author | Jakub Moc <jakub@gentoo.org> | 2006-06-08 09:28:53 +0000 |
---|---|---|
committer | Jakub Moc <jakub@gentoo.org> | 2006-06-08 09:28:53 +0000 |
commit | 498a6465701e1f98504734b06b50bf8e80c1aee9 (patch) | |
tree | ee9a733b6ad17374c69a9e62ea8962f18cf2bd3d /sys-auth/pam_skey | |
parent | Remove useless ChangeLog based on a request from dertobi123 in #gentoo-overla... (diff) | |
New pam_skey ebuild, thanks to Ulrich Mueller and Dani Church in Bug 55279
svn path=/; revision=5
Diffstat (limited to 'sys-auth/pam_skey')
-rw-r--r-- | sys-auth/pam_skey/ChangeLog | 7 | ||||
-rw-r--r-- | sys-auth/pam_skey/Manifest | 20 | ||||
-rw-r--r-- | sys-auth/pam_skey/files/digest-pam_skey-1.1.4 | 3 | ||||
-rw-r--r-- | sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch | 1706 | ||||
-rw-r--r-- | sys-auth/pam_skey/files/pam_skey-system-auth.pam.d | 15 | ||||
-rw-r--r-- | sys-auth/pam_skey/pam_skey-1.1.4.ebuild | 34 |
6 files changed, 1785 insertions, 0 deletions
diff --git a/sys-auth/pam_skey/ChangeLog b/sys-auth/pam_skey/ChangeLog
new file mode 100644
index 000000000..6a0058abf
--- /dev/null
+++ b/sys-auth/pam_skey/ChangeLog
@@ -0,0 +1,7 @@
+# ChangeLog for sys-auth/pam_skey
+# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
+# $Header: $
+
+ 08 Jun 2006; Jakub Moc <jakub@gentoo.org> ChangeLog:
+ New ebuild, thanks to Ulrich Mueller and Dani Church in Bug 55279
+
diff --git a/sys-auth/pam_skey/Manifest b/sys-auth/pam_skey/Manifest
new file mode 100644
index 000000000..99669924a
--- /dev/null
+++ b/sys-auth/pam_skey/Manifest
@@ -0,0 +1,20 @@ +AUX pam_skey-1.1.4-gentoo.patch 56392 RMD160 33fd94c5f147b0162b16a4c49aaa9aecf53a1abd SHA1 e09de55556f4ffbc9fe9486df2cbe109d66800ca SHA256 7047f7c7f6642d0a7bc6523bec09be32c77e58cd7f2be97445dd12e65447604e +MD5 626625c71e1602329c59b29789ffa48d files/pam_skey-1.1.4-gentoo.patch 56392 +RMD160 33fd94c5f147b0162b16a4c49aaa9aecf53a1abd files/pam_skey-1.1.4-gentoo.patch 56392 +SHA256 7047f7c7f6642d0a7bc6523bec09be32c77e58cd7f2be97445dd12e65447604e files/pam_skey-1.1.4-gentoo.patch 56392 +AUX pam_skey-system-auth.pam.d 494 RMD160 a3bb4380c57dcba61ba244b0a78f52ca6e926481 SHA1 cd2de470f99b5496fcbf1bc22dba53107a5a2fc8 SHA256 6f82c6ff0f7e6312affbb5b7d3f81a958105831826ff43fcd613619045ebe81f +MD5 69c0af39436f237670c7936c695e04ae files/pam_skey-system-auth.pam.d 494 +RMD160 a3bb4380c57dcba61ba244b0a78f52ca6e926481 files/pam_skey-system-auth.pam.d 494 +SHA256 6f82c6ff0f7e6312affbb5b7d3f81a958105831826ff43fcd613619045ebe81f files/pam_skey-system-auth.pam.d 494 +DIST pam_skey-1.1.4.tar.gz 82861 RMD160 ea195cbe4cd188d223d3bb7d0ffc51be0f3fc713 SHA1 289641fcbb4118f9ad3ce246e6ed07804ddd0125 SHA256 625e255e8c7ac27a85e2336d64cec46a83e246fe96e3e851c685dbf870c359bc +EBUILD pam_skey-1.1.4.ebuild 808 RMD160 d71734653691beb87d0d99bc8e5f1ece44b698ae SHA1 a80774795b890b508b4e5e8ae7a27408a8dcc6ff SHA256 d641e13f5a0147593da836b9ca524769dcd6a8add439d16b7856517044a51830 +MD5 a3f6bf217d2c6033bf7dea67d579c368 pam_skey-1.1.4.ebuild 808 +RMD160 d71734653691beb87d0d99bc8e5f1ece44b698ae pam_skey-1.1.4.ebuild 808 +SHA256 d641e13f5a0147593da836b9ca524769dcd6a8add439d16b7856517044a51830 pam_skey-1.1.4.ebuild 808 +MISC ChangeLog 242 RMD160 1980e163fac1689f1a2e4fcc679226c469412c8f SHA1 f4d45fba2ebaa6b77d7a3394be7c9ceb7d420aed SHA256 18e63007f3c01d7e009086d40d1342bb7ba2485cd743107a16771c6d0a05305b +MD5 17cb051662eed9077ccf2d24faca206c ChangeLog 242 +RMD160 1980e163fac1689f1a2e4fcc679226c469412c8f ChangeLog 242 +SHA256 18e63007f3c01d7e009086d40d1342bb7ba2485cd743107a16771c6d0a05305b ChangeLog 
242 +MD5 1df89075dfcadb2f7a251660ed354be1 files/digest-pam_skey-1.1.4 241 +RMD160 9fda6553523e458b8a564cd15a2e00c1b4cda91a files/digest-pam_skey-1.1.4 241 +SHA256 57b3a9d58da17171b21b69d7cdde0c0863500eab7582715550c6358080570550 files/digest-pam_skey-1.1.4 241 diff --git a/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 b/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 new file mode 100644 index 000000000..82d8fdb41 --- /dev/null +++ b/sys-auth/pam_skey/files/digest-pam_skey-1.1.4 @@ -0,0 +1,3 @@ +MD5 5e3bbe897bdd665fbe9d3b647455a863 pam_skey-1.1.4.tar.gz 82861 +RMD160 ea195cbe4cd188d223d3bb7d0ffc51be0f3fc713 pam_skey-1.1.4.tar.gz 82861 +SHA256 625e255e8c7ac27a85e2336d64cec46a83e246fe96e3e851c685dbf870c359bc pam_skey-1.1.4.tar.gz 82861 diff --git a/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch b/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch new file mode 100644 index 000000000..a1403d0d2 --- /dev/null +++ b/sys-auth/pam_skey/files/pam_skey-1.1.4-gentoo.patch 
@@ -0,0 +1,1706 @@ +diff -Nur pam_skey-1.1.4/INSTALL pam_skey/INSTALL +--- pam_skey-1.1.4/INSTALL 2005-06-18 14:11:24.000000000 +0200 ++++ pam_skey/INSTALL 2006-03-06 09:26:55.000000000 +0100 +@@ -1,5 +1,39 @@ + $Id: INSTALL,v 1.1.1.1 2005/06/18 12:11:24 kreator Exp $ + ++Gentoo patch ++------------ ++Most everything below still holds, though the libraries required are now ++those used by Gentoo. Other S/Key libraries may work with a bit of ++tweaking. ++ ++The options listed for the module below are no longer valid. See the ++Gentoo patch section in README for details. ++ ++The intended method for configuring PAM is by using the newer module ++specification, with a line like: ++ ++auth [success=done ignore=ignore auth_err=die default=bad] /lib/security/pam_skey.so ++ ++This is a combination of the standard "sufficient" and "requisite" ++specifications: ++ ++- If the module returns PAM_SUCCESS, we are authenticated and no other ++ modules should be tested. ++- If the module returns PAM_IGNORE, then the module didn't accept its ++ input as an S/Key response, and the next module should try using ++ the input (using the try_first_pass option). ++- If the module returns PAM_AUTH_ERR, then the module accepted an ++ S/Key input but it was invalid. Do not try any more modules in the ++ stack; the user already chose S/Key authentication. ++- If the module returns any other code, it is a simple error in processing. ++ Set the error flag but try other modules, just in case. ++ ++The module is intended to be placed before another authentication module, ++like pam_unix.so; if not, it should be placed before pam_deny.so. ++ ++If the newer module specification is unavailable in your version of PAM, ++the "sufficient" specification will work. 
++ + Required + -------- + For building this package you will probably need original Wietse Venema's +diff -Nur pam_skey-1.1.4/Makefile.in pam_skey/Makefile.in +--- pam_skey-1.1.4/Makefile.in 2005-06-18 14:11:24.000000000 +0200 ++++ pam_skey/Makefile.in 2006-03-06 09:26:55.000000000 +0100 +@@ -12,42 +12,26 @@ + LIBS=@LIBS@ @SKEYLIB@ @PAMLIB@ + LDFLAGS=@LDFLAGS@ + +-INSTALL=@INSTALL@ -m 644 ++INSTALL=@INSTALL@ ++INSTALL_LIB=${INSTALL} -m 755 + RM=@RM@ -f + CP=@CP@ -f + LN=@LN@ -s + AWK=@AWK@ + +-PAM_FILES=pam_skey.so.1 pam_skey_access.so.1 ++PAM_FILES=pam_skey.so + + all: $(PAM_FILES) + +-pam_skey.so.1: pam_skey.o +- $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS) +- +-pam_skey_access.so.1: pam_skey_access.o ++pam_skey.so: pam_skey.o + $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS) + + lint-pam_skey: + lclint $(CFLAGS) pam_skey.c + +-lint-pam_skey_access: +- lclint $(CFLAGS) pam_skey_access.c +- +-install: +- @if test ! -d $(INSTALLDIR); then \ +- echo "Missing $(INSTALLDIR). Problem with PAM installation?"; \ +- else \ +- for file in $(PAM_FILES); do \ +- if test ! -f "$(INSTALLDIR)/$$file"; then \ +- echo "Installing $$file in $(INSTALLDIR)"; \ +- $(INSTALL) "$$file" "$(INSTALLDIR)/$$file"; \ +- (cd $(INSTALLDIR) && $(LN) "$$file" `echo $$file | cut -d. -f1,2`); \ +- else \ +- echo "$$file exists - will not overwrite it"; \ +- fi \ +- done \ +- fi ++install: all ++ $(INSTALL) -d $(INSTALLDIR) ++ $(INSTALL_LIB) $(PAM_FILES) $(INSTALLDIR) + + clean: + $(RM) a.out core *.so.1 *.o *.bak +diff -Nur pam_skey-1.1.4/README pam_skey/README +--- pam_skey-1.1.4/README 2005-06-18 14:36:18.000000000 +0200 ++++ pam_skey/README 2006-03-06 09:26:55.000000000 +0100 +@@ -1,5 +1,77 @@ + $Id: README,v 1.2 2005/06/18 12:36:18 kreator Exp $ + ++Gentoo patch ++------------ ++ ++The Gentoo pam_skey patch changes the original module in a number of ways. 
++The behavior of the module is changed to make it more consistent with the ++PAM design, and several changes were made throughout the code to make the ++module interact better with the skey library used by Gentoo. Many of ++these changes will break pam_skey's compatibility with other systems and ++libraries, but this is, after all, the Gentoo patch. ++ ++A (not necessarily) exhaustive list of the changes is as follows: ++- pam_skey_access.so is completely removed, since the Gentoo skey library ++ does not support the skey_access() call. ++- The pam_skey.so authentication code is completely rewritten. The ++ original code contained many references to the standard I/O library ++ (writing to stderr, etc.), as well as inconsistent communication with ++ the PAM libraries. Also, the authentication process is different, as ++ described below. ++- The options accepted by the pam_skey.so module are different, as ++ described below. ++ ++Four options are accepted by the pam_skey.so module: ++ debug - This option turns on debug logging. ++ try_first_pass - This option tells the module to first try using ++ the authentication token passed from the ++ previous module as an S/Key response, before ++ informing the user of the challenge. If the ++ token is not valid, the module will proceed with ++ the standard process of challenging the user ++ and requesting a response, subject to the ++ no_default_skey option below. ++ use_first_pass - This option is identical to the try_first_pass ++ option, except that if the token is not valid, ++ it will return silently without challenging the ++ user. ++ no_default_skey - This flag changes the behavior of pam_skey. ++ Instead of immediately challenging the user with ++ an S/Key challenge, it will present the user with ++ a standard "Password: " prompt. If the user enters ++ the password "s/key" (case insensitive), it will ++ then challenge the user. 
Any other input will ++ cause the module to pass the given password to the ++ next module in the authentication stack (usually ++ pam_unix.so with the try_first_pass option). ++ ++The exact behavior of pam_skey.so is detailed below: ++ ++1. Retrieve username from PAM, possibly querying the user for it. ++2. If the user does not have any S/Key information, return PAM_IGNORE to ++ proceed to the next module in the stack. ++3. If *_first_pass is enabled, check the given authentication token to see ++ if it is a valid response to the current S/Key challenge. If so, ++ return PAM_SUCCESS. ++ 3a. If the token is invalid and use_first_pass is enabled, return ++ PAM_IGNORE. ++4. If no_default_skey is enabled, issue a "Password: " prompt. ++ 4a. If the response is anything besides "s/key" (case insensitive), ++ store it as the authentication token and return PAM_IGNORE. ++5. Display the current S/Key challenge and request a response, with ++ input not echoed. If no_default_skey is enabled, this will only be ++ an S/Key response request; otherwise, it will request either an ++ S/Key response or a system passsword. ++ 5a. If an empty response is given, request the S/Key response again, ++ this time with input echoed. ++ 5b. If the response is a valid S/Key response, return PAM_SUCCESS. ++ Otherwise, return PAM_AUTHERR. ++6. If the response is a valid S/Key response, return PAM_SUCCESS. ++7. Otherwise, if no_default_skey is enabled (the user specifically ++ requested "s/key" authentication), return PAM_AUTHERR. ++8. Otherwise, store the response as the authentication token and ++ return PAM_IGNORE. 
++ + About + ----- + This is complete pam_skey modul as interface to existing S/Key +diff -Nur pam_skey-1.1.4/autoconf/acconfig.h pam_skey/autoconf/acconfig.h +--- pam_skey-1.1.4/autoconf/acconfig.h 2005-06-18 14:11:24.000000000 +0200 ++++ pam_skey/autoconf/acconfig.h 2006-03-06 09:26:55.000000000 +0100 +@@ -1,17 +1,2 @@ + /* Define if we can include both string.h and strings.h */ + #undef STRING_WITH_STRINGS +- +-/* Define if you have Linux */ +-#undef LINUX +- +-/* Define if you have *BSD */ +-#undef BSD +- +-/* Define if not missing skeyaccess() */ +-#undef HAVE_SKEYACCESS +- +-/* Define if not missing skeyinfo() */ +-#undef HAVE_SKEYINFO +- +-/* Define if you have skeylookup() instead of skeyinfo() */ +-#undef HAVE_SKEYLOOKUP +diff -Nur pam_skey-1.1.4/autoconf/configure.in pam_skey/autoconf/configure.in +--- pam_skey-1.1.4/autoconf/configure.in 2005-06-18 14:11:24.000000000 +0200 ++++ pam_skey/autoconf/configure.in 2006-03-06 09:26:55.000000000 +0100 +@@ -10,21 +10,9 @@ + AC_LANG_C + AC_LANG_SAVE + +-dnl Get system type +-AC_CANONICAL_HOST +-MYHOST=$host_os +-case "$host_os" in +-*linux*) +- AC_DEFINE(LINUX) +- ;; +-*bsd*) +- AC_DEFINE(BSD) +- ;; +-esac +- + dnl Package information + PACKAGE=pam_skey +-VERSION=1.1 ++VERSION=1.4r1 + + dnl Standard installation path + AC_PREFIX_DEFAULT(/usr) +@@ -65,13 +53,9 @@ + AC_ARG_WITH(skey-inc, [ --with-skey-inc=DIR Directory containing skey include files], CFLAGS="${CFLAGS} -I${withval}") + + dnl Check for skey library +-AC_CHECK_LIB(socket, socket) +-AC_CHECK_LIB(nsl, gethostbyname) ++AC_CHECK_LIB(socket, socket, LIBS="${LIBS} -lsocket") ++AC_CHECK_LIB(nsl, gethostbyname, LIBS="${LIBS} -lnsl") + AC_CHECK_LIB(skey, skeyverify, SKEYLIB="-lskey", AC_MSG_ERROR(skey library not found or unknown interface)) +-AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS)) +-AC_CHECK_LIB(skey, skeyinfo, AC_DEFINE(HAVE_SKEYINFO), +- AC_CHECK_LIB(skey, skeylookup, AC_DEFINE(HAVE_SKEYLOOKUP)) +-) + + dnl Check against -G linker flag + 
hold_ldflags=$LDFLAGS +diff -Nur pam_skey-1.1.4/configure pam_skey/configure +--- pam_skey-1.1.4/configure 2005-06-18 14:36:18.000000000 +0200 ++++ pam_skey/configure 2006-03-06 09:27:41.000000000 +0100 +@@ -310,7 +310,7 @@ + # include <unistd.h> + #endif" + +-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS' ++ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS' + ac_subst_files='' + + # Initialize some variables set by options. +@@ -720,13 +720,13 @@ + /^X\(\/\).*/{ s//\1/; q; } + s/.*/./; q'` + srcdir=$ac_confdir +- if test ! -r $srcdir/$ac_unique_file; then ++ if test ! -r "$srcdir/$ac_unique_file"; then + srcdir=.. + fi + else + ac_srcdir_defaulted=no + fi +-if test ! -r $srcdir/$ac_unique_file; then ++if test ! -r "$srcdir/$ac_unique_file"; then + if test "$ac_srcdir_defaulted" = yes; then + { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." 
>&2 + { (exit 1); exit 1; }; } +@@ -735,7 +735,7 @@ + { (exit 1); exit 1; }; } + fi + fi +-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null || ++(cd $srcdir && test -r "./$ac_unique_file") 2>/dev/null || + { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2 + { (exit 1); exit 1; }; } + srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'` +@@ -831,10 +831,6 @@ + _ACEOF + + cat <<\_ACEOF +- +-System types: +- --build=BUILD configure for building on BUILD [guessed] +- --host=HOST cross-compile to build programs to run on HOST [BUILD] + _ACEOF + fi + +@@ -948,7 +944,7 @@ + else + echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + fi +- cd "$ac_popdir" ++ cd $ac_popdir + done + fi + +@@ -1333,78 +1329,8 @@ + + + +-# Make sure we can run config.sub. +-$ac_config_sub sun4 >/dev/null 2>&1 || +- { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5 +-echo "$as_me: error: cannot run $ac_config_sub" >&2;} +- { (exit 1); exit 1; }; } +- +-echo "$as_me:$LINENO: checking build system type" >&5 +-echo $ECHO_N "checking build system type... 
$ECHO_C" >&6 +-if test "${ac_cv_build+set}" = set; then +- echo $ECHO_N "(cached) $ECHO_C" >&6 +-else +- ac_cv_build_alias=$build_alias +-test -z "$ac_cv_build_alias" && +- ac_cv_build_alias=`$ac_config_guess` +-test -z "$ac_cv_build_alias" && +- { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 +-echo "$as_me: error: cannot guess build type; you must specify one" >&2;} +- { (exit 1); exit 1; }; } +-ac_cv_build=`$ac_config_sub $ac_cv_build_alias` || +- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5 +-echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;} +- { (exit 1); exit 1; }; } +- +-fi +-echo "$as_me:$LINENO: result: $ac_cv_build" >&5 +-echo "${ECHO_T}$ac_cv_build" >&6 +-build=$ac_cv_build +-build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` +-build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` +-build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` +- +- +-echo "$as_me:$LINENO: checking host system type" >&5 +-echo $ECHO_N "checking host system type... 
$ECHO_C" >&6 +-if test "${ac_cv_host+set}" = set; then +- echo $ECHO_N "(cached) $ECHO_C" >&6 +-else +- ac_cv_host_alias=$host_alias +-test -z "$ac_cv_host_alias" && +- ac_cv_host_alias=$ac_cv_build_alias +-ac_cv_host=`$ac_config_sub $ac_cv_host_alias` || +- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5 +-echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;} +- { (exit 1); exit 1; }; } +- +-fi +-echo "$as_me:$LINENO: result: $ac_cv_host" >&5 +-echo "${ECHO_T}$ac_cv_host" >&6 +-host=$ac_cv_host +-host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` +-host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` +-host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` +- +- +-MYHOST=$host_os +-case "$host_os" in +-*linux*) +- cat >>confdefs.h <<\_ACEOF +-#define LINUX 1 +-_ACEOF +- +- ;; +-*bsd*) +- cat >>confdefs.h <<\_ACEOF +-#define BSD 1 +-_ACEOF +- +- ;; +-esac +- + PACKAGE=pam_skey +-VERSION=1.1 ++VERSION=1.4r1 + + + +@@ -1976,7 +1902,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -2034,7 +1961,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -2150,7 +2078,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! 
-s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -2204,7 +2133,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -2249,7 +2179,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -2293,7 +2224,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -2881,7 +2813,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3051,7 +2984,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3124,7 +3058,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! 
-s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3278,7 +3213,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3431,7 +3367,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3533,7 +3470,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3583,7 +3521,6 @@ + CFLAGS="${CFLAGS} -I${withval}" + fi; + +- + echo "$as_me:$LINENO: checking for socket in -lsocket" >&5 + echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6 + if test "${ac_cv_lib_socket_socket+set}" = set; then +@@ -3622,7 +3559,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? 
+@@ -3648,15 +3586,9 @@ + echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5 + echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6 + if test $ac_cv_lib_socket_socket = yes; then +- cat >>confdefs.h <<_ACEOF +-#define HAVE_LIBSOCKET 1 +-_ACEOF +- +- LIBS="-lsocket $LIBS" +- ++ LIBS="${LIBS} -lsocket" + fi + +- + echo "$as_me:$LINENO: checking for gethostbyname in -lnsl" >&5 + echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6 + if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then +@@ -3695,7 +3627,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3721,12 +3654,7 @@ + echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_gethostbyname" >&5 + echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6 + if test $ac_cv_lib_nsl_gethostbyname = yes; then +- cat >>confdefs.h <<_ACEOF +-#define HAVE_LIBNSL 1 +-_ACEOF +- +- LIBS="-lnsl $LIBS" +- ++ LIBS="${LIBS} -lnsl" + fi + + echo "$as_me:$LINENO: checking for skeyverify in -lskey" >&5 +@@ -3767,7 +3695,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -3800,218 +3729,6 @@ + { (exit 1); exit 1; }; } + fi + +-echo "$as_me:$LINENO: checking for skeyaccess in -lskey" >&5 +-echo $ECHO_N "checking for skeyaccess in -lskey... $ECHO_C" >&6 +-if test "${ac_cv_lib_skey_skeyaccess+set}" = set; then +- echo $ECHO_N "(cached) $ECHO_C" >&6 +-else +- ac_check_lib_save_LIBS=$LIBS +-LIBS="-lskey $LIBS" +-cat >conftest.$ac_ext <<_ACEOF +-/* confdefs.h. 
*/ +-_ACEOF +-cat confdefs.h >>conftest.$ac_ext +-cat >>conftest.$ac_ext <<_ACEOF +-/* end confdefs.h. */ +- +-/* Override any gcc2 internal prototype to avoid an error. */ +-#ifdef __cplusplus +-extern "C" +-#endif +-/* We use char because int might match the return type of a gcc2 +- builtin and then its argument prototype would still apply. */ +-char skeyaccess (); +-int +-main () +-{ +-skeyaccess (); +- ; +- return 0; +-} +-_ACEOF +-rm -f conftest.$ac_objext conftest$ac_exeext +-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 +- (eval $ac_link) 2>conftest.er1 +- ac_status=$? +- grep -v '^ *+' conftest.er1 >conftest.err +- rm -f conftest.er1 +- cat conftest.err >&5 +- echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' +- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 +- (eval $ac_try) 2>&5 +- ac_status=$? +- echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); }; } && +- { ac_try='test -s conftest$ac_exeext' +- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 +- (eval $ac_try) 2>&5 +- ac_status=$? +- echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); }; }; then +- ac_cv_lib_skey_skeyaccess=yes +-else +- echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +-ac_cv_lib_skey_skeyaccess=no +-fi +-rm -f conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +-LIBS=$ac_check_lib_save_LIBS +-fi +-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyaccess" >&5 +-echo "${ECHO_T}$ac_cv_lib_skey_skeyaccess" >&6 +-if test $ac_cv_lib_skey_skeyaccess = yes; then +- cat >>confdefs.h <<\_ACEOF +-#define HAVE_SKEYACCESS 1 +-_ACEOF +- +-fi +- +-echo "$as_me:$LINENO: checking for skeyinfo in -lskey" >&5 +-echo $ECHO_N "checking for skeyinfo in -lskey... 
$ECHO_C" >&6 +-if test "${ac_cv_lib_skey_skeyinfo+set}" = set; then +- echo $ECHO_N "(cached) $ECHO_C" >&6 +-else +- ac_check_lib_save_LIBS=$LIBS +-LIBS="-lskey $LIBS" +-cat >conftest.$ac_ext <<_ACEOF +-/* confdefs.h. */ +-_ACEOF +-cat confdefs.h >>conftest.$ac_ext +-cat >>conftest.$ac_ext <<_ACEOF +-/* end confdefs.h. */ +- +-/* Override any gcc2 internal prototype to avoid an error. */ +-#ifdef __cplusplus +-extern "C" +-#endif +-/* We use char because int might match the return type of a gcc2 +- builtin and then its argument prototype would still apply. */ +-char skeyinfo (); +-int +-main () +-{ +-skeyinfo (); +- ; +- return 0; +-} +-_ACEOF +-rm -f conftest.$ac_objext conftest$ac_exeext +-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 +- (eval $ac_link) 2>conftest.er1 +- ac_status=$? +- grep -v '^ *+' conftest.er1 >conftest.err +- rm -f conftest.er1 +- cat conftest.err >&5 +- echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' +- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 +- (eval $ac_try) 2>&5 +- ac_status=$? +- echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); }; } && +- { ac_try='test -s conftest$ac_exeext' +- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 +- (eval $ac_try) 2>&5 +- ac_status=$? +- echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 +- (exit $ac_status); }; }; then +- ac_cv_lib_skey_skeyinfo=yes +-else +- echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +-ac_cv_lib_skey_skeyinfo=no +-fi +-rm -f conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +-LIBS=$ac_check_lib_save_LIBS +-fi +-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyinfo" >&5 +-echo "${ECHO_T}$ac_cv_lib_skey_skeyinfo" >&6 +-if test $ac_cv_lib_skey_skeyinfo = yes; then +- cat >>confdefs.h <<\_ACEOF +-#define HAVE_SKEYINFO 1 +-_ACEOF +- +-else +- echo "$as_me:$LINENO: checking for skeylookup in -lskey" >&5 +-echo $ECHO_N "checking for skeylookup in -lskey... $ECHO_C" >&6 +-if test "${ac_cv_lib_skey_skeylookup+set}" = set; then +- echo $ECHO_N "(cached) $ECHO_C" >&6 +-else +- ac_check_lib_save_LIBS=$LIBS +-LIBS="-lskey $LIBS" +-cat >conftest.$ac_ext <<_ACEOF +-/* confdefs.h. */ +-_ACEOF +-cat confdefs.h >>conftest.$ac_ext +-cat >>conftest.$ac_ext <<_ACEOF +-/* end confdefs.h. */ +- +-/* Override any gcc2 internal prototype to avoid an error. */ +-#ifdef __cplusplus +-extern "C" +-#endif +-/* We use char because int might match the return type of a gcc2 +- builtin and then its argument prototype would still apply. */ +-char skeylookup (); +-int +-main () +-{ +-skeylookup (); +- ; +- return 0; +-} +-_ACEOF +-rm -f conftest.$ac_objext conftest$ac_exeext +-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 +- (eval $ac_link) 2>conftest.er1 +- ac_status=$? +- grep -v '^ *+' conftest.er1 >conftest.err +- rm -f conftest.er1 +- cat conftest.err >&5 +- echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' +- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 +- (eval $ac_try) 2>&5 +- ac_status=$? +- echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 +- (exit $ac_status); }; } && +- { ac_try='test -s conftest$ac_exeext' +- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 +- (eval $ac_try) 2>&5 +- ac_status=$? +- echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); }; }; then +- ac_cv_lib_skey_skeylookup=yes +-else +- echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +-ac_cv_lib_skey_skeylookup=no +-fi +-rm -f conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +-LIBS=$ac_check_lib_save_LIBS +-fi +-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeylookup" >&5 +-echo "${ECHO_T}$ac_cv_lib_skey_skeylookup" >&6 +-if test $ac_cv_lib_skey_skeylookup = yes; then +- cat >>confdefs.h <<\_ACEOF +-#define HAVE_SKEYLOOKUP 1 +-_ACEOF +- +-fi +- +- +-fi +- + + hold_ldflags=$LDFLAGS + echo "$as_me:$LINENO: checking for the ld -shared flag" >&5 +@@ -4041,7 +3758,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? +@@ -4099,7 +3817,8 @@ + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && +- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? 
+@@ -4747,14 +4466,6 @@ + s,@ECHO_N@,$ECHO_N,;t t + s,@ECHO_T@,$ECHO_T,;t t + s,@LIBS@,$LIBS,;t t +-s,@build@,$build,;t t +-s,@build_cpu@,$build_cpu,;t t +-s,@build_vendor@,$build_vendor,;t t +-s,@build_os@,$build_os,;t t +-s,@host@,$host,;t t +-s,@host_cpu@,$host_cpu,;t t +-s,@host_vendor@,$host_vendor,;t t +-s,@host_os@,$host_os,;t t + s,@CC@,$CC,;t t + s,@CFLAGS@,$CFLAGS,;t t + s,@LDFLAGS@,$LDFLAGS,;t t +@@ -4945,6 +4656,11 @@ + *) ac_INSTALL=$ac_top_builddir$INSTALL ;; + esac + ++ if test x"$ac_file" != x-; then ++ { echo "$as_me:$LINENO: creating $ac_file" >&5 ++echo "$as_me: creating $ac_file" >&6;} ++ rm -f "$ac_file" ++ fi + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ +@@ -4983,12 +4699,6 @@ + fi;; + esac + done` || { (exit 1); exit 1; } +- +- if test x"$ac_file" != x-; then +- { echo "$as_me:$LINENO: creating $ac_file" >&5 +-echo "$as_me: creating $ac_file" >&6;} +- rm -f "$ac_file" +- fi + _ACEOF + cat >>$CONFIG_STATUS <<_ACEOF + sed "$ac_vpsub +diff -Nur pam_skey-1.1.4/defs.h.in pam_skey/defs.h.in +--- pam_skey-1.1.4/defs.h.in 2005-06-18 14:36:18.000000000 +0200 ++++ pam_skey/defs.h.in 2006-03-06 09:26:55.000000000 +0100 +@@ -1,96 +1,49 @@ +-/* defs.h.in. Generated from configure.in by autoheader. */ +-/* Define if we can include both string.h and strings.h */ +-#undef STRING_WITH_STRINGS +- +-/* Define if you have Linux */ +-#undef LINUX +- +-/* Define if you have *BSD */ +-#undef BSD ++/* defs.h.in. Generated automatically from configure.in by autoheader. */ + +-/* Define if not missing skeyaccess() */ +-#undef HAVE_SKEYACCESS +- +-/* Define if not missing skeyinfo() */ +-#undef HAVE_SKEYINFO ++/* Define if you have the ANSI C header files. 
*/ ++#undef STDC_HEADERS + +-/* Define if you have skeylookup() instead of skeyinfo() */ +-#undef HAVE_SKEYLOOKUP ++/* Define if we can include both string.h and strings.h */ ++#undef STRING_WITH_STRINGS + +-/* Define to 1 if you have the `fprintf' function. */ ++/* Define if you have the fprintf function. */ + #undef HAVE_FPRINTF + +-/* Define to 1 if you have the <inttypes.h> header file. */ +-#undef HAVE_INTTYPES_H ++/* Define if you have the gethostbyname function. */ ++#undef HAVE_GETHOSTBYNAME + +-/* Define to 1 if you have the `nsl' library (-lnsl). */ +-#undef HAVE_LIBNSL ++/* Define if you have the snprintf function. */ ++#undef HAVE_SNPRINTF + +-/* Define to 1 if you have the `socket' library (-lsocket). */ +-#undef HAVE_LIBSOCKET ++/* Define if you have the strncmp function. */ ++#undef HAVE_STRNCMP + +-/* Define to 1 if you have the <memory.h> header file. */ +-#undef HAVE_MEMORY_H ++/* Define if you have the syslog function. */ ++#undef HAVE_SYSLOG + +-/* Define to 1 if you have the <pwd.h> header file. */ ++/* Define if you have the <pwd.h> header file. */ + #undef HAVE_PWD_H + +-/* Define to 1 if you have the <security/pam_appl.h> header file. */ ++/* Define if you have the <security/pam_appl.h> header file. */ + #undef HAVE_SECURITY_PAM_APPL_H + +-/* Define to 1 if you have the <security/pam_modules.h> header file. */ ++/* Define if you have the <security/pam_modules.h> header file. */ + #undef HAVE_SECURITY_PAM_MODULES_H + +-/* Define to 1 if you have the `snprintf' function. */ +-#undef HAVE_SNPRINTF +- +-/* Define to 1 if you have the <stdint.h> header file. */ +-#undef HAVE_STDINT_H +- +-/* Define to 1 if you have the <stdlib.h> header file. */ ++/* Define if you have the <stdlib.h> header file. */ + #undef HAVE_STDLIB_H + +-/* Define to 1 if you have the <strings.h> header file. */ +-#undef HAVE_STRINGS_H +- +-/* Define to 1 if you have the <string.h> header file. */ ++/* Define if you have the <string.h> header file. 
*/ + #undef HAVE_STRING_H + +-/* Define to 1 if you have the `strncmp' function. */ +-#undef HAVE_STRNCMP +- +-/* Define to 1 if you have the `syslog' function. */ +-#undef HAVE_SYSLOG +- +-/* Define to 1 if you have the <syslog.h> header file. */ +-#undef HAVE_SYSLOG_H +- +-/* Define to 1 if you have the <sys/stat.h> header file. */ +-#undef HAVE_SYS_STAT_H ++/* Define if you have the <strings.h> header file. */ ++#undef HAVE_STRINGS_H + +-/* Define to 1 if you have the <sys/syslog.h> header file. */ ++/* Define if you have the <sys/syslog.h> header file. */ + #undef HAVE_SYS_SYSLOG_H + +-/* Define to 1 if you have the <sys/types.h> header file. */ ++/* Define if you have the <sys/types.h> header file. */ + #undef HAVE_SYS_TYPES_H + +-/* Define to 1 if you have the <unistd.h> header file. */ +-#undef HAVE_UNISTD_H +- +-/* Define to the address where bug reports for this package should be sent. */ +-#undef PACKAGE_BUGREPORT +- +-/* Define to the full name of this package. */ +-#undef PACKAGE_NAME +- +-/* Define to the full name and version of this package. */ +-#undef PACKAGE_STRING +- +-/* Define to the one symbol short name of this package. */ +-#undef PACKAGE_TARNAME +- +-/* Define to the version of this package. */ +-#undef PACKAGE_VERSION +- +-/* Define to 1 if you have the ANSI C header files. */ +-#undef STDC_HEADERS ++/* Define if you have the <syslog.h> header file. 
*/ ++#undef HAVE_SYSLOG_H +diff -Nur pam_skey-1.1.4/pam_skey.c pam_skey/pam_skey.c +--- pam_skey-1.1.4/pam_skey.c 2005-06-18 14:36:18.000000000 +0200 ++++ pam_skey/pam_skey.c 2006-03-06 09:26:55.000000000 +0100 +@@ -1,5 +1,6 @@ + /* +- * (c) 2001 Dinko Korunic, kreator@srce.hr ++ * Rewrite (c) 2005 Dani Church, dani.church@gmail.com ++ * Original (c) 2001 Dinko Korunic, kreator@srce.hr + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +@@ -33,272 +34,146 @@ + #include <pwd.h> + #include <sys/types.h> + #include <syslog.h> ++#include <ctype.h> + + #define PAM_EXTERN extern + #undef PAM_STATIC + + #include <security/pam_appl.h> + #include <security/pam_modules.h> ++#include <security/_pam_macros.h> + + #include "skey.h" + #include "pam_skey.h" + #include "misc.h" + ++#define LOGDEBUG(x) if (mod_opt & _MOD_DEBUG) { syslog x ;} ++#define QUERY_USERNAME NULL /* Use default username prompt */ ++#define QUERY_PASSWORD "Password: " ++#define QUERY_RESPONSE_OR_PASSWORD "S/Key response or system password: " ++#define QUERY_RESPONSE "S/Key response: " ++ + PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags, + int argc, const char **argv) + { + return PAM_SUCCESS; + } + ++/* ++ * The authentication module will return the following status codes: ++ * PAM_SUCCESS: Successful authentication via S/Key. ++ * PAM_IGNORE: The user doesn't have S/Key or doesn't want to use it. ++ * Continue with the next module, using try_first_pass. ++ * PAM_AUTH_ERR: The user asked to use S/Key, but failed the authentication. ++ * Don't try any more PAM modules. 
++ * others: random errors, try next authentication method ++ */ ++ + PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char **argv) + { +- char challenge[CHALLENGE_MAXSIZE]; /* challenge to print in conv */ +- char msg_text[PAM_MAX_MSG_SIZE]; /* text for pam conv */ +- char *username = NULL; /* username spacer */ ++ const char *challenge; /* challenge to print in conv */ ++ const char *username = NULL; /* username spacer */ + char *response = NULL; /* response spacer */ +- struct skey skey; /* structure that contains skey information */ + int status; /* return status spacer */ +- unsigned mod_opt = _MOD_NONE_ON; /* module options */ ++ unsigned mod_opt=_MOD_NONE_ON; /* module options */ + + /* Get module options */ + mod_getopt(&mod_opt, argc, argv); + +- /* Get username */ +-#if defined LINUX || defined BSD +- if (pam_get_user(pamh, (const char **)&username, "login:") +-#else +- if (pam_get_user(pamh, (char **)&username, "login:") +-#endif +- != PAM_SUCCESS) +- { +- fprintf(stderr, "cannot determine username\n"); +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "cannot determine username"); +- return PAM_USER_UNKNOWN; +- } +- +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "got username %s", username); +- +-#ifdef HAVE_SKEYACCESS +- /* Check S/Key access permissions - user, host and port. Also include +- * sanity checks */ +- if (mod_opt & _MOD_ACCESS_CHECK) +- { +- char *host; /* points to host */ +- char *port; /* points to port */ +- struct passwd *pwuser; /* structure for getpw() */ +- +- /* Get host.. 
*/ +-#if defined LINUX || defined BSD +- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) +-#else +- if (pam_get_item(pamh, PAM_RHOST, (void **)&host) +-#endif +- != PAM_SUCCESS) +- host = NULL; /* couldn't get host */ +- /* ..and port */ +-#if defined LINUX || defined BSD +- if (pam_get_item(pamh, PAM_TTY, (const void **)&port) +-#else +- if (pam_get_item(pamh, PAM_TTY, (void **)&port) +-#endif +- != PAM_SUCCESS) +- port = NULL; /* couldn't get port */ +- +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "checking s/key access for user %s," +- " host %s, port %s", username, +- (host != NULL) ? host : "*unknown*", +- (port != NULL) ? port : "*unknown*"); +- +- /* Get information from passwd file */ +- if ((pwuser = getpwnam(username)) == NULL) +- { +- fprintf(stderr, "no such user\n"); +- syslog(LOG_NOTICE, "cannot find user %s", username); +- return PAM_USER_UNKNOWN; /* perhaps even return PAM_ABORT here? */ ++ /* Get username (taken mainly from pam_unix) */ ++ status = pam_get_user(pamh, &username, QUERY_USERNAME); ++ if (status == PAM_SUCCESS) { ++ if (username == NULL || !isalnum(*username)) { ++ syslog(LOG_ERR, "bad username [%s]", username); ++ return PAM_USER_UNKNOWN; + } ++ LOGDEBUG((LOG_DEBUG, "username [%s] obtained", username)); ++ } else { ++ LOGDEBUG((LOG_DEBUG, "trouble reading username")); ++ if (status == PAM_CONV_AGAIN) ++ return PAM_INCOMPLETE; ++ return status; ++ } + +- /* Do actual checking - we assume skeyaccess() returns PERMIT which is +- * by default 1. 
Notice 4th argument is NULL - we will not perform +- * address checks on host itself */ +- if (skeyaccess(pwuser, port, host, NULL) != 1) +- { +- fprintf(stderr, "no s/key access permissions\n"); +- syslog(LOG_NOTICE, "no s/key access permissions for %s", +- username); +- return PAM_AUTH_ERR; +- } ++ /* Check whether or not this user has an S/Key */ ++ if (skey_haskey(username) != 0) { ++ LOGDEBUG((LOG_DEBUG, "user [%s] has no S/Key entry", username)); ++ return PAM_IGNORE; + } +- else + +-#endif /* HAVE_SKEYACCESS */ +- +- /* Only do check whether user has passwd entry */ +- if (getpwnam(username) == NULL) +- { +- fprintf(stderr, "no such user\n"); +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "cannot find user %s", +- username); +- return PAM_USER_UNKNOWN; ++ if ((mod_opt & _MOD_TRY_FIRST_PASS) || (mod_opt & _MOD_USE_FIRST_PASS)) { ++ status = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &response); ++ if (status != PAM_SUCCESS) { ++ syslog(LOG_ALERT, "pam_get_item returned error to pam_skey"); ++ return status; ++ } else if (response != NULL) { ++ if (skey_passcheck(username, response) != -1) { ++ return PAM_SUCCESS; ++ } else if (mod_opt & _MOD_USE_FIRST_PASS) { ++ return PAM_IGNORE; ++ } ++ } else if (mod_opt & _MOD_USE_FIRST_PASS) { ++ return PAM_AUTHTOK_RECOVER_ERR; + } +- +- /* Get S/Key information on user with skeyinfo() */ +-#ifdef HAVE_SKEYINFO +- switch (skeyinfo(&skey, username, NULL)) +-#else +-#ifdef HAVE_SKEYLOOKUP +- switch (skeylookup(&skey, username)) +-#endif /* HAVE_SKEYLOOKUP */ +-#endif /* HAVE_SKEYINFO */ +- { +- /* 0: OK */ +- case 0: +- break; +- /* -1: File error */ +- case -1: +-#if 0 +- /* XXX- This seems broken in (at least) logdaemon-5.8. It returns -1 +- * when user not found in keyfile. 
-kre */ +- fprintf(stderr, "s/key database error\n"); +- syslog(LOG_NOTICE, "s/key database error"); +- return PAM_AUTH_ERR; +-#endif +- /* 1: No such user in database */ +- case 1: +- /* We won't confuse the ordinary user telling him about missing skeys +- * -kre */ +-#if 0 +- fprintf(stderr, "no s/key for %s\n", username); +-#endif +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "no s/key for %s\n", username); +- return PAM_AUTH_ERR; + } +- +- /* Make challenge string */ +-#if defined(SKEY_MAX_HASHNAME_LEN) && defined(SKEY_MAX_SEED_LEN) +- snprintf(challenge, CHALLENGE_MAXSIZE, "otp-%.*s %d %.*s", +- SKEY_MAX_HASHNAME_LEN, skey_get_algorithm(), skey.n - 1, SKEY_MAX_SEED_LEN, skey.seed); +-#else +- snprintf(challenge, CHALLENGE_MAXSIZE, "s/key %d %s", +- skey.n - 1, skey.seed); +-#endif +- +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "got challenge %s for %s", challenge, +- username); +- +- /* Read response from last module's PAM_AUTHTOK */ +- if (mod_opt & _MOD_USE_FIRST_PASS) +- { +- /* Try to extract authtoken */ +-#if defined LINUX || defined BSD +- if (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&response) +-#else +- if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&response) +-#endif +- != PAM_SUCCESS) +- { +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "could not get PAM_AUTHTOK"); +- mod_opt &= ~_MOD_USE_FIRST_PASS; ++ ++ if (mod_opt & _MOD_NO_DEFAULT_SKEY) { ++ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_PASSWORD, 0, &response); ++ if (status != PAM_SUCCESS) { ++ _pam_delete(response) ++ return status; + } +- else +- { +- /* Got AUTHTOK, but it was empty */ +- if (empty_authtok(response)) +- { +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "empty PAM_AUTHTOK"); +- mod_opt &= ~_MOD_USE_FIRST_PASS; +- } +- else +- /* All OK, print challenge information */ +- fprintf(stderr, "challenge %s\n", challenge); ++ if (strcasecmp(response,"s/key")!=0) { ++ status = pam_set_item(pamh, PAM_AUTHTOK, response); ++ if (status != PAM_SUCCESS) ++ return 
status; ++ return PAM_IGNORE; + } ++ _pam_delete(response); + } + +- /* There was no PAM_AUTHTOK, or there was no such option in pam-conf +- * file */ +- if (!(mod_opt & _MOD_USE_FIRST_PASS)) +- { +- /* Prepare a complete message for conversation */ +- snprintf(msg_text, PAM_MAX_MSG_SIZE, +- "challenge %s\npassword: ", challenge); +- +- /* Talk with user */ +- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response) +- != PAM_SUCCESS) +- return PAM_SERVICE_ERR; +- +- /* Simulate standard S/Key login procedure - if empty token, turn on +- * ECHO and prompt again */ +- if (empty_authtok(response) && !(mod_opt & _MOD_ONLY_ONE_TRY)) +- { +- /* Was there echo off? */ +- if (mod_opt & _MOD_ECHO_OFF) +- { +- _pam_delete(response); +- fprintf(stderr, "(turning echo on)\n"); +- mod_opt &= ~_MOD_ECHO_OFF; +- +- /* Prepare a complete message for conversation */ +- snprintf(msg_text, PAM_MAX_MSG_SIZE, "password: "); +- +- /* Talk with user */ +- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response) +- != PAM_SUCCESS) +- return PAM_SERVICE_ERR; +- +- /* Got again empty response. Bailout and don't save auth token */ +- if (empty_authtok(response)) +- return PAM_AUTH_ERR; +- } +- else +- /* There was echo on already - just get out and don't save auth token +- * for other modules */ +- return PAM_AUTH_ERR; +- } ++ challenge = skey_keyinfo(username); ++ if (challenge == NULL) { ++ syslog(LOG_ALERT, "Could not retrieve S/Key challenge for [%s]", username); ++ return PAM_AUTHINFO_UNAVAIL; ++ } + +- /* XXX - ECHO ON puts '\n' at the end in Solaris 2.7! 
This is +- * cludge to get rid of this nasty `feature' -kre */ +- _pam_degarbage(response); +- +- /* Store auth token - that next module can use with `use_first_pass' */ +- if (pam_set_item(pamh, PAM_AUTHTOK, response) != PAM_SUCCESS) +- { +- syslog(LOG_NOTICE, "unable to save auth token"); +- return PAM_SERVICE_ERR; +- } ++ if (mod_opt & _MOD_NO_DEFAULT_SKEY) ++ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response); ++ else ++ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response); + +- /* cleanup conversation */ ++ if (status != PAM_SUCCESS) ++ return status; ++ ++ if (*response == '\0') { + _pam_delete(response); +- } +- +- /* Verify S/Key */ +- status = skeyverify(&skey, response); ++ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_RESPONSE, 1, &response); ++ if (status != PAM_SUCCESS) ++ return status; ++ status = pam_set_item(pamh, PAM_AUTHTOK, response); ++ status = skey_passcheck(username, response); ++ _pam_delete(response); ++ if (status != -1) ++ return PAM_SUCCESS; ++ return PAM_AUTH_ERR; ++ } + +- switch (status) +- { +- /* 0: Verify successful, database updated */ +- case 0: +- break; +- /* -1: Error of some sort; database unchanged */ +- /* 1: Verify failed, database unchanged */ +- case -1: +- case 1: +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "verify for %s failed, database" +- " unchanged", username); +- return PAM_AUTH_ERR; ++ status = pam_set_item(pamh, PAM_AUTHTOK, response); ++ status = skey_passcheck(username, response); ++ if (status != -1) { ++ _pam_delete(response); ++ return PAM_SUCCESS; ++ } ++ ++ if (mod_opt & _MOD_NO_DEFAULT_SKEY) { ++ _pam_delete(response); ++ return PAM_AUTH_ERR; + } + +- /* Success by default */ +- return PAM_SUCCESS; ++ status = pam_set_item(pamh, PAM_AUTHTOK, response); ++ return PAM_IGNORE; + } + + /* Get module optional parameters */ +@@ -332,50 +207,43 @@ + } + + /* This will talk to user through PAM_CONV */ +-static int 
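Review bot: In the rewritten pam_sm_authenticate, the two paths that pass the typed string on to the next module return PAM_IGNORE without `_pam_delete(response)`: the `no_default_skey` branch after `pam_set_item(pamh, PAM_AUTHTOK, response)` and the final `return PAM_IGNORE;`. Linux-PAM's pam_set_item keeps its own copy of PAM_AUTHTOK, so the module's buffer, which at that point most likely holds the system password, is left in the heap uncleared; adding `_pam_delete(response);` before each of those returns fixes it. In two places the result of `pam_set_item` is overwritten on the next line by `status = skey_passcheck(username, response);`, so a failed store goes unnoticed. `syslog(LOG_ERR, "bad username [%s]", username);` is also reached when `username == NULL`, which passes a null pointer to `%s`; log a fixed string for that case.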
mod_talk_touser(pam_handle_t *pamh, unsigned *mod_opt, +- char *msg_text, char **response) ++static int mod_talk_touser(pam_handle_t *pamh, unsigned mod_opt, ++ const char *info_text, const char *prompt_text, int echo_on, char **response) + { +- struct pam_message message; +- const struct pam_message *pmessage = &message; ++ struct pam_message message[2], *pmessage[2]; + struct pam_conv *conv = NULL; + struct pam_response *presponse = NULL; +- ++ int i=0; ++ + /* Better safe than sorry */ + *response = NULL; + + /* Be paranoid */ + memset(&message, 0, sizeof(message)); + +- /* Turn on/off PAM echo */ +- if (*mod_opt & _MOD_ECHO_OFF) +- message.msg_style = PAM_PROMPT_ECHO_OFF; +- else +- message.msg_style = PAM_PROMPT_ECHO_ON; ++ pmessage[0] = &message[0]; ++ pmessage[1] = &message[1]; ++ ++ /* Set info text, if any */ ++ if (info_text) { ++ message[i].msg = info_text; ++ message[i].msg_style = PAM_TEXT_INFO; ++ i++; ++ } + +- /* Point to conversation text */ +- message.msg = msg_text; ++ /* Set prompt text */ ++ message[i].msg = prompt_text; ++ message[i].msg_style = echo_on ? 
PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; ++ i++; + + /* Do conversation and see if all is OK */ +-#if defined LINUX || defined BSD +- if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) +-#else +- if (pam_get_item(pamh, PAM_CONV, (void **)&conv) +-#endif +- != PAM_SUCCESS) +- { +- if (*mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "error in conversation"); ++ if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS) { ++ LOGDEBUG((LOG_DEBUG, "error in conversation")); + return PAM_SERVICE_ERR; + } +- +- /* Convert into pam_response - only 1 reply expected */ +-#if defined LINUX || defined BSD +- if (conv->conv(1, &pmessage, &presponse, ++ /* Convert into pam_response */ ++ if (conv->conv(i, (const struct pam_message **)pmessage, &presponse, + conv->appdata_ptr) +-#else +- if (conv->conv(1, (struct pam_message **)&pmessage, &presponse, +- conv->appdata_ptr) +-#endif + != PAM_SUCCESS) + { + _pam_delete(presponse->resp); +@@ -385,10 +253,10 @@ + if (presponse != NULL) + { + /* Save address */ +- *response = presponse->resp; ++ *response = presponse[i-1].resp; + /* To ensure that response address will not be erased */ +- presponse->resp = NULL; +- _pam_drop(presponse); ++ presponse[i-1].resp = NULL; ++ _pam_drop_reply(presponse,i); + } + else + return PAM_SERVICE_ERR; +diff -Nur pam_skey-1.1.4/pam_skey.h pam_skey/pam_skey.h +--- pam_skey-1.1.4/pam_skey.h 2005-06-18 14:36:18.000000000 +0200 ++++ pam_skey/pam_skey.h 2006-03-06 09:26:55.000000000 +0100 +@@ -22,29 +22,25 @@ + */ + + /* Prototypes */ +-#ifndef BSD +-extern int skeyinfo(struct skey *, char *, char *); /* ORGH! 
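Review bot: The failure branch after `conv->conv(i, ...)` still runs `_pam_delete(presponse->resp);`, but `presponse` is initialised to NULL and a conversation function that fails need not set it, so this can dereference a null pointer inside the authenticating process. With the PAM_TEXT_INFO message added here there may be two replies, and that line would scrub only the first. `if (presponse != NULL) _pam_drop_reply(presponse, i);` covers both cases. The function body continues past the end of this hunk.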
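Review bot: `*response = presponse[i-1].resp;` can store NULL when the application returns a reply without text, and as far as this hunk shows mod_talk_touser still reports PAM_SUCCESS in that case. The callers in pam_sm_authenticate then evaluate `*response == '\0'` and `strcasecmp(response,"s/key")` with no check of their own. A guard after the drop, `if (*response == NULL) return PAM_CONV_ERR;`, keeps every caller safe. The end of the function is outside the hunk.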
Not in skey.h */ +-#endif +- + static void mod_getopt(unsigned *, int, const char **); +-static int mod_talk_touser(pam_handle_t *, unsigned *, char *, char **); ++static int mod_talk_touser(pam_handle_t *, unsigned, const char *, const char *, int, char **); + + /* free() macro */ +-#define _pam_drop(X) \ ++/*#define _pam_drop(X) \ + if (X != NULL) \ + { \ + free(X); \ + X = NULL; \ +-} ++}*/ + + /* Secure overwrite */ +-#define _pam_overwrite(x) \ ++/*#define _pam_overwrite(x) \ + { \ + register char *__xx__; \ + if ((__xx__ = (x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ +-} ++}*/ + + /* Drop-in secure replacement - we do not want cleartext passwords lying + * scattered around */ +@@ -56,7 +52,7 @@ + + /* This will get us rid of first '\n' in response string and cut-off the + * rest of the string. It should be ASCIIZ, of course */ +-#define _pam_degarbage(x) \ ++/*#define _pam_degarbage(x) \ + { \ + register char *__xx__; \ + if ((__xx__ = (x))) \ +@@ -70,30 +66,25 @@ + else \ + __xx__++; \ + } \ +-} ++}*/ + + /* Handy empty AUTHTOK macro */ + #define empty_authtok(a) (a == NULL || !*a || *a == '\n') + +-/* Maximum challenge size. 
It should be 64, but be sure */ +-#define CHALLENGE_MAXSIZE 128 +- + /* Define module flags */ +-#define _MOD_NONE_ON 0x0000 /* Generic flag */ +-#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */ +-#define _MOD_DEBUG 0x0001 /* Debugging options on */ +-#define _MOD_ECHO_OFF 0x0002 /* PAM_ECHO_OFF */ +-#define _MOD_ACCESS_CHECK 0x0004 /* Check S/Key access permissions */ +-#define _MOD_USE_FIRST_PASS 0x0008 /* Use PAM_AUTHTOK */ +-#define _MOD_ONLY_ONE_TRY 0x0010 /* Only one try, no matter of echo */ +-#define _MOD_SPACER 0x0020 /* Currently unused */ ++#define _MOD_NONE_ON 0x0000 /* Generic flag */ ++#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */ ++#define _MOD_DEBUG 0x0001 /* Debugging options on */ ++#define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */ ++#define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */ ++#define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */ + + /* Setup defaults - use echo off only */ +-#define _MOD_DEFAULT_FLAG _MOD_ECHO_OFF ++#define _MOD_DEFAULT_FLAG _MOD_NONE_ON + #define _MOD_DEFAULT_MASK _MOD_ALL_ON + + /* Number of parameters currently known */ +-#define _MOD_ARGS 8 ++#define _MOD_ARGS 4 + + /* Structure for flexible argument parsing */ + typedef struct +@@ -108,11 +99,7 @@ + { + /* String Mask Flag */ + {"debug", _MOD_ALL_ON, _MOD_DEBUG}, +- {"echo=off", _MOD_ALL_ON, _MOD_ECHO_OFF}, +- {"echo=on", _MOD_ALL_ON^_MOD_ECHO_OFF, _MOD_NONE_ON}, +- {"access_check=on", _MOD_ALL_ON, _MOD_ACCESS_CHECK}, +- {"access_check=off", _MOD_ALL_ON^_MOD_ACCESS_CHECK, _MOD_NONE_ON}, ++ {"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS}, + {"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, +- {"try_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, +- {"only_one_try", _MOD_ALL_ON, _MOD_ONLY_ONE_TRY} ++ {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY} + }; +diff -Nur pam_skey-1.1.4/pam_skey_access.c pam_skey/pam_skey_access.c +--- pam_skey-1.1.4/pam_skey_access.c 2005-06-18 14:36:18.000000000 +0200 
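Review bot: The context comment `/* Setup defaults - use echo off only */` now sits above `#define _MOD_DEFAULT_FLAG _MOD_NONE_ON`, but this hunk removes `_MOD_ECHO_OFF` and echo is chosen per prompt through the `echo_on` argument of mod_talk_touser. A reader checking whether responses are echoed would be misled by it. Suggested wording: `/* Setup defaults - no option flags set; echo is chosen per prompt */`.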
++++ pam_skey/pam_skey_access.c 1970-01-01 01:00:00.000000000 +0100 +@@ -1,161 +0,0 @@ +-/* +- * (c) 2001 Dinko Korunic, kreator@srce.hr +- * +- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +- * +- * S/KEY is a trademark of Bellcore. +- * Mink is the former name of the S/KEY authentication system. +- * +- * Programs that had some influence in development of this source: +- * Wietse Venema's logdaemon package +- * Olaf Kirch's Linux S/Key package +- * Linux-PAM modules and templates +- * Wyman Miles' pam_securid module +- * +- * Should you choose to use and/or modify this source code, please do so +- * under the terms of the GNU General Public License under which this +- * program is distributed. +- */ +- +-static char rcsid[] = "$Id: pam_skey_access.c,v 1.2 2005/06/18 12:36:18 kreator Exp $"; +- +-#include "defs.h" +- +-#include <stdio.h> +-#include <stdlib.h> +-#include <string.h> +-#ifdef STRING_WITH_STRINGS +-# include <strings.h> +-#endif +-#include <unistd.h> +-#include <pwd.h> +-#include <sys/types.h> +-#include <syslog.h> +- +-#define PAM_EXTERN extern +-#undef PAM_STATIC +- +-#include <security/pam_appl.h> +-#include <security/pam_modules.h> +- +-#include "skey.h" +-#include "pam_skey.h" +-#include "misc.h" +- +-PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags, +- int argc, const char **argv) +-{ +- return PAM_SUCCESS; +-} +- +-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, +- int argc, const char **argv) +-{ +- char *username = NULL; /* will point to username */ +- unsigned mod_opt = _MOD_NONE_ON; /* module options */ +- char *host; /* will point to host */ +- char *port; /* will point to port */ +- struct passwd *pwuser; +- +- /* Get module options */ +- mod_getopt(&mod_opt, argc, argv); +- +- /* Get username */ +-#if defined LINUX || defined BSD +- if 
(pam_get_user(pamh, (const char **)&username, "login:")!=PAM_SUCCESS) +-#else +- if (pam_get_user(pamh, (char **)&username, "login:")!=PAM_SUCCESS) +-#endif +- { +- fprintf(stderr, "cannot determine username\n"); +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "cannot determine username"); +- return PAM_AUTHINFO_UNAVAIL; +- } +- +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "got username %s", username); +- +- /* Check S/Key access permissions - user, host and port. Also include +- * sanity checks */ +- /* Get host.. */ +-#if defined LINUX || defined BSD +- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) +-#else +- if (pam_get_item(pamh, PAM_RHOST, (void **)&host) +-#endif +- != PAM_SUCCESS) +- host = NULL; +- /* ..and port */ +-#ifdef LINUX +- if (pam_get_item(pamh, PAM_TTY, (const void **)&port) +-#else +- if (pam_get_item(pamh, PAM_TTY, (void **)&port) +-#endif +- != PAM_SUCCESS) +- port = NULL; +- +- if (mod_opt & _MOD_DEBUG) +- syslog(LOG_DEBUG, "checking s/key access for user %s," +- " host %s, port %s", username, +- (host != NULL) ? host : "*unknown*", +- (port != NULL) ? port : "*unknown*"); +- +- /* Get information from passwd file */ +- if ((pwuser = getpwnam(username)) == NULL) +- { +- fprintf(stderr, "no such user\n"); +- syslog(LOG_NOTICE, "cannot find user %s", +- username); +- return PAM_AUTHINFO_UNAVAIL; +- } +- +-#ifdef HAVE_SKEYACCESS +- +- /* Do actual checking - we assume skeyaccess() returns PERMIT which is +- * by default 1. 
Notice 4th argument is NULL - we will not perform +- * address checks on host itself */ +- if (skeyaccess(pwuser, port, host, NULL) != 1) +- { +- fprintf(stderr, "no s/key access permissions\n"); +- syslog(LOG_NOTICE, "no s/key access permissions for %s", +- username); +- return PAM_AUTH_ERR; +- } +- +-#endif /* HAVE_SKEYACCESS */ +- +- return PAM_SUCCESS; +-} +- +-/* Get module optional parameters */ +-static void mod_getopt(unsigned *mod_opt, int mod_argc, const char **mod_argv) +-{ +- int i; +- +- /* Setup runtime defaults */ +- *mod_opt |= _MOD_DEFAULT_FLAG; +- *mod_opt &= _MOD_DEFAULT_MASK; +- +- /* Setup runtime options */ +- while (mod_argc--) +- { +- for (i = 0; i < _MOD_ARGS; ++i) +- { +- if (mod_args[i].token != NULL && +- !strncmp(*mod_argv, mod_args[i].token, +- strlen(mod_args[i].token))) +- break; +- } +- if (i >= _MOD_ARGS) +- syslog(LOG_ERR, "unknown option %s", *mod_argv); +- else +- { +- *mod_opt &= mod_args[i].mask; /* Turn off */ +- *mod_opt |= mod_args[i].flag; /* Turn on */ +- } +- ++mod_argv; +- } +-} + diff --git a/sys-auth/pam_skey/files/pam_skey-system-auth.pam.d b/sys-auth/pam_skey/files/pam_skey-system-auth.pam.d new file mode 100644 index 000000000..4a28d8dda --- /dev/null +++ b/sys-auth/pam_skey/files/pam_skey-system-auth.pam.d @@ -0,0 +1,15 @@ +#%PAM-1.0 + +auth required pam_env.so +auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so +auth sufficient pam_unix.so likeauth nullok try_first_pass +auth required pam_deny.so + +account required pam_unix.so + +password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 +password sufficient pam_unix.so nullok md5 shadow use_authtok +password required pam_deny.so + +session required pam_limits.so +session required pam_unix.so diff --git a/sys-auth/pam_skey/pam_skey-1.1.4.ebuild b/sys-auth/pam_skey/pam_skey-1.1.4.ebuild new file mode 100644 index 000000000..3ac016ffd --- /dev/null +++ b/sys-auth/pam_skey/pam_skey-1.1.4.ebuild 
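Review bot: `default=bad` on the pam_skey.so line makes every return code other than success, ignore and auth_err count as a stack failure, so a later pam_unix success cannot rescue the login. That includes PAM_AUTHINFO_UNAVAIL, which pam_skey.c returns when the S/Key challenge cannot be retrieved, although the comment in pam_skey.c describes such codes as "try next authentication method". The fail-closed choice should be stated in the file, e.g. `# default=bad: any other pam_skey error fails the stack, no password fallback`. Because the ebuild installs this file as system-auth, `nullok` on the pam_unix auth line (empty passwords accepted) and `md5` on the password line also deserve a short comment saying they are intentional.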
@@ -0,0 +1,34 @@ +# Copyright 1999-2006 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: $ + +inherit eutils pam + +DESCRIPTION="pam interface to existing S/Key library/interface" +HOMEPAGE="http://freshmeat.net/projects/pam_skey/" +SRC_URI="http://kreator.esa.fer.hr/projects/tarballs/${P}.tar.gz" + #http://dchurch.ath.cx/${P}-gentoo-${PR}.patch.bz2" +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~x86" +IUSE="" +DEPEND=">=sys-libs/pam-0.78-r3 + >=app-admin/skey-1.1.5-r4" +S=${WORKDIR}/${PN} + +src_unpack() { + unpack ${A} + cd ${S} + epatch ${FILESDIR}/${P}-gentoo.patch +} + +src_compile() { + econf --libdir="/lib" || die "econf failed" + emake || die "emake failed" +} + +src_install() { + make DESTDIR=${D} install || die + dodoc README INSTALL + newpamd ${FILESDIR}/pam_skey-system-auth.pam.d system-auth +} |
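Review bot: `newpamd ${FILESDIR}/pam_skey-system-auth.pam.d system-auth` installs this package's stack under the name system-auth, which is the shared auth file other services include and is presumably already owned by the PAM package. Merging pam_skey would then change authentication system-wide instead of being opt-in. Consider installing the file as an example with `dodoc` (or under a distinct name) and explaining in `pkg_postinst` how to add the pam_skey.so line. The variables in `cd ${S}` and `make DESTDIR=${D} install` are unquoted and the `cd` is unchecked; `cd "${S}" || die` and `DESTDIR="${D}"` fail cleanly on an unexpected path.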