diff options
author | 2006-07-02 13:21:55 +0000 | |
---|---|---|
committer | 2006-07-02 13:21:55 +0000 | |
commit | e8b00ee86540d72a2115dd9d0c45c5ec6201d14e (patch) | |
tree | 8c1d743a5a81901bf4ca8d1244099c5985e54fb2 /sys-auth/pam_skey/files | |
parent | mail-filter/MailScanner - add missing virtual/cron RDEPEND, quoting, mkdir ->... (diff) | |
download | sunrise-e8b00ee86540d72a2115dd9d0c45c5ec6201d14e.tar.gz sunrise-e8b00ee86540d72a2115dd9d0c45c5ec6201d14e.tar.bz2 sunrise-e8b00ee86540d72a2115dd9d0c45c5ec6201d14e.zip |
sys-auth/pam_skey: move big patch to gentooexperimental.org to fix repoman errors
svn path=/sunrise/; revision=422
Diffstat (limited to 'sys-auth/pam_skey/files')
-rw-r--r-- | sys-auth/pam_skey/files/digest-pam_skey-1.1.4 | 3 | ||||
-rw-r--r-- | sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch | 1706 |
2 files changed, 3 insertions, 1706 deletions
diff --git a/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 b/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 index 82d8fdb41..f337bc101 100644 --- a/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 +++ b/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 @@ -1,3 +1,6 @@ +MD5 975f02a2a796983fa2932bcfe40ae8a9 pam_skey-1.1.4-gentoo.patch.bz2 12842 +RMD160 ad720e27129e528e9c3fb0c0608d892644ac9bf0 pam_skey-1.1.4-gentoo.patch.bz2 12842 +SHA256 bcaf914cea94ac84247f3007d766de054932fbe347bb7f3faaa6a68774e93134 pam_skey-1.1.4-gentoo.patch.bz2 12842 MD5 5e3bbe897bdd665fbe9d3b647455a863 pam_skey-1.1.4.tar.gz 82861 RMD160 ea195cbe4cd188d223d3bb7d0ffc51be0f3fc713 pam_skey-1.1.4.tar.gz 82861 SHA256 625e255e8c7ac27a85e2336d64cec46a83e246fe96e3e851c685dbf870c359bc pam_skey-1.1.4.tar.gz 82861 diff --git a/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch b/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch deleted file mode 100644 index a1403d0d2..000000000 --- a/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch +++ /dev/null @@ -1,1706 +0,0 @@ -diff -Nur pam_skey-1.1.4/INSTALL pam_skey/INSTALL ---- pam_skey-1.1.4/INSTALL 2005-06-18 14:11:24.000000000 +0200 -+++ pam_skey/INSTALL 2006-03-06 09:26:55.000000000 +0100 -@@ -1,5 +1,39 @@ - $Id: INSTALL,v 1.1.1.1 2005/06/18 12:11:24 kreator Exp $ - -+Gentoo patch -+------------ -+Most everything below still holds, though the libraries required are now -+those used by Gentoo. Other S/Key libraries may work with a bit of -+tweaking. -+ -+The options listed for the module below are no longer valid. See the -+Gentoo patch section in README for details. -+ -+The intended method for configuring PAM is by using the newer module -+specification, with a line like: -+ -+auth [success=done ignore=ignore auth_err=die default=bad] /lib/security/pam_skey.so -+ -+This is a combination of the standard "sufficient" and "requisite" -+specifications: -+ -+- If the module returns PAM_SUCCESS, we are authenticated and no other -+ modules should be tested. -+- If the module returns PAM_IGNORE, then the module didn't accept its -+ input as an S/Key response, and the next module should try using -+ the input (using the try_first_pass option). -+- If the module returns PAM_AUTH_ERR, then the module accepted an -+ S/Key input but it was invalid. Do not try any more modules in the -+ stack; the user already chose S/Key authentication. -+- If the module returns any other code, it is a simple error in processing. -+ Set the error flag but try other modules, just in case. -+ -+The module is intended to be placed before another authentication module, -+like pam_unix.so; if not, it should be placed before pam_deny.so. -+ -+If the newer module specification is unavailable in your version of PAM, -+the "sufficient" specification will work. -+ - Required - -------- - For building this package you will probably need original Wietse Venema's -diff -Nur pam_skey-1.1.4/Makefile.in pam_skey/Makefile.in ---- pam_skey-1.1.4/Makefile.in 2005-06-18 14:11:24.000000000 +0200 -+++ pam_skey/Makefile.in 2006-03-06 09:26:55.000000000 +0100 -@@ -12,42 +12,26 @@ - LIBS=@LIBS@ @SKEYLIB@ @PAMLIB@ - LDFLAGS=@LDFLAGS@ - --INSTALL=@INSTALL@ -m 644 -+INSTALL=@INSTALL@ -+INSTALL_LIB=${INSTALL} -m 755 - RM=@RM@ -f - CP=@CP@ -f - LN=@LN@ -s - AWK=@AWK@ - --PAM_FILES=pam_skey.so.1 pam_skey_access.so.1 -+PAM_FILES=pam_skey.so - - all: $(PAM_FILES) - --pam_skey.so.1: pam_skey.o -- $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS) -- --pam_skey_access.so.1: pam_skey_access.o -+pam_skey.so: pam_skey.o - $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS) - - lint-pam_skey: - lclint $(CFLAGS) pam_skey.c - --lint-pam_skey_access: -- lclint $(CFLAGS) pam_skey_access.c -- --install: -- @if test ! -d $(INSTALLDIR); then \ -- echo "Missing $(INSTALLDIR). Problem with PAM installation?"; \ -- else \ -- for file in $(PAM_FILES); do \ -- if test ! -f "$(INSTALLDIR)/$$file"; then \ -- echo "Installing $$file in $(INSTALLDIR)"; \ -- $(INSTALL) "$$file" "$(INSTALLDIR)/$$file"; \ -- (cd $(INSTALLDIR) && $(LN) "$$file" `echo $$file | cut -d. -f1,2`); \ -- else \ -- echo "$$file exists - will not overwrite it"; \ -- fi \ -- done \ -- fi -+install: all -+ $(INSTALL) -d $(INSTALLDIR) -+ $(INSTALL_LIB) $(PAM_FILES) $(INSTALLDIR) - - clean: - $(RM) a.out core *.so.1 *.o *.bak -diff -Nur pam_skey-1.1.4/README pam_skey/README ---- pam_skey-1.1.4/README 2005-06-18 14:36:18.000000000 +0200 -+++ pam_skey/README 2006-03-06 09:26:55.000000000 +0100 -@@ -1,5 +1,77 @@ - $Id: README,v 1.2 2005/06/18 12:36:18 kreator Exp $ - -+Gentoo patch -+------------ -+ -+The Gentoo pam_skey patch changes the original module in a number of ways. -+The behavior of the module is changed to make it more consistent with the -+PAM design, and several changes were made throughout the code to make the -+module interact better with the skey library used by Gentoo. Many of -+these changes will break pam_skey's compatibility with other systems and -+libraries, but this is, after all, the Gentoo patch. -+ -+A (not necessarily) exhaustive list of the changes is as follows: -+- pam_skey_access.so is completely removed, since the Gentoo skey library -+ does not support the skey_access() call. -+- The pam_skey.so authentication code is completely rewritten. The -+ original