Vendor import of OpenSSH 4.2p1.

16 files changed, 689 insertions, 165 deletions

diff --git a/crypto/openssh/openbsd-compat/Makefile.in b/crypto/openssh/openbsd-compat/Makefile.in
index 0f34f22..6f5ee28 100644
--- a/crypto/openssh/openbsd-compat/Makefile.in
+++ b/crypto/openssh/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.31 2004/08/15 08:41:00 djm Exp $
+# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,11 +16,11 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtoul.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
 
-COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-aix.o
+PORTS=port-irix.o port-aix.o port-uw.o
 
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
index ff394ec..b5e3cc5 100644
--- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
+++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
@@ -29,7 +29,7 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.13.4.1 2005/05/25 09:42:40 dtucker Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
 
 #ifdef HAVE_CYGWIN
 
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.c b/crypto/openssh/openbsd-compat/bsd-misc.c
index 41f92cc..6ba9bd9 100644
--- a/crypto/openssh/openbsd-compat/bsd-misc.c
+++ b/crypto/openssh/openbsd-compat/bsd-misc.c
@@ -18,7 +18,7 @@
 #include "includes.h"
 #include "xmalloc.h"
 
-RCSID("$Id: bsd-misc.c,v 1.26 2005/02/25 23:07:38 dtucker Exp $");
+RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $");
 
 #ifndef HAVE___PROGNAME
 char *__progname;
@@ -212,3 +212,21 @@ mysignal(int sig, mysig_t act)
 	return (signal(sig, act));
 #endif
 }
+
+#ifndef HAVE_STRDUP
+char *
+strdup(const char *str)
+{
+	size_t len;
+	char *cp;
+
+	len = strlen(str) + 1;
+	cp = malloc(len);
+	if (cp != NULL)
+		if (strlcpy(cp, str, len) != len) {
+			free(cp);
+			return NULL;
+		}
+	return cp;
+}
+#endif
diff --git a/crypto/openssh/openbsd-compat/fake-rfc2553.h b/crypto/openssh/openbsd-compat/fake-rfc2553.h
index 636792e..cbcf7f7 100644
--- a/crypto/openssh/openbsd-compat/fake-rfc2553.h
+++ b/crypto/openssh/openbsd-compat/fake-rfc2553.h
@@ -1,4 +1,4 @@
-/* $Id: fake-rfc2553.h,v 1.10 2005/02/11 07:32:13 dtucker Exp $ */
+/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */
 
 /*
  * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
@@ -114,10 +114,16 @@ struct sockaddr_in6 {
 #endif /* !NI_MAXHOST */
 
 #ifndef EAI_NODATA
-# define EAI_NODATA	1
-# define EAI_MEMORY	2
-# define EAI_NONAME	3
-# define EAI_SYSTEM	4
+# define EAI_NODATA	(INT_MAX - 1)
+#endif
+#ifndef EAI_MEMORY
+# define EAI_MEMORY	(INT_MAX - 2)
+#endif
+#ifndef EAI_NONAME
+# define EAI_NONAME	(INT_MAX - 3)
+#endif
+#ifndef EAI_SYSTEM
+# define EAI_SYSTEM	(INT_MAX - 4)
 #endif
 
 #ifndef HAVE_STRUCT_ADDRINFO
diff --git a/crypto/openssh/openbsd-compat/getrrsetbyname.c b/crypto/openssh/openbsd-compat/getrrsetbyname.c
index 4e869c4..2016ffe 100644
--- a/crypto/openssh/openbsd-compat/getrrsetbyname.c
+++ b/crypto/openssh/openbsd-compat/getrrsetbyname.c
@@ -144,6 +144,8 @@ _getshort(msgp)
 	GETSHORT(u, msgp);
 	return (u);
 }
+#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
+u_int16_t _getshort(register const u_char *);
 #endif
 
