Clean up (and in some cases write) the PAM mudules, using

o The new options-processing API
o The new DEBUG-logging API

Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.

Audit, clean up while I'm here.

35 files changed, 2030 insertions, 266 deletions

diff --git a/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c b/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c
index 437225c..b3562f5 100644
--- a/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c
+++ b/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c
@@ -33,8 +33,7 @@
 #include <security/pam_modules.h>
 
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
-    const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
 	int retval;
 	const void *item;
@@ -42,12 +41,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 	const char *tty;
 	const char *rhost;
 
-	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS)
 		return retval;
-	if ((retval = pam_get_item(pamh, PAM_TTY, &item)) != PAM_SUCCESS)
+	retval = pam_get_item(pamh, PAM_TTY, &item);
+	if (retval != PAM_SUCCESS)
 		return retval;
 	tty = (const char *)item;
-	if ((retval = pam_get_item(pamh, PAM_RHOST, &item)) != PAM_SUCCESS)
+	retval = pam_get_item(pamh, PAM_RHOST, &item);
+	if (retval != PAM_SUCCESS)
 		return retval;
 	rhost = (const char *)item;
 	/*
diff --git a/lib/libpam/modules/pam_deny/Makefile b/lib/libpam/modules/pam_deny/Makefile
index f3dfad3..9e07378 100644
--- a/lib/libpam/modules/pam_deny/Makefile
+++ b/lib/libpam/modules/pam_deny/Makefile
@@ -27,7 +27,6 @@
 LIB=		pam_deny
 SHLIB_NAME=	pam_deny.so
 SRCS=		pam_deny.c
+MAN=		pam_deny.8
 
 .include <bsd.lib.mk>
-
-.PATH:		${PAMDIR}/modules/pam_deny
diff --git a/lib/libpam/modules/pam_deny/pam_deny.8 b/lib/libpam/modules/pam_deny/pam_deny.8
new file mode 100644
index 0000000..ed35bc5
--- /dev/null
+++ b/lib/libpam/modules/pam_deny/pam_deny.8
@@ -0,0 +1,75 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 7, 2001
+.Dt PAM_DENY 8
+.Os
+.Sh NAME
+.Nm pam_deny
+.Nd Deny PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_deny
+.Op Ar options
+.Sh DESCRIPTION
+The Deny authentication service module for PAM,
+.Nm
+provides functionality for all the PAM categories:
+authentication,
+account management,
+session management and
+password management.
+In terms of the 
+.Ar module-type
+parameter, these are the
+.Dv auth ,
+.Dv account ,
+.Dv session
+and
+.Dv password
+features.
+.Pp
+The Deny module
+will universally deny all requests.
+It is primarily of use during testing,
+and to
+.Dq null-out
+unwanted functionality.
+.Pp
+The following options may be passed to the module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh SEE ALSO
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_deny/pam_deny.c b/lib/libpam/modules/pam_deny/pam_deny.c
new file mode 100644
index 0000000..9cbb8f0
--- /dev/null
+++ b/lib/libpam/modules/pam_deny/pam_deny.c
@@ -0,0 +1,109 @@
+/*-
+ * Copyright 2001 Mark R V Murray
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+
+#include <security/pam_modules.h>
+#include "pam_mod_misc.h"
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_CRED_UNAVAIL);
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_ACCT_EXPIRED);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_AUTHTOK_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SYSTEM_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SYSTEM_ERR);
+}
+
+PAM_MODULE_ENTRY("pam_deny");
diff --git a/lib/libpam/modules/pam_ftp/Makefile b/lib/libpam/modules/pam_ftp/Makefile
index 17f8a0f..78717d4 100644
--- a/lib/libpam/modules/pam_ftp/Makefile
+++ b/lib/libpam/modules/pam_ftp/Makefile
@@ -27,5 +27,6 @@
 LIB=		pam_ftp
 SHLIB_NAME=	pam_ftp.so
 SRCS=		pam_ftp.c
+MAN=		pam_ftp.8
 
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.8 b/lib/libpam/modules/pam_ftp/pam_ftp.8
new file mode 100644
index 0000000..423564b
--- /dev/null
+++ b/lib/libpam/modules/pam_ftp/pam_ftp.8
@@ -0,0 +1,92 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_FTP 8
+.Os
+.Sh NAME
+.Nm pam_ftp
+.Nd FTP PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_ftp
+.Op Ar options
+.Sh DESCRIPTION
+The FTP authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the 
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss FTP Authentication Module
+The FTP authentication component
+.Pq Fn pam_sm_authenticate ,
+authenticates the anonymous user
+.Pq usually Do anonymous Dc or Do ftp Dc
+usually by simply requesting an email address as a password.
+The supplied email address is broken up
+into its username and host parts,
+and these are assigned to the
+.Dv PAM_RUSER
+and
+.Dv PAM_RHOST
+facilities respectively.
+.Pp
+This module is intended for the
+.Xr ftpd 8
+service.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm no_anon
+Disallow anonymous access.
+.It Cm ignore
+Ingnore the password supplied,
+and do not use its constituent parts
+.Pq username and hostname
+as
+.Dv PAM_RUSER
+and
+.Dv PAM_RHOST
+respectively.
+.El
+.Sh SEE ALSO
+.Xr ftp 1 ,
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr ftpd 8 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.c b/lib/libpam/modules/pam_ftp/pam_ftp.c
index 673f73c..df63c6a 100644
--- a/lib/libpam/modules/pam_ftp/pam_ftp.c
+++ b/lib/libpam/modules/pam_ftp/pam_ftp.c
@@ -26,11 +26,8 @@
  * $FreeBSD$
  */
 
-#define PLEASE_ENTER_PASSWORD "Password required for %s."
-#define GUEST_LOGIN_PROMPT "Guest login ok, send your e-mail address as password."
-
-/* the following is a password that "can't be correct" */
-#define BLOCK_PASSWORD "\177BAD PASSWPRD\177"
+#define	PROMPT		"OINK Password required for %s."
+#define	GUEST_PROMPT	"TWEET Guest login ok, send your e-mail address as password."
 
 #include <security/_pam_aconf.h>
 
@@ -41,20 +38,23 @@
 #include <stdarg.h>
 #include <string.h>
 
-/* here, we make a definition for the externally accessible function in this
- * file (this definition is required for static a module but strongly
- * encouraged generally) it is used to instruct the modules include file to
- * define the function prototypes. */
-
 #define PAM_SM_AUTH
 #include <security/pam_modules.h>
 #include <pam_mod_misc.h>
 
 #include <security/_pam_macros.h>
 
+enum { PAM_OPT_NO_ANON=PAM_OPT_STD_MAX, PAM_OPT_IGNORE };
+
+static struct opttab other_options[] = {
+	{ "no_anon",	PAM_OPT_NO_ANON },
+	{ "ignore",	PAM_OPT_IGNORE },
+	{ NULL, 0 }
+};
+
 static int 
 converse(pam_handle_t *pamh, int nargs, struct pam_message **message,
-	struct pam_response **response)
+    struct pam_response **response)
 {
 	struct pam_conv *conv;
 	int retval;
@@ -103,8 +103,6 @@ lookup(const char *name, char *list, const char **user)
 	return anon;
 }
 
-/* --- authentication management functions (only) --- */
-
 /* Check if the user name is 'ftp' or 'anonymous'.
  * If this is the case, set the PAM_RUSER to the entered email address
  * and succeed, otherwise fail.
@@ -112,47 +110,52 @@ lookup(const char *name, char *list, const char **user)
 PAM_EXTERN int 
 pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
 {
+	struct options options;
 	struct pam_message msg[1], *mesg[1];
 	struct pam_response *resp;
-	int retval, anon, options, i;
-	const char *user, *token;
+	int retval, anon;
 	char *users, *context, *prompt;
+	const char *user, *token;
 
 	users = prompt = NULL;
 
-	options = 0;
-	for (i = 0;  i < argc;  i++)
-		pam_std_option(&options, argv[i]);
+	pam_std_option(&options, other_options, argc, argv);
+
+	PAM_LOG("Options processed");
 
 	retval = pam_get_user(pamh, &user, NULL);
 	if (retval != PAM_SUCCESS || user == NULL)
-		return PAM_USER_UNKNOWN;
+		PAM_RETURN(PAM_USER_UNKNOWN);
 
 	anon = 0;
-	if (!(options & PAM_OPT_NO_ANON))
+	if (!pam_test_option(&options, PAM_OPT_NO_ANON, NULL))
 		anon = lookup(user, users, &user);
 
 	if (anon) {
 		retval = pam_set_item(pamh, PAM_USER, (const void *)user);
 		if (retval != PAM_SUCCESS || user == NULL)
-			return PAM_USER_UNKNOWN;
+			PAM_RETURN(PAM_USER_UNKNOWN);
 	}
 