code contained many references to the standard I/O library -+ (writing to stderr, etc.), as well as inconsistent communication with -+ the PAM libraries. Also, the authentication process is different, as -+ described below. -+- The options accepted by the pam_skey.so module are different, as -+ described below. -+ -+Four options are accepted by the pam_skey.so module: -+ debug - This option turns on debug logging. -+ try_first_pass - This option tells the module to first try using -+ the authentication token passed from the -+ previous module as an S/Key response, before -+ informing the user of the challenge. If the -+ token is not valid, the module will proceed with -+ the standard process of challenging the user -+ and requesting a response, subject to the -+ no_default_skey option below. -+ use_first_pass - This option is identical to the try_first_pass -+ option, except that if the token is not valid, -+ it will return silently without challenging the -+ user. -+ no_default_skey - This flag changes the behavior of pam_skey. -+ Instead of immediately challenging the user with -+ an S/Key challenge, it will present the user with -+ a standard "Password: " prompt. If the user enters -+ the password "s/key" (case insensitive), it will -+ then challenge the user. Any other input will -+ cause the module to pass the given password to the -+ next module in the authentication stack (usually -+ pam_unix.so with the try_first_pass option). -+ -+The exact behavior of pam_skey.so is detailed below: -+ -+1. Retrieve username from PAM, possibly querying the user for it. -+2. If the user does not have any S/Key information, return PAM_IGNORE to -+ proceed to the next module in the stack. -+3. If *_first_pass is enabled, check the given authentication token to see -+ if it is a valid response to the current S/Key challenge. If so, -+ return PAM_SUCCESS. -+ 3a. If the token is invalid and use_first_pass is enabled, return -+ PAM_IGNORE. -+4. If no_default_skey is enabled, issue a "Password: " prompt. -+ 4a. If the response is anything besides "s/key" (case insensitive), -+ store it as the authentication token and return PAM_IGNORE. -+5. Display the current S/Key challenge and request a response, with -+ input not echoed. If no_default_skey is enabled, this will only be -+ an S/Key response request; otherwise, it will request either an -+ S/Key response or a system passsword. -+ 5a. If an empty response is given, request the S/Key response again, -+ this time with input echoed. -+ 5b. If the response is a valid S/Key response, return PAM_SUCCESS. -+ Otherwise, return PAM_AUTHERR. -+6. If the response is a valid S/Key response, return PAM_SUCCESS. -+7. Otherwise, if no_default_skey is enabled (the user specifically -+ requested "s/key" authentication), return PAM_AUTHERR. -+8. Otherwise, store the response as the authentication token and -+ return PAM_IGNORE. -+ - About - ----- - This is complete pam_skey modul as interface to existing S/Key -diff -Nur pam_skey-1.1.4/autoconf/acconfig.h pam_skey/autoconf/acconfig.h ---- pam_skey-1.1.4/autoconf/acconfig.h 2005-06-18 14:11:24.000000000 +0200 -+++ pam_skey/autoconf/acconfig.h 2006-03-06 09:26:55.000000000 +0100 -@@ -1,17 +1,2 @@ - /* Define if we can include both string.h and strings.h */ - #undef STRING_WITH_STRINGS -- --/* Define if you have Linux */ --#undef LINUX -- --/* Define if you have *BSD */ --#undef BSD -- --/* Define if not missing skeyaccess() */ --#undef HAVE_SKEYACCESS -- --/* Define if not missing skeyinfo() */ --#undef HAVE_SKEYINFO -- --/* Define if you have skeylookup() instead of skeyinfo() */ --#undef HAVE_SKEYLOOKUP -diff -Nur pam_skey-1.1.4/autoconf/configure.in pam_skey/autoconf/configure.in ---- pam_skey-1.1.4/autoconf/configure.in 2005-06-18 14:11:24.000000000 +0200 -+++ pam_skey/autoconf/configure.in 2006-03-06 09:26:55.000000000 +0100 -@@ -10,21 +10,9 @@ - AC_LANG_C - AC_LANG_SAVE - --dnl Get system type --AC_CANONICAL_HOST --MYHOST=$host_os --case "$host_os" in --*linux*) -- AC_DEFINE(LINUX) -- ;; --*bsd*) -- AC_DEFINE(BSD) -- ;; --esac -- - dnl Package information - PACKAGE=pam_skey --VERSION=1.1 -+VERSION=1.4r1 - - dnl Standard installation path - AC_PREFIX_DEFAULT(/usr) -@@ -65,13 +53,9 @@ - AC_ARG_WITH(skey-inc, [ --with-skey-inc=DIR Directory containing skey include files], CFLAGS="${CFLAGS} -I${withval}") - - dnl Check for skey library --AC_CHECK_LIB(socket, socket) --AC_CHECK_LIB(nsl, gethostbyname) -+AC_CHECK_LIB(socket, socket, LIBS="${LIBS} -lsocket") -+AC_CHECK_LIB(nsl, gethostbyname, LIBS="${LIBS} -lnsl") - AC_CHECK_LIB(skey, skeyverify, SKEYLIB="-lskey", AC_MSG_ERROR(skey library not found or unknown interface)) --AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS)) --AC_CHECK_LIB(skey, skeyinfo, AC_DEFINE(HAVE_SKEYINFO), -- AC_CHECK_LIB(skey, skeylookup, AC_DEFINE(HAVE_SKEYLOOKUP)) --) - - dnl Check against -G linker flag - hold_ldflags=$LDFLAGS -diff -Nur pam_skey-1.1.4/configure pam_skey/configure ---- pam_skey-1.1.4/configure 2005-06-18 14:36:18.000000000 +0200 -+++ pam_skey/configure 2006-03-06 09:27:41.000000000 +0100 -@@ -310,7 +310,7 @@ - # include <unistd.h> - #endif" - --ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS' -+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS' - ac_subst_files='' - - # Initialize some variables set by options. -@@ -720,13 +720,13 @@ - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - srcdir=$ac_confdir -- if test ! -r $srcdir/$ac_unique_file; then -+ if test ! -r "$srcdir/$ac_unique_file"; then - srcdir=.. - fi - else - ac_srcdir_defaulted=no - fi --if test ! -r $srcdir/$ac_unique_file; then -+if test ! -r "$srcdir/$ac_unique_file"; then - if test "$ac_srcdir_defaulted" = yes; then - { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2 - { (exit 1); exit 1; }; } -@@ -735,7 +735,7 @@ - { (exit 1); exit 1; }; } - fi - fi --(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null || -+(cd $srcdir && test -r "./$ac_unique_file") 2>/dev/null || - { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2 - { (exit 1); exit 1; }; } - srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'` -@@ -831,10 +831,6 @@ - _ACEOF - - cat <<\_ACEOF -- --System types: -- --build=BUILD configure for building on BUILD [guessed] -- --host=HOST cross-compile to build programs to run on HOST [BUILD] - _ACEOF - fi - -@@ -948,7 +944,7 @@ - else - echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 - fi -- cd "$ac_popdir" -+ cd $ac_popdir - done - fi - -@@ -1333,78 +1329,8 @@ - - - --# Make sure we can run config.sub. --$ac_config_sub sun4 >/dev/null 2>&1 || -- { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5 --echo "$as_me: error: cannot run $ac_config_sub" >&2;} -- { (exit 1); exit 1; }; } -- --echo "$as_me:$LINENO: checking build system type" >&5 --echo $ECHO_N "checking build system type... $ECHO_C" >&6 --if test "${ac_cv_build+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- ac_cv_build_alias=$build_alias --test -z "$ac_cv_build_alias" && -- ac_cv_build_alias=`$ac_config_guess` --test -z "$ac_cv_build_alias" && -- { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 --echo "$as_me: error: cannot guess build type; you must specify one" >&2;} -- { (exit 1); exit 1; }; } --ac_cv_build=`$ac_config_sub $ac_cv_build_alias` || -- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5 --echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;} -- { (exit 1); exit 1; }; } -- --fi --echo "$as_me:$LINENO: result: $ac_cv_build" >&5 --echo "${ECHO_T}$ac_cv_build" >&6 --build=$ac_cv_build --build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` --build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` --build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` -- -- --echo "$as_me:$LINENO: checking host system type" >&5 --echo $ECHO_N "checking host system type... $ECHO_C" >&6 --if test "${ac_cv_host+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- ac_cv_host_alias=$host_alias --test -z "$ac_cv_host_alias" && -- ac_cv_host_alias=$ac_cv_build_alias --ac_cv_host=`$ac_config_sub $ac_cv_host_alias` || -- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5 --echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;} -- { (exit 1); exit 1; }; } -- --fi --echo "$as_me:$LINENO: result: $ac_cv_host" >&5 --echo "${ECHO_T}$ac_cv_host" >&6 --host=$ac_cv_host --host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` --host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` --host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` -- -- --MYHOST=$host_os --case "$host_os" in --*linux*) -- cat >>confdefs.h <<\_ACEOF --#define LINUX 1 --_ACEOF -- -- ;; --*bsd*) -- cat >>confdefs.h <<\_ACEOF --#define BSD 1 --_ACEOF -- -- ;; --esac -- - PACKAGE=pam_skey --VERSION=1.1 -+VERSION=1.4r1 - - - -@@ -1976,7 +1902,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -2034,7 +1961,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -2150,7 +2078,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -2204,7 +2133,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -2249,7 +2179,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -2293,7 +2224,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -2881,7 +2813,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3051,7 +2984,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3124,7 +3058,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3278,7 +3213,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3431,7 +3367,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3533,7 +3470,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3583,7 +3521,6 @@ - CFLAGS="${CFLAGS} -I${withval}" - fi; - -- - echo "$as_me:$LINENO: checking for socket in -lsocket" >&5 - echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6 - if test "${ac_cv_lib_socket_socket+set}" = set; then -@@ -3622,7 +3559,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3648,15 +3586,9 @@ - echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5 - echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6 - if test $ac_cv_lib_socket_socket = yes; then -- cat >>confdefs.h <<_ACEOF --#define HAVE_LIBSOCKET 1 --_ACEOF -- -- LIBS="-lsocket $LIBS" -- -+ LIBS="${LIBS} -lsocket" - fi - -- - echo "$as_me:$LINENO: checking for gethostbyname in -lnsl" >&5 - echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6 - if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then -@@ -3695,7 +3627,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3721,12 +3654,7 @@ - echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_gethostbyname" >&5 - echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6 - if test $ac_cv_lib_nsl_gethostbyname = yes; then -- cat >>confdefs.h <<_ACEOF --#define HAVE_LIBNSL 1 --_ACEOF -- -- LIBS="-lnsl $LIBS" -- -+ LIBS="${LIBS} -lnsl" - fi - - echo "$as_me:$LINENO: checking for skeyverify in -lskey" >&5 -@@ -3767,7 +3695,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -3800,218 +3729,6 @@ - { (exit 1); exit 1; }; } - fi - --echo "$as_me:$LINENO: checking for skeyaccess in -lskey" >&5 --echo $ECHO_N "checking for skeyaccess in -lskey... $ECHO_C" >&6 --if test "${ac_cv_lib_skey_skeyaccess+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- ac_check_lib_save_LIBS=$LIBS --LIBS="-lskey $LIBS" --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF --/* end confdefs.h. */ -- --/* Override any gcc2 internal prototype to avoid an error. */ --#ifdef __cplusplus --extern "C" --#endif --/* We use char because int might match the return type of a gcc2 -- builtin and then its argument prototype would still apply. */ --char skeyaccess (); --int --main () --{ --skeyaccess (); -- ; -- return 0; --} --_ACEOF --rm -f conftest.$ac_objext conftest$ac_exeext --if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 -- (eval $ac_link) 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -- (eval $ac_try) 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; } && -- { ac_try='test -s conftest$ac_exeext' -- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -- (eval $ac_try) 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; }; then -- ac_cv_lib_skey_skeyaccess=yes --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- --ac_cv_lib_skey_skeyaccess=no --fi --rm -f conftest.err conftest.$ac_objext \ -- conftest$ac_exeext conftest.