 #ifndef HAVE__GETLONG
@@ -156,6 +158,8 @@ _getlong(msgp)
 	GETLONG(u, msgp);
 	return (u);
 }
+#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
+u_int32_t _getlong(register const u_char *);
 #endif
 
 int
diff --git a/crypto/openssh/openbsd-compat/openbsd-compat.h b/crypto/openssh/openbsd-compat/openbsd-compat.h
index 89d1454..ba68bc2 100644
--- a/crypto/openssh/openbsd-compat/openbsd-compat.h
+++ b/crypto/openssh/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.26 2004/08/15 08:41:00 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -152,6 +152,10 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *);
 int snprintf(char *, size_t, const char *, ...);
 #endif 
 
+#ifndef HAVE_STRTONUM
+long long strtonum(const char *, long long, long long, const char **);
+#endif
+
 #ifndef HAVE_VSNPRINTF
 int vsnprintf(char *, size_t, const char *, va_list);
 #endif
@@ -169,5 +173,6 @@ char *shadow_pw(struct passwd *pw);
 #include "bsd-cygwin_util.h"
 #include "port-irix.h"
 #include "port-aix.h"
+#include "port-uw.h"
 
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/crypto/openssh/openbsd-compat/openssl-compat.c b/crypto/openssh/openbsd-compat/openssl-compat.c
new file mode 100644
index 0000000..b690e8f
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/openssl-compat.c
@@ -0,0 +1,46 @@
+/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#define SSH_DONT_REDEF_EVP
+#include "openssl-compat.h"
+
+#ifdef SSH_OLD_EVP
+int
+ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
+    unsigned char *key, unsigned char *iv, int enc)
+{
+	EVP_CipherInit(evp, type, key, iv, enc);
+	return 1;
+}
+
+int
+ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
+{
+	EVP_Cipher(evp, dst, src, len);
+	return 1;
+}
+
+int
+ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
+{
+	EVP_CIPHER_CTX_cleanup(evp);
+	return 1;
+}
+#endif
diff --git a/crypto/openssh/openbsd-compat/openssl-compat.h b/crypto/openssh/openbsd-compat/openssl-compat.h
new file mode 100644
index 0000000..d9b2fa5
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/openssl-compat.h
@@ -0,0 +1,65 @@
+/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+# define SSH_OLD_EVP
+# define EVP_CIPHER_CTX_get_app_data(e)		((e)->app_data)
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define EVP_aes_128_cbc evp_rijndael
+# define EVP_aes_192_cbc evp_rijndael
+# define EVP_aes_256_cbc evp_rijndael
+extern const EVP_CIPHER *evp_rijndael(void);
+extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+#endif
+
+#if !defined(EVP_CTRL_SET_ACSS_MODE)
+# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+#  define USE_CIPHER_ACSS 1
+extern const EVP_CIPHER *evp_acss(void);
+#  define EVP_acss evp_acss
+# else
+#  define EVP_acss NULL
+# endif
+#endif
+
+/*
+ * insert comment here
+ */
+#ifdef SSH_OLD_EVP
+
+# ifndef SSH_DONT_REDEF_EVP
+
+#  ifdef EVP_Cipher
+#   undef EVP_Cipher
+#  endif
+
+#  define EVP_CipherInit(a,b,c,d,e)	ssh_EVP_CipherInit((a),(b),(c),(d),(e))
+#  define EVP_Cipher(a,b,c,d)		ssh_EVP_Cipher((a),(b),(c),(d))
+#  define EVP_CIPHER_CTX_cleanup(a)	ssh_EVP_CIPHER_CTX_cleanup((a))
+# endif
+
+int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
+    unsigned char *, int);
+int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
+int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
+#endif
diff --git a/crypto/openssh/openbsd-compat/port-aix.c b/crypto/openssh/openbsd-compat/port-aix.c
index cf5d4b9..81d8124 100644
--- a/crypto/openssh/openbsd-compat/port-aix.c
+++ b/crypto/openssh/openbsd-compat/port-aix.c
@@ -1,7 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
- * Copyright (c) 2003,2004 Darren Tucker.  All rights reserved.
+ * Copyright (c) 2003,2004,2005 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -42,14 +42,12 @@ static char old_registry[REGISTRY_SIZE] = "";
 # endif
 