+	PAM_LOG("Got user: %s", user);
+
 	/* Require an email address for user's password. */
 	if (!anon) {
-		prompt = malloc(strlen(PLEASE_ENTER_PASSWORD) + strlen(user));
+		prompt = malloc(strlen(PROMPT) + strlen(user));
 		if (prompt == NULL)
-			return PAM_BUF_ERR;
+			PAM_RETURN(PAM_BUF_ERR);
 		else {
-			sprintf(prompt, PLEASE_ENTER_PASSWORD, user);
+			sprintf(prompt, PROMPT, user);
 			msg[0].msg = prompt;
 		}
 	}
 	else
-		msg[0].msg = GUEST_LOGIN_PROMPT;
+		msg[0].msg = GUEST_PROMPT;
 	msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
 	mesg[0] = &msg[0];
 
+	PAM_LOG("Sent prompt");
+
 	resp = NULL;
 	retval = converse(pamh, 1, mesg, &resp);
 	if (prompt) {
@@ -160,15 +163,19 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
 		_pam_drop(prompt);
 	}
 
+	PAM_LOG("Done conversation 1");
+
 	if (retval != PAM_SUCCESS) {
 		if (resp != NULL)
 			_pam_drop_reply(resp, 1);
-		return retval == PAM_CONV_AGAIN
-			? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL;
+		PAM_RETURN(retval == PAM_CONV_AGAIN
+			? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL);
 	}
 
+	PAM_LOG("Done conversation 2");
+
 	if (anon) {
-		if (!(options & PAM_OPT_IGNORE)) {
+		if (!pam_test_option(&options, PAM_OPT_IGNORE, NULL)) {
 			token = strtok_r(resp->resp, "@", &context);
 			pam_set_item(pamh, PAM_RUSER, token);
 
@@ -178,16 +185,21 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
 			}
 		}
 		retval = PAM_SUCCESS;
+
+		PAM_LOG("Done anonymous");
+
 	}
 	else {
 		pam_set_item(pamh, PAM_AUTHTOK, resp->resp);
 		retval = PAM_AUTH_ERR;
+
+		PAM_LOG("Done non-anonymous");
 	}
 
 	if (resp)
-		_pam_drop_reply(resp, i);
+		_pam_drop_reply(resp, 1);
 
-	return retval;
+	PAM_RETURN(retval);
 }
 
 PAM_EXTERN int 
@@ -196,6 +208,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
 	return PAM_IGNORE;
 }
 
-/* end of module definition */
-
 PAM_MODULE_ENTRY("pam_ftp");
diff --git a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
index 403f8d6..bf7a451 100644
--- a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
+++ b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
@@ -47,9 +47,9 @@ int	noticketsdontcomplain = 1;
 char	*krbtkfile_env;
 
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
-    const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
+	struct options options;
 	int retval;
 	const char *user;
 	char *principal;
@@ -57,40 +57,46 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 	const char *password;
 	char localhost[MAXHOSTNAMELEN + 1];
 	struct passwd *pwd;
-	int options;
-	int i;
 
-	options = 0;
-	for (i = 0;  i < argc;  i++)
-		pam_std_option(&options, argv[i]);
-	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+	pam_std_option(&options, NULL, argc, argv);
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS)
 		return retval;
-	if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
-	    options)) != PAM_SUCCESS)
+
+	retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, &options);
+	if (retval != PAM_SUCCESS)
 		return retval;
+
 	if (gethostname(localhost, sizeof localhost - 1) == -1)
 		return PAM_SYSTEM_ERR;
-	if ((principal = strdup(user)) == NULL)
+
+	principal = strdup(user);
+	if (principal == NULL)
 		return PAM_BUF_ERR;
-	if ((instance = strchr(principal, '.')) != NULL)
+
+	instance = strchr(principal, '.');
+	if (instance != NULL)
 		*instance++ = '\0';
 	else
 		instance = "";
-	if ((pwd = getpwnam(user)) != NULL &&
-	    klogin(pwd, instance, localhost, (char *)password) == 0) {
-		if (!(flags & PAM_SILENT) && notickets &&
-		    !noticketsdontcomplain)
-			pam_prompt(pamh, PAM_ERROR_MSG,
-			    "Warning: no Kerberos tickets issued", NULL);
-		/*
-		 * XXX - I think the ticket file really isn't supposed to
-		 * be even created until pam_sm_setcred() is called.
-		 */
-		if (krbtkfile_env != NULL)
-			setenv("KRBTKFILE", krbtkfile_env, 1);
-		retval = PAM_SUCCESS;
-	} else
-		retval = PAM_AUTH_ERR;
+
+	retval = PAM_AUTH_ERR;
+	pwd = getpwnam(user);
+	if (pwd != NULL) {
+		if (klogin(pwd, instance, localhost, (char *)password) == 0) {
+			if (!(flags & PAM_SILENT) && notickets && !noticketsdontcomplain)
+				pam_prompt(pamh, PAM_ERROR_MSG,
+				    "Warning: no Kerberos tickets issued",
+				    NULL);
+			/*
+			 * XXX - I think the ticket file isn't supposed to
+			 * be created until pam_sm_setcred() is called.
+			 */
+			if (krbtkfile_env != NULL)
+				setenv("KRBTKFILE", krbtkfile_env, 1);
+			retval = PAM_SUCCESS;
+		}
+	}
 	/*
 	 * The PAM infrastructure will obliterate the cleartext
 	 * password before returning to the application.
diff --git a/lib/libpam/modules/pam_nologin/Makefile b/lib/libpam/modules/pam_nologin/Makefile
index db23a3d..bc18408 100644
--- a/lib/libpam/modules/pam_nologin/Makefile
+++ b/lib/libpam/modules/pam_nologin/Makefile
@@ -27,7 +27,6 @@
 LIB=		pam_nologin
 SHLIB_NAME=	pam_nologin.so
 SRCS=		pam_nologin.c
+MAN=		pam_nologin.8
 
 .include <bsd.lib.mk>
-
-.PATH:		${PAMDIR}/modules/pam_nologin
diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8
new file mode 100644
index 0000000..dd39981
--- /dev/null
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.8
@@ -0,0 +1,77 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_NOLOGIN 8
+.Os
+.Sh NAME
+.Nm pam_nologin
+.Nd NoLogin PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_nologin
+.Op Ar options
+.Sh DESCRIPTION
+The NoLogin authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the 
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss NoLogin Authentication Module
+The NoLogin authentication component
+.Pq Fn pam_sm_authenticate ,
+always returns success for the superuser,
+and returns success for all other users
+if the file
+.Pa /var/run/nologin
+does not exist.
+If
+.Pa /var/run/nologin
+does exist,
+then its contents are echoed
+to non-superusers
+before failure is returned.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh SEE ALSO
+.Xr syslog 3 ,
+.Xr nologin 5 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c
new file mode 100644
index 0000000..4a56342
--- /dev/null
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.c
@@ -0,0 +1,115 @@
+/*-
+ * Copyright 2001 Mark R V Murray
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define PAM_SM_AUTH
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <pwd.h>
+
+#include <security/_pam_macros.h>
+#include <security/pam_modules.h>
+#include "pam_mod_misc.h"
+
+#define	NOLOGIN	"/var/run/nologin"
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+	struct pam_conv *conv;
+	struct pam_message message, *pmessage;
+	struct pam_response *resp;
+	struct passwd *user_pwd;
+	struct stat st;
+	int retval, fd;
+	const char *user;
+	char *mtmp;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
+
+	PAM_LOG("Got user: %s", user);
+
+	fd = open(NOLOGIN, O_RDONLY, 0);
+	if (fd < 0)
+		PAM_RETURN(PAM_SUCCESS);
+
+	PAM_LOG("Opened %s file", NOLOGIN);
+
+	user_pwd = getpwnam(user);
+	if (user_pwd && user_pwd->pw_uid == 0) {
+		message.msg_style = PAM_TEXT_INFO;
+		retval = PAM_SUCCESS;
+	}
+	else {
+		message.msg_style = PAM_ERROR_MSG;
+		if (!user_pwd)
+			retval = PAM_USER_UNKNOWN;
+		else
+			retval = PAM_AUTH_ERR;
+	}
+	
+	if (fstat(fd, &st) < 0)
+		PAM_RETURN(retval);
+	message.msg = mtmp = malloc(st.st_size + 1);
+	if (!message.msg)
+		PAM_RETURN(retval);
+
+	read(fd, mtmp, st.st_size);
+	mtmp[st.st_size] = '\0';
+
+	pmessage = &message;
+	resp = NULL;
+	pam_get_item(pamh, PAM_CONV, (const void **)&conv);
+	conv->conv(1, (const struct pam_message **)&pmessage, &resp,
+	    conv->appdata_ptr);
+
+	free(mtmp);
+	if (resp)
+		   _pam_drop_reply(resp, 1);
+	
+	PAM_RETURN(retval);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}
+
+PAM_MODULE_ENTRY("pam_nologin");
diff --git a/lib/libpam/modules/pam_opie/Makefile b/lib/libpam/modules/pam_opie/Makefile
index 7d14ccf..704f2f6 100644
--- a/lib/libpam/modules/pam_opie/Makefile
+++ b/lib/libpam/modules/pam_opie/Makefile
@@ -30,5 +30,6 @@ SHLIB_NAME=	pam_opie.so
 SRCS=		pam_opie.c
 DPADD=		${LIBOPIE}
 LDADD=		-lopie
+MAN=		pam_opie.8
 
