revision 1.3 1996/04/07 07:34:07 morgan
- * added conversation support. Now the module is capable of obtaining a
- * username and a password all by itself.
- *
- * Revision 1.2 1996/03/29 02:31:19 morgan
- * Marek Michalkiewicz's small patches for shadow support.
- *
- * Revision 1.1 1996/03/09 09:10:57 morgan
- * Initial revision
- *
- */
-
-#ifdef linux
-# define _GNU_SOURCE
-# include <features.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#define __USE_BSD
-#include <unistd.h>
-#include <pwd.h>
-#include <sys/types.h>
-
-#ifndef NDEBUG
-
-#include <syslog.h>
-
-#endif /* NDEBUG */
-
-#ifdef HAVE_SHADOW_H
-
-#include <shadow.h>
-
-#endif /* HAVE_SHADOW_H */
-
-#ifndef LINUX
-
-#include <security/pam_appl.h>
-
-#endif /* LINUX */
-
-#define _PAM_EXTERN_FUNCTIONS
-#include <security/pam_modules.h>
-
-static const char rcsid[] = "$Id: pam_unix_auth.c,v 1.1 1996/11/09 19:44:35 morgan Exp morgan $ pam_unix authentication functions. alex@bach.cis.temple.edu";
-
-/* Define function phototypes */
-
-extern char *crypt(const char *key, const char *salt); /* This should have
- been in unistd.h
- but it is not */
-extern int converse( pam_handle_t *pamh,
- int nargs,
- struct pam_message **message,
- struct pam_response **response );
-
-extern int _set_auth_tok( pam_handle_t *pamh,
- int flags, int argc,
- const char **argv );
-
-static int _pam_auth_unix( pam_handle_t *pamh,
- int flags, int argc,
- const char **argv );
-
-static int _pam_set_credentials_unix ( pam_handle_t *pamh,
- int flags,
- int argc,
- const char ** argv ) ;
-
-
-/* Fun starts here :)
- *
- * _pam_auth_unix() actually performs UNIX/shadow authentication
- *
- * First, if shadow support is available, attempt to perform
- * authentication using shadow passwords. If shadow is not
- * available, or user does not have a shadow password, fallback
- * onto a normal UNIX authentication
- */
-
-static int _pam_auth_unix( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- int retval;
- struct passwd *pw;
- const char *name;
- char *p, *pp;
- const char *salt;
-
-#ifdef HAVE_SHADOW_H
-
- struct spwd *sp;
-
-#endif
-
- /* get the user'name' */
-
- if ( (retval = pam_get_user( pamh, &name, "login: ") ) != PAM_SUCCESS )
- return retval;
-
- /*
- * at some point we will have to make this module pay
- * attention to arguments, like 'pam_first_pass' etc...
- */
-
- pw = getpwnam ( name );
-
-#ifndef __FreeBSD__
- /* For NIS+, root cannot get password for lesser user */
- if (pw) {
- uid_t save_euid, save_uid;
-
- save_uid = getuid ();
- save_euid = geteuid();
- if (setreuid (0,pw->pw_uid) >= 0) {
- pw = getpwnam ( name );
- setreuid (save_uid,save_euid);
- }
- }
-#endif
-
- if ( pw && (!pw->pw_passwd || pw->pw_passwd[0] == '\0') &&
- !(flags & PAM_DISALLOW_NULL_AUTHTOK)) {
- return PAM_SUCCESS;
- }
- pam_get_item( pamh, PAM_AUTHTOK, (void*) &p );
-
- if ( !p )
- {
- retval = _set_auth_tok( pamh, flags, argc, argv );
- if ( retval != PAM_SUCCESS )
- return retval;
- }
-
- /*
- We have to call pam_get_item() again because value of p should
- change
- */
-
- pam_get_item( pamh, PAM_AUTHTOK, (void*) &p );
-
-
- if (pw)
- {
-
-#ifdef HAVE_SHADOW_H
-
- /*
- * Support for shadow passwords on Linux and SVR4-based
- * systems. Shadow passwords are optional on Linux - if
- * there is no shadow password, use the non-shadow one.
- */
-
- sp = getspnam( name );
- if (sp && (!strcmp(pw->pw_passwd,"x")))
- {
- /* TODO: check if password has expired etc. */
- salt = sp->sp_pwdp;
- }
- else
-#endif
- salt = pw->pw_passwd;
- }
- else
- return PAM_USER_UNKNOWN;
-
- /* The 'always-encrypt' method does not make sense in PAM
- because the framework requires return of a different
- error code for non-existant users -- alex */
-
- if ( ( !pw->pw_passwd ) && ( !p ) )
- if ( flags && PAM_DISALLOW_NULL_AUTHTOK )
- return PAM_SUCCESS;
- else
- return PAM_AUTH_ERR;
-
- pp = crypt(p, salt);
-
- if ( strcmp( pp, salt ) == 0 )
- return PAM_SUCCESS;
-
- return PAM_AUTH_ERR;
-}
-
-/*
- * The only thing _pam_set_credentials_unix() does is initialization of
- * UNIX group IDs.
- *
- * Well, everybody but me on linux-pam is convinced that it should not
- * initialize group IDs, so I am not doing it but don't say that I haven't
- * warned you. -- AOY
- */
-
-static int _pam_set_credentials_unix ( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-
-{ /* FIX ME: incorrect error code */
-
- return PAM_SUCCESS; /* This is a wrong result code. From what I
- remember from reafing one of the guides
- there's an error-level saying 'N/A func'
- -- AOY
- */
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * authentication module.
- */
-
-PAM_EXTERN
-int pam_sm_authenticate( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- return _pam_auth_unix( pamh, flags, argc, argv );
-}
-
-PAM_EXTERN
-int pam_sm_setcred( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv)
-{
- return _pam_set_credentials_unix ( pamh, flags, argc, argv ) ;
-}
-
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_unix_auth_modstruct = {
- "pam_unix_auth",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-#endif
diff --git a/contrib/libpam/modules/pam_unix/pam_unix_passwd.c b/contrib/libpam/modules/pam_unix/pam_unix_passwd.c
deleted file mode 100644
index de1345e..0000000
--- a/contrib/libpam/modules/pam_unix/pam_unix_passwd.c
+++ /dev/null
@@ -1,813 +0,0 @@
-
-/* Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
- Copyright (C) 1996. */
-
-/*
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- How it works:
- Gets in username (has to be done) from the calling program
- Does authentication of user (only if we are not running as root)
- Gets new password/checks for sanity
- Sets it.