 /*
- * AIX has a "usrinfo" area where logname and other stuff is stored - 
+ * AIX has a "usrinfo" area where logname and other stuff is stored -
  * a few applications actually use this and die if it's not set
  *
  * NOTE: TTY= should be set, but since no one uses it and it's hard to
  * acquire due to privsep code.  We will just drop support.
  */
-
-
 void
 aix_usrinfo(struct passwd *pw)
 {
@@ -60,7 +58,7 @@ aix_usrinfo(struct passwd *pw)
 	len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
 	cp = xmalloc(len);
 
-	i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0', 
+	i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
 	    pw->pw_name, '\0');
 	if (usrinfo(SETUINFO, cp, i) == -1)
 		fatal("Couldn't set usrinfo: %s", strerror(errno));
@@ -153,14 +151,14 @@ aix_valid_authentications(const char *user)
 int
 sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
-	char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
+	char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
 	int authsuccess = 0, expired, reenter, result;
 
 	do {
 		result = authenticate((char *)name, (char *)password, &reenter,
 		    &authmsg);
 		aix_remove_embedded_newlines(authmsg);	
-		debug3("AIX/authenticate result %d, msg %.100s", result,
+		debug3("AIX/authenticate result %d, authmsg %.100s", result,
 		    authmsg);
 	} while (reenter);
 
@@ -170,7 +168,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 	if (result == 0) {
 		authsuccess = 1;
 
-	       	/*
+		/*
 		 * Record successful login.  We don't have a pty yet, so just
 		 * label the line as "ssh"
 		 */
@@ -257,7 +255,7 @@ int
 sys_auth_record_login(const char *user, const char *host, const char *ttynm,
     Buffer *loginmsg)
 {
-	char *msg;
+	char *msg = NULL;
 	int success = 0;
 
 	aix_setauthdb(user);
diff --git a/crypto/openssh/openbsd-compat/port-aix.h b/crypto/openssh/openbsd-compat/port-aix.h
index 9e3dce4..37b2c12 100644
--- a/crypto/openssh/openbsd-compat/port-aix.h
+++ b/crypto/openssh/openbsd-compat/port-aix.h
@@ -1,8 +1,9 @@
-/* $Id: port-aix.h,v 1.25 2005/03/21 11:46:34 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.26 2005/05/28 10:28:40 dtucker Exp $ */
 
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -47,23 +48,23 @@
 
 /* These should be in the system headers but are not. */
 int usrinfo(int, char *, int);
-#if (HAVE_DECL_SETAUTHDB == 0)
+#if defined(HAVE_DECL_SETAUTHDB) && (HAVE_DECL_SETAUTHDB == 0)
 int setauthdb(const char *, char *);
 #endif
 /* these may or may not be in the headers depending on the version */
-#if (HAVE_DECL_AUTHENTICATE == 0)
+#if defined(HAVE_DECL_AUTHENTICATE) && (HAVE_DECL_AUTHENTICATE == 0)
 int authenticate(char *, char *, int *, char **);
 #endif
-#if (HAVE_DECL_LOGINFAILED == 0)
+#if defined(HAVE_DECL_LOGINFAILED) && (HAVE_DECL_LOGINFAILED == 0)
 int loginfailed(char *, char *, char *);
 #endif
-#if (HAVE_DECL_LOGINRESTRICTIONS == 0)
+#if defined(HAVE_DECL_LOGINRESTRICTIONS) && (HAVE_DECL_LOGINRESTRICTIONS == 0)
 int loginrestrictions(char *, int, char *, char **);
 #endif
-#if (HAVE_DECL_LOGINSUCCESS == 0)
+#if defined(HAVE_DECL_LOGINSUCCESS) && (HAVE_DECL_LOGINSUCCESS == 0)
 int loginsuccess(char *, char *, char *, char **);
 #endif
-#if (HAVE_DECL_PASSWDEXPIRED == 0)
+#if defined(HAVE_DECL_PASSWDEXPIRED) && (HAVE_DECL_PASSWDEXPIRED == 0)
 int passwdexpired(char *, char **);
 #endif
 
