authordes <des@FreeBSD.org>2002-04-14 18:28:22 +0000
committerdes <des@FreeBSD.org>2002-04-14 18:28:22 +0000
commit3928c97d18145ce51c22cd530ae9f353b88f85eb (patch)
treed8361aa94c01d745b7e3ff0f65d6b71e5425c644 /contrib/openpam/lib
parent38971df82a9b331625c18dbb591759be82a43bcf (diff)
Vendor import of OpenPAM Cineraria.
Diffstat (limited to 'contrib/openpam/lib')
-rw-r--r--contrib/openpam/lib/Makefile3
-rw-r--r--contrib/openpam/lib/openpam_configure.c264
-rw-r--r--contrib/openpam/lib/openpam_impl.h3
-rw-r--r--contrib/openpam/lib/pam_acct_mgmt.c18
-rw-r--r--contrib/openpam/lib/pam_authenticate.c10
-rw-r--r--contrib/openpam/lib/pam_chauthtok.c8
-rw-r--r--contrib/openpam/lib/pam_close_session.c19
-rw-r--r--contrib/openpam/lib/pam_open_session.c20
-rw-r--r--contrib/openpam/lib/pam_setcred.c25
-rw-r--r--contrib/openpam/lib/pam_start.c221
10 files changed, 358 insertions, 233 deletions
diff --git a/contrib/openpam/lib/Makefile b/contrib/openpam/lib/Makefile
index f2fb006..eb7f242 100644
--- a/contrib/openpam/lib/Makefile
+++ b/contrib/openpam/lib/Makefile
@@ -31,7 +31,7 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $P4: //depot/projects/openpam/lib/Makefile#13 $
+# $P4: //depot/projects/openpam/lib/Makefile#14 $
#
LIB = pam
@@ -45,6 +45,7 @@ CFLAGS += -DLIB_MAJ=${SHLIB_MAJOR}
SRCS =
SRCS += openpam_borrow_cred.c
+SRCS += openpam_configure.c
SRCS += openpam_dispatch.c
SRCS += openpam_dynamic.c
SRCS += openpam_findenv.c
diff --git a/contrib/openpam/lib/openpam_configure.c b/contrib/openpam/lib/openpam_configure.c
new file mode 100644
index 0000000..8c12e10
--- /dev/null
+++ b/contrib/openpam/lib/openpam_configure.c
@@ -0,0 +1,264 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/openpam/lib/openpam_configure.c#1 $
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#define PAM_CONF_STYLE 0
+#define PAM_D_STYLE 1
+#define MAX_LINE_LEN 1024
+#define MAX_OPTIONS 256
+
+static int
+openpam_read_policy_file(pam_handle_t *pamh,
+ const char *service,
+ const char *filename,
+ int style)
+{
+ char buf[MAX_LINE_LEN], *p, *q;
+ const char *optv[MAX_OPTIONS + 1];
+ int ch, chain, flag, line, optc, n, r;
+ size_t len;
+ FILE *f;
+
+ n = 0;
+
+ if ((f = fopen(filename, "r")) == NULL) {
+ openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE,
+ "%s: %m", filename);
+ return (0);
+ }
+ openpam_log(PAM_LOG_DEBUG, "looking for '%s' in %s",
+ service, filename);
+
+ for (line = 1; fgets(buf, MAX_LINE_LEN, f) != NULL; ++line) {
+ if ((len = strlen(buf)) == 0)
+ continue;
+
+ /* check for overflow */
+ if (buf[--len] != '\n' && !feof(f)) {
+ openpam_log(PAM_LOG_ERROR, "%s: line %d too long",
+ filename, line);
+ openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
+ filename, line);
+ while ((ch = fgetc(f)) != EOF)
+ if (ch == '\n')
+ break;
+ continue;
+ }
+
+ /* strip comments and trailing whitespace */
+ if ((p = strchr(buf, '#')) != NULL)
+ len = p - buf ? p - buf - 1 : p - buf;
+ while (len > 0 && isspace(buf[len - 1]))
+ --len;
+ if (len == 0)
+ continue;
+ buf[len] = '\0';
+ p = q = buf;
+
+ /* check service name */
+ if (style == PAM_CONF_STYLE) {
+ for (q = p = buf; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (*q == '\0')
+ goto syntax_error;
+ *q++ = '\0';
+ if (strcmp(p, service) != 0)
+ continue;
+ openpam_log(PAM_LOG_DEBUG, "%s: line %d matches '%s'",
+ filename, line, service);
+ }
+
+
+ /* get module type */
+ for (p = q; isspace(*p); ++p)
+ /* nothing */;
+ for (q = p; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (q == p || *q == '\0')
+ goto syntax_error;
+ *q++ = '\0';
+ if (strcmp(p, "auth") == 0) {
+ chain = PAM_AUTH;
+ } else if (strcmp(p, "account") == 0) {
+ chain = PAM_ACCOUNT;
+ } else if (strcmp(p, "session") == 0) {
+ chain = PAM_SESSION;
+ } else if (strcmp(p, "password") == 0) {
+ chain = PAM_PASSWORD;
+ } else {
+ openpam_log(PAM_LOG_ERROR,
+ "%s: invalid module type on line %d: '%s'",
+ filename, line, p);
+ continue;
+ }
+
+ /* get control flag */
+ for (p = q; isspace(*p); ++p)
+ /* nothing */;
+ for (q = p; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (q == p || *q == '\0')
+ goto syntax_error;
+ *q++ = '\0';
+ if (strcmp(p, "required") == 0) {
+ flag = PAM_REQUIRED;
+ } else if (strcmp(p, "requisite") == 0) {
+ flag = PAM_REQUISITE;
+ } else if (strcmp(p, "sufficient") == 0) {
+ flag = PAM_SUFFICIENT;
+ } else if (strcmp(p, "optional") == 0) {
+ flag = PAM_OPTIONAL;
+ } else {
+ openpam_log(PAM_LOG_ERROR,
+ "%s: invalid control flag on line %d: '%s'",
+ filename, line, p);
+ continue;
+ }
+
+ /* get module name */
+ for (p = q; isspace(*p); ++p)
+ /* nothing */;
+ for (q = p; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (q == p)
+ goto syntax_error;
+
+ /* get options */
+ for (optc = 0; *q != '\0' && optc < MAX_OPTIONS; ++optc) {
+ *q++ = '\0';
+ while (isspace(*q))
+ ++q;
+ optv[optc] = q;
+ while (*q != '\0' && !isspace(*q))
+ ++q;
+ }
+ optv[optc] = NULL;
+ if (*q != '\0') {
+ *q = '\0';
+ openpam_log(PAM_LOG_ERROR,
+ "%s: too many options on line %d",
+ filename, line);
+ }
+
+ /*
+ * Finally, add the module at the end of the
+ * appropriate chain and bump the counter.
+ */
+ r = openpam_add_module(pamh, chain, flag, p, optc, optv);
+ if (r != PAM_SUCCESS)
+ return (-r);
+ ++n;
+ continue;
+ syntax_error:
+ openpam_log(PAM_LOG_ERROR, "%s: syntax error on line %d",
+ filename, line);
+ openpam_log(PAM_LOG_DEBUG, "%s: line %d: [%s]",
+ filename, line, q);
+ openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
+ filename, line);
+ }
+
+ if (ferror(f))
+ openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
+
+ fclose(f);
+ return (n);
+}
+
+static const char *openpam_policy_path[] = {
+ "/etc/pam.d/",
+ "/etc/pam.conf",
+ "/usr/local/etc/pam.d/",
+ NULL
+};
+
+/*
+ * OpenPAM internal
+ *
+ * Configure a service
+ */
+
+int
+openpam_configure(pam_handle_t *pamh,
+ const char *service)
+{
+ const char **path;
+ char *filename;
+ size_t len;
+ int r;
+
+ for (path = openpam_policy_path; *path != NULL; ++path) {
+ len = strlen(*path);
+ if ((*path)[len - 1] == '/') {
+ filename = malloc(len + strlen(service) + 1);
+ if (filename == NULL) {
+ openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+ return (PAM_BUF_ERR);
+ }
+ strcpy(filename, *path);
+ strcat(filename, service);
+ r = openpam_read_policy_file(pamh,
+ service, filename, PAM_D_STYLE);
+ free(filename);
+ } else {
+ r = openpam_read_policy_file(pamh,
+ service, *path, PAM_CONF_STYLE);
+ }
+ if (r < 0)
+ return (-r);
+ if (r > 0)
+ return (PAM_SUCCESS);
+ }
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ *
+ * Error codes:
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ */
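Review bot: openpam_configure builds the pam.d path by concatenating the caller-supplied service name onto the directory (the malloc/strcpy/strcat at lines 286-292) without rejecting path separators, so a service name containing `/` (for example one with a `..` component) selects a policy file outside the policy directories; a guard at the top of the function, `if (strchr(service, '/') != NULL) return (PAM_SYSTEM_ERR);`, keeps the lookup inside the configured paths, and pam_start already falls back to PAM_OTHER on that code. Two off-by-ones in openpam_read_policy_file are worth fixing while the code is being moved: `len = p - buf ? p - buf - 1 : p - buf;` drops the character preceding `#`, so `pam_unix.so#comment` is parsed as `pam_unix.s`, and should simply be `len = p - buf;`; and `buf[--len] != '\n' && !feof(f)` leaves len at the index of the last character of an unterminated final line, which `buf[len] = '\0'` then truncates, so len should only be decremented when the newline is actually present. The `isspace(*p)` / `isspace(*q)` / `isspace(buf[len - 1])` calls pass a plain char; where char is signed, bytes above 0x7f become negative values that are undefined for the <ctype.h> functions, so cast to `(unsigned char)` first.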
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
index a9b011e..1fc0184 100644
--- a/contrib/openpam/lib/openpam_impl.h
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/openpam_impl.h#12 $
+ * $P4: //depot/projects/openpam/lib/openpam_impl.h#13 $
*/
#ifndef _OPENPAM_IMPL_H_INCLUDED
@@ -105,6 +105,7 @@ struct pam_saved_cred {
#define PAM_OTHER "other"
+int openpam_configure(pam_handle_t *, const char *);
int openpam_dispatch(pam_handle_t *, int, int);
int openpam_findenv(pam_handle_t *, const char *, size_t);
int openpam_add_module(pam_handle_t *, int, int,
diff --git a/contrib/openpam/lib/pam_acct_mgmt.c b/contrib/openpam/lib/pam_acct_mgmt.c
index 4464604..11e389d 100644
--- a/contrib/openpam/lib/pam_acct_mgmt.c
+++ b/contrib/openpam/lib/pam_acct_mgmt.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#7 $
+ * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#8 $
*/
#include <sys/param.h>
@@ -62,3 +62,19 @@ pam_acct_mgmt(pam_handle_t *pamh,
* =pam_sm_acct_mgmt
* !PAM_IGNORE
*/
+
+/**
+ * The =pam_acct_mgmt function verifies and enforces account restrictions
+ * after the user has been authenticated.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ * =PAM_DISALLOW_NULL_AUTHTOK:
+ * Fail if the user's authentication token is null.
+ *
+ * If any other bits are set, =pam_authenticate will return
+ * =PAM_SYMBOL_ERR.
+ */
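Review bot: The new text at lines 363-364 says `=pam_authenticate will return =PAM_SYMBOL_ERR`, but this is pam_acct_mgmt's documentation, so the function name looks copy-pasted; it should read `If any other bits are set, =pam_acct_mgmt will return =PAM_SYMBOL_ERR.` The hunk also does not add `PAM_SYMBOL_ERR` to the error-code list above it (lines 347-349), unlike the pam_open_session and pam_close_session hunks in this commit, and no flag check on pam_acct_mgmt is visible in the diff, so either the check exists outside the hunk or the documented behaviour is not implemented yet. The function body lies outside the hunk.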
diff --git a/contrib/openpam/lib/pam_authenticate.c b/contrib/openpam/lib/pam_authenticate.c
index 20c656e..fbf3829 100644
--- a/contrib/openpam/lib/pam_authenticate.c
+++ b/contrib/openpam/lib/pam_authenticate.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_authenticate.c#9 $
+ * $P4: //depot/projects/openpam/lib/pam_authenticate.c#10 $
*/
#include <sys/param.h>
@@ -66,6 +66,7 @@ pam_authenticate(pam_handle_t *pamh,
* =openpam_dispatch
* =pam_sm_authenticate
* !PAM_IGNORE
+ * PAM_SYMBOL_ERR
*/
/**
@@ -79,8 +80,11 @@ pam_authenticate(pam_handle_t *pamh,
* The =flags argument is the binary or of zero or more of the following
* values:
*
- * =PAM_SILENT
+ * =PAM_SILENT:
* Do not emit any messages.
- * =PAM_DISALLOW_NULL_AUTHTOK
+ * =PAM_DISALLOW_NULL_AUTHTOK:
* Fail if the user's authentication token is null.
+ *
+ * If any other bits are set, =pam_authenticate will return
+ * =PAM_SYMBOL_ERR.
*/
diff --git a/contrib/openpam/lib/pam_chauthtok.c b/contrib/openpam/lib/pam_chauthtok.c
index bf56a13..3101d0c 100644
--- a/contrib/openpam/lib/pam_chauthtok.c
+++ b/contrib/openpam/lib/pam_chauthtok.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#10 $
+ * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#11 $
*/
#include <sys/param.h>
@@ -82,8 +82,10 @@ pam_chauthtok(pam_handle_t *pamh,
* The =flags argument is the binary or of zero or more of the following
* values:
*
- * =PAM_SILENT
+ * =PAM_SILENT:
* Do not emit any messages.
- * =PAM_CHANGE_EXPIRED_AUTHTOK
+ * =PAM_CHANGE_EXPIRED_AUTHTOK:
* Change only those authentication tokens that have expired.
+ *
+ * If any other bits are set, =pam_chauthtok will return =PAM_SYMBOL_ERR.
*/
diff --git a/contrib/openpam/lib/pam_close_session.c b/contrib/openpam/lib/pam_close_session.c
index bf806f7..50d8ba2 100644
--- a/contrib/openpam/lib/pam_close_session.c
+++ b/contrib/openpam/lib/pam_close_session.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_close_session.c#7 $
+ * $P4: //depot/projects/openpam/lib/pam_close_session.c#8 $
*/
#include <sys/param.h>
@@ -52,6 +52,8 @@ pam_close_session(pam_handle_t *pamh,
int flags)
{
+ if (flags & ~(PAM_SILENT))
+ return (PAM_SYMBOL_ERR);
return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags));
}
@@ -61,4 +63,19 @@ pam_close_session(pam_handle_t *pamh,
* =openpam_dispatch
* =pam_sm_close_session
* !PAM_IGNORE
+ * PAM_SYMBOL_ERR
+ */
+
+/**
+ * The =pam_close_session function tears down the user session previously
+ * set up by =pam_open_session.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ *
+ * If any other bits are set, =pam_close_session will return
+ * =PAM_SYMBOL_ERR.
*/
diff --git a/contrib/openpam/lib/pam_open_session.c b/contrib/openpam/lib/pam_open_session.c
index c33c829..02f73fb 100644
--- a/contrib/openpam/lib/pam_open_session.c
+++ b/contrib/openpam/lib/pam_open_session.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_open_session.c#7 $
+ * $P4: //depot/projects/openpam/lib/pam_open_session.c#8 $
*/
#include <sys/param.h>
@@ -52,6 +52,8 @@ pam_open_session(pam_handle_t *pamh,
int flags)
{
+ if (flags & ~(PAM_SILENT))
+ return (PAM_SYMBOL_ERR);
return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags));
}
@@ -61,4 +63,20 @@ pam_open_session(pam_handle_t *pamh,
* =openpam_dispatch
* =pam_sm_open_session
* !PAM_IGNORE
+ * PAM_SYMBOL_ERR
+ */
+
+/**
+ * The =pam_open_session sets up a user session for a previously
+ * authenticated user. The session should later be torn down by a call to
+ * =pam_close_session.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ *
+ * If any other bits are set, =pam_open_session will return
+ * =PAM_SYMBOL_ERR.
*/
diff --git a/contrib/openpam/lib/pam_setcred.c b/contrib/openpam/lib/pam_setcred.c
index f381139..1273cb4 100644
--- a/contrib/openpam/lib/pam_setcred.c
+++ b/contrib/openpam/lib/pam_setcred.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_setcred.c#8 $
+ * $P4: //depot/projects/openpam/lib/pam_setcred.c#9 $
*/
#include <sys/param.h>
@@ -52,6 +52,10 @@ pam_setcred(pam_handle_t *pamh,
int flags)
{
+ if (flags & ~(PAM_SILENT|PAM_ESTABLISH_CRED|PAM_DELETE_CRED|
+ PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED))
+ return (PAM_SYMBOL_ERR);
+ /* XXX enforce exclusivity */
return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags));
}
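Review bot: The `/* XXX enforce exclusivity */` left at line 521 means the four operation flags that the new documentation at line 552 calls mutually exclusive are still accepted in combination and handed to openpam_dispatch unchanged. If these constants are distinct single-bit values, as their use in the mask on lines 518-519 suggests, the check is two lines after the mask test: `int op = flags & (PAM_ESTABLISH_CRED|PAM_DELETE_CRED|PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED);` followed by `if (op & (op - 1)) return (PAM_SYMBOL_ERR);`. pam_setcred's signature starts outside the hunk.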
@@ -61,18 +65,27 @@ pam_setcred(pam_handle_t *pamh,
* =openpam_dispatch
* =pam_sm_setcred
* !PAM_IGNORE
+ * PAM_SYMBOL_ERR
*/
/**
* The =pam_setcred function manages the application's credentials.
- * The operation to perform is specified by the =flags argument:
*
- * PAM_ESTABLISH_CRED:
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ * =PAM_ESTABLISH_CRED:
* Establish the credentials of the target user.
- * PAM_DELETE_CRED:
+ * =PAM_DELETE_CRED:
* Revoke all established credentials.
- * PAM_REINITIALIZE_CRED:
+ * =PAM_REINITIALIZE_CRED:
* Fully reinitialise credentials.
- * PAM_REFRESH_CRED:
+ * =PAM_REFRESH_CRED:
* Refresh credentials.
+ *
+ * The latter four are mutually exclusive.
+ *
+ * If any other bits are set, =pam_setcred will return =PAM_SYMBOL_ERR.
*/
diff --git a/contrib/openpam/lib/pam_start.c b/contrib/openpam/lib/pam_start.c
index 4043f16..49976b4 100644
--- a/contrib/openpam/lib/pam_start.c
+++ b/contrib/openpam/lib/pam_start.c
@@ -31,21 +31,15 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_start.c#12 $
+ * $P4: //depot/projects/openpam/lib/pam_start.c#13 $
*/
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
#include <stdlib.h>
-#include <string.h>
#include <security/pam_appl.h>
#include "openpam_impl.h"
-static int _pam_configure_service(pam_handle_t *pamh, const char *service);
-
/*
* XSSO 4.2.1
* XSSO 6 page 89
@@ -71,9 +65,9 @@ pam_start(const char *service,
if ((r = pam_set_item(ph, PAM_CONV, pam_conv)) != PAM_SUCCESS)
goto fail;
- if ((r = _pam_configure_service(ph, service)) != PAM_SUCCESS &&
- r != PAM_BUF_ERR)
- r = _pam_configure_service(ph, PAM_OTHER);
+ r = openpam_configure(ph, service);
+ if (r != PAM_SUCCESS && r != PAM_BUF_ERR)
+ r = openpam_configure(ph, PAM_OTHER);
if (r != PAM_SUCCESS)
goto fail;
@@ -86,217 +80,12 @@ pam_start(const char *service,
return (r);
}
-#define PAM_CONF_STYLE 0
-#define PAM_D_STYLE 1
-#define MAX_LINE_LEN 1024
-#define MAX_OPTIONS 256
-
-static int
-_pam_read_policy_file(pam_handle_t *pamh,
- const char *service,
- const char *filename,
- int style)
-{
- char buf[MAX_LINE_LEN], *p, *q;
- const char *optv[MAX_OPTIONS + 1];
- int ch, chain, flag, line, optc, n, r;
- size_t len;
- FILE *f;
-
- n = 0;
-
- if ((f = fopen(filename, "r")) == NULL) {
- openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE,
- "%s: %m", filename);
- return (0);
- }
- openpam_log(PAM_LOG_DEBUG, "looking for '%s' in %s",
- service, filename);
-
- for (line = 1; fgets(buf, MAX_LINE_LEN, f) != NULL; ++line) {
- if ((len = strlen(buf)) == 0)
- continue;
-
- /* check for overflow */
- if (buf[--len] != '\n' && !feof(f)) {
- openpam_log(PAM_LOG_ERROR, "%s: line %d too long",
- filename, line);
- openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
- filename, line);
- while ((ch = fgetc(f)) != EOF)
- if (ch == '\n')
- break;
- continue;
- }
-
- /* strip comments and trailing whitespace */
- if ((p = strchr(buf, '#')) != NULL)
- len = p - buf ? p - buf - 1 : p - buf;
- while (len > 0 && isspace(buf[len - 1]))
- --len;
- if (len == 0)
- continue;
- buf[len] = '\0';
- p = q = buf;
-
- /* check service name */
- if (style == PAM_CONF_STYLE) {
- for (q = p = buf; *q != '\0' && !isspace(*q); ++q)
- /* nothing */;
- if (*q == '\0')
- goto syntax_error;
- *q++ = '\0';
- if (strcmp(p, service) != 0)
- continue;
- openpam_log(PAM_LOG_DEBUG, "%s: line %d matches '%s'",
- filename, line, service);
- }
-
-
- /* get module type */
- for (p = q; isspace(*p); ++p)
- /* nothing */;
- for (q = p; *q != '\0' && !isspace(*q); ++q)
- /* nothing */;
- if (q == p || *q == '\0')
- goto syntax_error;
- *q++ = '\0';
- if (strcmp(p, "auth") == 0) {
- chain = PAM_AUTH;
- } else if (strcmp(p, "account") == 0) {
- chain = PAM_ACCOUNT;
- } else if (strcmp(p, "session") == 0) {
- chain = PAM_SESSION;
- } else if (strcmp(p, "password") == 0) {
- chain = PAM_PASSWORD;
- } else {
- openpam_log(PAM_LOG_ERROR,
- "%s: invalid module type on line %d: '%s'",
- filename, line, p);
- continue;
- }
-
- /* get control flag */
- for (p = q; isspace(*p); ++p)
- /* nothing */;
- for (q = p; *q != '\0' && !isspace(*q); ++q)
- /* nothing */;
- if (q == p || *q == '\0')
- goto syntax_error;
- *q++ = '\0';
- if (strcmp(p, "required") == 0) {
- flag = PAM_REQUIRED;
- } else if (strcmp(p, "requisite") == 0) {
- flag = PAM_REQUISITE;
- } else if (strcmp(p, "sufficient") == 0) {
- flag = PAM_SUFFICIENT;
- } else if (strcmp(p, "optional") == 0) {
- flag = PAM_OPTIONAL;
- } else {
- openpam_log(PAM_LOG_ERROR,
- "%s: invalid control flag on line %d: '%s'",
- filename, line, p);
- continue;
- }
-
- /* get module name */
- for (p = q; isspace(*p); ++p)
- /* nothing */;
- for (q = p; *q != '\0' && !isspace(*q); ++q)
- /* nothing */;
- if (q == p)
- goto syntax_error;
-
- /* get options */
- for (optc = 0; *q != '\0' && optc < MAX_OPTIONS; ++optc) {
- *q++ = '\0';
- while (isspace(*q))
- ++q;
- optv[optc] = q;
- while (*q != '\0' && !isspace(*q))
- ++q;
- }
- optv[optc] = NULL;
- if (*q != '\0') {
- *q = '\0';
- openpam_log(PAM_LOG_ERROR,
- "%s: too many options on line %d",
- filename, line);
- }
-
- /*
- * Finally, add the module at the end of the
- * appropriate chain and bump the counter.
- */
- r = openpam_add_module(pamh, chain, flag, p, optc, optv);
- if (r != PAM_SUCCESS)
- return (-r);
- ++n;
- continue;
- syntax_error:
- openpam_log(PAM_LOG_ERROR, "%s: syntax error on line %d",
- filename, line);
- openpam_log(PAM_LOG_DEBUG, "%s: line %d: [%s]",
- filename, line, q);
- openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
- filename, line);
- }
-
- if (ferror(f))
- openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
-
- fclose(f);
- return (n);
-}
-
-static const char *_pam_policy_path[] = {
- "/etc/pam.d/",
- "/etc/pam.conf",
- "/usr/local/etc/pam.d/",
- NULL
-};
-
-static int
-_pam_configure_service(pam_handle_t *pamh,
- const char *service)
-{
- const char **path;
- char *filename;
- size_t len;
- int r;
-
- for (path = _pam_policy_path; *path != NULL; ++path) {
- len = strlen(*path);
- if ((*path)[len - 1] == '/') {
- filename = malloc(len + strlen(service) + 1);
- if (filename == NULL) {
- openpam_log(PAM_LOG_ERROR, "malloc(): %m");
- return (PAM_BUF_ERR);
- }
- strcpy(filename, *path);
- strcat(filename, service);
- r = _pam_read_policy_file(pamh,
- service, filename, PAM_D_STYLE);
- free(filename);
- } else {
- r = _pam_read_policy_file(pamh,
- service, *path, PAM_CONF_STYLE);
- }
- if (r < 0)
- return (-r);
- if (r > 0)
- return (PAM_SUCCESS);
- }
-
- return (PAM_SYSTEM_ERR);
-}
-
/*
* Error codes:
*
+ * =openpam_configure
* =pam_set_item
* !PAM_SYMBOL_ERR
- * PAM_SYSTEM_ERR
* PAM_BUF_ERR
*/