authordes <des@FreeBSD.org>2002-04-06 19:30:04 +0000
committerdes <des@FreeBSD.org>2002-04-06 19:30:04 +0000
commitce173531cb1170071b7229ea61773b3e147b398c (patch)
treedc5c87ef50760008f06f1126c71838800407bae3 /lib/libpam
parent7b72a8ff6c733bf25da91947ff362fbe055edabd (diff)
Aggressive cleanup of warnings + authtok-related code in preparation for
PAMifying passwd(1). Sponsored by: DARPA, NAI Labs.
Diffstat (limited to 'lib/libpam')
-rw-r--r--lib/libpam/modules/modules.inc2
-rw-r--r--lib/libpam/modules/pam_krb5/pam_krb5.c57
-rw-r--r--lib/libpam/modules/pam_opie/pam_opie.c6
-rw-r--r--lib/libpam/modules/pam_radius/pam_radius.c6
-rw-r--r--lib/libpam/modules/pam_self/pam_self.c4
-rw-r--r--lib/libpam/modules/pam_ssh/pam_ssh.c66
-rw-r--r--lib/libpam/modules/pam_tacplus/pam_tacplus.c14
-rw-r--r--lib/libpam/modules/pam_unix/pam_unix.c107
8 files changed, 112 insertions, 150 deletions
diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc
index d7b08aa..2e8eb66 100644
--- a/lib/libpam/modules/modules.inc
+++ b/lib/libpam/modules/modules.inc
@@ -14,7 +14,7 @@ MODULES += pam_login_access
MODULES += pam_nologin
MODULES += pam_opie
MODULES += pam_opieaccess
-MODULES += pam_passwdqc
+#MODULES += pam_passwdqc
MODULES += pam_permit
MODULES += pam_radius
MODULES += pam_rootok
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c
index 2c54448..396390d 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@@ -2,7 +2,14 @@
* Copyright 2001 Mark R V Murray
* Copyright Frank Cusack fcusack@fcusack.com 1999-2000
* All rights reserved
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
*
+ * Portions of this software were developed for the FreeBSD Project by
+ * ThinkSec AS and NAI Labs, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -200,7 +207,7 @@ __FBSDID("$FreeBSD$");
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
-#include <strings.h>
+#include <string.h>
#include <syslog.h>
#include <unistd.h>
@@ -229,7 +236,6 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
#define USER_PROMPT "Username: "
#define PASSWORD_PROMPT "Password:"
#define NEW_PASSWORD_PROMPT "New Password:"
-#define NEW_PASSWORD_PROMPT_2 "New Password (again):"
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_CCACHE, PAM_OPT_FORWARDABLE, PAM_OPT_NO_CCACHE, PAM_OPT_REUSE_CCACHE };
@@ -258,7 +264,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
struct passwd *pwd;
int retval;
const char *sourceuser, *user, *pass, *service;
- char *principal, *princ_name, *cache_name, luser[32];
+ char *principal, *princ_name, *cache_name, luser[32], *srvdup;
pam_std_option(&options, other_options, argc, argv);
@@ -339,7 +345,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Got principal: %s", princ_name);
/* Get password */
- retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
goto cleanup2;
@@ -420,8 +426,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Credentials stashed");
/* Verify them */
- if (verify_krb_v5_tgt(pam_context, ccache, (char *)service,
- pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL)) == -1) {
+ if ((srvdup = strdup(service)) == NULL) {
+ retval = PAM_BUF_ERR;
+ goto cleanup;
+ }
+ krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
+ pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL));
+ free(srvdup);
+ if (krbret == -1) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
krb5_cc_destroy(pam_context, ccache);
retval = PAM_AUTH_ERR;
@@ -809,8 +821,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
krb5_data result_code_string, result_string;
struct options options;
int result_code, retval;
- const char *user, *pass, *pass2;
- char *princ_name;
+ const char *user, *pass;
+ char *princ_name, *passdup;
pam_std_option(&options, other_options, argc, argv);
@@ -857,7 +869,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Got principal: %s", princ_name);
/* Get password */
- retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
+ retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
goto cleanup2;
@@ -876,27 +888,26 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Credentials established");
/* Now get the new password */
- retval = pam_get_pass(pamh, &pass, NEW_PASSWORD_PROMPT, &options);
- if (retval != PAM_SUCCESS)
- goto cleanup;
-
- retval = pam_get_pass(pamh, &pass2, NEW_PASSWORD_PROMPT_2, &options);
+ for (;;) {
+ retval = pam_get_authtok(pamh,
+ PAM_AUTHTOK, &pass, NEW_PASSWORD_PROMPT);
+ if (retval != PAM_TRY_AGAIN)
+ break;
+ pam_error(pamh, "Mismatch; try again, EOF to quit.");
+ }
if (retval != PAM_SUCCESS)
goto cleanup;
- PAM_LOG("Got new password twice");
+ PAM_LOG("Got new password");
- if (strcmp(pass, pass2) != 0) {
- PAM_LOG("Error strcmp(): passwords are different");
- retval = PAM_AUTHTOK_ERR;
+ /* Change it */
+ if ((passdup = strdup(pass)) == NULL) {
+ retval = PAM_BUF_ERR;
goto cleanup;
}
-
- PAM_LOG("New passwords are the same");
-
- /* Change it */
- krbret = krb5_change_password(pam_context, &creds, (char *)pass,
+ krbret = krb5_change_password(pam_context, &creds, passdup,
&result_code, &result_code_string, &result_string);
+ free(passdup);
if (krbret != 0) {
PAM_LOG("Error krb5_change_password(): %s",
error_message(krbret));
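Review bot: `free(passdup);` right after the `krb5_change_password` call releases a heap copy of the new password without clearing it, so the cleartext lingers in freed memory until the allocator reuses it; clear the buffer first, e.g. `memset(passdup, 0, strlen(passdup));` immediately before `free(passdup);` (a plain memset before free may be optimised away, so a platform-provided non-elidable variant is preferable where one exists). The `for (;;)` loop above it retries on PAM_TRY_AGAIN with no upper bound, where the code it replaces asked exactly once; the same unbounded loop is introduced in pam_unix.c's pam_sm_chauthtok, which dropped its MAX_TRIES limit in the same commit, and a retry counter in both would restore a cap. pam_sm_chauthtok starts and ends outside the hunk.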
diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c
index 521fbb4..b4bafc9 100644
--- a/lib/libpam/modules/pam_opie/pam_opie.c
+++ b/lib/libpam/modules/pam_opie/pam_opie.c
@@ -2,9 +2,7 @@
* Copyright 2000 James Bloom
* All rights reserved.
* Based upon code Copyright 1998 Juniper Networks, Inc.
- * Copyright (c) 2001 Networks Associates Technology, Inc.
- * All rights reserved.
- * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@@ -124,7 +122,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
- retval = pam_get_authtok(pamh, &response, prompt);
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &response, prompt);
if (retval != PAM_SUCCESS) {
opieunlock();
PAM_RETURN(retval);
diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c
index 4e19f82..56eaff4 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.c
+++ b/lib/libpam/modules/pam_radius/pam_radius.c
@@ -1,7 +1,7 @@
/*-
* Copyright 1998 Juniper Networks, Inc.
* All rights reserved.
- * Copyright (c) 2001 Networks Associates Technology, Inc.
+ * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@@ -63,7 +63,7 @@ static struct opttab other_options[] = {
};
#define MAX_CHALLENGE_MSGS 10
-#define PASSWORD_PROMPT "RADIUS password:"
+#define PASSWORD_PROMPT "RADIUS Password:"
static int build_access_request(struct rad_handle *, const char *,
const char *, const void *, size_t);
@@ -237,7 +237,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Got user: %s", user);
- retval = pam_get_authtok(pamh, &pass, PASSWORD_PROMPT);
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
diff --git a/lib/libpam/modules/pam_self/pam_self.c b/lib/libpam/modules/pam_self/pam_self.c
index ae42ba4..da93596 100644
--- a/lib/libpam/modules/pam_self/pam_self.c
+++ b/lib/libpam/modules/pam_self/pam_self.c
@@ -1,7 +1,7 @@
/*-
* Copyright (c) 2001 Mark R V Murray
* All rights reserved.
- * Copyright (c) 2001 Networks Associates Technology, Inc.
+ * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@@ -74,7 +74,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Options processed");
- pam_err = pam_get_item(pamh, PAM_USER, (const void **)&luser);
+ pam_err = pam_get_user(pamh, &luser, NULL);
if (pam_err != PAM_SUCCESS)
PAM_RETURN(pam_err);
if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
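Review bot: `pam_get_user(pamh, &luser, NULL)` may prompt the application for a user name when PAM_USER is unset, whereas the `pam_get_item()` call it replaces only read the existing item, so this hunk changes when the module interacts with the user; a one-line comment such as `/* pam_get_user() may prompt if PAM_USER is not set yet */` would record that this is intended. The `luser == NULL` test on the following line looks redundant after a successful `pam_get_user()`, but whether that call can succeed with a NULL name is not visible here. pam_sm_authenticate starts and ends outside the hunk.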
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c
index 853bac7..f4d7f47 100644
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.c
@@ -1,7 +1,7 @@
/*-
* Copyright (c) 1999, 2000 Andrew J. Korty
* All rights reserved.
- * Copyright (c) 2001 Networks Associates Technology, Inc.
+ * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@@ -69,12 +69,15 @@ __FBSDID("$FreeBSD$");
#include "log.h"
#include "pam_ssh.h"
+static void key_cleanup(pam_handle_t *, void *, int);
+static void ssh_cleanup(pam_handle_t *, void *, int);
+
/*
* Generic cleanup function for OpenSSH "Key" type.
*/
-void
-key_cleanup(pam_handle_t *pamh, void *data, int error_status)
+static void
+key_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
{
if (data)
key_free(data);
@@ -85,8 +88,8 @@ key_cleanup(pam_handle_t *pamh, void *data, int error_status)
* Generic PAM cleanup function for this module.
*/
-void
-ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
+static void
+ssh_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
{
if (data)
free(data);
@@ -107,7 +110,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
{
char *comment; /* private key comment */
char *data_name; /* PAM state */
- static int index = 0; /* for saved keys */
+ static int key_idx = 0; /* for saved keys */
Key *key; /* user's key */
char *path; /* to key files */
int retval; /* from calls */
@@ -140,7 +143,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
/* save the key and comment to pass to ssh-agent in the session
phase */
- if (!asprintf(&data_name, "ssh_private_key_%d", index)) {
+ if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
free(comment);
return PAM_SERVICE_ERR;
@@ -152,7 +155,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
free(comment);
return retval;
}
- if (!asprintf(&data_name, "ssh_key_comment_%d", index)) {
+ if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
free(comment);
return PAM_SERVICE_ERR;
@@ -164,7 +167,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
return retval;
}
- ++index;
+ ++key_idx;
return PAM_SUCCESS;
}
@@ -175,13 +178,13 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
*/
static int
-add_keys(pam_handle_t *pamh, char *socket)
+add_keys(pam_handle_t *pamh)
{
AuthenticationConnection *ac; /* connection to ssh-agent */
char *comment; /* private key comment */
char *data_name; /* PAM state */
int final; /* final return value */
- int index; /* for saved keys */
+ int key_idx; /* for saved keys */
Key *key; /* user's private key */
int retval; /* from calls */
@@ -217,8 +220,8 @@ add_keys(pam_handle_t *pamh, char *socket)
/* hand off each private key to the agent */
final = 0;
- for (index = 0; ; index++) {
- if (!asprintf(&data_name, "ssh_private_key_%d", index)) {
+ for (key_idx = 0; ; key_idx++) {
+ if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
ssh_close_authentication_connection(ac);
return PAM_SERVICE_ERR;
@@ -227,7 +230,7 @@ add_keys(pam_handle_t *pamh, char *socket)
free(data_name);
if (retval != PAM_SUCCESS)
break;
- if (!asprintf(&data_name, "ssh_key_comment_%d", index)) {
+ if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
ssh_close_authentication_connection(ac);
return PAM_SERVICE_ERR;
@@ -248,8 +251,8 @@ add_keys(pam_handle_t *pamh, char *socket)
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc, const char **argv)
{
int authenticated; /* user authenticated? */
char *dotdir; /* .ssh dir name */
@@ -262,7 +265,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
int retval; /* from calls */
const char *user; /* username */
- keyfiles = DEF_KEYFILES;
+ keyfiles = NULL;
options = 0;
for (; argc; argc--, argv++)
if (strncmp(*argv, OPT_KEYFILES "=", sizeof OPT_KEYFILES)
@@ -282,8 +285,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
/* pass prompt message to application and receive passphrase */
- if ((retval = pam_get_authtok(pamh, &pass, NEED_PASSPHRASE))
- != PAM_SUCCESS)
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NEED_PASSPHRASE);
+ if (retval != PAM_SUCCESS)
return retval;
OpenSSL_add_all_algorithms(); /* required for DSA */
@@ -297,7 +300,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
return PAM_SERVICE_ERR;
}
authenticated = 0;
- keyfiles = strdup(keyfiles);
+ keyfiles = strdup(keyfiles ? keyfiles : DEF_KEYFILES);
for (file = strtok(keyfiles, SEP_KEYFILES); file;
file = strtok(NULL, SEP_KEYFILES))
if (auth_via_key(pamh, file, dotdir, pwent, pass) ==
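Review bot: The result of `strdup()` on the `keyfiles = strdup(keyfiles ? keyfiles : DEF_KEYFILES);` line is never checked, so on allocation failure the loop calls `strtok(NULL, SEP_KEYFILES)`, which continues whatever tokenisation was last in progress instead of failing; add `if (keyfiles == NULL) return PAM_SERVICE_ERR;` before the loop, releasing anything the function has already allocated (those allocations are outside the hunk). `strtok()` also keeps static state, so `strsep()` over the copy would be the reentrant choice for a library module. pam_sm_authenticate starts and ends outside the hunk.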
@@ -327,15 +330,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char **argv __unused)
{
return PAM_SUCCESS;
}
PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char **argv __unused)
{
char *agent_socket; /* agent socket */
char *env_end; /* end of env */
@@ -525,7 +529,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
if (!agent_socket)
return PAM_SESSION_ERR;
- if (start_agent && (retval = add_keys(pamh, agent_socket))
+ if (start_agent && (retval = add_keys(pamh))
!= PAM_SUCCESS)
return retval;
free(agent_socket);
@@ -565,8 +569,8 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char **argv __unused)
{
const char *env_file; /* ssh-agent environment */
pid_t pid; /* ssh-agent process id */
@@ -600,7 +604,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
just call kill(). */
pid = atoi(ssh_agent_pid);
- if (ssh_agent_pid <= 0)
+ if (pid <= 0)
return PAM_SESSION_ERR;
if (kill(pid, SIGTERM) != 0) {
openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
@@ -612,15 +616,15 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char **argv __unused)
{
return (PAM_IGNORE);
}
PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char **argv __unused)
{
return (PAM_IGNORE);
}
diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
index 05e98cc..9dfe937 100644
--- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c
+++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
@@ -1,7 +1,7 @@
/*-
* Copyright 1998 Juniper Networks, Inc.
* All rights reserved.
- * Copyright (c) 2001 Networks Associates Technology, Inc.
+ * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@@ -226,11 +226,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
PAM_RETURN(PAM_SERVICE_ERR);
if (status == TAC_AUTHEN_STATUS_GETUSER)
retval = pam_get_user(pamh, &user_msg,
- srvr_msg[0] != '\0' ? srvr_msg : NULL);
+ *srvr_msg ? srvr_msg : NULL);
else if (status == TAC_AUTHEN_STATUS_GETPASS)
- retval = pam_get_authtok(pamh, &user_msg,
- srvr_msg[0] != '\0' ? srvr_msg :
- "Password:");
+ retval = pam_get_authtok(pamh,
+ PAM_AUTHTOK, &user_msg,
+ *srvr_msg ? srvr_msg : "Password:");
free(srvr_msg);
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
@@ -247,9 +247,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
retval = pam_prompt(pamh,
pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
- &data_msg,
- "%s",
- srvr_msg[0] != '\0' ? srvr_msg : "Data:");
+ &data_msg, "%s", *srvr_msg ? srvr_msg : "Data:");
free(srvr_msg);
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 09910a6..b1d68b7 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -76,21 +76,13 @@ __FBSDID("$FreeBSD$");
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
-#define USER_PROMPT "Username: "
-#define PASSWORD_PROMPT "Password:"
-#define PASSWORD_PROMPT_EXPIRED "\nPassword expired\nOld Password:"
-#define NEW_PASSWORD_PROMPT_1 "New Password:"
-#define NEW_PASSWORD_PROMPT_2 "New Password (again):"
#define PASSWORD_HASH "md5"
#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
-#define MAX_TRIES 3
#define SALTSIZE 32
static void makesalt(char []);
-static char password_prompt_def[] = PASSWORD_PROMPT;
static char password_hash[] = PASSWORD_HASH;
-static char blank[] = "";
static char colon[] = ":";
enum {
@@ -149,7 +141,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
lc = login_getclass(NULL);
password_prompt = login_getcapstr(lc, "passwd_prompt",
- password_prompt_def, password_prompt_def);
+ password_prompt, NULL);
login_close(lc);
lc = NULL;
@@ -167,7 +159,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_RETURN(PAM_SUCCESS);
}
else {
- retval = pam_get_authtok(pamh, &pass, password_prompt);
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK,
+ &pass, password_prompt);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
@@ -190,7 +183,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
* User unknown.
* Encrypt a dummy password so as to not give away too much.
*/
- retval = pam_get_authtok(pamh, &pass, password_prompt);
+ retval = pam_get_authtok(pamh,
+ PAM_AUTHTOK, &pass, password_prompt);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
@@ -240,7 +234,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
PAM_LOG("Options processed");
- retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
+ retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
@@ -375,9 +369,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
struct passwd *pwd;
- int retval, retry, res, got;
- const char *user, *pass;
- char *new_pass, *new_pass_, *encrypted, *usrdup;
+ const char *user, *pass, *new_pass;
+ char *encrypted, *usrdup;
+ int retval, res;
pam_std_option(&options, other_options, argc, argv);
@@ -403,83 +397,48 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
/*
* No password case. XXX Are we giving too much away
* by not prompting for a password?
+ * XXX check PAM_DISALLOW_NULL_AUTHTOK
*/
- PAM_LOG("No password, and null password OK");
+ PAM_LOG("Got password");
PAM_RETURN(PAM_SUCCESS);
}
else {
- retval = pam_get_authtok(pamh, &pass,
- PASSWORD_PROMPT_EXPIRED);
+ retval = pam_get_authtok(pamh,
+ PAM_OLDAUTHTOK, &pass, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
- PAM_LOG("Got password: %s", pass);
+ PAM_LOG("Got password");
}
encrypted = crypt(pass, pwd->pw_passwd);
if (pass[0] == '\0' && pwd->pw_passwd[0] != '\0')
encrypted = colon;
- PAM_LOG("Encrypted password 1 is: %s", encrypted);
- PAM_LOG("Encrypted password 2 is: %s", pwd->pw_passwd);
-
- if (strcmp(encrypted, pwd->pw_passwd) != 0)
+ if (strcmp(encrypted, pwd->pw_passwd) != 0) {
+ pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
PAM_RETURN(PAM_AUTH_ERR);
-
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *)pass);
- pass = NULL;
- if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
-
- PAM_LOG("Stashed old password");
-
- retval = pam_set_item(pamh, PAM_AUTHTOK, (const void *)pass);
- if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
-
- PAM_LOG("Voided old password");
+ }
PAM_RETURN(PAM_SUCCESS);
}
else if (flags & PAM_UPDATE_AUTHTOK) {
PAM_LOG("UPDATE round; checking user password");
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK,
- (const void **)&pass);
+ retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
- PAM_LOG("Got old password: %s", pass);
-
- got = 0;
- retry = 0;
- while (retry++ < MAX_TRIES) {
- new_pass = NULL;
- retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
- &new_pass, "%s", NEW_PASSWORD_PROMPT_1);
-
- if (new_pass == NULL)
- new_pass = blank;
-
- if (retval == PAM_SUCCESS) {
- new_pass_ = NULL;
- retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
- &new_pass_, "%s", NEW_PASSWORD_PROMPT_2);
-
- if (new_pass_ == NULL)
- new_pass_ = blank;
-
- if (retval == PAM_SUCCESS) {
- if (strcmp(new_pass, new_pass_) == 0) {
- got = 1;
- break;
- }
- else
- PAM_VERBOSE_ERROR("Password mismatch");
- }
- }
+ PAM_LOG("Got old password");
+
+ for (;;) {
+ retval = pam_get_authtok(pamh,
+ PAM_AUTHTOK, &new_pass, NULL);
+ if (retval != PAM_TRY_AGAIN)
+ break;
+ pam_error(pamh, "Mismatch; try again, EOF to quit.");
}
- if (!got) {
- PAM_VERBOSE_ERROR("Unable to get valid password");
+ if (retval != PAM_SUCCESS) {
+ PAM_VERBOSE_ERROR("Unable to get new password");
PAM_RETURN(PAM_PERM_DENIED);
}
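Review bot: `encrypted = crypt(pass, pwd->pw_passwd);` in the PRELIM branch is passed straight to `strcmp()` with no NULL check; crypt(3) can return NULL on failure, so `if (encrypted == NULL) PAM_RETURN(PAM_AUTH_ERR);` between the two lines would avoid dereferencing it. In the no-password branch the log line now reads `PAM_LOG("Got password");` although no token was obtained there; a message such as `PAM_LOG("No password, and null password OK");` keeps the log accurate. The added `XXX check PAM_DISALLOW_NULL_AUTHTOK` comment flags a real gap: an empty password is accepted in that branch regardless of the flag, which the commit leaves for later. pam_sm_chauthtok starts and ends outside the hunk.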
@@ -523,10 +482,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
#else
retval = local_passwd(user, new_pass);
#endif
-
- /* XXX wipe the mem as well */
- pass = NULL;
- new_pass = NULL;
}
else {
/* Very bad juju */
@@ -556,7 +511,6 @@ local_passwd(const char *user, const char *pass)
{
login_cap_t * lc;
struct passwd *pwd;
- struct timeval tv;
int pfd, tfd;
char *crypt_type, salt[SALTSIZE + 1];
@@ -598,16 +552,13 @@ local_passwd(const char *user, const char *pass)
int
yp_passwd(const char *user __unused, const char *pass)
{
+ struct yppasswd yppwd;
struct master_yppasswd master_yppwd;
struct passwd *pwd;
struct rpc_err err;
- struct timeval tv;
- struct yppasswd yppwd;
CLIENT *clnt;
login_cap_t *lc;
int *status;
- gid_t gid;
- pid_t pid;
uid_t uid;
char *master, sockname[] = YP_SOCKNAME, salt[SALTSIZE + 1];