Build structure for contribified Linux-PAM, plus some home-grown

modules for FreeBSD's standard authentication methods.  Although
the Linux-PAM modules are present in the contrib tree, we don't
use any of them.

The main library "libpam" is composed of sources taken from three
places.  First are the standard Linux-PAM libpam sources from the
contrib tree.  Second are the Linux-PAM "libpam_misc" sources, also
from the contrib tree.  In Linux these form a separate library.
But as Mike Smith pointed out to me, that seems pointless, so I
have combined them into the libpam library.  Third are some additional
sources from the "src/lib/libpam" tree with some common functions
that make it easier to write modules.  Those I wrote myself.

This work has been donated to FreeBSD by Juniper Networks, Inc.

lib/libpam/Makefile

@@ -0,0 +1,30 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+SUBDIR+=	libpam
+SUBDIR+=	modules
+
+.include <bsd.subdir.mk>

lib/libpam/Makefile.inc

@@ -0,0 +1,28 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+SHLIB_MAJOR=	1
+SHLIB_MINOR=	0

lib/libpam/libpam/Makefile

@@ -0,0 +1,81 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+PAMDIR=		${.CURDIR}/../../../contrib/libpam
+
+.PATH:		${PAMDIR}/libpam ${PAMDIR}/libpam_misc ${PAMDIR}/doc/man
+
+LIB=		pam
+CFLAGS+=	-I${PAMDIR}/libpam/include -I.
+CFLAGS+=	-DDEFAULT_MODULE_PATH=\"${LIBDIR}/\"
+CFLAGS+=	-DPAM_DYNAMIC
+#CFLAGS+=	-DPAM_STATIC
+NOPROFILE=	true
+INTERNALLIB=	true
+CLEANFILES+=	security
+
+# Files from ${PAMDIR}/libpam:
+SRCS=		pam_account.c pam_auth.c pam_data.c pam_delay.c \
+		pam_dispatch.c pam_end.c pam_env.c pam_handlers.c \
+		pam_item.c pam_log.c pam_misc.c pam_password.c \
+		pam_second.c pam_session.c pam_start.c pam_strerror.c
+HDRS1=		_pam_compat.h _pam_macros.h _pam_types.h \
+		pam_appl.h pam_malloc.h pam_modules.h
+MAN3+=		pam_authenticate.3 pam_chauthtok.3 pam_fail_delay.3 \
+		pam_open_session.3 pam_setcred.3 pam_start.3 \
+		pam_strerror.3
+MLINKS+=	pam_open_session.3 pam_close_session.3 \
+		pam_start.3 pam_end.3
+MAN8+=		pam.8
+MLINKS+=	pam.8 pam.conf.5 pam.8 pam.d.5
+
+# Files from ${PAMDIR}/libpam_misc:
+SRCS+=		help_env.c misc_conv.c xstrdup.c
+HDRS2=		pam_misc.h
+
+# Files from ${.CURDIR}:
+SRCS+=		pam_get_pass.c pam_prompt.c pam_std_option.c
+HDRS3=		pam_mod_misc.h
+
+all:		security
+
+beforedepend:	security
+
+beforeinstall:
+	cd ${PAMDIR}/libpam/include/security; \
+		${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
+		${HDRS1} ${DESTDIR}/usr/include/security
+	cd ${PAMDIR}/libpam_misc; \
+		${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
+		${HDRS2} ${DESTDIR}/usr/include/security
+	cd ${.CURDIR}; \
+		${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
+		${HDRS3} ${DESTDIR}/usr/include/security
+
+security:
+	ln -s ${PAMDIR}/libpam_misc security
+
+.include <bsd.lib.mk>