- */
-
-#define PAM_SM_PASSWORD
-
-/* #define DEBUG 1 */
-
-#include <stdio.h>
-#include <sys/time.h>
-#define _BSD_SOURCE
-#define _SVID_SOURCE
-#include <errno.h>
-#define __USE_BSD
-#define _BSD_SOURCE
-#include <pwd.h>
-#include <sys/types.h>
-
-/* why not defined? */
-void setpwent(void);
-void endpwent(void);
-int chmod(const char *path, mode_t mode);
-struct passwd *fgetpwent(FILE *stream);
-int putpwent(const struct passwd *p, FILE *stream);
-
-#include <unistd.h>
-char *crypt(const char *key, const char *salt);
-#ifdef USE_CRACKLIB
-#include <crack.h>
-#endif
-#include <ctype.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <string.h>
-#include <stdarg.h>
-#include <malloc.h>
-#include <security/_pam_macros.h>
-
-#ifndef LINUX /* AGM added this as of 0.2 */
-#include <security/pam_appl.h>
-#endif /* ditto */
-#include <security/pam_modules.h>
-#ifdef HAVE_SHADOW_H
-#include <shadow.h>
-#endif
-
-#define MAX_PASSWD_TRIES 3
-#define OLD_PASSWORD_PROMPT "Password: "
-#define NEW_PASSWORD_PROMPT "New password: "
-#define AGAIN_PASSWORD_PROMPT "New password (again): "
-#define PW_TMPFILE "/etc/npasswd"
-#define SH_TMPFILE "/etc/nshadow"
-#define CRACKLIB_DICTS "/usr/lib/cracklib_dict"
-
-/* Various flags for the getpass routine to send back in... */
-#define PPW_EXPIRED 1
-#define PPW_EXPIRING 2
-#define PPW_WILLEXPIRE 4
-#define PPW_NOSUCHUSER 8
-#define PPW_SHADOW 16
-#define PPW_TOOEARLY 32
-#define PPW_ERROR 64
-
-#ifndef DO_TEST
-#define STATIC static
-#else
-#define STATIC
-#endif
-/* Sets a password for the specified user to the specified password
- Returns flags PPW_*, or'd. */
-STATIC int _do_setpass(char *forwho, char *towhat, int flags);
-/* Gets a password for the specified user
- Returns flags PPW_*, or'd. */
-STATIC int _do_getpass(char *forwho, char **theirpass);
-/* Checks whether the password entered is same as listed in the database
- 'entered' should not be crypt()'d or anything (it should be as the
- user entered it...), 'listed' should be as it is listed in the
- password database file */
-STATIC int _do_checkpass(const char *entered, char *listed);
-
-/* sends a one-way message to the user, either error or info... */
-STATIC int conv_sendmsg(struct pam_conv *aconv, const char *message, int style);
-/* sends a message and returns the results of the conversation */
-STATIC int conv_getitem(struct pam_conv *aconv, char *message, int style,
- char **result);
-
-PAM_EXTERN
-int pam_sm_chauthtok( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv);
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-unix_passwd", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-#ifdef NEED_LCKPWDF
-/* This is a hack, but until libc and glibc both include this function
- * by default (libc only includes it if nys is not being used, at the
- * moment, and glibc doesn't appear to have it at all) we need to have
- * it here, too. :-(
- *
- * This should not become an official part of PAM.
- *
- * BEGIN_HACK
-*/
-
-/*
- * lckpwdf.c -- prevent simultaneous updates of password files
- *
- * Before modifying any of the password files, call lckpwdf(). It may block
- * for up to 15 seconds trying to get the lock. Return value is 0 on success
- * or -1 on failure. When you are done, call ulckpwdf() to release the lock.
- * The lock is also released automatically when the process exits. Only one
- * process at a time may hold the lock.
- *
- * These functions are supposed to be conformant with AT&T SVID Issue 3.
- *
- * Written by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>,
- * public domain.
- */
-
-#include <fcntl.h>
-#include <signal.h>
-
-#define LOCKFILE "/etc/.pwd.lock"
-#define TIMEOUT 15
-
-static int lockfd = -1;
-
-static int
-set_close_on_exec(int fd)
-{
- int flags = fcntl(fd, F_GETFD, 0);
- if (flags == -1)
- return -1;
- flags |= FD_CLOEXEC;
- return fcntl(fd, F_SETFD, flags);
-}
-
-static int
-do_lock(int fd)
-{
- struct flock fl;
-
- memset(&fl, 0, sizeof fl);
- fl.l_type = F_WRLCK;
- fl.l_whence = SEEK_SET;
- return fcntl(fd, F_SETLKW, &fl);
-}
-
-static void
-alarm_catch(int sig)
-{
-/* does nothing, but fcntl F_SETLKW will fail with EINTR */
-}
-
-static int lckpwdf(void)
-{
- struct sigaction act, oldact;
- sigset_t set, oldset;
-
- if (lockfd != -1)
- return -1;
-
- lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
- if (lockfd == -1)
- return -1;
- if (set_close_on_exec(lockfd) == -1)
- goto cleanup_fd;
-
- memset(&act, 0, sizeof act);
- act.sa_handler = alarm_catch;
- act.sa_flags = 0;
- sigfillset(&act.sa_mask);
- if (sigaction(SIGALRM, &act, &oldact) == -1)
- goto cleanup_fd;
-
- sigemptyset(&set);
- sigaddset(&set, SIGALRM);
- if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1)