diff --git a/crypto/openssh/openbsd-compat/port-uw.c b/crypto/openssh/openbsd-compat/port-uw.c
new file mode 100644
index 0000000..d881ff0
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/port-uw.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2005 The SCO Group. All rights reserved.
+ * Copyright (c) 2005 Tim Rice. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#include "packet.h"
+#include "buffer.h"
+#include "log.h"
+#include "servconf.h"
+#include "auth.h"
+#include "auth-options.h"
+
+int nischeck(char *);
+
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+	struct passwd *pw = authctxt->pw;
+	char *encrypted_password;
+	char *salt;
+	int result;
+
+	/* Just use the supplied fake password if authctxt is invalid */
+	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
+
+	/* Check for users with no password. */
+	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
+		return (1);
+
+	/* Encrypt the candidate password using the proper salt. */
+	salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
+#ifdef UNIXWARE_LONG_PASSWORDS
+	if (!nischeck(pw->pw_name))
+		encrypted_password = bigcrypt(password, salt);
+	else
+#endif /* UNIXWARE_LONG_PASSWORDS */
+		encrypted_password = xcrypt(password, salt);
+
+	/*
+	 * Authentication is accepted if the encrypted passwords
+	 * are identical.
+	 */
+	result = (strcmp(encrypted_password, pw_password) == 0);
+
+	if (authctxt->valid)
+		free(pw_password);
+	return(result);
+}
+
+#ifdef UNIXWARE_LONG_PASSWORDS
+int
+nischeck(char *namep)
+{
+	char password_file[] = "/etc/passwd";
+	FILE *fd;
+	struct passwd *ent = NULL;
+
+	if ((fd = fopen (password_file, "r")) == NULL) {
+		/*
+		 * If the passwd file has dissapeared we are in a bad state.
+		 * However, returning 0 will send us back through the
+		 * authentication scheme that has checked the ia database for
+		 * passwords earlier.
+		 */
+		return(0);
+	}
+
+	/*
+	 * fgetpwent() only reads from password file, so we know for certain
+	 * that the user is local.
+	 */
+	while (ent = fgetpwent(fd)) {
+		if (strcmp (ent->pw_name, namep) == 0) {
+			/* Local user */
+			fclose (fd);
+			return(0);
+		}
+	}
+
+	fclose (fd);
+	return (1);
+}
+
+#endif /* UNIXWARE_LONG_PASSWORDS */
+
+/*
+	NOTE: ia_get_logpwd() allocates memory for arg 2
+	functions that call shadow_pw() will need to free
+ */
+
+char *
+get_iaf_password(struct passwd *pw)
+{
+	char *pw_password = NULL;
+
+	uinfo_t uinfo;
+	if (!ia_openinfo(pw->pw_name,&uinfo)) {
+		ia_get_logpwd(uinfo, &pw_password);
+		if (pw_password == NULL)
+			fatal("ia_get_logpwd: Unable to get the shadow passwd");
+		ia_closeinfo(uinfo);
+	 	return pw_password;
+	}
+	else
+		fatal("ia_openinfo: Unable to open the shadow passwd file");
+}
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+
diff --git a/crypto/openssh/openbsd-compat/port-uw.h b/crypto/openssh/openbsd-compat/port-uw.h
new file mode 100644
index 0000000..3589b2e
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/port-uw.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2005 Tim Rice.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+char * get_iaf_password(struct passwd *pw);
+#endif
+
diff --git a/crypto/openssh/openbsd-compat/realpath.c b/crypto/openssh/openbsd-compat/realpath.c
index 7f73bd9..8430bec 100644
--- a/crypto/openssh/openbsd-compat/realpath.c
+++ b/crypto/openssh/openbsd-compat/realpath.c
@@ -1,11 +1,7 @@
 /* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
 
