Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-auth/pam_skey/files
diff options
context:
space:
mode:
authorJakub Moc <jakub@gentoo.org>2006-06-08 09:28:53 +0000
committerJakub Moc <jakub@gentoo.org>2006-06-08 09:28:53 +0000
commit498a6465701e1f98504734b06b50bf8e80c1aee9 (patch)
treeee9a733b6ad17374c69a9e62ea8962f18cf2bd3d /sys-auth/pam_skey/files
parentRemove useless ChangeLog based on a request from dertobi123 in #gentoo-overla... (diff)
downloadsunrise-498a6465701e1f98504734b06b50bf8e80c1aee9.tar.gz
sunrise-498a6465701e1f98504734b06b50bf8e80c1aee9.tar.bz2
sunrise-498a6465701e1f98504734b06b50bf8e80c1aee9.zip
New pam_skey ebuild, thanks to Ulrich Mueller and Dani Church in Bug 55279
svn path=/; revision=5
Diffstat (limited to 'sys-auth/pam_skey/files')
-rw-r--r--sys-auth/pam_skey/files/digest-pam_skey-1.1.43
-rw-r--r--sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch1706
-rw-r--r--sys-auth/pam_skey/files/pam_skey-system-auth.pam.d15
3 files changed, 1724 insertions, 0 deletions
diff --git a/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 b/sys-auth/pam_skey/files/digest-pam_skey-1.1.4
new file mode 100644
index 000000000..82d8fdb41
--- /dev/null
+++ b/sys-auth/pam_skey/files/digest-pam_skey-1.1.4
@@ -0,0 +1,3 @@
+MD5 5e3bbe897bdd665fbe9d3b647455a863 pam_skey-1.1.4.tar.gz 82861
+RMD160 ea195cbe4cd188d223d3bb7d0ffc51be0f3fc713 pam_skey-1.1.4.tar.gz 82861
+SHA256 625e255e8c7ac27a85e2336d64cec46a83e246fe96e3e851c685dbf870c359bc pam_skey-1.1.4.tar.gz 82861
diff --git a/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch b/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch
new file mode 100644
index 000000000..a1403d0d2
--- /dev/null
+++ b/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch
@@ -0,0 +1,1706 @@
+diff -Nur pam_skey-1.1.4/INSTALL pam_skey/INSTALL
+--- pam_skey-1.1.4/INSTALL 2005-06-18 14:11:24.000000000 +0200
++++ pam_skey/INSTALL 2006-03-06 09:26:55.000000000 +0100
+@@ -1,5 +1,39 @@
+ $Id: INSTALL,v 1.1.1.1 2005/06/18 12:11:24 kreator Exp $
+
++Gentoo patch
++------------
++Most everything below still holds, though the libraries required are now
++those used by Gentoo. Other S/Key libraries may work with a bit of
++tweaking.
++
++The options listed for the module below are no longer valid. See the
++Gentoo patch section in README for details.
++
++The intended method for configuring PAM is by using the newer module
++specification, with a line like:
++
++auth [success=done ignore=ignore auth_err=die default=bad] /lib/security/pam_skey.so
++
++This is a combination of the standard "sufficient" and "requisite"
++specifications:
++
++- If the module returns PAM_SUCCESS, we are authenticated and no other
++ modules should be tested.
++- If the module returns PAM_IGNORE, then the module didn't accept its
++ input as an S/Key response, and the next module should try using
++ the input (using the try_first_pass option).
++- If the module returns PAM_AUTH_ERR, then the module accepted an
++ S/Key input but it was invalid. Do not try any more modules in the
++ stack; the user already chose S/Key authentication.
++- If the module returns any other code, it is a simple error in processing.
++ Set the error flag but try other modules, just in case.
++
++The module is intended to be placed before another authentication module,
++like pam_unix.so; if not, it should be placed before pam_deny.so.
++
++If the newer module specification is unavailable in your version of PAM,
++the "sufficient" specification will work.
++
+ Required
+ --------
+ For building this package you will probably need original Wietse Venema's
+diff -Nur pam_skey-1.1.4/Makefile.in pam_skey/Makefile.in
+--- pam_skey-1.1.4/Makefile.in 2005-06-18 14:11:24.000000000 +0200
++++ pam_skey/Makefile.in 2006-03-06 09:26:55.000000000 +0100
+@@ -12,42 +12,26 @@
+ LIBS=@LIBS@ @SKEYLIB@ @PAMLIB@
+ LDFLAGS=@LDFLAGS@
+
+-INSTALL=@INSTALL@ -m 644
++INSTALL=@INSTALL@
++INSTALL_LIB=${INSTALL} -m 755
+ RM=@RM@ -f
+ CP=@CP@ -f
+ LN=@LN@ -s
+ AWK=@AWK@
+
+-PAM_FILES=pam_skey.so.1 pam_skey_access.so.1
++PAM_FILES=pam_skey.so
+
+ all: $(PAM_FILES)
+
+-pam_skey.so.1: pam_skey.o
+- $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS)
+-
+-pam_skey_access.so.1: pam_skey_access.o
++pam_skey.so: pam_skey.o
+ $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS)
+
+ lint-pam_skey:
+ lclint $(CFLAGS) pam_skey.c
+
+-lint-pam_skey_access:
+- lclint $(CFLAGS) pam_skey_access.c
+-
+-install:
+- @if test ! -d $(INSTALLDIR); then \
+- echo "Missing $(INSTALLDIR). Problem with PAM installation?"; \
+- else \
+- for file in $(PAM_FILES); do \
+- if test ! -f "$(INSTALLDIR)/$$file"; then \
+- echo "Installing $$file in $(INSTALLDIR)"; \
+- $(INSTALL) "$$file" "$(INSTALLDIR)/$$file"; \
+- (cd $(INSTALLDIR) && $(LN) "$$file" `echo $$file | cut -d. -f1,2`); \
+- else \
+- echo "$$file exists - will not overwrite it"; \
+- fi \
+- done \
+- fi
++install: all
++ $(INSTALL) -d $(INSTALLDIR)
++ $(INSTALL_LIB) $(PAM_FILES) $(INSTALLDIR)
+
+ clean:
+ $(RM) a.out core *.so.1 *.o *.bak
+diff -Nur pam_skey-1.1.4/README pam_skey/README
+--- pam_skey-1.1.4/README 2005-06-18 14:36:18.000000000 +0200
++++ pam_skey/README 2006-03-06 09:26:55.000000000 +0100
+@@ -1,5 +1,77 @@
+ $Id: README,v 1.2 2005/06/18 12:36:18 kreator Exp $
+
++Gentoo patch
++------------
++
++The Gentoo pam_skey patch changes the original module in a number of ways.
++The behavior of the module is changed to make it more consistent with the
++PAM design, and several changes were made throughout the code to make the
++module interact better with the skey library used by Gentoo. Many of
++these changes will break pam_skey's compatibility with other systems and
++libraries, but this is, after all, the Gentoo patch.
++
++A (not necessarily) exhaustive list of the changes is as follows:
++- pam_skey_access.so is completely removed, since the Gentoo skey library
++ does not support the skey_access() call.