- goto cleanup_sig;
-
- alarm(TIMEOUT);
- if (do_lock(lockfd) == -1)
- goto cleanup_alarm;
- alarm(0);
- sigprocmask(SIG_SETMASK, &oldset, NULL);
- sigaction(SIGALRM, &oldact, NULL);
- return 0;
-
-cleanup_alarm:
- alarm(0);
- sigprocmask(SIG_SETMASK, &oldset, NULL);
-cleanup_sig:
- sigaction(SIGALRM, &oldact, NULL);
-cleanup_fd:
- close(lockfd);
- lockfd = -1;
- return -1;
-}
-
-static int
-ulckpwdf(void)
-{
- unlink(LOCKFILE);
- if (lockfd == -1)
- return -1;
-
- if (close(lockfd) == -1) {
- lockfd = -1;
- return -1;
- }
- lockfd = -1;
- return 0;
-}
-/* END_HACK */
-#endif
-
-#define PAM_FAIL_CHECK if(retval != PAM_SUCCESS) { return retval; }
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- char *usrname, *curpass, *newpass; /* pointers to the username,
- current password, and new password */
-
- struct pam_conv *appconv; /* conversation with the app */
- struct pam_message msg, *pmsg; /* Misc for conversations */
- struct pam_response *resp;
-
- int retval=0; /* Gets the return values for all our function calls */
- unsigned int pflags=0; /* Holds the flags from our getpass & setpass
- functions */
-
- const char *cmiscptr; /* Utility variables, used for different purposes at
- different times */
- char *miscptr; /* Utility variables, used for different purposes at
- different times */
- unsigned int miscint;
- int fascist = 1; /* Be fascist by default. If compiled with cracklib,
- call cracklib. Otherwise just check length... */
-
- char argbuf[256],argval[256];
- int i;
-
-
- retval = pam_get_item(pamh,PAM_CONV,(const void **) &appconv);
- PAM_FAIL_CHECK;
-
- retval = pam_get_item(pamh,PAM_USER,(const void **) &usrname);
- PAM_FAIL_CHECK;
- if(flags & PAM_PRELIM_CHECK) {
- pflags = _do_getpass(usrname,&miscptr);
- if(pflags & PPW_NOSUCHUSER)
- return PAM_USER_UNKNOWN;
- else if(pflags & ~(PPW_SHADOW|PPW_EXPIRING|PPW_WILLEXPIRE))
- return PAM_AUTHTOK_ERR;
- else
- return PAM_SUCCESS;
- } /* else... */
-#ifdef DEBUG
- fprintf(stderr,"Got username of %s\n",usrname);
-#endif
- if((usrname == NULL) || (strlen(usrname) < 1)) {
- /* The app is supposed to get us the username! */
- retval = PAM_USER_UNKNOWN;
- PAM_FAIL_CHECK;
- }
-
- for(i=0; i < argc; i++) {
- {
- char *tmp = x_strdup(argv[i]);
- strncpy(argbuf,strtok(tmp ,"="),255);
- strncpy(argval,strtok(NULL,"="),255);
- free(tmp);
- }
-
- /* For PC functionality use "strict" -- historically "fascist" */
- if(!strcmp(argbuf,"strict") || !strcmp(argbuf, "fascist"))
-
- if(!strcmp(argval,"true"))
- fascist = 1;
- else if(!strcmp(argval,"false"))
- fascist = 0;
- else
- return PAM_SERVICE_ERR;
- else {
- _pam_log(LOG_ERR,"Unknown option: %s",argbuf);
- return PAM_SERVICE_ERR;
- }
- }
-
-
- /* Now we have all the initial information we need from the app to
- set things up (we assume that getting the username succeeded...) */
- retval = pam_get_item(pamh,PAM_OLDAUTHTOK,(const void **) &curpass);
- PAM_FAIL_CHECK;
- if(getuid()) { /* If this is being run by root, we don't need to get their
- old password.
- note */
- /* If we haven't been given a password yet, prompt for one... */
- miscint=0;
- while((curpass == NULL) && (miscint++ < MAX_PASSWD_TRIES)) {
- pflags = _do_getpass(usrname,&miscptr);
- if(pflags & PPW_NOSUCHUSER)
- return PAM_USER_UNKNOWN; /* If the user that was passed in doesn't
- exist, say so and exit (app passes in
- username) */
-
- /* Get the password from the user... */
- pmsg = &msg;
-
- msg.msg_style = PAM_PROMPT_ECHO_OFF;
- msg.msg = OLD_PASSWORD_PROMPT;
- resp = NULL;
-
- retval = appconv->conv(1, (const struct pam_message **) &pmsg,
- &resp, appconv->appdata_ptr);
-
- PAM_FAIL_CHECK;
- curpass = resp->resp;
- free (resp);
- if(_do_checkpass(curpass?curpass:"",miscptr)) {
- int abortme = 0;
-
- /* password is incorrect... */
- if (curpass && curpass[0] == '\0') {
- /* ...and it was zero-length; user wishes to abort change */
- abortme = 1;
- }
- if (curpass) { free (curpass); }
- curpass = NULL;
- if (abortme) {
- conv_sendmsg(appconv,"Password change aborted.",PAM_ERROR_MSG);
- return PAM_AUTHTOK_ERR;
- }
- }
- }
-
- if(curpass == NULL)
- return PAM_AUTH_ERR; /* They didn't seem to enter the right password
- for three tries - error */
- pam_set_item(pamh, PAM_OLDAUTHTOK, (void *)curpass);
- } else {
-#ifdef DEBUG
- fprintf(stderr,"I am ROOT!\n");
-#endif
- pflags = _do_getpass(usrname,&curpass);
- if(curpass == NULL)
- curpass = x_strdup("");
- }
- if(pflags & PPW_TOOEARLY) {
- conv_sendmsg(appconv,"You must wait longer to change your password",
- PAM_ERROR_MSG);
- return PAM_AUTHTOK_ERR;
- }
- if(pflags & PPW_WILLEXPIRE)
- conv_sendmsg(appconv,"Your password is about to expire",PAM_TEXT_INFO);