$ac_ext --LIBS=$ac_check_lib_save_LIBS --fi --echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyaccess" >&5 --echo "${ECHO_T}$ac_cv_lib_skey_skeyaccess" >&6 --if test $ac_cv_lib_skey_skeyaccess = yes; then -- cat >>confdefs.h <<\_ACEOF --#define HAVE_SKEYACCESS 1 --_ACEOF -- --fi -- --echo "$as_me:$LINENO: checking for skeyinfo in -lskey" >&5 --echo $ECHO_N "checking for skeyinfo in -lskey... $ECHO_C" >&6 --if test "${ac_cv_lib_skey_skeyinfo+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- ac_check_lib_save_LIBS=$LIBS --LIBS="-lskey $LIBS" --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF --/* end confdefs.h. */ -- --/* Override any gcc2 internal prototype to avoid an error. */ --#ifdef __cplusplus --extern "C" --#endif --/* We use char because int might match the return type of a gcc2 -- builtin and then its argument prototype would still apply. */ --char skeyinfo (); --int --main () --{ --skeyinfo (); -- ; -- return 0; --} --_ACEOF --rm -f conftest.$ac_objext conftest$ac_exeext --if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 -- (eval $ac_link) 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -- (eval $ac_try) 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; } && -- { ac_try='test -s conftest$ac_exeext' -- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -- (eval $ac_try) 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; }; then -- ac_cv_lib_skey_skeyinfo=yes --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- --ac_cv_lib_skey_skeyinfo=no --fi --rm -f conftest.err conftest.$ac_objext \ -- conftest$ac_exeext conftest.$ac_ext --LIBS=$ac_check_lib_save_LIBS --fi --echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyinfo" >&5 --echo "${ECHO_T}$ac_cv_lib_skey_skeyinfo" >&6 --if test $ac_cv_lib_skey_skeyinfo = yes; then -- cat >>confdefs.h <<\_ACEOF --#define HAVE_SKEYINFO 1 --_ACEOF -- --else -- echo "$as_me:$LINENO: checking for skeylookup in -lskey" >&5 --echo $ECHO_N "checking for skeylookup in -lskey... $ECHO_C" >&6 --if test "${ac_cv_lib_skey_skeylookup+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- ac_check_lib_save_LIBS=$LIBS --LIBS="-lskey $LIBS" --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF --/* end confdefs.h. */ -- --/* Override any gcc2 internal prototype to avoid an error. */ --#ifdef __cplusplus --extern "C" --#endif --/* We use char because int might match the return type of a gcc2 -- builtin and then its argument prototype would still apply. */ --char skeylookup (); --int --main () --{ --skeylookup (); -- ; -- return 0; --} --_ACEOF --rm -f conftest.$ac_objext conftest$ac_exeext --if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 -- (eval $ac_link) 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -- (eval $ac_try) 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; } && -- { ac_try='test -s conftest$ac_exeext' -- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 -- (eval $ac_try) 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; }; then -- ac_cv_lib_skey_skeylookup=yes --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- --ac_cv_lib_skey_skeylookup=no --fi --rm -f conftest.err conftest.$ac_objext \ -- conftest$ac_exeext conftest.$ac_ext --LIBS=$ac_check_lib_save_LIBS --fi --echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeylookup" >&5 --echo "${ECHO_T}$ac_cv_lib_skey_skeylookup" >&6 --if test $ac_cv_lib_skey_skeylookup = yes; then -- cat >>confdefs.h <<\_ACEOF --#define HAVE_SKEYLOOKUP 1 --_ACEOF -- --fi -- -- --fi -- - - hold_ldflags=$LDFLAGS - echo "$as_me:$LINENO: checking for the ld -shared flag" >&5 -@@ -4041,7 +3758,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -4099,7 +3817,8 @@ - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && -- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' -+ { ac_try='test -z "$ac_c_werror_flag" -+ || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? -@@ -4747,14 +4466,6 @@ - s,@ECHO_N@,$ECHO_N,;t t - s,@ECHO_T@,$ECHO_T,;t t - s,@LIBS@,$LIBS,;t t --s,@build@,$build,;t t --s,@build_cpu@,$build_cpu,;t t --s,@build_vendor@,$build_vendor,;t t --s,@build_os@,$build_os,;t t --s,@host@,$host,;t t --s,@host_cpu@,$host_cpu,;t t --s,@host_vendor@,$host_vendor,;t t --s,@host_os@,$host_os,;t t - s,@CC@,$CC,;t t - s,@CFLAGS@,$CFLAGS,;t t - s,@LDFLAGS@,$LDFLAGS,;t t -@@ -4945,6 +4656,11 @@ - *) ac_INSTALL=$ac_top_builddir$INSTALL ;; - esac - -+ if test x"$ac_file" != x-; then -+ { echo "$as_me:$LINENO: creating $ac_file" >&5 -+echo "$as_me: creating $ac_file" >&6;} -+ rm -f "$ac_file" -+ fi - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ -@@ -4983,12 +4699,6 @@ - fi;; - esac - done` || { (exit 1); exit 1; } -- -- if test x"$ac_file" != x-; then -- { echo "$as_me:$LINENO: creating $ac_file" >&5 --echo "$as_me: creating $ac_file" >&6;} -- rm -f "$ac_file" -- fi - _ACEOF - cat >>$CONFIG_STATUS <<_ACEOF - sed "$ac_vpsub -diff -Nur pam_skey-1.1.4/defs.h.in pam_skey/defs.h.in ---- pam_skey-1.1.4/defs.h.in 2005-06-18 14:36:18.000000000 +0200 -+++ pam_skey/defs.h.in 2006-03-06 09:26:55.000000000 +0100 -@@ -1,96 +1,49 @@ --/* defs.h.in. Generated from configure.in by autoheader. */ --/* Define if we can include both string.h and strings.h */ --#undef STRING_WITH_STRINGS -- --/* Define if you have Linux */ --#undef LINUX -- --/* Define if you have *BSD */ --#undef BSD -+/* defs.h.in. Generated automatically from configure.in by autoheader. */ - --/* Define if not missing skeyaccess() */ --#undef HAVE_SKEYACCESS -- --/* Define if not missing skeyinfo() */ --#undef HAVE_SKEYINFO -+/* Define if you have the ANSI C header files. */ -+#undef STDC_HEADERS - --/* Define if you have skeylookup() instead of skeyinfo() */ --#undef HAVE_SKEYLOOKUP -+/* Define if we can include both string.h and strings.h */ -+#undef STRING_WITH_STRINGS - --/* Define to 1 if you have the `fprintf' function. */ -+/* Define if you have the fprintf function. */ - #undef HAVE_FPRINTF - --/* Define to 1 if you have the <inttypes.h> header file. */ --#undef HAVE_INTTYPES_H -+/* Define if you have the gethostbyname function. */ -+#undef HAVE_GETHOSTBYNAME - --/* Define to 1 if you have the `nsl' library (-lnsl). */ --#undef HAVE_LIBNSL -+/* Define if you have the snprintf function. */ -+#undef HAVE_SNPRINTF - --/* Define to 1 if you have the `socket' library (-lsocket). */ --#undef HAVE_LIBSOCKET -+/* Define if you have the strncmp function. */ -+#undef HAVE_STRNCMP - --/* Define to 1 if you have the <memory.h> header file. */ --#undef HAVE_MEMORY_H -+/* Define if you have the syslog function. */ -+#undef HAVE_SYSLOG - --/* Define to 1 if you have the <pwd.h> header file. */ -+/* Define if you have the <pwd.h> header file. */ - #undef HAVE_PWD_H - --/* Define to 1 if you have the <security/pam_appl.h> header file. */ -+/* Define if you have the <security/pam_appl.h> header file. */ - #undef HAVE_SECURITY_PAM_APPL_H - --/* Define to 1 if you have the <security/pam_modules.h> header file. */ -+/* Define if you have the <security/pam_modules.h> header file. */ - #undef HAVE_SECURITY_PAM_MODULES_H - --/* Define to 1 if you have the `snprintf' function. */ --#undef HAVE_SNPRINTF -- --/* Define to 1 if you have the <stdint.h> header file. */ --#undef HAVE_STDINT_H -- --/* Define to 1 if you have the <stdlib.h> header file. */ -+/* Define if you have the <stdlib.h> header file. */ - #undef HAVE_STDLIB_H - --/* Define to 1 if you have the <strings.h> header file. */ --#undef HAVE_STRINGS_H -- --/* Define to 1 if you have the <string.h> header file. */ -+/* Define if you have the <string.h> header file. */ - #undef HAVE_STRING_H - --/* Define to 1 if you have the `strncmp' function. */ --#undef HAVE_STRNCMP -- --/* Define to 1 if you have the `syslog' function. */ --#undef HAVE_SYSLOG -- --/* Define to 1 if you have the <syslog.h> header file. */ --#undef HAVE_SYSLOG_H -- --/* Define to 1 if you have the <sys/stat.h> header file. */ --#undef HAVE_SYS_STAT_H -+/* Define if you have the <strings.h> header file. */ -+#undef HAVE_STRINGS_H - --/* Define to 1 if you have the <sys/syslog.h> header file. */ -+/* Define if you have the <sys/syslog.h> header file. */ - #undef HAVE_SYS_SYSLOG_H - --/* Define to 1 if you have the <sys/types.h> header file. */ -+/* Define if you have the <sys/types.h> header file. */ - #undef HAVE_SYS_TYPES_H - --/* Define to 1 if you have the <unistd.h> header file. */ --#undef HAVE_UNISTD_H -- --/* Define to the address where bug reports for this package should be sent. */ --#undef PACKAGE_BUGREPORT -- --/* Define to the full name of this package. */ --#undef PACKAGE_NAME -- --/* Define to the full name and version of this package. */ --#undef PACKAGE_STRING -- --/* Define to the one symbol short name of this package. */ --#undef PACKAGE_TARNAME -- --/* Define to the version of this package. */ --#undef PACKAGE_VERSION -- --/* Define to 1 if you have the ANSI C header files. */ --#undef STDC_HEADERS -+/* Define if you have the <syslog.h> header file. */ -+#undef HAVE_SYSLOG_H -diff -Nur pam_skey-1.1.4/pam_skey.c pam_skey/pam_skey.c ---- pam_skey-1.1.4/pam_skey.c 2005-06-18 14:36:18.000000000 +0200 -+++ pam_skey/pam_skey.c 2006-03-06 09:26:55.000000000 +0100 -@@ -1,5 +1,6 @@ - /* -- * (c) 2001 Dinko Korunic, kreator@srce.hr -+ * Rewrite (c) 2005 Dani Church, dani.church@gmail.com -+ * Original (c) 2001 Dinko Korunic, kreator@srce.hr - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -@@ -33,272 +34,146 @@ - #include <pwd.h> - #include <sys/types.h> - #include <syslog.h> -+#include <ctype.h> - - #define PAM_EXTERN extern - #undef PAM_STATIC - - #include <security/pam_appl.h> - #include <security/pam_modules.h> -+#include <security/_pam_macros.h> - - #include "skey.h" - #include "pam_skey.h" - #include "misc.h" - -+#define LOGDEBUG(x) if (mod_opt & _MOD_DEBUG) { syslog x ;} -+#define QUERY_USERNAME NULL /* Use default username prompt */ -+#define QUERY_PASSWORD "Password: " -+#define QUERY_RESPONSE_OR_PASSWORD "S/Key response or system password: " -+#define QUERY_RESPONSE "S/Key response: " -+ - PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags, - int argc, const char **argv) - { - return PAM_SUCCESS; - } - -+/* -+ * The authentication module will return the following status codes: -+ * PAM_SUCCESS: Successful authentication via S/Key. -+ * PAM_IGNORE: The user doesn't have S/Key or doesn't want to use it. -+ * Continue with the next module, using try_first_pass. -+ * PAM_AUTH_ERR: The user asked to use S/Key, but failed the authentication. -+ * Don't try any more PAM modules. -+ * others: random errors, try next authentication method -+ */ -+ - PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc, const char **argv) - { -- char challenge[CHALLENGE_MAXSIZE]; /* challenge to print in conv */ -- char msg_text[PAM_MAX_MSG_SIZE]; /* text for pam conv */ -- char *username = NULL; /* username spacer */ -+ const char *challenge; /* challenge to print in conv */ -+ const char *username = NULL; /* username spacer */ - char *response = NULL; /* response spacer */ -- struct skey skey; /* structure that contains skey information */ - int status; /* return status spacer */ -- unsigned mod_opt = _MOD_NONE_ON; /* module options */ -+ unsigned mod_opt=_MOD_NONE_ON; /* module options */ - - /* Get module options */ - mod_getopt(&mod_opt, argc, argv); - -- /* Get username */ --#if defined LINUX || defined BSD -- if (pam_get_user(pamh, (const char **)&username, "login:") --#else -- if (pam_get_user(pamh, (char **)&username, "login:") --#endif -- != PAM_SUCCESS) -- { -- fprintf(stderr, "cannot determine username\n"); -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "cannot determine username"); -- return PAM_USER_UNKNOWN; -- } -- -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "got username %s", username); -- --#ifdef HAVE_SKEYACCESS -- /* Check S/Key access permissions - user, host and port. Also include -- * sanity checks */ -- if (mod_opt & _MOD_ACCESS_CHECK) -- { -- char *host; /* points to host */ -- char *port; /* points to port */ -- struct passwd *pwuser; /* structure for getpw() */ -- -- /* Get host.. */ --#if defined LINUX || defined BSD -- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) --#else -- if (pam_get_item(pamh, PAM_RHOST, (void **)&host) --#endif -- != PAM_SUCCESS) -- host = NULL; /* couldn't get host */ -- /* ..and port */ --#if defined LINUX || defined BSD -- if (pam_get_item(pamh, PAM_TTY, (const void **)&port) --#else -- if (pam_get_item(pamh, PAM_TTY, (void **)&port) --#endif -- != PAM_SUCCESS) -- port = NULL; /* couldn't get port */ -- -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "checking s/key access for user %s," -- " host %s, port %s", username, -- (host != NULL) ? host : "*unknown*", -- (port != NULL) ? port : "*unknown*"); -- -- /* Get information from passwd file */ -- if ((pwuser = getpwnam(username)) == NULL) -- { -- fprintf(stderr, "no such user\n"); -- syslog(LOG_NOTICE, "cannot find user %s", username); -- return PAM_USER_UNKNOWN; /* perhaps even return PAM_ABORT here? */ -+ /* Get username (taken mainly from pam_unix) */ -+ status = pam_get_user(pamh, &username, QUERY_USERNAME); -+ if (status == PAM_SUCCESS) { -+ if (username == NULL || !isalnum(*username)) { -+ syslog(LOG_ERR, "bad username [%s]", username); -+ return PAM_USER_UNKNOWN; - } -+ LOGDEBUG((LOG_DEBUG, "username [%s] obtained", username)); -+ } else { -+ LOGDEBUG((LOG_DEBUG, "trouble reading username")); -+ if (status == PAM_CONV_AGAIN) -+ return PAM_INCOMPLETE; -+ return status; -+ } - -- /* Do actual checking - we assume skeyaccess() returns PERMIT which is -- * by default 1. Notice 4th argument is NULL - we will not perform -- * address checks on host itself */ -- if (skeyaccess(pwuser, port, host, NULL) != 1) -- { -- fprintf(stderr, "no s/key access permissions\n"); -- syslog(LOG_NOTICE, "no s/key access permissions for %s", -- username); -- return PAM_AUTH_ERR; -- } -+ /* Check whether or not this user has an S/Key */ -+ if (skey_haskey(username) != 0) { -+ LOGDEBUG((LOG_DEBUG, "user [%s] has no S/Key entry", username)); -+ return PAM_IGNORE; - } -- else - --#endif /* HAVE_SKEYACCESS */ -- -- /* Only do check whether user has passwd entry */ -- if (getpwnam(username) == NULL) -- { -- fprintf(stderr, "no such user\n"); -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "cannot find user %s", -- username); -- return PAM_USER_UNKNOWN; -+ if ((mod_opt & _MOD_TRY_FIRST_PASS) || (mod_opt & _MOD_USE_FIRST_PASS)) { -+ status = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &response); -+ if (status != PAM_SUCCESS) { -+ syslog(LOG_ALERT, "pam_get_item returned error to pam_skey"); -+ return status; -+ } else if (response != NULL) { -+ if (skey_passcheck(username, response) != -1) { -+ return PAM_SUCCESS; -+ } else if (mod_opt & _MOD_USE_FIRST_PASS) { -+ return PAM_IGNORE; -+ } -+ } else if (mod_opt & _MOD_USE_FIRST_PASS) { -+ return PAM_AUTHTOK_RECOVER_ERR; - } -- -- /* Get S/Key information on user with skeyinfo() */ --#ifdef HAVE_SKEYINFO -- switch (skeyinfo(&skey, username, NULL)) --#else --#ifdef HAVE_SKEYLOOKUP -- switch (skeylookup(&skey, username)) --#endif /* HAVE_SKEYLOOKUP */ --#endif /* HAVE_SKEYINFO */ -- { -- /* 0: OK */ -- case 0: -- break; -- /* -1: File error */ -- case -1: --#if 0 -- /* XXX- This seems broken in (at least) logdaemon-5.8. It returns -1 -- * when user not found in keyfile. -kre */ -- fprintf(stderr, "s/key database error\n"); -- syslog(LOG_NOTICE, "s/key database error"); -- return PAM_AUTH_ERR; --#endif -- /* 1: No such user in database */ -- case 1: -- /* We won't confuse the ordinary user telling him about missing skeys -- * -kre */ --#if 0 -- fprintf(stderr, "no s/key for %s\n", username); --#endif -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "no s/key for %s\n", username); -- return PAM_AUTH_ERR; - } -- -- /* Make challenge string */ --#if defined(SKEY_MAX_HASHNAME_LEN) && defined(SKEY_MAX_SEED_LEN) -- snprintf(challenge, CHALLENGE_MAXSIZE, "otp-%.*s %d %.*s", -- SKEY_MAX_HASHNAME_LEN, skey_get_algorithm(), skey.n - 1, SKEY_MAX_SEED_LEN, skey.seed); --#else -- snprintf(challenge, CHALLENGE_MAXSIZE, "s/key %d %s", -- skey.n - 1, skey.seed); --#endif -- -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "got challenge %s for %s", challenge, -- username); -- -- /* Read response from last module's PAM_AUTHTOK */ -- if (mod_opt & _MOD_USE_FIRST_PASS) -- { -- /* Try to extract authtoken */ --#if defined LINUX || defined BSD -- if (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&response) --#else -- if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&response) --#endif -- != PAM_SUCCESS) -- { -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "could not get PAM_AUTHTOK"); -- mod_opt &= ~_MOD_USE_FIRST_PASS; -+ -+ if (mod_opt & _MOD_NO_DEFAULT_SKEY) { -+ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_PASSWORD, 0, &response); -+ if (status != PAM_SUCCESS) { -+ _pam_delete(response) -+ return status; - } -- else -- { -- /* Got AUTHTOK, but it was empty */ -- if (empty_authtok(response)) -- { -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "empty PAM_AUTHTOK"); -- mod_opt &= ~_MOD_USE_FIRST_PASS; -- } -- else -- /* All OK, print challenge information */ -- fprintf(stderr, "challenge %s\n", challenge); -+ if (strcasecmp(response,"s/key")!=0) { -+ status = pam_set_item(pamh, PAM_AUTHTOK, response); -+ if (status != PAM_SUCCESS) -+ return status; -+ return PAM_IGNORE; - } -+ _pam_delete(response); - } - -- /* There was no PAM_AUTHTOK, or there was no such option in pam-conf -- * file */ -- if (!(mod_opt & _MOD_USE_FIRST_PASS)) -- { -- /* Prepare a complete message for conversation */ -- snprintf(msg_text, PAM_MAX_MSG_SIZE, -- "challenge %s\npassword: ", challenge); -- -- /* Talk with user */ -- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response) -- != PAM_SUCCESS) -- return PAM_SERVICE_ERR; -- -- /* Simulate standard S/Key login procedure - if empty token, turn on -- * ECHO and prompt again */ -- if (empty_authtok(response) && !