++- The pam_skey.so authentication code is completely rewritten. The
++ original code contained many references to the standard I/O library
++ (writing to stderr, etc.), as well as inconsistent communication with
++ the PAM libraries. Also, the authentication process is different, as
++ described below.
++- The options accepted by the pam_skey.so module are different, as
++ described below.
++
++Four options are accepted by the pam_skey.so module:
++ debug - This option turns on debug logging.
++ try_first_pass - This option tells the module to first try using
++ the authentication token passed from the
++ previous module as an S/Key response, before
++ informing the user of the challenge. If the
++ token is not valid, the module will proceed with
++ the standard process of challenging the user
++ and requesting a response, subject to the
++ no_default_skey option below.
++ use_first_pass - This option is identical to the try_first_pass
++ option, except that if the token is not valid,
++ it will return silently without challenging the
++ user.
++ no_default_skey - This flag changes the behavior of pam_skey.
++ Instead of immediately challenging the user with
++ an S/Key challenge, it will present the user with
++ a standard "Password: " prompt. If the user enters
++ the password "s/key" (case insensitive), it will
++ then challenge the user. Any other input will
++ cause the module to pass the given password to the
++ next module in the authentication stack (usually
++ pam_unix.so with the try_first_pass option).
++
++The exact behavior of pam_skey.so is detailed below:
++
++1. Retrieve username from PAM, possibly querying the user for it.
++2. If the user does not have any S/Key information, return PAM_IGNORE to
++ proceed to the next module in the stack.
++3. If *_first_pass is enabled, check the given authentication token to see
++ if it is a valid response to the current S/Key challenge. If so,
++ return PAM_SUCCESS.
++ 3a. If the token is invalid and use_first_pass is enabled, return
++ PAM_IGNORE.
++4. If no_default_skey is enabled, issue a "Password: " prompt.
++ 4a. If the response is anything besides "s/key" (case insensitive),
++ store it as the authentication token and return PAM_IGNORE.
++5. Display the current S/Key challenge and request a response, with
++ input not echoed. If no_default_skey is enabled, this will only be
++ an S/Key response request; otherwise, it will request either an
++ S/Key response or a system passsword.
++ 5a. If an empty response is given, request the S/Key response again,
++ this time with input echoed.
++ 5b. If the response is a valid S/Key response, return PAM_SUCCESS.
++ Otherwise, return PAM_AUTHERR.
++6. If the response is a valid S/Key response, return PAM_SUCCESS.
++7. Otherwise, if no_default_skey is enabled (the user specifically
++ requested "s/key" authentication), return PAM_AUTHERR.
++8. Otherwise, store the response as the authentication token and
++ return PAM_IGNORE.
++
+ About
+ -----
+ This is complete pam_skey modul as interface to existing S/Key
+diff -Nur pam_skey-1.1.4/autoconf/acconfig.h pam_skey/autoconf/acconfig.h
+--- pam_skey-1.1.4/autoconf/acconfig.h 2005-06-18 14:11:24.000000000 +0200
++++ pam_skey/autoconf/acconfig.h 2006-03-06 09:26:55.000000000 +0100
+@@ -1,17 +1,2 @@
+ /* Define if we can include both string.h and strings.h */
+ #undef STRING_WITH_STRINGS
+-
+-/* Define if you have Linux */
+-#undef LINUX
+-
+-/* Define if you have *BSD */
+-#undef BSD
+-
+-/* Define if not missing skeyaccess() */
+-#undef HAVE_SKEYACCESS
+-
+-/* Define if not missing skeyinfo() */
+-#undef HAVE_SKEYINFO
+-
+-/* Define if you have skeylookup() instead of skeyinfo() */
+-#undef HAVE_SKEYLOOKUP
+diff -Nur pam_skey-1.1.4/autoconf/configure.in pam_skey/autoconf/configure.in
+--- pam_skey-1.1.4/autoconf/configure.in 2005-06-18 14:11:24.000000000 +0200
++++ pam_skey/autoconf/configure.in 2006-03-06 09:26:55.000000000 +0100
+@@ -10,21 +10,9 @@
+ AC_LANG_C
+ AC_LANG_SAVE
+
+-dnl Get system type
+-AC_CANONICAL_HOST
+-MYHOST=$host_os
+-case "$host_os" in
+-*linux*)
+- AC_DEFINE(LINUX)
+- ;;
+-*bsd*)
+- AC_DEFINE(BSD)
+- ;;
+-esac
+-
+ dnl Package information
+ PACKAGE=pam_skey
+-VERSION=1.1
++VERSION=1.4r1
+
+ dnl Standard installation path
+ AC_PREFIX_DEFAULT(/usr)
+@@ -65,13 +53,9 @@
+ AC_ARG_WITH(skey-inc, [ --with-skey-inc=DIR Directory containing skey include files], CFLAGS="${CFLAGS} -I${withval}")
+
+ dnl Check for skey library
+-AC_CHECK_LIB(socket, socket)
+-AC_CHECK_LIB(nsl, gethostbyname)
++AC_CHECK_LIB(socket, socket, LIBS="${LIBS} -lsocket")
++AC_CHECK_LIB(nsl, gethostbyname, LIBS="${LIBS} -lnsl")
+ AC_CHECK_LIB(skey, skeyverify, SKEYLIB="-lskey", AC_MSG_ERROR(skey library not found or unknown interface))
+-AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
+-AC_CHECK_LIB(skey, skeyinfo, AC_DEFINE(HAVE_SKEYINFO),
+- AC_CHECK_LIB(skey, skeylookup, AC_DEFINE(HAVE_SKEYLOOKUP))
+-)
+
+ dnl Check against -G linker flag
+ hold_ldflags=$LDFLAGS
+diff -Nur pam_skey-1.1.4/configure pam_skey/configure
+--- pam_skey-1.1.4/configure 2005-06-18 14:36:18.000000000 +0200
++++ pam_skey/configure 2006-03-06 09:27:41.000000000 +0100
+@@ -310,7 +310,7 @@
+ # include <unistd.h>
+ #endif"
+
+-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS'
++ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS'
+ ac_subst_files=''
+
+ # Initialize some variables set by options.
+@@ -720,13 +720,13 @@
+ /^X\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+ srcdir=$ac_confdir
+- if test ! -r $srcdir/$ac_unique_file; then
++ if test ! -r "$srcdir/$ac_unique_file"; then
+ srcdir=..
+ fi
+ else
+ ac_srcdir_defaulted=no
+ fi
+-if test ! -r $srcdir/$ac_unique_file; then
++if test ! -r "$srcdir/$ac_unique_file"; then
+ if test "$ac_srcdir_defaulted" = yes; then
+ { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
+ { (exit 1); exit 1; }; }
+@@ -735,7 +735,7 @@
+ { (exit 1); exit 1; }; }
+ fi
+ fi
+-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
++(cd $srcdir && test -r "./$ac_unique_file") 2>/dev/null ||
+ { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
+ { (exit 1); exit 1; }; }
+ srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
+@@ -831,10 +831,6 @@
+ _ACEOF
+
+ cat <<\_ACEOF
+-
+-System types:
+- --build=BUILD configure for building on BUILD [guessed]
+- --host=HOST cross-compile to build programs to run on HOST [BUILD]
+ _ACEOF
+ fi
+
+@@ -948,7 +944,7 @@
+ else
+ echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+ fi
+- cd "$ac_popdir"
++ cd $ac_popdir
+ done
+ fi
+
+@@ -1333,78 +1329,8 @@
+
+
+
+-# Make sure we can run config.sub.