- else if(pflags & PPW_EXPIRED)
- return PAM_ACCT_EXPIRED; /* If their account has expired, we can't auth
- them to change their password */
- if(!(pflags & PPW_EXPIRING) && (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
- return PAM_SUCCESS;
- /* If we haven't been given a password yet, prompt for one... */
- miscint=0;
- pam_get_item(pamh,PAM_AUTHTOK,(const void **)&newpass);
- cmiscptr = NULL;
- while((newpass == NULL) && (miscint++ < MAX_PASSWD_TRIES)) {
-
- /* Get the password from the user... */
- pmsg = &msg;
-
- msg.msg_style = PAM_PROMPT_ECHO_OFF;
- msg.msg = NEW_PASSWORD_PROMPT;
- resp = NULL;
-
- retval = appconv->conv(1, (const struct pam_message **) &pmsg,
- &resp, appconv->appdata_ptr);
-
- PAM_FAIL_CHECK;
- newpass = resp->resp;
- free (resp);
-
-#ifdef DEBUG
- if(newpass)
- fprintf(stderr,"Got password of %s\n",newpass);
- else
- fprintf(stderr,"No new password...\n");
-#endif
- if (newpass[0] == '\0') { free (newpass); newpass = (char *) 0; }
- cmiscptr=NULL;
- if(newpass) {
-#ifdef USE_CRACKLIB
- if(fascist && getuid())
- cmiscptr = FascistCheck(newpass,CRACKLIB_DICTS);
-#else
- if(fascist && getuid() && strlen(newpass) < 6)
- cmiscptr = "You must choose a longer password";
-#endif
- if(curpass)
- if(!strcmp(curpass,newpass)) {
- cmiscptr="You must choose a new password.";
- newpass=NULL;
- }
- } else {
- /* We want to abort the password change */
- conv_sendmsg(appconv,"Password change aborted",PAM_ERROR_MSG);
- return PAM_AUTHTOK_ERR;
- }
- if(!cmiscptr) {
- /* We ask them to enter their password again... */
- /* Get the password from the user... */
- pmsg = &msg;
-
- msg.msg_style = PAM_PROMPT_ECHO_OFF;
- msg.msg = AGAIN_PASSWORD_PROMPT;
- resp = NULL;
-
- retval = appconv->conv(1, (const struct pam_message **) &pmsg,
- &resp, appconv->appdata_ptr);
-
- PAM_FAIL_CHECK;
- miscptr = resp->resp;
- free (resp);
- if (miscptr[0] == '\0') { free (miscptr); miscptr = (char *) 0; }
- if(!miscptr) { /* Aborting password change... */
- conv_sendmsg(appconv,"Password change aborted",PAM_ERROR_MSG);
- return PAM_AUTHTOK_ERR;
- }
- if(!strcmp(newpass,miscptr)) {
- miscptr=NULL;
- break;
- }
- conv_sendmsg(appconv,"You must enter the same password twice.",
- PAM_ERROR_MSG);
- miscptr=NULL;
- newpass=NULL;
- }
- else {
- conv_sendmsg(appconv,cmiscptr,PAM_ERROR_MSG);
- newpass = NULL;
- }
- }
- if(cmiscptr) {
- /* conv_sendmsg(appconv,cmiscptr,PAM_ERROR_MSG); */
- return PAM_AUTHTOK_ERR;
- } else if(newpass == NULL)
- return PAM_AUTHTOK_ERR; /* They didn't seem to enter the right password
- for three tries - error */
-#ifdef DEBUG
- printf("Changing password for sure!\n");
-#endif
- /* From now on, we are bound and determined to get their password
- changed :-) */
- pam_set_item(pamh, PAM_AUTHTOK, (void *)newpass);
- retval = _do_setpass(usrname,newpass,pflags);
-#ifdef DEBUG
- fprintf(stderr,"retval was %d\n",retval);
-#endif
- if(retval & ~PPW_SHADOW) {
- conv_sendmsg(appconv,"Error: Password NOT changed",PAM_ERROR_MSG);
- return PAM_AUTHTOK_ERR;
- } else {
- conv_sendmsg(appconv,"Password changed",PAM_TEXT_INFO);
- return PAM_SUCCESS;
- }
-}
-
-/* _do_checkpass() returns 0 on success, non-0 on failure */
-STATIC int _do_checkpass(const char *entered, char *listed)
-{
- char salt[3];
- if ((strlen(listed) == 0) &&(strlen(entered) == 0)) {
- /* no password in database; no password entered */
- return (0);
- }
- salt[0]=listed[0]; salt[1]=listed[1]; salt[2]='\0';
- return strcmp(crypt(entered,salt),listed);
-}
-
-STATIC char mksalt(int seed) {
- int num = seed % 64;
-
- if (num < 26)
- return 'a' + num;
- else if (num < 52)
- return 'A' + (num - 26);
- else if (num < 62)
- return '0' + (num - 52);
- else if (num == 63)
- return '.';
- else
- return '/';
-}
-
-STATIC int _do_setpass(char *forwho, char *towhat,int flags)
-{
- struct passwd *pwd=NULL, *tmpent=NULL;
- FILE *pwfile,*opwfile;
- char thesalt[3];
- int retval=0;
- struct timeval time1;
- int err = 0;
-#ifdef HAVE_SHADOW_H
- struct spwd *spwdent=NULL, *stmpent=NULL;
-#endif
- if(flags & PPW_SHADOW) { retval |= PPW_SHADOW; }
- gettimeofday(&time1, NULL);
- srand(time1.tv_usec);
- thesalt[0]=mksalt(rand());
- thesalt[1]=mksalt(rand());
- thesalt[2]='\0';
-
- /* lock the entire password subsystem */
-#ifdef USE_LCKPWDF
- lckpwdf();
-#endif
- setpwent();
- pwd = getpwnam(forwho);
-#ifdef DEBUG
- printf("Got %p, for %s (salt %s)\n",pwd,
- forwho,thesalt);
-#endif
- if(pwd == NULL)
- return PPW_NOSUCHUSER;
- endpwent();
-
-#ifdef HAVE_SHADOW_H
- if(flags & PPW_SHADOW) {
- spwdent = getspnam(forwho);
- if(spwdent == NULL)
- return PPW_NOSUCHUSER;
- spwdent->sp_pwdp = towhat;
- spwdent->sp_lstchg = time(NULL)/(60*60*24);
- pwfile = fopen(SH_TMPFILE,"w");