 /*
- * Copyright (c) 1994
- *	The Regents of the University of California.  All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Jan-Simon Pendry.
+ * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -15,14 +11,14 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -36,169 +32,165 @@
 
 #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
 
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: realpath.c,v 1.11 2004/11/30 15:12:59 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
 #include <sys/param.h>
 #include <sys/stat.h>
 
 #include <errno.h>
-#include <fcntl.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 /*
- * MAXSYMLINKS
- */
-#ifndef MAXSYMLINKS
-#define MAXSYMLINKS 5
-#endif
-
-/*
- * char *realpath(const char *path, char resolved_path[MAXPATHLEN]);
+ * char *realpath(const char *path, char resolved[PATH_MAX]);
  *
  * Find the real name of path, by removing all ".", ".." and symlink
  * components.  Returns (resolved) on success, or (NULL) on failure,
  * in which case the path which caused trouble is left in (resolved).
  */
 char *
-realpath(const char *path, char *resolved)
+realpath(const char *path, char resolved[PATH_MAX])
 {
 	struct stat sb;
-	int fd, n, needslash, serrno;
-	char *p, *q, wbuf[MAXPATHLEN];
-	int symlinks = 0;
-
-	/* Save the starting point. */
-#ifndef HAVE_FCHDIR
-	char start[MAXPATHLEN];
-	/* this is potentially racy but without fchdir we have no option */
-	if (getcwd(start, sizeof(start)) == NULL) {
-		resolved[0] = '.';
+	char *p, *q, *s;
+	size_t left_len, resolved_len;
+	unsigned symlinks;
+	int serrno, slen;
+	char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
+
+	serrno = errno;
+	symlinks = 0;
+	if (path[0] == '/') {
+		resolved[0] = '/';
 		resolved[1] = '\0';
-		return (NULL);
+		if (path[1] == '\0')
+			return (resolved);
+		resolved_len = 1;
+		left_len = strlcpy(left, path + 1, sizeof(left));
+	} else {
+		if (getcwd(resolved, PATH_MAX) == NULL) {
+			strlcpy(resolved, ".", PATH_MAX);
+			return (NULL);
+		}
+		resolved_len = strlen(resolved);
+		left_len = strlcpy(left, path, sizeof(left));
 	}
-#endif
-	if ((fd = open(".", O_RDONLY)) < 0) {
-		resolved[0] = '.';
-		resolved[1] = '\0';
+	if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
+		errno = ENAMETOOLONG;
 		return (NULL);
 	}
 