+-$ac_config_sub sun4 >/dev/null 2>&1 ||
+- { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5
+-echo "$as_me: error: cannot run $ac_config_sub" >&2;}
+- { (exit 1); exit 1; }; }
+-
+-echo "$as_me:$LINENO: checking build system type" >&5
+-echo $ECHO_N "checking build system type... $ECHO_C" >&6
+-if test "${ac_cv_build+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- ac_cv_build_alias=$build_alias
+-test -z "$ac_cv_build_alias" &&
+- ac_cv_build_alias=`$ac_config_guess`
+-test -z "$ac_cv_build_alias" &&
+- { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+-echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+- { (exit 1); exit 1; }; }
+-ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
+- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5
+-echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;}
+- { (exit 1); exit 1; }; }
+-
+-fi
+-echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+-echo "${ECHO_T}$ac_cv_build" >&6
+-build=$ac_cv_build
+-build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+-build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+-build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+-
+-
+-echo "$as_me:$LINENO: checking host system type" >&5
+-echo $ECHO_N "checking host system type... $ECHO_C" >&6
+-if test "${ac_cv_host+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- ac_cv_host_alias=$host_alias
+-test -z "$ac_cv_host_alias" &&
+- ac_cv_host_alias=$ac_cv_build_alias
+-ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
+- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5
+-echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;}
+- { (exit 1); exit 1; }; }
+-
+-fi
+-echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+-echo "${ECHO_T}$ac_cv_host" >&6
+-host=$ac_cv_host
+-host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+-host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+-host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+-
+-
+-MYHOST=$host_os
+-case "$host_os" in
+-*linux*)
+- cat >>confdefs.h <<\_ACEOF
+-#define LINUX 1
+-_ACEOF
+-
+- ;;
+-*bsd*)
+- cat >>confdefs.h <<\_ACEOF
+-#define BSD 1
+-_ACEOF
+-
+- ;;
+-esac
+-
+ PACKAGE=pam_skey
+-VERSION=1.1
++VERSION=1.4r1
+
+
+
+@@ -1976,7 +1902,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -2034,7 +1961,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -2150,7 +2078,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -2204,7 +2133,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -2249,7 +2179,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -2293,7 +2224,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -2881,7 +2813,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3051,7 +2984,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3124,7 +3058,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3278,7 +3213,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3431,7 +3367,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3533,7 +3470,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3583,7 +3521,6 @@
+ CFLAGS="${CFLAGS} -I${withval}"
+ fi;
+
+-
+ echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
+ echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6
+ if test "${ac_cv_lib_socket_socket+set}" = set; then
+@@ -3622,7 +3559,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3648,15 +3586,9 @@
+ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
+ echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6
+ if test $ac_cv_lib_socket_socket = yes; then
+- cat >>confdefs.h <<_ACEOF
+-#define HAVE_LIBSOCKET 1
+-_ACEOF
+-
+- LIBS="-lsocket $LIBS"
+-
++ LIBS="${LIBS} -lsocket"
+ fi
+
+-
+ echo "$as_me:$LINENO: checking for gethostbyname in -lnsl" >&5
+ echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6
+ if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then
+@@ -3695,7 +3627,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3721,12 +3654,7 @@
+ echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_gethostbyname" >&5
+ echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6
+ if test $ac_cv_lib_nsl_gethostbyname = yes; then
+- cat >>confdefs.h <<_ACEOF
+-#define HAVE_LIBNSL 1
+-_ACEOF
+-
+- LIBS="-lnsl $LIBS"
+-
++ LIBS="${LIBS} -lnsl"
+ fi
+
+ echo "$as_me:$LINENO: checking for skeyverify in -lskey" >&5
+@@ -3767,7 +3695,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -3800,218 +3729,6 @@
+ { (exit 1); exit 1; }; }
+ fi
+
+-echo "$as_me:$LINENO: checking for skeyaccess in -lskey" >&5
+-echo $ECHO_N "checking for skeyaccess in -lskey... $ECHO_C" >&6
+-if test "${ac_cv_lib_skey_skeyaccess+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lskey $LIBS"
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
+-/* end confdefs.h. */
+-
+-/* Override any gcc2 internal prototype to avoid an error. */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-/* We use char because int might match the return type of a gcc2
+- builtin and then its argument prototype would still apply. */
+-char skeyaccess ();
+-int
+-main ()
+-{
+-skeyaccess ();
+- ;
+- return 0;
+-}
+-_ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+- (eval $ac_link) 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+- (eval $ac_try) 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; } &&
+- { ac_try='test -s conftest$ac_exeext'
+- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+- (eval $ac_try) 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; }; then
+- ac_cv_lib_skey_skeyaccess=yes
+-else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-ac_cv_lib_skey_skeyaccess=no
+-fi
+-rm -f conftest.err conftest.$ac_objext \
+- conftest$ac_exeext conftest.$ac_ext
+-LIBS=$ac_check_lib_save_LIBS
+-fi
+-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyaccess" >&5
+-echo "${ECHO_T}$ac_cv_lib_skey_skeyaccess" >&6
+-if test $ac_cv_lib_skey_skeyaccess = yes; then
+- cat >>confdefs.h <<\_ACEOF
+-#define HAVE_SKEYACCESS 1
+-_ACEOF
+-
+-fi
+-
+-echo "$as_me:$LINENO: checking for skeyinfo in -lskey" >&5
+-echo $ECHO_N "checking for skeyinfo in -lskey... $ECHO_C" >&6
+-if test "${ac_cv_lib_skey_skeyinfo+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lskey $LIBS"
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
+-/* end confdefs.h. */
+-
+-/* Override any gcc2 internal prototype to avoid an error. */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-/* We use char because int might match the return type of a gcc2