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_opie/pam_opie.8 b/lib/libpam/modules/pam_opie/pam_opie.8
new file mode 100644
index 0000000..9f00a90
--- /dev/null
+++ b/lib/libpam/modules/pam_opie/pam_opie.8
@@ -0,0 +1,91 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 7, 2001
+.Dt PAM_OPIE 8
+.Os
+.Sh NAME
+.Nm pam_opie
+.Nd OPIE PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_opie
+.Op Ar options
+.Sh DESCRIPTION
+The OPIE authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+that of authentication.
+In terms of the 
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss OPIE Authentication Module
+The OPIE authentication component
+provides functions to verify the identity of a user
+.Pq Fn pam_sm_authenticate ,
+which obtains the relevant
+.Xr opie 4
+credentials.
+It provides the user with an OPIE challenge,
+and verifies that this is correct with
+.Xr opiechallenge 3 .
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm auth_as_self
+This option will require the user
+to authenticate themself as the user
+given by
+.Fn getuid 2 ,
+not as the account they are attempting to access.
+This is primarily for services like
+.Xr su 1 ,
+where the user's ability to retype
+their own password
+might be deemed sufficient.
+.El
+.Sh FILES
+.Bl -tag -xwidth ".Pa /etc/opiekeys" -compact
+.It Pa /etc/opiekeys
+default OPIE password database.
+.El
+.Sh SEE ALSO
+.Xr passwd 1 ,
+.Xr opiechallenge 3 ,
+.Xr opie 4 ,
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c
index fa00bf8..566a694 100644
--- a/lib/libpam/modules/pam_opie/pam_opie.c
+++ b/lib/libpam/modules/pam_opie/pam_opie.c
@@ -27,77 +27,98 @@
  *	$FreeBSD$
  */
 
-#include <syslog.h>	/* XXX */
-
+#include <sys/types.h>
+#include <opie.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <string.h>
-#include <opie.h>
+#include <unistd.h>
 
 #define PAM_SM_AUTH
 #include <security/pam_modules.h>
-
 #include "pam_mod_misc.h"
 
+enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX };
+
+static struct opttab other_options[] = {
+	{ "auth_as_self",	PAM_OPT_AUTH_AS_SELF },
+	{ NULL, 0 }
+};
+
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
-    const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-	int retval;
-	const char *user;
-	const char *response;
 	struct opie opie;
+	struct options options;
+	struct passwd *pwd;
+	int retval, i;
+	char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
 	char challenge[OPIE_CHALLENGE_MAX];
 	char prompt[OPIE_CHALLENGE_MAX+22];
-	char resp_buf[OPIE_SECRET_MAX];
-	int options;
-	int i;
+	char resp[OPIE_SECRET_MAX];
+	const char *user;
+	const char *response;
+
+	pam_std_option(&options, other_options, argc, argv);
+
+	PAM_LOG("Options processed");
 
-	user = NULL;
-	options = 0;
-	for (i = 0;  i < argc;  i++)
-		pam_std_option(&options, argv[i]);
 	/*
 	 * It doesn't make sense to use a password that has already been
 	 * typed in, since we haven't presented the challenge to the user
 	 * yet.
 	 */
-	options &= ~(PAM_OPT_USE_FIRST_PASS | PAM_OPT_TRY_FIRST_PASS);
-	if ((retval = pam_get_user(pamh, (const char **)&user, NULL))
-	    != PAM_SUCCESS)
-		return retval;
+	if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) ||
+	    pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL))
+		PAM_RETURN(PAM_AUTH_ERR);
+
+	user = NULL;
+	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
+		pwd = getpwuid(getuid());
+		user = pwd->pw_name;
+	}
+	else {
+		retval = pam_get_user(pamh, (const char **)&user, NULL);
+		if (retval != PAM_SUCCESS)
+			PAM_RETURN(retval);
+	}
+
+	PAM_LOG("Got user: %s", user);
+
 	/*
 	 * Don't call the OPIE atexit() handler when our program exits,
 	 * since the module has been unloaded and we will SEGV.
 	 */
 	opiedisableaeh();
 
-	if (opiechallenge(&opie, (char *)user, challenge) != 0)
-		return PAM_AUTH_ERR;
-	snprintf(prompt, sizeof prompt, "%s\nPassword: ", challenge);
-	if ((retval = pam_get_pass(pamh, &response, prompt, options)) !=
-	    PAM_SUCCESS) {
-		opieunlock();
-		return retval;
-	}
-	if (response[0] == '\0' && !(options & PAM_OPT_ECHO_PASS)) {
-		options |= PAM_OPT_ECHO_PASS;
-		snprintf(prompt, sizeof prompt,
-			 "%s\nPassword [echo on]: ", challenge);
-		if ((retval = pam_get_pass(pamh, &response, prompt,
-		    options)) != PAM_SUCCESS) {
+	opiechallenge(&opie, (char *)user, challenge);
+	for (i = 0; i < 2; i++) {
+		snprintf(prompt, sizeof prompt, promptstr[i], challenge);
+		retval = pam_get_pass(pamh, &response, prompt, &options);
+		if (retval != PAM_SUCCESS) {
 			opieunlock();
-			return retval;
+			PAM_RETURN(retval);
 		}
+
+		PAM_LOG("Completed challenge %d: %s", i, response);
+
+		if (response[0] != '\0')
+			break;
+
+		/* Second time round, echo the password */
+		pam_set_option(&options, PAM_OPT_ECHO_PASS);
 	}
+
 	/* We have to copy the response, because opieverify mucks with it. */
-	snprintf(resp_buf, sizeof resp_buf, "%s", response);
+	snprintf(resp, sizeof resp, "%s", response);
+
 	/*
 	 * Opieverify is supposed to return -1 only if an error occurs.
 	 * But it returns -1 even if the response string isn't in the form
 	 * it expects.  Thus we can't log an error and can only check for
 	 * success or lack thereof.
 	 */
-	return opieverify(&opie, resp_buf) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
+	PAM_RETURN(opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR);
 }
 
 PAM_EXTERN int
diff --git a/lib/libpam/modules/pam_permit/Makefile b/lib/libpam/modules/pam_permit/Makefile
index e1b717d..6d797b4 100644
--- a/lib/libpam/modules/pam_permit/Makefile
+++ b/lib/libpam/modules/pam_permit/Makefile
@@ -27,7 +27,6 @@
 LIB=		pam_permit
 SHLIB_NAME=	pam_permit.so
 SRCS=		pam_permit.c
+MAN=		pam_permit.8
 