-	/* Convert "." -> "" to optimize away a needless lstat() and chdir() */
-	if (path[0] == '.' && path[1] == '\0')
-		path = "";
-
 	/*
-	 * Find the dirname and basename from the path to be resolved.
-	 * Change directory to the dirname component.
-	 * lstat the basename part.
-	 *     if it is a symlink, read in the value and loop.
-	 *     if it is a directory, then change to that directory.
-	 * get the current directory name and append the basename.
+	 * Iterate over path components in `left'.
 	 */
-	if (strlcpy(resolved, path, MAXPATHLEN) >= MAXPATHLEN) {
-		serrno = ENAMETOOLONG;
-		goto err2;
-	}
-loop:
-	q = strrchr(resolved, '/');
-	if (q != NULL) {
-		p = q + 1;
-		if (q == resolved)
-			q = "/";
-		else {
-			do {
-				--q;
-			} while (q > resolved && *q == '/');
-			q[1] = '\0';
-			q = resolved;
+	while (left_len != 0) {
+		/*
+		 * Extract the next path component and adjust `left'
+		 * and its length.
+		 */
+		p = strchr(left, '/');
+		s = p ? p : left + left_len;
+		if (s - left >= sizeof(next_token)) {
+			errno = ENAMETOOLONG;
+			return (NULL);
 		}
-		if (chdir(q) < 0)
-			goto err1;
-	} else
-		p = resolved;
-
-	/* Deal with the last component. */
-	if (*p != '\0' && lstat(p, &sb) == 0) {
-		if (S_ISLNK(sb.st_mode)) {
-			if (++symlinks > MAXSYMLINKS) {
-				errno = ELOOP;
-				goto err1;
+		memcpy(next_token, left, s - left);
+		next_token[s - left] = '\0';
+		left_len -= s - left;
+		if (p != NULL)
+			memmove(left, s + 1, left_len + 1);
+		if (resolved[resolved_len - 1] != '/') {
+			if (resolved_len + 1 >= PATH_MAX) {
+				errno = ENAMETOOLONG;
+				return (NULL);
 			}
-			if ((n = readlink(p, resolved, MAXPATHLEN-1)) < 0)
-				goto err1;
-			resolved[n] = '\0';
-			goto loop;
+			resolved[resolved_len++] = '/';
+			resolved[resolved_len] = '\0';
 		}
-		if (S_ISDIR(sb.st_mode)) {
-			if (chdir(p) < 0)
-				goto err1;
-			p = "";
+		if (next_token[0] == '\0')
+			continue;
+		else if (strcmp(next_token, ".") == 0)
+			continue;
+		else if (strcmp(next_token, "..") == 0) {
+			/*
+			 * Strip the last path component except when we have
+			 * single "/"
+			 */
+			if (resolved_len > 1) {
+				resolved[resolved_len - 1] = '\0';
+				q = strrchr(resolved, '/') + 1;
+				*q = '\0';
+				resolved_len = q - resolved;
+			}
+			continue;
 		}
-	}
-
-	/*
-	 * Save the last component name and get the full pathname of
-	 * the current directory.
-	 */
-	if (strlcpy(wbuf, p, sizeof(wbuf)) >= sizeof(wbuf)) {
-		errno = ENAMETOOLONG;
-		goto err1;
-	}
-	if (getcwd(resolved, MAXPATHLEN) == NULL)
-		goto err1;
-
-	/*
-	 * Join the two strings together, ensuring that the right thing
-	 * happens if the last component is empty, or the dirname is root.
-	 */
-	if (resolved[0] == '/' && resolved[1] == '\0')
-		needslash = 0;
-	else
-		needslash = 1;
 
-	if (*wbuf) {
-		if (strlen(resolved) + strlen(wbuf) + needslash >= MAXPATHLEN) {
+		/*
+		 * Append the next path component and lstat() it. If
+		 * lstat() fails we still can return successfully if
+		 * there are no more path components left.
+		 */
+		resolved_len = strlcat(resolved, next_token, PATH_MAX);
+		if (resolved_len >= PATH_MAX) {
 			errno = ENAMETOOLONG;
-			goto err1;
+			return (NULL);
 		}
-		if (needslash) {
-			if (strlcat(resolved, "/", MAXPATHLEN) >= MAXPATHLEN) {
-				errno = ENAMETOOLONG;
-				goto err1;
+		if (lstat(resolved, &sb) != 0) {
+			if (errno == ENOENT && p == NULL) {
+				errno = serrno;
+				return (resolved);
 			}
+			return (NULL);
 		}
-		if (strlcat(resolved, wbuf, MAXPATHLEN) >= MAXPATHLEN) {
-			errno = ENAMETOOLONG;
-			goto err1;
-		}
-	}
+		if (S_ISLNK(sb.st_mode)) {
+			if (symlinks++ > MAXSYMLINKS) {
+				errno = ELOOP;
+				return (NULL);
+			}
+			slen = readlink(resolved, symlink, sizeof(symlink) - 1);
+			if (slen < 0)
+				return (NULL);
+			symlink[slen] = '\0';
+			if (symlink[0] == '/') {
+				resolved[1] = 0;
+				resolved_len = 1;
+			} else if (resolved_len > 1) {
+				/* Strip the last path component. */
+				resolved[resolved_len - 1] = '\0';
+				q = strrchr(resolved, '/') + 1;
+				*q = '\0';
+				resolved_len = q - resolved;
+			}
 