+- builtin and then its argument prototype would still apply. */
+-char skeyinfo ();
+-int
+-main ()
+-{
+-skeyinfo ();
+- ;
+- return 0;
+-}
+-_ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+- (eval $ac_link) 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+- (eval $ac_try) 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; } &&
+- { ac_try='test -s conftest$ac_exeext'
+- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+- (eval $ac_try) 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; }; then
+- ac_cv_lib_skey_skeyinfo=yes
+-else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-ac_cv_lib_skey_skeyinfo=no
+-fi
+-rm -f conftest.err conftest.$ac_objext \
+- conftest$ac_exeext conftest.$ac_ext
+-LIBS=$ac_check_lib_save_LIBS
+-fi
+-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyinfo" >&5
+-echo "${ECHO_T}$ac_cv_lib_skey_skeyinfo" >&6
+-if test $ac_cv_lib_skey_skeyinfo = yes; then
+- cat >>confdefs.h <<\_ACEOF
+-#define HAVE_SKEYINFO 1
+-_ACEOF
+-
+-else
+- echo "$as_me:$LINENO: checking for skeylookup in -lskey" >&5
+-echo $ECHO_N "checking for skeylookup in -lskey... $ECHO_C" >&6
+-if test "${ac_cv_lib_skey_skeylookup+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lskey $LIBS"
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
+-/* end confdefs.h. */
+-
+-/* Override any gcc2 internal prototype to avoid an error. */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-/* We use char because int might match the return type of a gcc2
+- builtin and then its argument prototype would still apply. */
+-char skeylookup ();
+-int
+-main ()
+-{
+-skeylookup ();
+- ;
+- return 0;
+-}
+-_ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+- (eval $ac_link) 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+- (eval $ac_try) 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; } &&
+- { ac_try='test -s conftest$ac_exeext'
+- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+- (eval $ac_try) 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; }; then
+- ac_cv_lib_skey_skeylookup=yes
+-else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-ac_cv_lib_skey_skeylookup=no
+-fi
+-rm -f conftest.err conftest.$ac_objext \
+- conftest$ac_exeext conftest.$ac_ext
+-LIBS=$ac_check_lib_save_LIBS
+-fi
+-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeylookup" >&5
+-echo "${ECHO_T}$ac_cv_lib_skey_skeylookup" >&6
+-if test $ac_cv_lib_skey_skeylookup = yes; then
+- cat >>confdefs.h <<\_ACEOF
+-#define HAVE_SKEYLOOKUP 1
+-_ACEOF
+-
+-fi
+-
+-
+-fi
+-
+
+ hold_ldflags=$LDFLAGS
+ echo "$as_me:$LINENO: checking for the ld -shared flag" >&5
+@@ -4041,7 +3758,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -4099,7 +3817,8 @@
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+@@ -4747,14 +4466,6 @@
+ s,@ECHO_N@,$ECHO_N,;t t
+ s,@ECHO_T@,$ECHO_T,;t t
+ s,@LIBS@,$LIBS,;t t
+-s,@build@,$build,;t t
+-s,@build_cpu@,$build_cpu,;t t
+-s,@build_vendor@,$build_vendor,;t t
+-s,@build_os@,$build_os,;t t
+-s,@host@,$host,;t t
+-s,@host_cpu@,$host_cpu,;t t
+-s,@host_vendor@,$host_vendor,;t t
+-s,@host_os@,$host_os,;t t
+ s,@CC@,$CC,;t t
+ s,@CFLAGS@,$CFLAGS,;t t
+ s,@LDFLAGS@,$LDFLAGS,;t t
+@@ -4945,6 +4656,11 @@
+ *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
+ esac
+
++ if test x"$ac_file" != x-; then
++ { echo "$as_me:$LINENO: creating $ac_file" >&5
++echo "$as_me: creating $ac_file" >&6;}
++ rm -f "$ac_file"
++ fi
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+@@ -4983,12 +4699,6 @@
+ fi;;
+ esac
+ done` || { (exit 1); exit 1; }
+-
+- if test x"$ac_file" != x-; then
+- { echo "$as_me:$LINENO: creating $ac_file" >&5
+-echo "$as_me: creating $ac_file" >&6;}
+- rm -f "$ac_file"
+- fi
+ _ACEOF
+ cat >>$CONFIG_STATUS <<_ACEOF
+ sed "$ac_vpsub
+diff -Nur pam_skey-1.1.4/defs.h.in pam_skey/defs.h.in
+--- pam_skey-1.1.4/defs.h.in 2005-06-18 14:36:18.000000000 +0200
++++ pam_skey/defs.h.in 2006-03-06 09:26:55.000000000 +0100
+@@ -1,96 +1,49 @@
+-/* defs.h.in. Generated from configure.in by autoheader. */
+-/* Define if we can include both string.h and strings.h */
+-#undef STRING_WITH_STRINGS
+-
+-/* Define if you have Linux */
+-#undef LINUX
+-
+-/* Define if you have *BSD */
+-#undef BSD
++/* defs.h.in. Generated automatically from configure.in by autoheader. */
+
+-/* Define if not missing skeyaccess() */
+-#undef HAVE_SKEYACCESS
+-
+-/* Define if not missing skeyinfo() */
+-#undef HAVE_SKEYINFO
++/* Define if you have the ANSI C header files. */
++#undef STDC_HEADERS
+
+-/* Define if you have skeylookup() instead of skeyinfo() */
+-#undef HAVE_SKEYLOOKUP
++/* Define if we can include both string.h and strings.h */
++#undef STRING_WITH_STRINGS
+
+-/* Define to 1 if you have the `fprintf' function. */
++/* Define if you have the fprintf function. */
+ #undef HAVE_FPRINTF
+
+-/* Define to 1 if you have the <inttypes.h> header file. */
+-#undef HAVE_INTTYPES_H
++/* Define if you have the gethostbyname function. */
++#undef HAVE_GETHOSTBYNAME
+
+-/* Define to 1 if you have the `nsl' library (-lnsl). */
+-#undef HAVE_LIBNSL
++/* Define if you have the snprintf function. */
++#undef HAVE_SNPRINTF
+
+-/* Define to 1 if you have the `socket' library (-lsocket). */
+-#undef HAVE_LIBSOCKET
++/* Define if you have the strncmp function. */
++#undef HAVE_STRNCMP
+
+-/* Define to 1 if you have the <memory.h> header file. */
+-#undef HAVE_MEMORY_H
++/* Define if you have the syslog function. */
++#undef HAVE_SYSLOG
+
+-/* Define to 1 if you have the <pwd.h> header file. */
++/* Define if you have the <pwd.h> header file. */
+ #undef HAVE_PWD_H
+
+-/* Define to 1 if you have the <security/pam_appl.h> header file. */
++/* Define if you have the <security/pam_appl.h> header file. */
+ #undef HAVE_SECURITY_PAM_APPL_H
+
+-/* Define to 1 if you have the <security/pam_modules.h> header file. */
++/* Define if you have the <security/pam_modules.h> header file. */
+ #undef HAVE_SECURITY_PAM_MODULES_H
+
+-/* Define to 1 if you have the `snprintf' function. */
+-#undef HAVE_SNPRINTF
+-
+-/* Define to 1 if you have the <stdint.h> header file. */
+-#undef HAVE_STDINT_H
+-
+-/* Define to 1 if you have the <stdlib.h> header file. */
++/* Define if you have the <stdlib.h> header file. */
+ #undef HAVE_STDLIB_H
+
+-/* Define to 1 if you have the <strings.h> header file. */
+-#undef HAVE_STRINGS_H
+-
+-/* Define to 1 if you have the <string.h> header file. */
++/* Define if you have the <string.h> header file. */
+ #undef HAVE_STRING_H
+