(mod_opt & _MOD_ONLY_ONE_TRY)) -- { -- /* Was there echo off? */ -- if (mod_opt & _MOD_ECHO_OFF) -- { -- _pam_delete(response); -- fprintf(stderr, "(turning echo on)\n"); -- mod_opt &= ~_MOD_ECHO_OFF; -- -- /* Prepare a complete message for conversation */ -- snprintf(msg_text, PAM_MAX_MSG_SIZE, "password: "); -- -- /* Talk with user */ -- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response) -- != PAM_SUCCESS) -- return PAM_SERVICE_ERR; -- -- /* Got again empty response. Bailout and don't save auth token */ -- if (empty_authtok(response)) -- return PAM_AUTH_ERR; -- } -- else -- /* There was echo on already - just get out and don't save auth token -- * for other modules */ -- return PAM_AUTH_ERR; -- } -+ challenge = skey_keyinfo(username); -+ if (challenge == NULL) { -+ syslog(LOG_ALERT, "Could not retrieve S/Key challenge for [%s]", username); -+ return PAM_AUTHINFO_UNAVAIL; -+ } - -- /* XXX - ECHO ON puts '\n' at the end in Solaris 2.7! This is -- * cludge to get rid of this nasty `feature' -kre */ -- _pam_degarbage(response); -- -- /* Store auth token - that next module can use with `use_first_pass' */ -- if (pam_set_item(pamh, PAM_AUTHTOK, response) != PAM_SUCCESS) -- { -- syslog(LOG_NOTICE, "unable to save auth token"); -- return PAM_SERVICE_ERR; -- } -+ if (mod_opt & _MOD_NO_DEFAULT_SKEY) -+ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response); -+ else -+ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response); - -- /* cleanup conversation */ -+ if (status != PAM_SUCCESS) -+ return status; -+ -+ if (*response == '\0') { - _pam_delete(response); -- } -- -- /* Verify S/Key */ -- status = skeyverify(&skey, response); -+ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_RESPONSE, 1, &response); -+ if (status != PAM_SUCCESS) -+ return status; -+ status = pam_set_item(pamh, PAM_AUTHTOK, response); -+ status = skey_passcheck(username, response); -+ _pam_delete(response); -+ if (status != -1) -+ return PAM_SUCCESS; -+ return PAM_AUTH_ERR; -+ } - -- switch (status) -- { -- /* 0: Verify successful, database updated */ -- case 0: -- break; -- /* -1: Error of some sort; database unchanged */ -- /* 1: Verify failed, database unchanged */ -- case -1: -- case 1: -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "verify for %s failed, database" -- " unchanged", username); -- return PAM_AUTH_ERR; -+ status = pam_set_item(pamh, PAM_AUTHTOK, response); -+ status = skey_passcheck(username, response); -+ if (status != -1) { -+ _pam_delete(response); -+ return PAM_SUCCESS; -+ } -+ -+ if (mod_opt & _MOD_NO_DEFAULT_SKEY) { -+ _pam_delete(response); -+ return PAM_AUTH_ERR; - } - -- /* Success by default */ -- return PAM_SUCCESS; -+ status = pam_set_item(pamh, PAM_AUTHTOK, response); -+ return PAM_IGNORE; - } - - /* Get module optional parameters */ -@@ -332,50 +207,43 @@ - } - - /* This will talk to user through PAM_CONV */ --static int mod_talk_touser(pam_handle_t *pamh, unsigned *mod_opt, -- char *msg_text, char **response) -+static int mod_talk_touser(pam_handle_t *pamh, unsigned mod_opt, -+ const char *info_text, const char *prompt_text, int echo_on, char **response) - { -- struct pam_message message; -- const struct pam_message *pmessage = &message; -+ struct pam_message message[2], *pmessage[2]; - struct pam_conv *conv = NULL; - struct pam_response *presponse = NULL; -- -+ int i=0; -+ - /* Better safe than sorry */ - *response = NULL; - - /* Be paranoid */ - memset(&message, 0, sizeof(message)); - -- /* Turn on/off PAM echo */ -- if (*mod_opt & _MOD_ECHO_OFF) -- message.msg_style = PAM_PROMPT_ECHO_OFF; -- else -- message.msg_style = PAM_PROMPT_ECHO_ON; -+ pmessage[0] = &message[0]; -+ pmessage[1] = &message[1]; -+ -+ /* Set info text, if any */ -+ if (info_text) { -+ message[i].msg = info_text; -+ message[i].msg_style = PAM_TEXT_INFO; -+ i++; -+ } - -- /* Point to conversation text */ -- message.msg = msg_text; -+ /* Set prompt text */ -+ message[i].msg = prompt_text; -+ message[i].msg_style = echo_on ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; -+ i++; - - /* Do conversation and see if all is OK */ --#if defined LINUX || defined BSD -- if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) --#else -- if (pam_get_item(pamh, PAM_CONV, (void **)&conv) --#endif -- != PAM_SUCCESS) -- { -- if (*mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "error in conversation"); -+ if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS) { -+ LOGDEBUG((LOG_DEBUG, "error in conversation")); - return PAM_SERVICE_ERR; - } -- -- /* Convert into pam_response - only 1 reply expected */ --#if defined LINUX || defined BSD -- if (conv->conv(1, &pmessage, &presponse, -+ /* Convert into pam_response */ -+ if (conv->conv(i, (const struct pam_message **)pmessage, &presponse, - conv->appdata_ptr) --#else -- if (conv->conv(1, (struct pam_message **)&pmessage, &presponse, -- conv->appdata_ptr) --#endif - != PAM_SUCCESS) - { - _pam_delete(presponse->resp); -@@ -385,10 +253,10 @@ - if (presponse != NULL) - { - /* Save address */ -- *response = presponse->resp; -+ *response = presponse[i-1].resp; - /* To ensure that response address will not be erased */ -- presponse->resp = NULL; -- _pam_drop(presponse); -+ presponse[i-1].resp = NULL; -+ _pam_drop_reply(presponse,i); - } - else - return PAM_SERVICE_ERR; -diff -Nur pam_skey-1.1.4/pam_skey.h pam_skey/pam_skey.h ---- pam_skey-1.1.4/pam_skey.h 2005-06-18 14:36:18.000000000 +0200 -+++ pam_skey/pam_skey.h 2006-03-06 09:26:55.000000000 +0100 -@@ -22,29 +22,25 @@ - */ - - /* Prototypes */ --#ifndef BSD --extern int skeyinfo(struct skey *, char *, char *); /* ORGH! Not in skey.h */ --#endif -- - static void mod_getopt(unsigned *, int, const char **); --static int mod_talk_touser(pam_handle_t *, unsigned *, char *, char **); -+static int mod_talk_touser(pam_handle_t *, unsigned, const char *, const char *, int, char **); - - /* free() macro */ --#define _pam_drop(X) \ -+/*#define _pam_drop(X) \ - if (X != NULL) \ - { \ - free(X); \ - X = NULL; \ --} -+}*/ - - /* Secure overwrite */ --#define _pam_overwrite(x) \ -+/*#define _pam_overwrite(x) \ - { \ - register char *__xx__; \ - if ((__xx__ = (x))) \ - while (*__xx__) \ - *__xx__++ = '\0'; \ --} -+}*/ - - /* Drop-in secure replacement - we do not want cleartext passwords lying - * scattered around */ -@@ -56,7 +52,7 @@ - - /* This will get us rid of first '\n' in response string and cut-off the - * rest of the string. It should be ASCIIZ, of course */ --#define _pam_degarbage(x) \ -+/*#define _pam_degarbage(x) \ - { \ - register char *__xx__; \ - if ((__xx__ = (x))) \ -@@ -70,30 +66,25 @@ - else \ - __xx__++; \ - } \ --} -+}*/ - - /* Handy empty AUTHTOK macro */ - #define empty_authtok(a) (a == NULL || !