- opwfile = fopen("/etc/shadow","r");
- if(pwfile == NULL || opwfile == NULL)
- return PPW_ERROR;
- chown(SH_TMPFILE,0,0);
- chmod(SH_TMPFILE,0600);
- stmpent=fgetspent(opwfile);
- while(stmpent) {
- if(!strcmp(stmpent->sp_namp,forwho)) {
- stmpent->sp_pwdp = crypt(towhat,thesalt);
- stmpent->sp_lstchg = time(NULL)/(60*60*24);
-#ifdef DEBUG
- fprintf(stderr,"Set password %s for %s\n",stmpent->sp_pwdp,
- forwho);
-#endif
- }
- if (putspent(stmpent,pwfile)) {
- fprintf(stderr, "error writing entry to shadow file: %s\n",
- strerror(errno));
- err = 1;
- retval = PPW_ERROR;
- break;
- }
- stmpent=fgetspent(opwfile);
- }
- fclose(opwfile);
-
- if (fclose(pwfile)) {
- fprintf(stderr, "error writing entries to shadow file: %s\n",
- strerror(errno));
- retval = PPW_ERROR;
- err = 1;
- }
-
- if (!err)
- rename(SH_TMPFILE,"/etc/shadow");
- else
- unlink(SH_TMPFILE);
- } else {
- pwd->pw_passwd = towhat;
- pwfile = fopen(PW_TMPFILE,"w");
- opwfile = fopen("/etc/passwd","r");
- if(pwfile == NULL || opwfile == NULL)
- return PPW_ERROR;
- chown(PW_TMPFILE,0,0);
- chmod(PW_TMPFILE,0644);
- tmpent=fgetpwent(opwfile);
- while(tmpent) {
- if(!strcmp(tmpent->pw_name,forwho)) {
- tmpent->pw_passwd = crypt(towhat,thesalt);
- }
- if (putpwent(tmpent,pwfile)) {
- fprintf(stderr, "error writing entry to password file: %s\n",
- strerror(errno));
- err = 1;
- retval = PPW_ERROR;
- break;
- }
- tmpent=fgetpwent(opwfile);
- }
- fclose(opwfile);
-
- if (fclose(pwfile)) {
- fprintf(stderr, "error writing entries to password file: %s\n",
- strerror(errno));
- retval = PPW_ERROR;
- err = 1;
- }
-
- if (!err)
- rename(PW_TMPFILE,"/etc/passwd");
- else
- unlink(PW_TMPFILE);
- }
-#else
- pwd->pw_passwd = towhat;
- pwfile = fopen(PW_TMPFILE,"w");
- opwfile = fopen("/etc/passwd","r");
- if(pwfile == NULL || opwfile == NULL)
- return PPW_ERROR;
- chown(PW_TMPFILE,0,0);
- chmod(PW_TMPFILE,0644);
- tmpent=fgetpwent(opwfile);
- while(tmpent) {
- if(!strcmp(tmpent->pw_name,forwho)) {
- tmpent->pw_passwd = crypt(towhat,thesalt);
- }
- if (putpwent(tmpent,pwfile)) {
- fprintf(stderr, "error writing entry to shadow file: %s\n",
- strerror(errno));
- err = 1;
- retval = PPW_ERROR;
- break;
- }
- tmpent=fgetpwent(opwfile);
- }
- fclose(opwfile);
-
- if (fclose(pwfile)) {
- fprintf(stderr, "error writing entries to password file: %s\n",
- strerror(errno));
- retval = PPW_ERROR;
- err = 1;
- }
-
- if (!err)
- rename(PW_TMPFILE,"/etc/passwd");
- else
- unlink(PW_TMPFILE);
-#endif
- /* unlock the entire password subsystem */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
- return retval;
-}
-
-STATIC int _do_getpass(char *forwho, char **theirpass)
-{
- struct passwd *pwd=NULL; /* Password and shadow password */
-#ifdef HAVE_SHADOW_H
- struct spwd *spwdent=NULL; /* file entries for the user */
- time_t curdays;
-#endif
- int retval=0;
- /* UNIX passwords area */
- setpwent();
- pwd = getpwnam(forwho); /* Get password file entry... */
- endpwent();
- if(pwd == NULL)
- return PPW_NOSUCHUSER; /* We don't need to do the rest... */
-#ifdef HAVE_SHADOW_H
- if(!strcmp(pwd->pw_passwd,"x")) {
- /* ...and shadow password file entry for this user, if shadowing
- is enabled */
- retval |= PPW_SHADOW;
- setspent();
- spwdent = getspnam(forwho);
- endspent();
- if(spwdent == NULL)
- return PPW_NOSUCHUSER;
- *theirpass = x_strdup(spwdent->sp_pwdp);
-
- /* We have the user's information, now let's check if their account
- has expired (60 * 60 * 24 = number of seconds in a day) */
-
- /* Get the current number of days since 1970 */
- curdays = time(NULL)/(60*60*24);
- if((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
- && (spwdent->sp_min != -1))
- retval |= PPW_TOOEARLY;
- else if((curdays
- > (spwdent->sp_lstchg + spwdent->sp_max + spwdent->sp_inact))
- && (spwdent->sp_max != -1) && (spwdent->sp_inact != -1))
- /* Their password change has been put off too long,
- OR their account has just plain expired */
- retval |= PPW_EXPIRED;
- else if((curdays > (spwdent->sp_lstchg + spwdent->sp_max))
- && (spwdent->sp_max != -1))
- /* Their passwd needs to be changed */
- retval |= PPW_EXPIRING;
- else if((curdays > (spwdent->sp_lstchg
- + spwdent->sp_max - spwdent->sp_warn))
- && (spwdent->sp_max != -1) && (spwdent->sp_warn != -1))
- retval |= PPW_WILLEXPIRE;
-/* if(spwdent->sp_lstchg < 0)
- retval &= ~(PPW_WILLEXPIRE | PPW_EXPIRING | PPW_EXPIRED);
- if(spwdent->sp_max < 0)
- retval &= ~(PPW_EXPIRING | PPW_EXPIRED); */
- } else {
- *theirpass = (char *)x_strdup(pwd->pw_passwd);
- }
-
-#else
- *theirpass = (char *) x_strdup(pwd->pw_passwd);
-#endif
-
- return retval;
-}
-
-STATIC int conv_sendmsg(struct pam_conv *aconv, const char *message, int style)
-{