+-/* Define to 1 if you have the `strncmp' function. */
+-#undef HAVE_STRNCMP
+-
+-/* Define to 1 if you have the `syslog' function. */
+-#undef HAVE_SYSLOG
+-
+-/* Define to 1 if you have the <syslog.h> header file. */
+-#undef HAVE_SYSLOG_H
+-
+-/* Define to 1 if you have the <sys/stat.h> header file. */
+-#undef HAVE_SYS_STAT_H
++/* Define if you have the <strings.h> header file. */
++#undef HAVE_STRINGS_H
+
+-/* Define to 1 if you have the <sys/syslog.h> header file. */
++/* Define if you have the <sys/syslog.h> header file. */
+ #undef HAVE_SYS_SYSLOG_H
+
+-/* Define to 1 if you have the <sys/types.h> header file. */
++/* Define if you have the <sys/types.h> header file. */
+ #undef HAVE_SYS_TYPES_H
+
+-/* Define to 1 if you have the <unistd.h> header file. */
+-#undef HAVE_UNISTD_H
+-
+-/* Define to the address where bug reports for this package should be sent. */
+-#undef PACKAGE_BUGREPORT
+-
+-/* Define to the full name of this package. */
+-#undef PACKAGE_NAME
+-
+-/* Define to the full name and version of this package. */
+-#undef PACKAGE_STRING
+-
+-/* Define to the one symbol short name of this package. */
+-#undef PACKAGE_TARNAME
+-
+-/* Define to the version of this package. */
+-#undef PACKAGE_VERSION
+-
+-/* Define to 1 if you have the ANSI C header files. */
+-#undef STDC_HEADERS
++/* Define if you have the <syslog.h> header file. */
++#undef HAVE_SYSLOG_H
+diff -Nur pam_skey-1.1.4/pam_skey.c pam_skey/pam_skey.c
+--- pam_skey-1.1.4/pam_skey.c 2005-06-18 14:36:18.000000000 +0200
++++ pam_skey/pam_skey.c 2006-03-06 09:26:55.000000000 +0100
+@@ -1,5 +1,6 @@
+ /*
+- * (c) 2001 Dinko Korunic, kreator@srce.hr
++ * Rewrite (c) 2005 Dani Church, dani.church@gmail.com
++ * Original (c) 2001 Dinko Korunic, kreator@srce.hr
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+@@ -33,272 +34,146 @@
+ #include <pwd.h>
+ #include <sys/types.h>
+ #include <syslog.h>
++#include <ctype.h>
+
+ #define PAM_EXTERN extern
+ #undef PAM_STATIC
+
+ #include <security/pam_appl.h>
+ #include <security/pam_modules.h>
++#include <security/_pam_macros.h>
+
+ #include "skey.h"
+ #include "pam_skey.h"
+ #include "misc.h"
+
++#define LOGDEBUG(x) if (mod_opt & _MOD_DEBUG) { syslog x ;}
++#define QUERY_USERNAME NULL /* Use default username prompt */
++#define QUERY_PASSWORD "Password: "
++#define QUERY_RESPONSE_OR_PASSWORD "S/Key response or system password: "
++#define QUERY_RESPONSE "S/Key response: "
++
+ PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+ {
+ return PAM_SUCCESS;
+ }
+
++/*
++ * The authentication module will return the following status codes:
++ * PAM_SUCCESS: Successful authentication via S/Key.
++ * PAM_IGNORE: The user doesn't have S/Key or doesn't want to use it.
++ * Continue with the next module, using try_first_pass.
++ * PAM_AUTH_ERR: The user asked to use S/Key, but failed the authentication.
++ * Don't try any more PAM modules.
++ * others: random errors, try next authentication method
++ */
++
+ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+ {
+- char challenge[CHALLENGE_MAXSIZE]; /* challenge to print in conv */
+- char msg_text[PAM_MAX_MSG_SIZE]; /* text for pam conv */
+- char *username = NULL; /* username spacer */
++ const char *challenge; /* challenge to print in conv */
++ const char *username = NULL; /* username spacer */
+ char *response = NULL; /* response spacer */
+- struct skey skey; /* structure that contains skey information */
+ int status; /* return status spacer */
+- unsigned mod_opt = _MOD_NONE_ON; /* module options */
++ unsigned mod_opt=_MOD_NONE_ON; /* module options */
+
+ /* Get module options */
+ mod_getopt(&mod_opt, argc, argv);
+
+- /* Get username */
+-#if defined LINUX || defined BSD
+- if (pam_get_user(pamh, (const char **)&username, "login:")
+-#else
+- if (pam_get_user(pamh, (char **)&username, "login:")
+-#endif
+- != PAM_SUCCESS)
+- {
+- fprintf(stderr, "cannot determine username\n");
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "cannot determine username");
+- return PAM_USER_UNKNOWN;
+- }
+-
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "got username %s", username);
+-
+-#ifdef HAVE_SKEYACCESS
+- /* Check S/Key access permissions - user, host and port. Also include
+- * sanity checks */
+- if (mod_opt & _MOD_ACCESS_CHECK)
+- {
+- char *host; /* points to host */
+- char *port; /* points to port */
+- struct passwd *pwuser; /* structure for getpw() */
+-
+- /* Get host.. */
+-#if defined LINUX || defined BSD
+- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host)
+-#else
+- if (pam_get_item(pamh, PAM_RHOST, (void **)&host)
+-#endif
+- != PAM_SUCCESS)
+- host = NULL; /* couldn't get host */
+- /* ..and port */
+-#if defined LINUX || defined BSD
+- if (pam_get_item(pamh, PAM_TTY, (const void **)&port)
+-#else
+- if (pam_get_item(pamh, PAM_TTY, (void **)&port)
+-#endif
+- != PAM_SUCCESS)
+- port = NULL; /* couldn't get port */
+-
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "checking s/key access for user %s,"
+- " host %s, port %s", username,
+- (host != NULL) ? host : "*unknown*",
+- (port != NULL) ? port : "*unknown*");
+-
+- /* Get information from passwd file */
+- if ((pwuser = getpwnam(username)) == NULL)
+- {
+- fprintf(stderr, "no such user\n");
+- syslog(LOG_NOTICE, "cannot find user %s", username);
+- return PAM_USER_UNKNOWN; /* perhaps even return PAM_ABORT here? */
++ /* Get username (taken mainly from pam_unix) */
++ status = pam_get_user(pamh, &username, QUERY_USERNAME);
++ if (status == PAM_SUCCESS) {
++ if (username == NULL || !isalnum(*username)) {
++ syslog(LOG_ERR, "bad username [%s]", username);
++ return PAM_USER_UNKNOWN;
+ }
++ LOGDEBUG((LOG_DEBUG, "username [%s] obtained", username));
++ } else {
++ LOGDEBUG((LOG_DEBUG, "trouble reading username"));
++ if (status == PAM_CONV_AGAIN)
++ return PAM_INCOMPLETE;
++ return status;
++ }
+
+- /* Do actual checking - we assume skeyaccess() returns PERMIT which is
+- * by default 1. Notice 4th argument is NULL - we will not perform
+- * address checks on host itself */
+- if (skeyaccess(pwuser, port, host, NULL) != 1)
+- {
+- fprintf(stderr, "no s/key access permissions\n");
+- syslog(LOG_NOTICE, "no s/key access permissions for %s",
+- username);
+- return PAM_AUTH_ERR;
+- }
++ /* Check whether or not this user has an S/Key */
++ if (skey_haskey(username) != 0) {
++ LOGDEBUG((LOG_DEBUG, "user [%s] has no S/Key entry", username));
++ return PAM_IGNORE;
+ }
+- else
+
+-#endif /* HAVE_SKEYACCESS */
+-