lib/libpam/libpam/pam_get_pass.c

@@ -0,0 +1,93 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <security/pam_modules.h>
+#include "pam_mod_misc.h"
+
+static int	 pam_conv_pass(pam_handle_t *, const char *, int);
+
+static int
+pam_conv_pass(pam_handle_t *pamh, const char *prompt, int options)
+{
+	int retval;
+	const void *item;
+	const struct pam_conv *conv;
+	struct pam_message msg;
+	const struct pam_message *msgs[1];
+	struct pam_response *resp;
+
+	if ((retval = pam_get_item(pamh, PAM_CONV, &item)) !=
+	    PAM_SUCCESS)
+		return retval;
+	conv = (const struct pam_conv *)item;
+	msg.msg_style = options & PAM_OPT_ECHO_PASS ?
+	    PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
+	msg.msg = prompt;
+	msgs[0] = &msg;
+	if ((retval = conv->conv(1, msgs, &resp, conv->appdata_ptr)) !=
+	    PAM_SUCCESS)
+		return retval;
+	if ((retval = pam_set_item(pamh, PAM_AUTHTOK, resp[0].resp)) !=
+	    PAM_SUCCESS)
+		return retval;
+	memset(resp[0].resp, 0, strlen(resp[0].resp));
+	free(resp[0].resp);
+	free(resp);
+	return PAM_SUCCESS;
+}
+
+int
+pam_get_pass(pam_handle_t *pamh, const char **passp, const char *prompt,
+    int options)
+{
+	int retval;
+	const void *item = NULL;
+
+	/*
+	 * Grab the already-entered password if we might want to use it.
+	 */
+	if (options & (PAM_OPT_TRY_FIRST_PASS | PAM_OPT_USE_FIRST_PASS)) {
+		if ((retval = pam_get_item(pamh, PAM_AUTHTOK, &item)) !=
+		    PAM_SUCCESS)
+			return retval;
+	}
+
+	if (item == NULL) {
+		/* The user hasn't entered a password yet. */
+		if (options & PAM_OPT_USE_FIRST_PASS)
+			return PAM_AUTH_ERR;
+		/* Use the conversation function to get a password. */
+		if ((retval = pam_conv_pass(pamh, prompt, options)) !=
+		    PAM_SUCCESS ||
+		    (retval = pam_get_item(pamh, PAM_AUTHTOK, &item)) !=
+		    PAM_SUCCESS)
+			return retval;
+	}
+	*passp = (const char *)item;
+	return PAM_SUCCESS;
+}

lib/libpam/libpam/pam_mod_misc.h

@@ -0,0 +1,48 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#ifndef PAM_MOD_MISC_H
+#define PAM_MOD_MISC_H
+
+#include <sys/cdefs.h>
+
+/* Options */
+#define PAM_OPT_DEBUG			0x01
+#define PAM_OPT_NO_WARN			0x02
+#define PAM_OPT_USE_FIRST_PASS		0x04
+#define	PAM_OPT_TRY_FIRST_PASS		0x08
+#define PAM_OPT_USE_MAPPED_PASS		0x10
+#define PAM_OPT_ECHO_PASS		0x20
+
+__BEGIN_DECLS
+int	 pam_get_pass(pam_handle_t *, const char **, const char *, int);
+int	 pam_prompt(pam_handle_t *, int, const char *, char **);
+int	 pam_std_option(int *, const char *);
+__END_DECLS
+
+#endif

lib/libpam/libpam/pam_prompt.c

@@ -0,0 +1,62 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <security/pam_modules.h>
+#include "pam_mod_misc.h"
+
+/*
+ * Do a simple conversation which can consist of a message and/or a user
+ * response.
+ */
+int
+pam_prompt(pam_handle_t *pamh, int style, const char *prompt, char **user_msg)
+{
+	int retval;
+	const void *item;
+	const struct pam_conv *conv;
+	struct pam_message msg;
+	const struct pam_message *msgs[1];
+	struct pam_response *resp;
+
+	if ((retval = pam_get_item(pamh, PAM_CONV, &item)) !=
+	    PAM_SUCCESS)
+		return retval;
+	conv = (const struct pam_conv *)item;
+	msg.msg_style = style;
+	msg.msg = prompt != NULL ? prompt : "";
+	msgs[0] = &msg;
+	if ((retval = conv->conv(1, msgs, &resp, conv->appdata_ptr)) !=
+	    PAM_SUCCESS)
+		return retval;
+	if (user_msg != NULL)
+		*user_msg = resp[0].resp;
+	else if (resp[0].resp != NULL)
+		free(resp[0].resp);
+	free(resp);
+	return PAM_SUCCESS;
+}

lib/libpam/libpam/pam_std_option.c

@@ -0,0 +1,62 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <security/pam_modules.h>
+#include <string.h>
+#include "pam_mod_misc.h"
+
+/*
+ * If the given name is a standard option, set the corresponding flag in
+ * the options word and return 0.  Else return -1.
+ */
+int
+pam_std_option(int *options, const char *name)
+{
+	struct opttab {
+		const char *name;
+		int value;
+	};
+	static struct opttab std_options[] = {
+		{ "debug",		PAM_OPT_DEBUG },
+		{ "no_warn",		PAM_OPT_NO_WARN },
+		{ "use_first_pass",	PAM_OPT_USE_FIRST_PASS },
+		{ "try_first_pass",	PAM_OPT_TRY_FIRST_PASS },
+		{ "use_mapped_pass",	PAM_OPT_USE_MAPPED_PASS },
+		{ "echo_pass",		PAM_OPT_ECHO_PASS },
+		{ NULL,			0 }
+	};
+	struct opttab *p;
+
+	for (p = std_options;  p->name != NULL;  p++) {
+		if (strcmp(name, p->name) == 0) {
+			*options |= p->value;
+			return 0;
+		}
+	}
+	return -1;
+}