- struct pam_message msg,*pmsg;
- struct pam_response *resp;
- int retval;
-
- /* Get the password from the user... */
- pmsg = &msg;
-
- msg.msg_style = style;
- msg.msg = message;
- resp = NULL;
-
- retval = aconv->conv(1, (const struct pam_message **) &pmsg,
- &resp, aconv->appdata_ptr);
- if (resp) {
- _pam_drop_reply(resp, 1);
- }
- return retval;
-}
-
-
-STATIC int conv_getitem(struct pam_conv *aconv, char *message, int style,
- char **result)
-{
- struct pam_message msg,*pmsg;
- struct pam_response *resp;
- int retval;
-
- D(("called."));
-
- /* Get the password from the user... */
- pmsg = &msg;
- msg.msg_style = style;
- msg.msg = message;
- resp = NULL;
-
- retval = aconv->conv(1, (const struct pam_message **) &pmsg,
- &resp, aconv->appdata_ptr);
- if(retval != PAM_SUCCESS)
- return retval;
- if(resp != NULL) {
- *result = resp->resp; free(resp);
- return PAM_SUCCESS;
- }
- else
- return PAM_SERVICE_ERR;
-}
diff --git a/contrib/libpam/modules/pam_unix/pam_unix_sess.c b/contrib/libpam/modules/pam_unix/pam_unix_sess.c
deleted file mode 100644
index 319b2ed..0000000
--- a/contrib/libpam/modules/pam_unix/pam_unix_sess.c
+++ /dev/null
@@ -1,181 +0,0 @@
-/*
- * $Header: /home/morgan/pam/Linux-PAM-0.53/modules/pam_unix/RCS/pam_unix_sess.c,v 1.1 1996/11/09 19:44:35 morgan Exp $
- */
-
-/*
- * Copyright Alexander O. Yuriev, 1996. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * $Log: pam_unix_sess.c,v $
- * Revision 1.1 1996/11/09 19:44:35 morgan
- * Initial revision
- *
- * Revision 1.4 1996/05/21 03:55:17 morgan
- * added "const" to definition of rcsid[]
- *
- * Revision 1.3 1996/04/23 16:32:28 alex
- * nothing really got changed.
- *
- * Revision 1.2 1996/04/19 03:23:33 alex
- * session code implemented. account management moved into pam_unix_acct.c
- *
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <pwd.h>
-
-#ifndef LINUX /* AGM added this as of 0.2 */
-
- #include <security/pam_appl.h>
-
-#endif /* ditto */
-
-#include <security/pam_modules.h>
-#include <syslog.h>
-#include <unistd.h>
-#ifndef LOG_AUTHPRIV
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
-static const char rcsid[] = "$Id: pam_unix_sess.c,v 1.1 1996/11/09 19:44:35 morgan Exp $ pam_unix session management. alex@bach.cis.temple.edu";
-
-/* Define internal functions */
-
-static int _get_log_level( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-int _pam_unix_open_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-int _pam_unix_close_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-/* Implementation */
-
-static int _get_log_level( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- int i = argc;
- int log_level = LOG_DEBUG;
-
- while ( i-- )
- {
- if ( strcmp( *argv, "debug" ) == 0 )
- log_level = LOG_DEBUG;
- else if ( strcmp ( *argv, "trace" ) == 0 )
- log_level = LOG_AUTHPRIV;
- argv++;
- }
-
- return log_level;
-}
-
-int _pam_unix_open_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- int log_level;
- char *user_name, *service;
-
-
- log_level = _get_log_level( pamh, flags, argc, argv );
-
- pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( !user_name )
- return PAM_CONV_ERR; /* How did we get authenticated with
- no username?! */
-
- pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( !service )
- return PAM_CONV_ERR;
-
- syslog ( log_level,
- "pam_unix authentication session started, user %s, service %s\n",
- user_name, service );
-
- return PAM_SUCCESS;
-}
-
-int _pam_unix_close_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- int log_level;
- char *user_name, *service;
-
- log_level = _get_log_level( pamh, flags, argc, argv );
-
- pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( !user_name )
- return PAM_CONV_ERR; /* How did we get authenticated with
- no username?! */
-
- pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( !service )
- return PAM_CONV_ERR;
-
- syslog ( log_level,
- "pam_unix authentication session finished, user %s, service %s\n",
- user_name, service );
-
- return PAM_SUCCESS;
-}
-
-int pam_sm_open_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- return _pam_unix_open_session( pamh, flags, argc, argv ) ;
-}
-
-int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return _pam_unix_close_session( pamh, flags, argc, argv ) ;
-}
-
diff --git a/contrib/libpam/modules/pam_unix/support.c b/contrib/libpam/modules/pam_unix/support.c
deleted file mode 100644
index a2fafcd..0000000
--- a/contrib/libpam/modules/pam_unix/support.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * $Header: /home/morgan/pam/Linux-PAM-0.53/modules/pam_unix/RCS/support.c,v 1.1 1996/11/09 19:44:35 morgan Exp $
- */
-
-/*
- * Copyright Andrew Morgan, 1996. All rights reserved.