 .include <bsd.lib.mk>
-
-.PATH:		${PAMDIR}/modules/pam_permit
diff --git a/lib/libpam/modules/pam_permit/pam_permit.8 b/lib/libpam/modules/pam_permit/pam_permit.8
new file mode 100644
index 0000000..f396fe7
--- /dev/null
+++ b/lib/libpam/modules/pam_permit/pam_permit.8
@@ -0,0 +1,74 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 7, 2001
+.Dt PAM_PERMIT 8
+.Os
+.Sh NAME
+.Nm pam_permit
+.Nd Promiscuous PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_permit
+.Op Ar options
+.Sh DESCRIPTION
+The Promiscuous authentication service module for PAM,
+.Nm
+provides functionality for all the PAM categories:
+authentication,
+account management,
+session management and
+password management.
+In terms of the 
+.Ar module-type
+parameter, these are the
+.Dv auth ,
+.Dv account ,
+.Dv session
+and
+.Dv password
+features.
+.Pp
+The Promiscuous module
+will universally allow all requests.
+It is primarily of use during testing,
+and to silence 
+.Dq noisy
+PAM-enabled applications.
+.Pp
+The following options may be passed to the module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.Sh SEE ALSO
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_permit/pam_permit.c b/lib/libpam/modules/pam_permit/pam_permit.c
new file mode 100644
index 0000000..b02306c
--- /dev/null
+++ b/lib/libpam/modules/pam_permit/pam_permit.c
@@ -0,0 +1,126 @@
+/*-
+ * Copyright 2001 Mark R V Murray
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define	PAM_SM_AUTH
+#define	PAM_SM_ACCOUNT
+#define	PAM_SM_SESSION
+#define	PAM_SM_PASSWORD
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+#include "pam_mod_misc.h"
+
+#define NOBODY "nobody"
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+	int retval;
+	const char *user;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	/* We always need to know who the user is */
+	user = NULL;
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
+
+	PAM_LOG("Got user: %s", user);
+
+	if (user == NULL || *user == '\0')
+		pam_set_item(pamh, PAM_USER, (const void *)NOBODY);
+	user = NULL;
+
+	PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_permit");
diff --git a/lib/libpam/modules/pam_radius/pam_radius.8 b/lib/libpam/modules/pam_radius/pam_radius.8
index c5053fe..abe0095 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.8
+++ b/lib/libpam/modules/pam_radius/pam_radius.8
@@ -45,12 +45,11 @@
 .Nm pam_radius
 .Nd RADIUS authentication PAM module
 .Sh SYNOPSIS
-.Nm pam_radius.so
-.Op Cm use_first_pass
-.Op Cm try_first_pass
-.Op Cm echo_pass
-.Op Cm conf Ns No = Ns Ar pathname
-.Op Cm template_user Ns No = Ns Ar username
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_radius
+.Op Ar options
 .Sh DESCRIPTION
 The
 .Nm
diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c
index c04d8f2..781e1d4 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.c
+++ b/lib/libpam/modules/pam_radius/pam_radius.c
@@ -39,12 +39,16 @@
 
 #include "pam_mod_misc.h"
 
-#define MAX_CHALLENGE_MSGS	10
-#define PASSWORD_PROMPT	"RADIUS password:"
+enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
 
-/* Option names, including the "=" sign. */
-#define OPT_CONF		"conf="
-#define OPT_TMPL		"template_user="
+static struct opttab other_options[] = {
+	{ "conf",		PAM_OPT_CONF },
+	{ "template_user",	PAM_OPT_TEMPLATE_USER },
+	{ NULL, 0 }
+};
+
+#define	MAX_CHALLENGE_MSGS	10
+#define	PASSWORD_PROMPT		"RADIUS password:"
 
 static int	 build_access_request(struct rad_handle *, const char *,
 		    const char *, const void *, size_t);
@@ -194,48 +198,59 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
 }
 
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
-    const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
+	struct options options;
 	struct rad_handle *radh;
-	const char *user;
-	const char *pass;
-	const char *conf_file = NULL;
-	const char *template_user = NULL;
-	int options = 0;
+	const char *user, *tmpuser, *pass;
+	char *conf_file, *template_user;
 	int retval;
-	int i;
 	int e;
 
-	for (i = 0;  i < argc;  i++) {
-		size_t len;
+	pam_std_option(&options, other_options, argc, argv);
 
-		pam_std_option(&options, argv[i]);
-		if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0)
-			conf_file = argv[i] + len;
-		else if (strncmp(argv[i], OPT_TMPL,
-		    (len = strlen(OPT_TMPL))) == 0)
-			template_user = argv[i] + len;
-	}
-	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
-		return retval;
-	if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT,
-	    options)) != PAM_SUCCESS)
-		return retval;
+	PAM_LOG("Options processed");
+
+	conf_file = NULL;
+	pam_test_option(&options, PAM_OPT_CONF, &conf_file);
+	template_user = NULL;
+	pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user);
+
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
 
-	if ((radh = rad_open()) == NULL) {
+	PAM_LOG("Got user: %s", user);
+
+	retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
+
+	PAM_LOG("Got password");
+
+	radh = rad_open();
+	if (radh == NULL) {
 		syslog(LOG_CRIT, "rad_open failed");
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
 	}
+
+	PAM_LOG("Radius opened");
+
 	if (rad_config(radh, conf_file) == -1) {
 		syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
 		rad_close(radh);
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
 	}
+
+	PAM_LOG("Radius config file read");
+
 	if (build_access_request(radh, user, pass, NULL, 0) == -1) {
 		rad_close(radh);
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
 	}
+
+	PAM_LOG("Radius build access done");
+
 	for ( ; ; ) {
 		switch (rad_send_request(radh)) {
 
@@ -243,10 +258,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 			e = do_accept(pamh, radh);
 			rad_close(radh);
 			if (e == -1)
-				return PAM_SERVICE_ERR;
+				PAM_RETURN(PAM_SERVICE_ERR);
 			if (template_user != NULL) {
-				const void *item;
-				const char *user;
+
+				PAM_LOG("Trying template user: %s",
+				    template_user);
 
 				/*
 				 * If the given user name doesn't exist in
@@ -254,25 +270,28 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 				 * to the value given in the "template_user"
 				 * option.
 				 */
-				retval = pam_get_item(pamh, PAM_USER, &item);
+				retval = pam_get_item(pamh, PAM_USER,
+				    (void *)&tmpuser);
 				if (retval != PAM_SUCCESS)
-					return retval;
-				user = (const char *)item;
-				if (getpwnam(user) == NULL)
+					PAM_RETURN(retval);
+				if (getpwnam(tmpuser) == NULL) {
 					pam_set_item(pamh, PAM_USER,
 					    template_user);
+					PAM_LOG("Using template user");
+				}
+
 			}
-			return PAM_SUCCESS;
+			PAM_RETURN(PAM_SUCCESS);
 
 		case RAD_ACCESS_REJECT:
 			rad_close(radh);
-			return PAM_AUTH_ERR;
+			PAM_RETURN(PAM_AUTH_ERR);
 
 		case RAD_ACCESS_CHALLENGE:
-			if ((retval = do_challenge(pamh, radh, user)) !=
-			    PAM_SUCCESS) {
+			retval = do_challenge(pamh, radh, user);
+			if (retval != PAM_SUCCESS) {
 				rad_close(radh);
-				return retval;
+				PAM_RETURN(retval);
 			}
 			break;
 
@@ -280,13 +299,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 			syslog(LOG_CRIT, "rad_send_request: %s",
 			    rad_strerror(radh));
 			rad_close(radh);
-			return PAM_AUTHINFO_UNAVAIL;
+			PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
 
 		default:
 			syslog(LOG_CRIT,
 			    "rad_send_request: unexpected return value");
 			rad_close(radh);
-			return PAM_SERVICE_ERR;
+			PAM_RETURN(PAM_SERVICE_ERR);
 		}
 	}
 }
diff --git a/lib/libpam/modules/pam_rootok/Makefile b/lib/libpam/modules/pam_rootok/Makefile
index 8d9bf06..948c0299 100644
--- a/lib/libpam/modules/pam_rootok/Makefile
+++ b/lib/libpam/modules/pam_rootok/Makefile
@@ -27,7 +27,6 @@
 LIB=		pam_rootok
 SHLIB_NAME=	pam_rootok.so
 SRCS=		pam_rootok.c
+MAN=		pam_rootok.8
 