lib/libpam/libpam/security/pam_mod_misc.h

@@ -0,0 +1,48 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#ifndef PAM_MOD_MISC_H
+#define PAM_MOD_MISC_H
+
+#include <sys/cdefs.h>
+
+/* Options */
+#define PAM_OPT_DEBUG			0x01
+#define PAM_OPT_NO_WARN			0x02
+#define PAM_OPT_USE_FIRST_PASS		0x04
+#define	PAM_OPT_TRY_FIRST_PASS		0x08
+#define PAM_OPT_USE_MAPPED_PASS		0x10
+#define PAM_OPT_ECHO_PASS		0x20
+
+__BEGIN_DECLS
+int	 pam_get_pass(pam_handle_t *, const char **, const char *, int);
+int	 pam_prompt(pam_handle_t *, int, const char *, char **);
+int	 pam_std_option(int *, const char *);
+__END_DECLS
+
+#endif

lib/libpam/modules/Makefile

@@ -0,0 +1,36 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+SUBDIR+=	pam_cleartext_pass_ok
+.if defined(MAKE_KERBEROS4)
+SUBDIR+=	pam_kerberosIV
+.endif
+SUBDIR+=	pam_radius
+SUBDIR+=	pam_skey
+SUBDIR+=	pam_tacplus
+SUBDIR+=	pam_unix
+
+.include <bsd.subdir.mk>

lib/libpam/modules/Makefile.inc

@@ -0,0 +1,28 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+BINDIR=		${LIBDIR}
+BINMODE=	${LIBMODE}

lib/libpam/modules/pam_cleartext_pass_ok/Makefile

@@ -0,0 +1,38 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+PAMDIR=		${.CURDIR}/../../../../contrib/libpam
+
+PROG=		pam_cleartext_pass_ok.so
+SRCS=		pam_cleartext_pass_ok.c
+CFLAGS+=	-I${PAMDIR}/libpam/include
+CFLAGS+=	-fpic
+CFLAGS+=	-Wall
+LDFLAGS+=	-shared
+LDADD+=		-lskey -lgcc_pic
+NOMAN=		true
+
+.include <bsd.prog.mk>

lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c

@@ -0,0 +1,65 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <stdio.h>
+#include <skey.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+    const char **argv)
+{
+	int retval;
+	const void *item;
+	const char *user;
+	const char *tty;
+	const char *rhost;
+
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return retval;
+	if ((retval = pam_get_item(pamh, PAM_TTY, &item)) != PAM_SUCCESS)
+		return retval;
+	tty = (const char *)item;
+	if ((retval = pam_get_item(pamh, PAM_RHOST, &item)) != PAM_SUCCESS)
+		return retval;
+	rhost = (const char *)item;
+	/*
+	 * The cast in the next statement is necessary only because the
+	 * declaration of skeyaccess is wrong.
+	 */
+	return skeyaccess((char *)user, tty, rhost, NULL) ?
+	    PAM_SUCCESS : PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}

lib/libpam/modules/pam_kerberosIV/Makefile

@@ -0,0 +1,42 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+PAMDIR=		${.CURDIR}/../../../../contrib/libpam
+
+PROG=		pam_kerberosIV.so
+SRCS=		pam_kerberosIV.c klogin.c
+CFLAGS+=	-fpic
+CFLAGS+=	-Wall
+CFLAGS+=	-I${PAMDIR}/libpam/include
+CFLAGS+=	-I${.CURDIR}/../../libpam
+CFLAGS+=	-DKERBEROS
+LDFLAGS+=	-shared
+LDFLAGS+=	-L../../libpam
+DPADD+=		${LIBKRB} ${LIBDES} ${LIBGCC_PIC}
+LDADD+=		-lpam -lkrb -ldes -lgcc_pic
+NOMAN=		true
+
+.include <bsd.prog.mk>

lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c

@@ -0,0 +1,106 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <sys/param.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+
+#include "pam_mod_misc.h"
+
+#define PASSWORD_PROMPT	"Password:"
+
+extern int klogin(struct passwd *, char *, char *, char *);
+
+/* Globals used by klogin.c */
+int	notickets = 1;
+int	noticketsdontcomplain = 1;
+char	*krbtkfile_env;
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+    const char **argv)
+{
+	int retval;
+	const char *user;
+	char *principal;
+	char *instance;
+	const char *password;
+	char localhost[MAXHOSTNAMELEN + 1];
+	struct passwd *pwd;
+	int options;
+	int i;
+
+	options = 0;
+	for (i = 0;  i < argc;  i++)
+		pam_std_option(&options, argv[i]);
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return retval;
+	if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
+	    options)) != PAM_SUCCESS)
+		return retval;
+	if (gethostname(localhost, sizeof localhost - 1) == -1)
+		return PAM_SYSTEM_ERR;
+	if ((principal = strdup(user)) == NULL)
+		return PAM_BUF_ERR;
+	if ((instance = strchr(principal, '.')) != NULL)
+		*instance++ = '\0';
+	else
+		instance = "";
+	if ((pwd = getpwnam(user)) != NULL &&
+	    klogin(pwd, instance, localhost, (char *)password) == 0) {
+		if (!(flags & PAM_SILENT) && notickets &&
+		    !noticketsdontcomplain)
+			pam_prompt(pamh, PAM_ERROR_MSG,
+			    "Warning: no Kerberos tickets issued", NULL);
+		/*
+		 * XXX - I think the ticket file really isn't supposed to
+		 * be even created until pam_sm_setcred() is called.
+		 */
+		if (krbtkfile_env != NULL)
+			setenv("KRBTKFILE", krbtkfile_env, 1);
+		retval = PAM_SUCCESS;
+	} else
+		retval = PAM_AUTH_ERR;
+	/*
+	 * The PAM infrastructure will obliterate the cleartext
+	 * password before returning to the application.
+	 */
+	free(principal);
+	return retval;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}