+- /* Only do check whether user has passwd entry */
+- if (getpwnam(username) == NULL)
+- {
+- fprintf(stderr, "no such user\n");
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "cannot find user %s",
+- username);
+- return PAM_USER_UNKNOWN;
++ if ((mod_opt & _MOD_TRY_FIRST_PASS) || (mod_opt & _MOD_USE_FIRST_PASS)) {
++ status = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &response);
++ if (status != PAM_SUCCESS) {
++ syslog(LOG_ALERT, "pam_get_item returned error to pam_skey");
++ return status;
++ } else if (response != NULL) {
++ if (skey_passcheck(username, response) != -1) {
++ return PAM_SUCCESS;
++ } else if (mod_opt & _MOD_USE_FIRST_PASS) {
++ return PAM_IGNORE;
++ }
++ } else if (mod_opt & _MOD_USE_FIRST_PASS) {
++ return PAM_AUTHTOK_RECOVER_ERR;
+ }
+-
+- /* Get S/Key information on user with skeyinfo() */
+-#ifdef HAVE_SKEYINFO
+- switch (skeyinfo(&skey, username, NULL))
+-#else
+-#ifdef HAVE_SKEYLOOKUP
+- switch (skeylookup(&skey, username))
+-#endif /* HAVE_SKEYLOOKUP */
+-#endif /* HAVE_SKEYINFO */
+- {
+- /* 0: OK */
+- case 0:
+- break;
+- /* -1: File error */
+- case -1:
+-#if 0
+- /* XXX- This seems broken in (at least) logdaemon-5.8. It returns -1
+- * when user not found in keyfile. -kre */
+- fprintf(stderr, "s/key database error\n");
+- syslog(LOG_NOTICE, "s/key database error");
+- return PAM_AUTH_ERR;
+-#endif
+- /* 1: No such user in database */
+- case 1:
+- /* We won't confuse the ordinary user telling him about missing skeys
+- * -kre */
+-#if 0
+- fprintf(stderr, "no s/key for %s\n", username);
+-#endif
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "no s/key for %s\n", username);
+- return PAM_AUTH_ERR;
+ }
+-
+- /* Make challenge string */
+-#if defined(SKEY_MAX_HASHNAME_LEN) && defined(SKEY_MAX_SEED_LEN)
+- snprintf(challenge, CHALLENGE_MAXSIZE, "otp-%.*s %d %.*s",
+- SKEY_MAX_HASHNAME_LEN, skey_get_algorithm(), skey.n - 1, SKEY_MAX_SEED_LEN, skey.seed);
+-#else
+- snprintf(challenge, CHALLENGE_MAXSIZE, "s/key %d %s",
+- skey.n - 1, skey.seed);
+-#endif
+-
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "got challenge %s for %s", challenge,
+- username);
+-
+- /* Read response from last module's PAM_AUTHTOK */
+- if (mod_opt & _MOD_USE_FIRST_PASS)
+- {
+- /* Try to extract authtoken */
+-#if defined LINUX || defined BSD
+- if (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&response)
+-#else
+- if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&response)
+-#endif
+- != PAM_SUCCESS)
+- {
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "could not get PAM_AUTHTOK");
+- mod_opt &= ~_MOD_USE_FIRST_PASS;
++
++ if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
++ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_PASSWORD, 0, &response);
++ if (status != PAM_SUCCESS) {
++ _pam_delete(response)
++ return status;
+ }
+- else
+- {
+- /* Got AUTHTOK, but it was empty */
+- if (empty_authtok(response))
+- {
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "empty PAM_AUTHTOK");
+- mod_opt &= ~_MOD_USE_FIRST_PASS;
+- }
+- else
+- /* All OK, print challenge information */
+- fprintf(stderr, "challenge %s\n", challenge);
++ if (strcasecmp(response,"s/key")!=0) {
++ status = pam_set_item(pamh, PAM_AUTHTOK, response);
++ if (status != PAM_SUCCESS)
++ return status;
++ return PAM_IGNORE;
+ }
++ _pam_delete(response);
+ }
+
+- /* There was no PAM_AUTHTOK, or there was no such option in pam-conf
+- * file */
+- if (!(mod_opt & _MOD_USE_FIRST_PASS))
+- {
+- /* Prepare a complete message for conversation */
+- snprintf(msg_text, PAM_MAX_MSG_SIZE,
+- "challenge %s\npassword: ", challenge);
+-
+- /* Talk with user */
+- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response)
+- != PAM_SUCCESS)
+- return PAM_SERVICE_ERR;
+-
+- /* Simulate standard S/Key login procedure - if empty token, turn on
+- * ECHO and prompt again */
+- if (empty_authtok(response) && !(mod_opt & _MOD_ONLY_ONE_TRY))
+- {
+- /* Was there echo off? */
+- if (mod_opt & _MOD_ECHO_OFF)
+- {
+- _pam_delete(response);
+- fprintf(stderr, "(turning echo on)\n");
+- mod_opt &= ~_MOD_ECHO_OFF;
+-
+- /* Prepare a complete message for conversation */
+- snprintf(msg_text, PAM_MAX_MSG_SIZE, "password: ");
+-
+- /* Talk with user */
+- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response)
+- != PAM_SUCCESS)
+- return PAM_SERVICE_ERR;
+-
+- /* Got again empty response. Bailout and don't save auth token */
+- if (empty_authtok(response))
+- return PAM_AUTH_ERR;
+- }
+- else
+- /* There was echo on already - just get out and don't save auth token
+- * for other modules */
+- return PAM_AUTH_ERR;
+- }
++ challenge = skey_keyinfo(username);
++ if (challenge == NULL) {
++ syslog(LOG_ALERT, "Could not retrieve S/Key challenge for [%s]", username);
++ return PAM_AUTHINFO_UNAVAIL;
++ }
+
+- /* XXX - ECHO ON puts '\n' at the end in Solaris 2.7! This is
+- * cludge to get rid of this nasty `feature' -kre */
+- _pam_degarbage(response);
+-
+- /* Store auth token - that next module can use with `use_first_pass' */
+- if (pam_set_item(pamh, PAM_AUTHTOK, response) != PAM_SUCCESS)
+- {
+- syslog(LOG_NOTICE, "unable to save auth token");
+- return PAM_SERVICE_ERR;
+- }
++ if (mod_opt & _MOD_NO_DEFAULT_SKEY)
++ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response);
++ else
++ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response);
+
+- /* cleanup conversation */
++ if (status != PAM_SUCCESS)
++ return status;
++
++ if (*response == '\0') {
+ _pam_delete(response);
+- }
+-
+- /* Verify S/Key */
+- status = skeyverify(&skey, response);
++ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_RESPONSE, 1, &response);
++ if (status != PAM_SUCCESS)
++ return status;
++ status = pam_set_item(pamh, PAM_AUTHTOK, response);
++ status = skey_passcheck(username, response);
++ _pam_delete(response);
++ if (status != -1)
++ return PAM_SUCCESS;
++ return PAM_AUTH_ERR;
++ }
+
+- switch (status)
+- {
+- /* 0: Verify successful, database updated */
+- case 0:
+- break;
+- /* -1: Error of some sort; database unchanged */
+- /* 1: Verify failed, database unchanged */
+- case -1:
+- case 1:
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "verify for %s failed, database"
+- " unchanged", username);
+- return PAM_AUTH_ERR;
++ status = pam_set_item(pamh, PAM_AUTHTOK, response);
++ status = skey_passcheck(username, response);
++ if (status != -1) {
++ _pam_delete(response);
++ return PAM_SUCCESS;
++ }
++
++ if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