 .include <bsd.lib.mk>
-
-.PATH:		${PAMDIR}/modules/pam_rootok
diff --git a/lib/libpam/modules/pam_rootok/pam_rootok.8 b/lib/libpam/modules/pam_rootok/pam_rootok.8
new file mode 100644
index 0000000..805fc6c
--- /dev/null
+++ b/lib/libpam/modules/pam_rootok/pam_rootok.8
@@ -0,0 +1,70 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_ROOTOK 8
+.Os
+.Sh NAME
+.Nm pam_rootok
+.Nd RootOK PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_rootok
+.Op Ar options
+.Sh DESCRIPTION
+The RootOK authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the 
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss RootOK Authentication Module
+The RootOK authentication component
+.Pq Fn pam_sm_authenticate ,
+always returns success for the superuser;
+.Em ie,
+if
+.Xr getuid 2
+returns 0.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh SEE ALSO
+.Xr getuid 2 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_rootok/pam_rootok.c b/lib/libpam/modules/pam_rootok/pam_rootok.c
new file mode 100644
index 0000000..71478a1
--- /dev/null
+++ b/lib/libpam/modules/pam_rootok/pam_rootok.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2001 Mark R V Murray
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define _BSD_SOURCE
+
+#include <unistd.h>
+#include <syslog.h>
+
+#define PAM_SM_AUTH
+
+#include <security/pam_modules.h>
+#include <pam_mod_misc.h>
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+	uid_t uid;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	uid = getuid();
+	if (uid == 0)
+		PAM_RETURN(PAM_SUCCESS);
+
+	PAM_LOG("User is not root");
+
+	PAM_RETURN(PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}
+
+PAM_MODULE_ENTRY("pam_rootok");
diff --git a/lib/libpam/modules/pam_securetty/Makefile b/lib/libpam/modules/pam_securetty/Makefile
index 1bf77db..764dfb0 100644
--- a/lib/libpam/modules/pam_securetty/Makefile
+++ b/lib/libpam/modules/pam_securetty/Makefile
@@ -27,5 +27,6 @@
 LIB=		pam_securetty
 SHLIB_NAME=	pam_securetty.so
 SRCS=		pam_securetty.c
+MAN=		pam_securetty.8
 
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.8 b/lib/libpam/modules/pam_securetty/pam_securetty.8
new file mode 100644
index 0000000..33267a3
--- /dev/null
+++ b/lib/libpam/modules/pam_securetty/pam_securetty.8
@@ -0,0 +1,82 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_SECURETTY 8
+.Os
+.Sh NAME
+.Nm pam_securetty
+.Nd SecureTTY PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_securetty
+.Op Ar options
+.Sh DESCRIPTION
+The SecureTTY authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the 
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss SecureTTY Authentication Module
+The SecureTTY authentication component
+.Pq Fn pam_sm_authenticate ,
+returns success if the user is attempting to authenticate as superuser,
+and the process is attached to a secure TTY.
+Alternatively,
+if the user is not authenticating as superuser,
+the module always returns success.
+.Pp
+A TTY is defined as secure if its entry is fetchable from
+.Pa /etc/ttys
+by
+.Xr getttynam 3
+(see
+.Xr ttys 5 ) ,
+and the entry (a struct ttyent) has the 
+.Dv TTY_SECURE
+flag set.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh SEE ALSO
+.Xr getttyynam 3 ,
+.Xr syslog 3 ,
+.Xr ttys 5 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.c b/lib/libpam/modules/pam_securetty/pam_securetty.c
index fe04b3c..aecabce 100644
--- a/lib/libpam/modules/pam_securetty/pam_securetty.c
+++ b/lib/libpam/modules/pam_securetty/pam_securetty.c
@@ -41,42 +41,51 @@
 PAM_EXTERN int 
 pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
 {
-	struct ttyent  *ttyfileinfo;
-	struct passwd  *user_pwd;
-	int             i, options, retval;
-	const char     *username, *ttyname;
+	struct options options;
+	struct ttyent *ttyfileinfo;
+	struct passwd *user_pwd;
+	int retval;
+	const char *user, *ttyname;
 
-	options = 0;
-	for (i = 0; i < argc; i++)
-		pam_std_option(&options, argv[i]);
+	pam_std_option(&options, NULL, argc, argv);
 
-	retval = pam_get_user(pamh, &username, NULL);
+	PAM_LOG("Options processed");
+
+	retval = pam_get_user(pamh, &user, NULL);
 	if (retval != PAM_SUCCESS)
-		return retval;
+		PAM_RETURN(retval);
+
+	PAM_LOG("Got user: %s", user);
 
 	retval = pam_get_item(pamh, PAM_TTY, (const void **)&ttyname);
 	if (retval != PAM_SUCCESS)
-		return retval;
+		PAM_RETURN(retval);
+
+	PAM_LOG("Got TTY: %s", ttyname);
 
 	/* Ignore any "/dev/" on the PAM_TTY item */
 	if (strncmp(TTY_PREFIX, ttyname, sizeof(TTY_PREFIX) - 1) == 0)
 		ttyname += sizeof(TTY_PREFIX) - 1;
 
 	/* If the user is not root, secure ttys do not apply */
-	user_pwd = getpwnam(username);
+	user_pwd = getpwnam(user);
 	if (user_pwd == NULL)
-		return PAM_IGNORE;
+		PAM_RETURN(PAM_IGNORE);
 	else if (user_pwd->pw_uid != 0)
-		return PAM_SUCCESS;
+		PAM_RETURN(PAM_SUCCESS);
+
+	PAM_LOG("User is not root");
 
 	ttyfileinfo = getttynam(ttyname);
 	if (ttyfileinfo == NULL)
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
+
+	PAM_LOG("Got ttyfileinfo");
 
 	if (ttyfileinfo->ty_status & TTY_SECURE)
-		return PAM_SUCCESS;
+		PAM_RETURN(PAM_SUCCESS);
 	else
-		return PAM_PERM_DENIED;
+		PAM_RETURN(PAM_PERM_DENIED);
 }
 
 PAM_EXTERN
@@ -86,6 +95,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
 	return PAM_SUCCESS;
 }
 
-/* end of module definition */
-
 PAM_MODULE_ENTRY("pam_securetty");
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.8 b/lib/libpam/modules/pam_ssh/pam_ssh.8
new file mode 100644
index 0000000..ad4323c
--- /dev/null
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.8
@@ -0,0 +1,148 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 7, 2001
+.Dt PAM_UNIX 8
+.Os
+.Sh NAME
+.Nm pam_unix
+.Nd UNIX PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_unix
+.Op Ar options
+.Sh DESCRIPTION
+The
+.Ux
+authentication service module for PAM,
+.Nm
+provides functionality for two PAM categories:
+authentication
+and account management.
+In terms of the 
+.Ar module-type
+parameter, they are the
+.Dv auth
+and
+.Dv account
+features.
+It also provides a null function for session management.
+.Ss Ux Authentication Module
+The
+.Ux
+authentication component
+provides functions to verify the identity of a user
+.Pq Fn pam_sm_authenticate ,
+which obtains the relevant
+.Xr passwd 5
+entry.
+It prompts the user for a password
+and verifies that this is correct with
+.Xr crypt 3 .
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm use_first_pass
+If the authentication module
+is not the first in the stack,
+and a previous module
+obtained the user's password,
+that password is used
+to authenticate the user.
+If this fails,
+the authentication module returns failure
+without prompting the user for a password.
+This option has no effect
+if the authentication module
+is the first in the stack,
+or if no previous modules
+obtained the user's password.
+.It Cm try_first_pass
+This option is similar to the
+.Cm use_first_pass
+option,
+except that if the previously obtained password fails,
+the user is prompted for another password.
+.It Cm auth_as_self
+This option will require the user
+to authenticate themself as the user
+given by
+.Fn getuid 2 ,
+not as the account they are attempting to access.
+This is primarily for services like
+.Xr su 1 ,
+where the user's ability to retype
+their own password
+might be deemed sufficient.
+.It Cm nullok
+If the password database
+has no password
+for the entity being authenticated,
+then this option
+will forgo password prompting,
+and silently allow authentication to succeed.
+.El
+.Ss Ux Account Management Module
+The
+.Ux
+account management component
+provides a function to perform account management,
+.Fn pam_sm_acct_mgmt .
+The function verifies
+that the authenticated user
+is allowed to login to the local user account
+by checking the password expiry date.
+.Pp
+The following options may be passed to the management module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh FILES
+.Bl -tag -xwidth ".Pa /etc/master.passwd" -compact
+.It Pa /etc/master.passwd
+default 
+.Ux
+password database.
+.El
+.Sh SEE ALSO
+.Xr passwd 1 ,
+.Xr getuid 2 ,
+.Xr crypt 3 ,
+.Xr passwd 5 ,
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_tacplus/Makefile b/lib/libpam/modules/pam_tacplus/Makefile
index e324a30..0d6daaa 100644
--- a/lib/libpam/modules/pam_tacplus/Makefile
+++ b/lib/libpam/modules/pam_tacplus/Makefile
@@ -29,5 +29,6 @@ SHLIB_NAME=	pam_tacplus.so
 SRCS=		pam_tacplus.c
 DPADD=		${LIBTACPLUS}
 LDADD=		-ltacplus
+MAN=		pam_tacplus.8
 