*a || *a == '\n') - --/* Maximum challenge size. It should be 64, but be sure */ --#define CHALLENGE_MAXSIZE 128 -- - /* Define module flags */ --#define _MOD_NONE_ON 0x0000 /* Generic flag */ --#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */ --#define _MOD_DEBUG 0x0001 /* Debugging options on */ --#define _MOD_ECHO_OFF 0x0002 /* PAM_ECHO_OFF */ --#define _MOD_ACCESS_CHECK 0x0004 /* Check S/Key access permissions */ --#define _MOD_USE_FIRST_PASS 0x0008 /* Use PAM_AUTHTOK */ --#define _MOD_ONLY_ONE_TRY 0x0010 /* Only one try, no matter of echo */ --#define _MOD_SPACER 0x0020 /* Currently unused */ -+#define _MOD_NONE_ON 0x0000 /* Generic flag */ -+#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */ -+#define _MOD_DEBUG 0x0001 /* Debugging options on */ -+#define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */ -+#define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */ -+#define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */ - - /* Setup defaults - use echo off only */ --#define _MOD_DEFAULT_FLAG _MOD_ECHO_OFF -+#define _MOD_DEFAULT_FLAG _MOD_NONE_ON - #define _MOD_DEFAULT_MASK _MOD_ALL_ON - - /* Number of parameters currently known */ --#define _MOD_ARGS 8 -+#define _MOD_ARGS 4 - - /* Structure for flexible argument parsing */ - typedef struct -@@ -108,11 +99,7 @@ - { - /* String Mask Flag */ - {"debug", _MOD_ALL_ON, _MOD_DEBUG}, -- {"echo=off", _MOD_ALL_ON, _MOD_ECHO_OFF}, -- {"echo=on", _MOD_ALL_ON^_MOD_ECHO_OFF, _MOD_NONE_ON}, -- {"access_check=on", _MOD_ALL_ON, _MOD_ACCESS_CHECK}, -- {"access_check=off", _MOD_ALL_ON^_MOD_ACCESS_CHECK, _MOD_NONE_ON}, -+ {"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS}, - {"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, -- {"try_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, -- {"only_one_try", _MOD_ALL_ON, _MOD_ONLY_ONE_TRY} -+ {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY} - }; -diff -Nur pam_skey-1.1.4/pam_skey_access.c pam_skey/pam_skey_access.c ---- pam_skey-1.1.4/pam_skey_access.c 2005-06-18 14:36:18.000000000 +0200 -+++ pam_skey/pam_skey_access.c 1970-01-01 01:00:00.000000000 +0100 -@@ -1,161 +0,0 @@ --/* -- * (c) 2001 Dinko Korunic, kreator@srce.hr -- * -- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -- * -- * S/KEY is a trademark of Bellcore. -- * Mink is the former name of the S/KEY authentication system. -- * -- * Programs that had some influence in development of this source: -- * Wietse Venema's logdaemon package -- * Olaf Kirch's Linux S/Key package -- * Linux-PAM modules and templates -- * Wyman Miles' pam_securid module -- * -- * Should you choose to use and/or modify this source code, please do so -- * under the terms of the GNU General Public License under which this -- * program is distributed. -- */ -- --static char rcsid[] = "$Id: pam_skey_access.c,v 1.2 2005/06/18 12:36:18 kreator Exp $"; -- --#include "defs.h" -- --#include <stdio.h> --#include <stdlib.h> --#include <string.h> --#ifdef STRING_WITH_STRINGS --# include <strings.h> --#endif --#include <unistd.h> --#include <pwd.h> --#include <sys/types.h> --#include <syslog.h> -- --#define PAM_EXTERN extern --#undef PAM_STATIC -- --#include <security/pam_appl.h> --#include <security/pam_modules.h> -- --#include "skey.h" --#include "pam_skey.h" --#include "misc.h" -- --PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags, -- int argc, const char **argv) --{ -- return PAM_SUCCESS; --} -- --PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, -- int argc, const char **argv) --{ -- char *username = NULL; /* will point to username */ -- unsigned mod_opt = _MOD_NONE_ON; /* module options */ -- char *host; /* will point to host */ -- char *port; /* will point to port */ -- struct passwd *pwuser; -- -- /* Get module options */ -- mod_getopt(&mod_opt, argc, argv); -- -- /* Get username */ --#if defined LINUX || defined BSD -- if (pam_get_user(pamh, (const char **)&username, "login:")!=PAM_SUCCESS) --#else -- if (pam_get_user(pamh, (char **)&username, "login:")!=PAM_SUCCESS) --#endif -- { -- fprintf(stderr, "cannot determine username\n"); -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "cannot determine username"); -- return PAM_AUTHINFO_UNAVAIL; -- } -- -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "got username %s", username); -- -- /* Check S/Key access permissions - user, host and port. Also include -- * sanity checks */ -- /* Get host.. */ --#if defined LINUX || defined BSD -- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) --#else -- if (pam_get_item(pamh, PAM_RHOST, (void **)&host) --#endif -- != PAM_SUCCESS) -- host = NULL; -- /* ..and port */ --#ifdef LINUX -- if (pam_get_item(pamh, PAM_TTY, (const void **)&port) --#else -- if (pam_get_item(pamh, PAM_TTY, (void **)&port) --#endif -- != PAM_SUCCESS) -- port = NULL; -- -- if (mod_opt & _MOD_DEBUG) -- syslog(LOG_DEBUG, "checking s/key access for user %s," -- " host %s, port %s", username, -- (host != NULL) ? host : "*unknown*", -- (port != NULL) ? port : "*unknown*"); -- -- /* Get information from passwd file */ -- if ((pwuser = getpwnam(username)) == NULL) -- { -- fprintf(stderr, "no such user\n"); -- syslog(LOG_NOTICE, "cannot find user %s", -- username); -- return PAM_AUTHINFO_UNAVAIL; -- } -- --#ifdef HAVE_SKEYACCESS -- -- /* Do actual checking - we assume skeyaccess() returns PERMIT which is -- * by default 1. Notice 4th argument is NULL - we will not perform -- * address checks on host itself */ -- if (skeyaccess(pwuser, port, host, NULL) != 1) -- { -- fprintf(stderr, "no s/key access permissions\n"); -- syslog(LOG_NOTICE, "no s/key access permissions for %s", -- username); -- return PAM_AUTH_ERR; -- } -- --#endif /* HAVE_SKEYACCESS */ -- -- return PAM_SUCCESS; --} -- --/* Get module optional parameters */ --static void mod_getopt(unsigned *mod_opt, int mod_argc, const char **mod_argv) --{ -- int i; -- -- /* Setup runtime defaults */ -- *mod_opt |= _MOD_DEFAULT_FLAG; -- *mod_opt &= _MOD_DEFAULT_MASK; -- -- /* Setup runtime options */ -- while (mod_argc--) -- { -- for (i = 0; i < _MOD_ARGS; ++i) -- { -- if (mod_args[i].token != NULL && -- !strncmp(*mod_argv, mod_args[i].token, -- strlen(mod_args[i].token))) -- break; -- } -- if (i >= _MOD_ARGS) -- syslog(LOG_ERR, "unknown option %s", *mod_argv); -- else -- { -- *mod_opt &= mod_args[i].mask; /* Turn off */ -- *mod_opt |= mod_args[i].flag; /* Turn on */ -- } -- ++mod_argv; -- } --} - |