++ _pam_delete(response);
++ return PAM_AUTH_ERR;
+ }
+
+- /* Success by default */
+- return PAM_SUCCESS;
++ status = pam_set_item(pamh, PAM_AUTHTOK, response);
++ return PAM_IGNORE;
+ }
+
+ /* Get module optional parameters */
+@@ -332,50 +207,43 @@
+ }
+
+ /* This will talk to user through PAM_CONV */
+-static int mod_talk_touser(pam_handle_t *pamh, unsigned *mod_opt,
+- char *msg_text, char **response)
++static int mod_talk_touser(pam_handle_t *pamh, unsigned mod_opt,
++ const char *info_text, const char *prompt_text, int echo_on, char **response)
+ {
+- struct pam_message message;
+- const struct pam_message *pmessage = &message;
++ struct pam_message message[2], *pmessage[2];
+ struct pam_conv *conv = NULL;
+ struct pam_response *presponse = NULL;
+-
++ int i=0;
++
+ /* Better safe than sorry */
+ *response = NULL;
+
+ /* Be paranoid */
+ memset(&message, 0, sizeof(message));
+
+- /* Turn on/off PAM echo */
+- if (*mod_opt & _MOD_ECHO_OFF)
+- message.msg_style = PAM_PROMPT_ECHO_OFF;
+- else
+- message.msg_style = PAM_PROMPT_ECHO_ON;
++ pmessage[0] = &message[0];
++ pmessage[1] = &message[1];
++
++ /* Set info text, if any */
++ if (info_text) {
++ message[i].msg = info_text;
++ message[i].msg_style = PAM_TEXT_INFO;
++ i++;
++ }
+
+- /* Point to conversation text */
+- message.msg = msg_text;
++ /* Set prompt text */
++ message[i].msg = prompt_text;
++ message[i].msg_style = echo_on ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
++ i++;
+
+ /* Do conversation and see if all is OK */
+-#if defined LINUX || defined BSD
+- if (pam_get_item(pamh, PAM_CONV, (const void **)&conv)
+-#else
+- if (pam_get_item(pamh, PAM_CONV, (void **)&conv)
+-#endif
+- != PAM_SUCCESS)
+- {
+- if (*mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "error in conversation");
++ if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS) {
++ LOGDEBUG((LOG_DEBUG, "error in conversation"));
+ return PAM_SERVICE_ERR;
+ }
+-
+- /* Convert into pam_response - only 1 reply expected */
+-#if defined LINUX || defined BSD
+- if (conv->conv(1, &pmessage, &presponse,
++ /* Convert into pam_response */
++ if (conv->conv(i, (const struct pam_message **)pmessage, &presponse,
+ conv->appdata_ptr)
+-#else
+- if (conv->conv(1, (struct pam_message **)&pmessage, &presponse,
+- conv->appdata_ptr)
+-#endif
+ != PAM_SUCCESS)
+ {
+ _pam_delete(presponse->resp);
+@@ -385,10 +253,10 @@
+ if (presponse != NULL)
+ {
+ /* Save address */
+- *response = presponse->resp;
++ *response = presponse[i-1].resp;
+ /* To ensure that response address will not be erased */
+- presponse->resp = NULL;
+- _pam_drop(presponse);
++ presponse[i-1].resp = NULL;
++ _pam_drop_reply(presponse,i);
+ }
+ else
+ return PAM_SERVICE_ERR;
+diff -Nur pam_skey-1.1.4/pam_skey.h pam_skey/pam_skey.h
+--- pam_skey-1.1.4/pam_skey.h 2005-06-18 14:36:18.000000000 +0200
++++ pam_skey/pam_skey.h 2006-03-06 09:26:55.000000000 +0100
+@@ -22,29 +22,25 @@
+ */
+
+ /* Prototypes */
+-#ifndef BSD
+-extern int skeyinfo(struct skey *, char *, char *); /* ORGH! Not in skey.h */
+-#endif
+-
+ static void mod_getopt(unsigned *, int, const char **);
+-static int mod_talk_touser(pam_handle_t *, unsigned *, char *, char **);
++static int mod_talk_touser(pam_handle_t *, unsigned, const char *, const char *, int, char **);
+
+ /* free() macro */
+-#define _pam_drop(X) \
++/*#define _pam_drop(X) \
+ if (X != NULL) \
+ { \
+ free(X); \
+ X = NULL; \
+-}
++}*/
+
+ /* Secure overwrite */
+-#define _pam_overwrite(x) \
++/*#define _pam_overwrite(x) \
+ { \
+ register char *__xx__; \
+ if ((__xx__ = (x))) \
+ while (*__xx__) \
+ *__xx__++ = '\0'; \
+-}
++}*/
+
+ /* Drop-in secure replacement - we do not want cleartext passwords lying
+ * scattered around */
+@@ -56,7 +52,7 @@
+
+ /* This will get us rid of first '\n' in response string and cut-off the
+ * rest of the string. It should be ASCIIZ, of course */
+-#define _pam_degarbage(x) \
++/*#define _pam_degarbage(x) \
+ { \
+ register char *__xx__; \
+ if ((__xx__ = (x))) \
+@@ -70,30 +66,25 @@
+ else \
+ __xx__++; \
+ } \
+-}
++}*/
+
+ /* Handy empty AUTHTOK macro */
+ #define empty_authtok(a) (a == NULL || !*a || *a == '\n')
+
+-/* Maximum challenge size. It should be 64, but be sure */
+-#define CHALLENGE_MAXSIZE 128
+-
+ /* Define module flags */
+-#define _MOD_NONE_ON 0x0000 /* Generic flag */
+-#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */
+-#define _MOD_DEBUG 0x0001 /* Debugging options on */
+-#define _MOD_ECHO_OFF 0x0002 /* PAM_ECHO_OFF */
+-#define _MOD_ACCESS_CHECK 0x0004 /* Check S/Key access permissions */
+-#define _MOD_USE_FIRST_PASS 0x0008 /* Use PAM_AUTHTOK */
+-#define _MOD_ONLY_ONE_TRY 0x0010 /* Only one try, no matter of echo */
+-#define _MOD_SPACER 0x0020 /* Currently unused */
++#define _MOD_NONE_ON 0x0000 /* Generic flag */
++#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */
++#define _MOD_DEBUG 0x0001 /* Debugging options on */
++#define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */
++#define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */
++#define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */
+
+ /* Setup defaults - use echo off only */
+-#define _MOD_DEFAULT_FLAG _MOD_ECHO_OFF
++#define _MOD_DEFAULT_FLAG _MOD_NONE_ON
+ #define _MOD_DEFAULT_MASK _MOD_ALL_ON
+
+ /* Number of parameters currently known */
+-#define _MOD_ARGS 8
++#define _MOD_ARGS 4
+
+ /* Structure for flexible argument parsing */
+ typedef struct
+@@ -108,11 +99,7 @@
+ {
+ /* String Mask Flag */
+ {"debug", _MOD_ALL_ON, _MOD_DEBUG},
+- {"echo=off", _MOD_ALL_ON, _MOD_ECHO_OFF},
+- {"echo=on", _MOD_ALL_ON^_MOD_ECHO_OFF, _MOD_NONE_ON},
+- {"access_check=on", _MOD_ALL_ON, _MOD_ACCESS_CHECK},
+- {"access_check=off", _MOD_ALL_ON^_MOD_ACCESS_CHECK, _MOD_NONE_ON},
++ {"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS},
+ {"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS},
+- {"try_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS},
+- {"only_one_try", _MOD_ALL_ON, _MOD_ONLY_ONE_TRY}
++ {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY}
+ };
+diff -Nur pam_skey-1.1.4/pam_skey_access.c pam_skey/pam_skey_access.c
+--- pam_skey-1.1.4/pam_skey_access.c 2005-06-18 14:36:18.000000000 +0200
++++ pam_skey/pam_skey_access.c 1970-01-01 01:00:00.000000000 +0100
+@@ -1,161 +0,0 @@
+-/*
+- * (c) 2001 Dinko Korunic, kreator@srce.hr
+- *
+- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+- *
+- * S/KEY is a trademark of Bellcore.