-	/* Go back to where we came from. */
-#ifdef HAVE_FCHDIR
-	if (fchdir(fd) < 0) {
-#else
-	if (chdir(start) < 0) {
-#endif
-		serrno = errno;
-		goto err2;
+			/*
+			 * If there are any path components left, then
+			 * append them to symlink. The result is placed
+			 * in `left'.
+			 */
+			if (p != NULL) {
+				if (symlink[slen - 1] != '/') {
+					if (slen + 1 >= sizeof(symlink)) {
+						errno = ENAMETOOLONG;
+						return (NULL);
+					}
+					symlink[slen] = '/';
+					symlink[slen + 1] = 0;
+				}
+				left_len = strlcat(symlink, left, sizeof(left));
+				if (left_len >= sizeof(left)) {
+					errno = ENAMETOOLONG;
+					return (NULL);
+				}
+			}
+			left_len = strlcpy(left, symlink, sizeof(left));
+		}
 	}
 
-	/* It's okay if the close fails, what's an fd more or less? */
-	(void)close(fd);
+	/*
+	 * Remove trailing slash except when the resolved pathname
+	 * is a single "/".
+	 */
+	if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
+		resolved[resolved_len - 1] = '\0';
 	return (resolved);
-
-err1:	serrno = errno;
-#ifdef HAVE_FCHDIR
-	(void)fchdir(fd);
-#else
-	chdir(start);
-#endif
-err2:	(void)close(fd);
-	errno = serrno;
-	return (NULL);
 }
 #endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */
diff --git a/crypto/openssh/openbsd-compat/strtoll.c b/crypto/openssh/openbsd-compat/strtoll.c
new file mode 100644
index 0000000..60c276f
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/strtoll.c
@@ -0,0 +1,151 @@
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
+
+/*-
+ * Copyright (c) 1992 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+#ifndef HAVE_STRTOLL
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+/*
+ * Convert a string to a long long.
+ *
+ * Ignores `locale' stuff.  Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+long long
+strtoll(const char *nptr, char **endptr, int base)
+{
+	const char *s;
+	long long acc, cutoff;
+	int c;
+	int neg, any, cutlim;
+
+	/*
+	 * Skip white space and pick up leading +/- sign if any.
+	 * If base is 0, allow 0x for hex and 0 for octal, else
+	 * assume decimal; if base is already 16, allow 0x.
+	 */
+	s = nptr;
+	do {
+		c = (unsigned char) *s++;
+	} while (isspace(c));
+	if (c == '-') {
+		neg = 1;
+		c = *s++;
+	} else {
+		neg = 0;
+		if (c == '+')
+			c = *s++;
+	}
+	if ((base == 0 || base == 16) &&
+	    c == '0' && (*s == 'x' || *s == 'X')) {
+		c = s[1];
+		s += 2;
+		base = 16;
+	}
+	if (base == 0)
+		base = c == '0' ? 8 : 10;
+
+	/*
+	 * Compute the cutoff value between legal numbers and illegal
+	 * numbers.  That is the largest legal value, divided by the
+	 * base.  An input number that is greater than this value, if
+	 * followed by a legal input character, is too big.  One that
+	 * is equal to this value may be valid or not; the limit
+	 * between valid and invalid numbers is then based on the last
+	 * digit.  For instance, if the range for long longs is
+	 * [-9223372036854775808..9223372036854775807] and the input base
+	 * is 10, cutoff will be set to 922337203685477580 and cutlim to