- * Modified by Alexander O. Yuriev
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * $Log: support.c,v $
- * Revision 1.1 1996/11/09 19:44:35 morgan
- * Initial revision
- *
- * Revision 1.1 1996/04/17 01:11:08 alex
- * Initial revision
- *
- */
-
-#include <stdlib.h> /* define NULL */
-
-#ifndef LINUX
-
- #include <security/pam_appl.h>
-
-#endif /* LINUX */
-
-#include <security/pam_modules.h>
-
-
-#ifndef NDEBUG
-
- #include <syslog.h>
-
-#endif /* NDEBUG */
-
-
-/* Phototype declarations */
-
-int converse( pam_handle_t *pamh,
- int nargs,
- struct pam_message **message,
- struct pam_response **response );
-
-int _set_auth_tok( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-/* Implementation */
-
-int converse( pam_handle_t *pamh,
- int nargs,
- struct pam_message **message,
- struct pam_response **response )
-
-{
- int retval;
- struct pam_conv *conv;
-
- retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
- if ( retval == PAM_SUCCESS )
- {
- retval = conv->conv( nargs,
- ( const struct pam_message ** ) message,
- response,
- conv->appdata_ptr );
- }
- return retval;
-}
-
-/***************************************************************************/
-/* prompt user for a using conversation calls */
-/***************************************************************************/
-
-int _set_auth_tok( pam_handle_t *pamh,
- int flags, int argc,
- const char **argv )
-{
- int retval;
- char *p;
-
- struct pam_message msg[1],*pmsg[1];
- struct pam_response *resp;
-
- /* set up conversation call */
-
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[0].msg = "Password: ";
- resp = NULL;
-
- if ( ( retval = converse( pamh, 1 , pmsg, &resp ) ) != PAM_SUCCESS )
- return retval;
-
- if ( resp )
- {
- if ( ( flags & PAM_DISALLOW_NULL_AUTHTOK ) &&
- resp[0].resp == NULL )
- {
- free( resp );
- return PAM_AUTH_ERR;
- }
-
- p = resp[ 0 ].resp;
-
- /* This could be a memory leak. If resp[0].resp
- is malloc()ed, then it has to be free()ed!
- -- alex
- */
-
- resp[ 0 ].resp = NULL;
-
- }
- else
- return PAM_CONV_ERR;
-
- free( resp );
- pam_set_item( pamh, PAM_AUTHTOK, p );
- return PAM_SUCCESS;
-}
diff --git a/contrib/libpam/modules/pam_warn/Makefile b/contrib/libpam/modules/pam_warn/Makefile
deleted file mode 100644
index 167af5a..0000000
--- a/contrib/libpam/modules/pam_warn/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# $Id: Makefile,v 1.2 1997/04/05 06:20:16 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.2 1997/04/05 06:20:16 morgan
-# fixed fakeroot
-#
-# Revision 1.1 1996/12/01 03:12:22 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan <morgan@parc.power.net> 1996/11/14
-#
-
-TITLE=pam_warn
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_warn/README b/contrib/libpam/modules/pam_warn/README
deleted file mode 100644
index f45b271..0000000
--- a/contrib/libpam/modules/pam_warn/README
+++ /dev/null
@@ -1,23 +0,0 @@
-# $Id: README,v 1.1 1996/12/01 03:12:22 morgan Exp $
-#
-
-This module is an authentication module that does not authenticate.
-Instead it always returns PAM_IGNORE, indicating that it does not want
-to affect the authentication process.
-
-Its purpose is to log a message to the syslog indicating the
-pam_item's available at the time it was invoked. It is a diagnostic
-tool.
-
-Recognized arguments:
-
- <none>
-
-module services provided:
-
- auth _autheticate and _setcred (blank)
- password _chauthtok [mapped to _authenticate]
-
-
-Andrew Morgan
-1996/11/14
diff --git a/contrib/libpam/modules/pam_warn/pam_warn.c b/contrib/libpam/modules/pam_warn/pam_warn.c
deleted file mode 100644
index 2a0a23d..0000000
--- a/contrib/libpam/modules/pam_warn/pam_warn.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/* pam_warn module */
-
-/*
- * $Id: pam_warn.c,v 1.2 1997/02/15 17:19:08 morgan Exp $
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- *
- * $Log: pam_warn.c,v $
- * Revision 1.2 1997/02/15 17:19:08 morgan
- * corrected many bugs and removed fixed buffer logging
- *
- * Revision 1.1 1996/12/01 03:12:22 morgan
- * Initial revision
- *
- *
- */
-
-#include <stdio.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-warn", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc
- , const char **argv)
-{
- const char *service=NULL, *user=NULL, *terminal=NULL
- , *rhost=NULL, *ruser=NULL;
-
- (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
- (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal);
- _pam_log(LOG_NOTICE, "service: %s [on terminal: %s]"
- , service ? service : "<unknown>"
- , terminal ? terminal : "<unknown>"
- );
- (void) pam_get_user(pamh, &user, "Who are you? ");
- (void) pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
- (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
- _pam_log(LOG_NOTICE, "user: (uid=%d) -> %s [remote: %s@%s]"
- , getuid()
- , user ? user : "<unknown>"
- , ruser ? ruser : "?nobody"
- , rhost ? rhost : "?nowhere"
- );
-
- /* we are just a fly on the wall */
-
- return PAM_IGNORE;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- , const char **argv)
-{
- return PAM_IGNORE;
-}
-
-/* password updating functions */
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
- , const char **argv)
-{
- /* map to the authentication function... */
-
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_warn_modstruct = {
- "pam_warn",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- pam_sm_chauthtok,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_wheel/Makefile b/contrib/libpam/modules/pam_wheel/Makefile
deleted file mode 100644
index 553e321..0000000
--- a/contrib/libpam/modules/pam_wheel/Makefile
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Cristian Gafton <gafton@sorosis.ro> 1996/09/10
-#
-
-ifeq ($(HAVE_PWDBLIB),yes)
-
-TITLE=pam_wheel
-CFLAGS += -DHAVE_PWDBLIB
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-#LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-EXTRALS = -lpwdb
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-#static/%.o : %.c
-# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-#ifdef STATIC
-#LIBSTATIC = lib$(TITLE).o
-#endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-#ifdef STATIC
-# $(MKDIR) ./static
-#endif
-
-register:
-#ifdef STATIC
-# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-#endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(EXTRALS)
-endif
-
-#ifdef STATIC
-#$(LIBOBJS): $(LIBSRC)
-#
-#$(LIBSTATIC): $(LIBOBJS)
-# $(LD) -r -o $@ $(LIBOBJS) $(EXTRALS)
-#endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-else
-include ../dont_makefile
-endif
diff --git a/contrib/libpam/modules/pam_wheel/README b/contrib/libpam/modules/pam_wheel/README
deleted file mode 100644
index 336bb31..0000000
--- a/contrib/libpam/modules/pam_wheel/README
+++ /dev/null
@@ -1,33 +0,0 @@
-
-pam_wheel:
- only permit root authentication too members of wheel group
-
-RECOGNIZED ARGUMENTS:
- debug write a message to syslog indicating success or
- failure.