+- * Mink is the former name of the S/KEY authentication system.
+- *
+- * Programs that had some influence in development of this source:
+- * Wietse Venema's logdaemon package
+- * Olaf Kirch's Linux S/Key package
+- * Linux-PAM modules and templates
+- * Wyman Miles' pam_securid module
+- *
+- * Should you choose to use and/or modify this source code, please do so
+- * under the terms of the GNU General Public License under which this
+- * program is distributed.
+- */
+-
+-static char rcsid[] = "$Id: pam_skey_access.c,v 1.2 2005/06/18 12:36:18 kreator Exp $";
+-
+-#include "defs.h"
+-
+-#include <stdio.h>
+-#include <stdlib.h>
+-#include <string.h>
+-#ifdef STRING_WITH_STRINGS
+-# include <strings.h>
+-#endif
+-#include <unistd.h>
+-#include <pwd.h>
+-#include <sys/types.h>
+-#include <syslog.h>
+-
+-#define PAM_EXTERN extern
+-#undef PAM_STATIC
+-
+-#include <security/pam_appl.h>
+-#include <security/pam_modules.h>
+-
+-#include "skey.h"
+-#include "pam_skey.h"
+-#include "misc.h"
+-
+-PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags,
+- int argc, const char **argv)
+-{
+- return PAM_SUCCESS;
+-}
+-
+-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+- int argc, const char **argv)
+-{
+- char *username = NULL; /* will point to username */
+- unsigned mod_opt = _MOD_NONE_ON; /* module options */
+- char *host; /* will point to host */
+- char *port; /* will point to port */
+- struct passwd *pwuser;
+-
+- /* Get module options */
+- mod_getopt(&mod_opt, argc, argv);
+-
+- /* Get username */
+-#if defined LINUX || defined BSD
+- if (pam_get_user(pamh, (const char **)&username, "login:")!=PAM_SUCCESS)
+-#else
+- if (pam_get_user(pamh, (char **)&username, "login:")!=PAM_SUCCESS)
+-#endif
+- {
+- fprintf(stderr, "cannot determine username\n");
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "cannot determine username");
+- return PAM_AUTHINFO_UNAVAIL;
+- }
+-
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "got username %s", username);
+-
+- /* Check S/Key access permissions - user, host and port. Also include
+- * sanity checks */
+- /* Get host.. */
+-#if defined LINUX || defined BSD
+- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host)
+-#else
+- if (pam_get_item(pamh, PAM_RHOST, (void **)&host)
+-#endif
+- != PAM_SUCCESS)
+- host = NULL;
+- /* ..and port */
+-#ifdef LINUX
+- if (pam_get_item(pamh, PAM_TTY, (const void **)&port)
+-#else
+- if (pam_get_item(pamh, PAM_TTY, (void **)&port)
+-#endif
+- != PAM_SUCCESS)
+- port = NULL;
+-
+- if (mod_opt & _MOD_DEBUG)
+- syslog(LOG_DEBUG, "checking s/key access for user %s,"
+- " host %s, port %s", username,
+- (host != NULL) ? host : "*unknown*",
+- (port != NULL) ? port : "*unknown*");
+-
+- /* Get information from passwd file */
+- if ((pwuser = getpwnam(username)) == NULL)
+- {
+- fprintf(stderr, "no such user\n");
+- syslog(LOG_NOTICE, "cannot find user %s",
+- username);
+- return PAM_AUTHINFO_UNAVAIL;
+- }
+-
+-#ifdef HAVE_SKEYACCESS
+-
+- /* Do actual checking - we assume skeyaccess() returns PERMIT which is
+- * by default 1. Notice 4th argument is NULL - we will not perform
+- * address checks on host itself */
+- if (skeyaccess(pwuser, port, host, NULL) != 1)
+- {
+- fprintf(stderr, "no s/key access permissions\n");
+- syslog(LOG_NOTICE, "no s/key access permissions for %s",
+- username);
+- return PAM_AUTH_ERR;
+- }
+-
+-#endif /* HAVE_SKEYACCESS */
+-
+- return PAM_SUCCESS;
+-}
+-
+-/* Get module optional parameters */
+-static void mod_getopt(unsigned *mod_opt, int mod_argc, const char **mod_argv)
+-{
+- int i;
+-
+- /* Setup runtime defaults */
+- *mod_opt |= _MOD_DEFAULT_FLAG;
+- *mod_opt &= _MOD_DEFAULT_MASK;
+-
+- /* Setup runtime options */
+- while (mod_argc--)
+- {
+- for (i = 0; i < _MOD_ARGS; ++i)
+- {
+- if (mod_args[i].token != NULL &&
+- !strncmp(*mod_argv, mod_args[i].token,
+- strlen(mod_args[i].token)))
+- break;
+- }
+- if (i >= _MOD_ARGS)
+- syslog(LOG_ERR, "unknown option %s", *mod_argv);
+- else
+- {
+- *mod_opt &= mod_args[i].mask; /* Turn off */
+- *mod_opt |= mod_args[i].flag; /* Turn on */
+- }
+- ++mod_argv;
+- }
+-}
+
diff --git a/sys-auth/pam_skey/files/pam_skey-system-auth.pam.d b/sys-auth/pam_skey/files/pam_skey-system-auth.pam.d
new file mode 100644
index 000000000..4a28d8dda
--- /dev/null
+++ b/sys-auth/pam_skey/files/pam_skey-system-auth.pam.d
@@ -0,0 +1,15 @@
+#%PAM-1.0
+
+auth required pam_env.so
+auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so
+auth sufficient pam_unix.so likeauth nullok try_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+password sufficient pam_unix.so nullok md5 shadow use_authtok
+password required pam_deny.so
+
+session required pam_limits.so
+session required pam_unix.so