+	 * either 7 (neg==0) or 8 (neg==1), meaning that if we have
+	 * accumulated a value > 922337203685477580, or equal but the
+	 * next digit is > 7 (or 8), the number is too big, and we will
+	 * return a range error.
+	 *
+	 * Set any if any `digits' consumed; make it negative to indicate
+	 * overflow.
+	 */
+	cutoff = neg ? LLONG_MIN : LLONG_MAX;
+	cutlim = cutoff % base;
+	cutoff /= base;
+	if (neg) {
+		if (cutlim > 0) {
+			cutlim -= base;
+			cutoff += 1;
+		}
+		cutlim = -cutlim;
+	}
+	for (acc = 0, any = 0;; c = (unsigned char) *s++) {
+		if (isdigit(c))
+			c -= '0';
+		else if (isalpha(c))
+			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+		else
+			break;
+		if (c >= base)
+			break;
+		if (any < 0)
+			continue;
+		if (neg) {
+			if (acc < cutoff || (acc == cutoff && c > cutlim)) {
+				any = -1;
+				acc = LLONG_MIN;
+				errno = ERANGE;
+			} else {
+				any = 1;
+				acc *= base;
+				acc -= c;
+			}
+		} else {
+			if (acc > cutoff || (acc == cutoff && c > cutlim)) {
+				any = -1;
+				acc = LLONG_MAX;
+				errno = ERANGE;
+			} else {
+				any = 1;
+				acc *= base;
+				acc += c;
+			}
+		}
+	}
+	if (endptr != 0)
+		*endptr = (char *) (any ? s - 1 : nptr);
+	return (acc);
+}
+#endif /* HAVE_STRTOLL */
diff --git a/crypto/openssh/openbsd-compat/strtonum.c b/crypto/openssh/openbsd-compat/strtonum.c
new file mode 100644
index 0000000..b681ed8
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/strtonum.c
@@ -0,0 +1,69 @@
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
+
+/*	$OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $	*/
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+#ifndef HAVE_STRTONUM
+#include <limits.h>
+
+#define INVALID 	1
+#define TOOSMALL 	2
+#define TOOLARGE 	3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+	long long ll = 0;
+	char *ep;
+	int error = 0;
+	struct errval {
+		const char *errstr;
+		int err;
+	} ev[4] = {
+		{ NULL,		0 },
+		{ "invalid",	EINVAL },
+		{ "too small",	ERANGE },
+		{ "too large",	ERANGE },
+	};
+
+	ev[0].err = errno;
+	errno = 0;
+	if (minval > maxval)
+		error = INVALID;
+	else {
+		ll = strtoll(numstr, &ep, 10);
+		if (numstr == ep || *ep != '\0')
+			error = INVALID;
+		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+			error = TOOSMALL;
+		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+			error = TOOLARGE;
+	}
+	if (errstrp != NULL)
+		*errstrp = ev[error].errstr;
+	errno = ev[error].err;
+	if (error)
+		ll = 0;
+
+	return (ll);
+}
+
+#endif /* HAVE_STRTONUM */
diff --git a/crypto/openssh/openbsd-compat/xcrypt.c b/crypto/openssh/openbsd-compat/xcrypt.c
index c3cea3c..9afa0b9 100644
--- a/crypto/openssh/openbsd-compat/xcrypt.c
+++ b/crypto/openssh/openbsd-compat/xcrypt.c
@@ -93,6 +93,11 @@ shadow_pw(struct passwd *pw)
 	if (spw != NULL)
 		pw_password = spw->sp_pwdp;
 # endif
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+	return(get_iaf_password(pw));
+#endif
+
 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
 	struct passwd_adjunct *spw;
 	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)