-
- use_uid the check for wheel membership will be done against
- the current uid instead of the original one
- (useful when jumping with su from one account to
- another for example)
-
- trust the pam_wheel module will return PAM_SUCCESS instead
- of PAM_IGNORE if the user is a member of the wheel
- group (thus with a little play stacking the modules
- the wheel members may be able to su to root without
- being prompted for a passwd).
-
- deny Reverse the sense of the auth operation: if the user
- is trying to get UID 0 access and is a member of the
- wheel group, deny access (well, kind of nonsense, but
- for use in conjunction with 'group' argument... :-)
-
- group=xxxx Instead of checking the GID 0 group, use the xxxx
- group to perform the authentification.
-
-MODULE SERVICES PROVIDED:
- auth _authetication and _setcred (blank)
-
-AUTHOR:
- Cristian Gafton <gafton@sorosis.ro>
-
diff --git a/contrib/libpam/modules/pam_wheel/pam_wheel.c b/contrib/libpam/modules/pam_wheel/pam_wheel.c
deleted file mode 100644
index db262d8..0000000
--- a/contrib/libpam/modules/pam_wheel/pam_wheel.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/* pam_wheel module */
-
-/*
- * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10
- * See the end of the file for Copyright Information
- *
- *
- * 1.2 - added 'deny' and 'group=' options
- * 1.1 - added 'trust' option
- * 1.0 - the code is working for at least another person, so... :-)
- * 0.1 - use vsyslog instead of vfprintf/syslog in _pam_log
- * - return PAM_IGNORE on success (take care of sloppy sysadmins..)
- * - use pam_get_user instead of pam_get_item(...,PAM_USER,...)
- * - a new arg use_uid to auth the current uid instead of the
- * initial (logged in) one.
- * 0.0 - first release
- *
- * TODO:
- * - try to use make_remark from pam_unix/support.c
- * - consider returning on failure PAM_FAIL_NOW if the user is not
- * a wheel member.
- */
-
-#include <stdio.h>
-#define __USE_BSD
-#include <unistd.h>
-#include <string.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <sys/types.h>
-#ifdef HAVE_PWDBLIB
-# include <pwdb/pwdb_public.h>
-#else
-# include <pwd.h>
-# include <grp.h>
-#endif
-
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-
-/* variables */
-static char use_group[BUFSIZ];
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-Wheel", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* checks if a user is on a list of members of the GID 0 group */
-
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-#define PAM_USE_UID_ARG 0x0002
-#define PAM_TRUST_ARG 0x0004
-#define PAM_DENY_ARG 0x0010
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strcmp(*argv,"use_uid"))
- ctrl |= PAM_USE_UID_ARG;
- else if (!strcmp(*argv,"trust"))
- ctrl |= PAM_TRUST_ARG;
- else if (!strcmp(*argv,"deny"))
- ctrl |= PAM_DENY_ARG;
- else if (!strncmp(*argv,"group=",6))
- strcpy(use_group,*argv+6);
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int ctrl;
- const char *username;
- char *fromsu;
- struct passwd *pwd, *tpwd;
- struct group *grp;
- int retval = PAM_AUTH_ERR;
-
- /* Init the optional group */
- bzero(use_group,sizeof(use_group));
-
- ctrl = _pam_parse(argc, argv);
- retval = pam_get_user(pamh,&username,NULL);
- if ((retval != PAM_SUCCESS) || (!username)) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,"can not get the username");
- return PAM_SERVICE_ERR;
- }
-
- /* su to a uid 0 account ? */
- pwd = getpwnam(username);
- if (!pwd) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"unknown user %s",username);
- return PAM_USER_UNKNOWN;
- }
-
- /* Now we know that the username exists, pass on to other modules...
- * the call to pam_get_user made this obsolete, so is commented out
- *
- * pam_set_item(pamh,PAM_USER,(const void *)username);
- */
-
- /* is this user an UID 0 account ? */
- if(pwd->pw_uid) {
- /* no need to check for wheel */
- return PAM_IGNORE;
- }
-
- if (ctrl & PAM_USE_UID_ARG) {
- tpwd = getpwuid(getuid());
- if (!tpwd) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"who is running me ?!");
- return PAM_SERVICE_ERR;
- }
- fromsu = tpwd->pw_name;
- } else {
- fromsu = getlogin();
- if (!fromsu) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"who is running me ?!");
- return PAM_SERVICE_ERR;
- }
- }
-
- if (!use_group[0])
- grp = getgrgid(0);
- else
- grp = getgrnam(use_group);
-
- if (!grp || !grp->gr_mem) {
- if (ctrl & PAM_DEBUG_ARG) {
- if (!use_group[0])
- _pam_log(LOG_NOTICE,"no members in a GID 0 group");
- else
- _pam_log(LOG_NOTICE,"no members in '%s' group",use_group);
- }
- if (ctrl & PAM_DENY_ARG)
- /* if this was meant to deny access to the members
- * of this group and the group does not exist, allow
- * access
- */
- return PAM_IGNORE;
- else
- return PAM_AUTH_ERR;
- }
-
- if (is_on_list(grp->gr_mem, fromsu)) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"Access %s to '%s' for '%s'",
- (ctrl & PAM_DENY_ARG)?"denied":"granted",
- fromsu,username);
- if (ctrl & PAM_DENY_ARG)
- return PAM_PERM_DENIED;
- else
- if (ctrl & PAM_TRUST_ARG)
- return PAM_SUCCESS;
- else
- return PAM_IGNORE;
- }
-
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"Access %s for '%s' to '%s'",
- (ctrl & PAM_DENY_ARG)?"granted":"denied",fromsu,username);
- if (ctrl & PAM_DENY_ARG)
- return PAM_SUCCESS;
- else
- return PAM_PERM_DENIED;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_wheel_modstruct = {
- "pam_wheel",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/*
- * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1996, 1997
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
OpenPOWER on IntegriCloud