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.8 b/lib/libpam/modules/pam_tacplus/pam_tacplus.8
new file mode 100644
index 0000000..67ec965
--- /dev/null
+++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.8
@@ -0,0 +1,128 @@
+.\" Copyright (c) 1999
+.\"	Andrzej Bialecki <abial@FreeBSD.org>.  All rights reserved.
+.\"
+.\" Copyright (c) 1992, 1993, 1994
+.\"	The Regents of the University of California.  All rights reserved.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software donated to Berkeley by
+.\" Jan-Simon Pendry.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd August 2, 1999
+.Dt PAM_TACPLUS 8
+.Os FreeBSD
+.Sh NAME
+.Nm pam_tacplus
+.Nd TACACS+ authentication PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_tacplus
+.Op Ar options
+.Sh DESCRIPTION
+The
+.Nm
+module provides authentication services based
+upon the TACACS+ protocol
+for the PAM (Pluggable Authentication Module) framework.
+.Pp
+The
+.Nm
+module accepts these optional parameters:
+.Bl -tag -width Fl
+.It Cm use_first_pass
+causes
+.Nm
+to use a previously entered password instead of prompting for a new one.
+If no password has been entered then authentication fails.
+.It Cm try_first_pass
+causes
+.Nm
+to use a previously entered password, if one is available.  If no
+password has been entered,
+.Nm
+prompts for one as usual.
+.It Cm echo_pass
+causes echoing to be left on if
+.Nm
+prompts for a password.
+.It Cm conf Ns No = Ns Ar pathname
+specifies a non-standard location for the TACACS+ client configuration file
+(normally located in /etc/tacplus.conf).
+.It Cm template_user Ns No = Ns Ar username
+specifies a user whose
+.Xr passwd 5
+entry will be used as a template to create the session environment
+if the supplied username doesn't exist in local password database.
+The user
+will be authenticated with the supplied username and password, but his
+credentials to the system will be presented as the ones for
+.Ar username ,
+i.e., his login class, home directory, resource limits, etc. will be set to ones
+defined for
+.Ar username .
+.Pp
+If this option is omitted, and there is no username
+in the system databases equal to the supplied one (as determined by call to
+.Xr getpwnam 3 ) ,
+the authentication will fail.
+.El
+.Sh FILES
+.Bl -tag -width /etc/tacplus.conf -compact
+.It Pa /etc/tacplus.conf
+The standard TACACS+ client configuration file for
+.Nm
+.El
+.Sh SEE ALSO
+.Xr passwd 5 ,
+.Xr tacplus.conf 5 ,
+.Xr pam 8
+.Sh HISTORY
+The
+.Nm
+module first appeared in
+.Fx 3.1 .
+.Sh AUTHORS
+.An -nosplit
+The
+.Nm
+manual page was written by
+.An Andrzej Bialecki Aq abial@FreeBSD.org
+and adapted to TACACS+ from RADIUS by
+.An Mark R V Murray Aq markm@FreeBSD.org .
+.Pp
+The
+.Nm
+module was written by
+.An John D. Polstra Aq jdp@FreeBSD.org .
diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
index 0820071..786d303 100644
--- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c
+++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
@@ -40,9 +40,13 @@
 
 #include "pam_mod_misc.h"
 
-/* Option names, including the "=" sign. */
-#define OPT_CONF		"conf="
-#define OPT_TMPL		"template_user="
+enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
+
+static struct opttab other_options[] = {
+	{ "conf",		PAM_OPT_CONF },
+	{ "template_user",	PAM_OPT_TEMPLATE_USER },
+	{ NULL, 0 }
+};
 
 typedef int (*set_func)(struct tac_handle *, const char *);
 
@@ -58,7 +62,8 @@ do_item(pam_handle_t *pamh, struct tac_handle *tach, int item,
 	int retval;
 	const void *value;
 
-	if ((retval = pam_get_item(pamh, item, &value)) != PAM_SUCCESS)
+	retval = pam_get_item(pamh, item, &value);
+	if (retval != PAM_SUCCESS)
 	    return retval;
 	if (value != NULL && (*func)(tach, (const char *)value) == -1) {
 		syslog(LOG_CRIT, "%s: %s", funcname, tac_strerror(tach));
@@ -73,7 +78,8 @@ get_msg(struct tac_handle *tach)
 {
 	char *msg;
 
-	if ((msg = tac_get_msg(tach)) == NULL) {
+	msg = tac_get_msg(tach);
+	if (msg == NULL) {
 		syslog(LOG_CRIT, "tac_get_msg: %s", tac_strerror(tach));
 		tac_close(tach);
 		return NULL;
@@ -96,48 +102,57 @@ PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
     const char **argv)
 {
+	struct options options;
 	int retval;
 	struct tac_handle *tach;
-	const char *conf_file = NULL;
-	const char *template_user = NULL;
-	int options = 0;
-	int i;
-
-	for (i = 0;  i < argc;  i++) {
-		size_t len;
-
-		pam_std_option(&options, argv[i]);
-		if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0)
-			conf_file = argv[i] + len;
-		else if (strncmp(argv[i], OPT_TMPL,
-		    (len = strlen(OPT_TMPL))) == 0)
-			template_user = argv[i] + len;
-	}
+	char *conf_file;
+	char *template_user;
+
+	pam_std_option(&options, other_options, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	conf_file = NULL;
+	pam_test_option(&options, PAM_OPT_CONF, &conf_file);
+	template_user = NULL;
+	pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user);
 
-	if ((tach = tac_open()) == NULL) {
+	tach = tac_open();
+	if (tach == NULL) {
 		syslog(LOG_CRIT, "tac_open failed");
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
 	}
 	if (tac_config(tach, conf_file) == -1) {
 		syslog(LOG_ALERT, "tac_config: %s", tac_strerror(tach));
 		tac_close(tach);
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
 	}
 	if (tac_create_authen(tach, TAC_AUTHEN_LOGIN, TAC_AUTHEN_TYPE_ASCII,
 	    TAC_AUTHEN_SVC_LOGIN) == -1) {
 		syslog(LOG_CRIT, "tac_create_authen: %s", tac_strerror(tach));
 		tac_close(tach);
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
 	}
-	if ((retval = do_item(pamh, tach, PAM_USER,
-	    tac_set_user, "tac_set_user")) != PAM_SUCCESS)
-		return retval;
-	if ((retval = do_item(pamh, tach, PAM_TTY,
-	    tac_set_port, "tac_set_port")) != PAM_SUCCESS)
-		return retval;
-	if ((retval = do_item(pamh, tach, PAM_RHOST,
-	    tac_set_rem_addr, "tac_set_rem_addr")) != PAM_SUCCESS)
-		return retval;
+
+	PAM_LOG("Done tac_open() ... tac_close()");
+
+	retval = do_item(pamh, tach, PAM_USER, tac_set_user, "tac_set_user");
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
+
+	PAM_LOG("Done user");
+
+	retval = do_item(pamh, tach, PAM_TTY, tac_set_port, "tac_set_port");
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
+
+	PAM_LOG("Done tty");
+
+	retval = do_item(pamh, tach, PAM_RHOST, tac_set_rem_addr,
+	    "tac_set_rem_addr");
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
+
 	for ( ; ; ) {
 		char *srvr_msg;
 		size_t msg_len;
@@ -145,16 +160,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 		char *data_msg;
 		int sflags;
 		int status;
-		int echo;
 
-		if ((sflags = tac_send_authen(tach)) == -1) {
+		sflags = tac_send_authen(tach);
+		if (sflags == -1) {
 			syslog(LOG_CRIT, "tac_send_authen: %s",
 			    tac_strerror(tach));
 			tac_close(tach);
-			return PAM_AUTHINFO_UNAVAIL;
+			PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
 		}
 		status = TAC_AUTHEN_STATUS(sflags);
-		echo = TAC_AUTHEN_NOECHO(sflags) ? 0 : PAM_OPT_ECHO_PASS;
+		if (!TAC_AUTHEN_NOECHO(sflags))
+			pam_set_option(&options, PAM_OPT_ECHO_PASS);
 		switch (status) {
 
 		case TAC_AUTHEN_STATUS_PASS:
@@ -163,6 +179,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 				const void *item;
 				const char *user;
 
+				PAM_LOG("Trying template user: %s",
+				    template_user);
+
 				/*
 				 * If the given user name doesn't exist in
 				 * the local password database, change it
@@ -171,58 +190,60 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 				 */
 				retval = pam_get_item(pamh, PAM_USER, &item);
 				if (retval != PAM_SUCCESS)
-					return retval;
+					PAM_RETURN(retval);
 				user = (const char *)item;
-				if (getpwnam(user) == NULL)
+				if (getpwnam(user) == NULL) {
 					pam_set_item(pamh, PAM_USER,
 					    template_user);
+					PAM_LOG("Using template user");
+				}
 			}
-			return PAM_SUCCESS;
+			PAM_RETURN(PAM_SUCCESS);
 
 		case TAC_AUTHEN_STATUS_FAIL:
 			tac_close(tach);
-			return PAM_AUTH_ERR;
+			PAM_RETURN(PAM_AUTH_ERR);
 
 		case TAC_AUTHEN_STATUS_GETUSER:
 		case TAC_AUTHEN_STATUS_GETPASS:
 			if ((srvr_msg = get_msg(tach)) == NULL)
-				return PAM_SERVICE_ERR;
+				PAM_RETURN(PAM_SERVICE_ERR);
 			if (status == TAC_AUTHEN_STATUS_GETUSER)
 				retval = pam_get_user(pamh, &user_msg,
 				    srvr_msg[0] != '\0' ? srvr_msg : NULL);
 			else if (status == TAC_AUTHEN_STATUS_GETPASS)
 				retval = pam_get_pass(pamh, &user_msg,
 				    srvr_msg[0] != '\0' ? srvr_msg :
-				    "Password:", options | echo);
+				    "Password:", &options);
 			free(srvr_msg);
 			if (retval != PAM_SUCCESS) {
 				/* XXX - send a TACACS+ abort packet */
 				tac_close(tach);
-				return retval;
+				PAM_RETURN(retval);
 			}
 			if (set_msg(tach, user_msg) == -1)
-				return PAM_SERVICE_ERR;
+				PAM_RETURN(PAM_SERVICE_ERR);
 			break;
 
 		case TAC_AUTHEN_STATUS_GETDATA:
 			if ((srvr_msg = get_msg(tach)) == NULL)
-				return PAM_SERVICE_ERR;
+				PAM_RETURN(PAM_SERVICE_ERR);
 			retval = pam_prompt(pamh,
-			    (options|echo) & PAM_OPT_ECHO_PASS ?
-			    PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
+			    pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
+				? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
 			    srvr_msg[0] != '\0' ? srvr_msg : "Data:",
 			    &data_msg);
 			free(srvr_msg);
 			if (retval != PAM_SUCCESS) {
 				/* XXX - send a TACACS+ abort packet */
 				tac_close(tach);
-				return retval;
+				PAM_RETURN(retval);
 			}
 			retval = set_msg(tach, data_msg);
 			memset(data_msg, 0, strlen(data_msg));
 			free(data_msg);
 			if (retval == -1)
-				return PAM_SERVICE_ERR;
+				PAM_RETURN(PAM_SERVICE_ERR);
 			break;
 
 		case TAC_AUTHEN_STATUS_ERROR:
@@ -231,11 +252,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 				syslog(LOG_CRIT, "tac_send_authen:"
 				    " server detected error: %s", srvr_msg);
 				free(srvr_msg);
-			} else
+			}
+			else
 				syslog(LOG_CRIT,
 				    "tac_send_authen: server detected error");
 			tac_close(tach);
-			return PAM_AUTHINFO_UNAVAIL;
+			PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
 			break;
 
 		case TAC_AUTHEN_STATUS_RESTART:
@@ -244,7 +266,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 			syslog(LOG_CRIT,
 			    "tac_send_authen: unexpected status %#x", status);
 			tac_close(tach);
-			return PAM_AUTHINFO_UNAVAIL;
+			PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
 		}
 	}
 }
diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile
index 048fade..b2d928c 100644
--- a/lib/libpam/modules/pam_unix/Makefile
+++ b/lib/libpam/modules/pam_unix/Makefile
@@ -29,5 +29,6 @@ SHLIB_NAME=	pam_unix.so
 SRCS=		pam_unix.c
 DPADD=		${LIBUTIL} ${LIBCRYPT}
 LDADD=		-lutil -lcrypt
+MAN=		pam_unix.8
 
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8
new file mode 100644
index 0000000..ad4323c
--- /dev/null
+++ b/lib/libpam/modules/pam_unix/pam_unix.8
@@ -0,0 +1,148 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 7, 2001
+.Dt PAM_UNIX 8
+.Os
+.Sh NAME
+.Nm pam_unix
+.Nd UNIX PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_unix
+.Op Ar options
+.Sh DESCRIPTION
+The
+.Ux
+authentication service module for PAM,
+.Nm
+provides functionality for two PAM categories:
+authentication
+and account management.
+In terms of the 
+.Ar module-type
+parameter, they are the
+.Dv auth
+and
+.Dv account
+features.
+It also provides a null function for session management.
+.Ss Ux Authentication Module
+The
+.Ux
+authentication component
+provides functions to verify the identity of a user
+.Pq Fn pam_sm_authenticate ,
+which obtains the relevant
+.Xr passwd 5
+entry.
+It prompts the user for a password
+and verifies that this is correct with
+.Xr crypt 3 .
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm use_first_pass
+If the authentication module
+is not the first in the stack,
+and a previous module
+obtained the user's password,
+that password is used
+to authenticate the user.
+If this fails,
+the authentication module returns failure
+without prompting the user for a password.
+This option has no effect
+if the authentication module
+is the first in the stack,
+or if no previous modules
+obtained the user's password.
+.It Cm try_first_pass
+This option is similar to the
+.Cm use_first_pass
+option,
+except that if the previously obtained password fails,
+the user is prompted for another password.
+.It Cm auth_as_self
+This option will require the user
+to authenticate themself as the user
+given by
+.Fn getuid 2 ,
+not as the account they are attempting to access.
+This is primarily for services like
+.Xr su 1 ,
+where the user's ability to retype
+their own password
+might be deemed sufficient.
+.It Cm nullok
+If the password database
+has no password
+for the entity being authenticated,
+then this option
+will forgo password prompting,
+and silently allow authentication to succeed.
+.El
+.Ss Ux Account Management Module
+The
+.Ux
+account management component
+provides a function to perform account management,
+.Fn pam_sm_acct_mgmt .
+The function verifies
+that the authenticated user
+is allowed to login to the local user account
+by checking the password expiry date.
+.Pp
+The following options may be passed to the management module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh FILES
+.Bl -tag -xwidth ".Pa /etc/master.passwd" -compact
+.It Pa /etc/master.passwd
+default 
+.Ux
+password database.
+.El
+.Sh SEE ALSO
+.Xr passwd 1 ,
+.Xr getuid 2 ,
+.Xr crypt 3 ,
+.Xr passwd 5 ,
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index cc97ad9..61c462c 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -42,64 +42,96 @@
 #include "pam_mod_misc.h"
 
 #define PASSWORD_PROMPT	"Password:"
+#define DEFAULT_WARN  (2L * 7L * 86400L)  /* Two weeks */
+
+enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_NULLOK };
+
+static struct opttab other_options[] = {
+	{ "auth_as_self",	PAM_OPT_AUTH_AS_SELF },
+	{ "nullok",		PAM_OPT_NULLOK },
+	{ NULL, 0 }
+};
 
 /*
  * authentication management
  */
 
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
-    const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-	int retval;
-	const char *user;
-	const char *password;
+	struct options options;
 	struct passwd *pwd;
+	int retval;
+	const char *password, *user;
 	char *encrypted;
-	int options;
-	int i;
 
-	options = 0;
-	for (i = 0;  i < argc;  i++)
-		pam_std_option(&options, argv[i]);
-	if (options & PAM_OPT_AUTH_AS_SELF)
+	pam_std_option(&options, other_options, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
 		pwd = getpwuid(getuid());
 	else {
-		if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
-			return retval;
+		retval = pam_get_user(pamh, &user, NULL);
+		if (retval != PAM_SUCCESS)
+			PAM_RETURN(retval);
 		pwd = getpwnam(user);
 	}
+
+	PAM_LOG("Got user: %s", user);
+
 	if (pwd != NULL) {
-		if (pwd->pw_passwd[0] == '\0' && (options & PAM_OPT_NULLOK))
+
+		PAM_LOG("Doing real authentication");
+
+		if (pwd->pw_passwd[0] == '\0'
+		    && pam_test_option(&options, PAM_OPT_NULLOK, NULL)) {
 			/*
 			 * No password case. XXX Are we giving too much away
 			 * by not prompting for a password?
 			 */
-			return PAM_SUCCESS;
+			PAM_LOG("No password, and null password OK");
+			PAM_RETURN(PAM_SUCCESS);
+		}
 		else {
-			if ((retval = pam_get_pass(pamh, &password,
-			    PASSWORD_PROMPT, options)) != PAM_SUCCESS)
-				return retval;
+			retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
+			    &options);
+			if (retval != PAM_SUCCESS)
+				PAM_RETURN(retval);
+			PAM_LOG("Got password");
 		}
 		encrypted = crypt(password, pwd->pw_passwd);
 		if (password[0] == '\0' && pwd->pw_passwd[0] != '\0')
 			encrypted = ":";
 
+		PAM_LOG("Encrypted passwords are: %s & %s", encrypted,
+		    pwd->pw_passwd);
+
 		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
 		    PAM_SUCCESS : PAM_AUTH_ERR;
-	} else {
+	}
+	else {
+
+		PAM_LOG("Doing dummy authentication");
+
 		/*
-		 * User unknown.  Encrypt anyway so that it takes the
-		 * same amount of time.
+		 * User unknown.
+		 * Encrypt a dummy password so as to not give away too much.
 		 */
+		retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
+		    &options);
+		if (retval != PAM_SUCCESS)
+			PAM_RETURN(retval);
+		PAM_LOG("Got password");
 		crypt(password, "xx");
 		retval = PAM_AUTH_ERR;
 	}
+
 	/*
 	 * The PAM infrastructure will obliterate the cleartext
 	 * password before returning to the application.
 	 */
-	return retval;
+	PAM_RETURN(retval);
 }
 
 PAM_EXTERN int
@@ -114,24 +146,31 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
  * check pw_change and pw_expire fields
  */
 PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
-		     int argc, const char **argv)
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-	const char *user;
+	struct options options;
 	struct passwd *pw;
 	struct timeval tp;
+	login_cap_t *lc;
 	time_t warntime;
-	login_cap_t *lc = NULL;
-	char buf[128];
 	int retval;
+	const char *user;
+	char buf[128];
+
+	pam_std_option(&options, other_options, argc, argv);
+
+	PAM_LOG("Options processed");
 
 	retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
 	if (retval != PAM_SUCCESS || user == NULL)
 		/* some implementations return PAM_SUCCESS here */
-		return PAM_USER_UNKNOWN;
+		PAM_RETURN(PAM_USER_UNKNOWN);
 
-	if ((pw = getpwnam(user)) == NULL)
-		return PAM_USER_UNKNOWN;
+	pw = getpwnam(user);
+	if (pw == NULL)
+		PAM_RETURN(PAM_USER_UNKNOWN);
+
+	PAM_LOG("Got user: %s", user);
 
 	retval = PAM_SUCCESS;
 	lc = login_getpwclass(pw);
@@ -139,11 +178,11 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 	if (pw->pw_change || pw->pw_expire)
 		gettimeofday(&tp, NULL);
 
-#define DEFAULT_WARN  (2L * 7L * 86400L)  /* Two weeks */
-
 	warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
 	    DEFAULT_WARN);
 
+	PAM_LOG("Got login_cap");
+
 	if (pw->pw_change) {
 		if (tp.tv_sec >= pw->pw_change)
 			/* some implementations return PAM_AUTHTOK_EXPIRED */
@@ -171,7 +210,8 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 	}
 
 	login_close(lc);
-	return retval;
+
+	PAM_RETURN(retval);
 }
 
 PAM_MODULE_ENTRY("pam_unix");
diff --git a/lib/libpam/modules/pam_wheel/Makefile b/lib/libpam/modules/pam_wheel/Makefile
index d211df6..b889a18 100644
--- a/lib/libpam/modules/pam_wheel/Makefile
+++ b/lib/libpam/modules/pam_wheel/Makefile
@@ -27,7 +27,6 @@
 LIB=		pam_wheel
 SHLIB_NAME=	pam_wheel.so
 SRCS=		pam_wheel.c
+MAN=		pam_wheel.8
 
 .include <bsd.lib.mk>
-
-.PATH:		${PAMDIR}/modules/pam_wheel
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.8 b/lib/libpam/modules/pam_wheel/pam_wheel.8
new file mode 100644
index 0000000..c493f89
--- /dev/null
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.8
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_WHEEL 8
+.Os
+.Sh NAME
+.Nm pam_wheel
+.Nd Wheel PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_wheel
+.Op Ar options
+.Sh DESCRIPTION
+The Wheel authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the 
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss Wheel Authentication Module
+The Wheel authentication component
+.Pq Fn pam_sm_authenticate ,
+permit authentication to members of a group,
+which defaults to
+.Dv wheel.
+.Em ie,
+if
+.Xr getuid 2
+returns 0.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm use_uid
+check for wheel membership against 
+the current uid
+.Pq given by Fn getuid .
+.It Cm trust
+return
+.Dv PAM_SUCCESS
+instead of
+.Dv PAM_IGNORE
+if the user is a member of the group (default is
+.Dv wheel ).
+.It Cm deny
+invert the operation
+if is a member of the 
+.Pq default Dv wheel )
+group.
+.Pq return failure instead of success.
+mainly of use with the ``group=foo'' option.
+.It Cm group=foo
+checking for membership of group ``foo''
+instead of the default group
+.Dv wheel.
+.El
+.Sh SEE ALSO
+.Xr group 5 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.c b/lib/libpam/modules/pam_wheel/pam_wheel.c
new file mode 100644
index 0000000..e5005e3
--- /dev/null
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.c
@@ -0,0 +1,145 @@
+/*-
+ * Copyright (c) 2001 Mark R V Murray
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define _BSD_SOURCE
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+#include <pam_mod_misc.h>
+
+enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
+	PAM_OPT_USE_UID };
+
+static struct opttab other_options[] = {
+	{ "deny",		PAM_OPT_DENY },
+	{ "group",		PAM_OPT_GROUP },
+	{ "trust",		PAM_OPT_TRUST },
+	{ "use_uid",		PAM_OPT_USE_UID },
+	{ NULL, 0 }
+};
+
+/* Is member in list? */
+static int
+in_list(char *const *list, const char *member)
+{
+	for (; *list; list++)
+		if (strcmp(*list, member) == 0)
+			return 1;
+	return 0;
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+	struct options options;
+	struct passwd *pwd, *temppwd;
+	struct group *grp;
+	int retval;
+	const char *user;
+	char *fromsu, *use_group;
+
+	pam_std_option(&options, other_options, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS)
+		PAM_RETURN(retval);
+
+	pwd = getpwnam(user);
+	if (!pwd)
+		PAM_RETURN(PAM_USER_UNKNOWN);
+
+	PAM_LOG("Got user: %s", user);
+
+	/* Ignore if already uid 0 */
+	if (pwd->pw_uid)
+		PAM_RETURN(PAM_IGNORE);
+
+	PAM_LOG("Not superuser");
+
+	if (pam_test_option(&options, PAM_OPT_USE_UID, NULL)) {
+		temppwd = getpwuid(getuid());
+		if (temppwd == NULL)
+			PAM_RETURN(PAM_SERVICE_ERR);
+		fromsu = temppwd->pw_name;
+	}
+	else {
+		fromsu = getlogin();
+		if (!fromsu)
+			PAM_RETURN(PAM_SERVICE_ERR);
+	}
+
+	PAM_LOG("Got fromsu: %s", fromsu);
+
+	if (!pam_test_option(&options, PAM_OPT_GROUP, &use_group)) {
+		if ((grp = getgrnam("wheel")) == NULL)
+			grp = getgrgid(0);
+	}
+	else
+		grp = getgrnam(use_group);
+
+	if (grp == NULL || grp->gr_mem == NULL) {
+		if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+			PAM_RETURN(PAM_IGNORE);
+		else
+			PAM_RETURN(PAM_AUTH_ERR);
+	}
+
+	PAM_LOG("Got group: %s", grp->gr_name);
+
+	if (in_list(grp->gr_mem, fromsu)) {
+		if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+			PAM_RETURN(PAM_PERM_DENIED);
+		if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
+			PAM_RETURN(PAM_SUCCESS);
+		PAM_RETURN(PAM_IGNORE);
+	}
+
+	if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+		PAM_RETURN(PAM_SUCCESS);
+
+	PAM_RETURN(PAM_PERM_DENIED);
+}
+
+PAM_EXTERN int 
+pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}
+
+PAM_MODULE_ENTRY("pam_wheel");