lib/libpam/modules/pam_radius/Makefile

@@ -0,0 +1,41 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+PAMDIR=		${.CURDIR}/../../../../contrib/libpam
+
+PROG=		pam_radius.so
+SRCS=		pam_radius.c
+CFLAGS+=	-fpic
+CFLAGS+=	-Wall
+CFLAGS+=	-I${PAMDIR}/libpam/include
+CFLAGS+=	-I${.CURDIR}/../../libpam
+LDFLAGS+=	-shared
+LDFLAGS+=	-L../../libpam
+DPADD+=		${LIBRADIUS} ${LIBGCC_PIC}
+LDADD+=		-lpam -lradius -lgcc_pic
+NOMAN=		true
+
+.include <bsd.prog.mk>

lib/libpam/modules/pam_radius/pam_radius.c

@@ -0,0 +1,298 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <sys/param.h>
+#include <pwd.h>
+#include <radlib.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+
+#include "pam_mod_misc.h"
+
+#define MAX_CHALLENGE_MSGS	10
+#define PASSWORD_PROMPT	"RADIUS password:"
+
+/* Option names, including the "=" sign. */
+#define OPT_CONF		"conf="
+#define OPT_TMPL		"template_user="
+
+static int	 build_access_request(struct rad_handle *, const char *,
+		    const char *, const void *, size_t);
+static int	 do_accept(pam_handle_t *, struct rad_handle *);
+static int	 do_challenge(pam_handle_t *, struct rad_handle *,
+		    const char *);
+
+/*
+ * Construct an access request, but don't send it.  Returns 0 on success,
+ * -1 on failure.
+ */
+static int
+build_access_request(struct rad_handle *radh, const char *user,
+    const char *pass, const void *state, size_t state_len)
+{
+	char	 host[MAXHOSTNAMELEN];
+
+	if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) {
+		syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh));
+		return -1;
+	}
+	if ((user != NULL &&
+	    rad_put_string(radh, RAD_USER_NAME, user) == -1) ||
+	    (pass != NULL &&
+	    rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) ||
+	    (gethostname(host, sizeof host) != -1 &&
+	    rad_put_string(radh, RAD_NAS_IDENTIFIER, host) == -1)) {
+		syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
+		return -1;
+	}
+	if (state != NULL && rad_put_attr(radh, RAD_STATE, state,
+	    state_len) == -1) {
+		syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
+		return -1;
+	}
+	if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) {
+		syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh));
+		return -1;
+	}
+	return 0;
+}
+
+static int
+do_accept(pam_handle_t *pamh, struct rad_handle *radh)
+{
+	int attrtype;
+	const void *attrval;
+	size_t attrlen;
+	char *s;
+
+	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
+		if (attrtype == RAD_USER_NAME) {
+			s = rad_cvt_string(attrval, attrlen);
+			if (s == NULL) {
+				syslog(LOG_CRIT,
+				    "rad_cvt_string: out of memory");
+				return -1;
+			}
+			pam_set_item(pamh, PAM_USER, s);
+			free(s);
+		}
+	}
+	if (attrtype == -1) {
+		syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
+		return -1;
+	}
+	return 0;
+}
+
+static int
+do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
+{
+	int retval;
+	int attrtype;
+	const void *attrval;
+	size_t attrlen;
+	const void *state;
+	size_t statelen;
+	struct pam_message msgs[MAX_CHALLENGE_MSGS];
+	const struct pam_message *msg_ptrs[MAX_CHALLENGE_MSGS];
+	struct pam_response *resp;
+	int num_msgs;
+	const void *item;
+	const struct pam_conv *conv;
+
+	state = NULL;
+	statelen = 0;
+	num_msgs = 0;
+	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
+		switch (attrtype) {
+
+		case RAD_STATE:
+			state = attrval;
+			statelen = attrlen;
+			break;
+
+		case RAD_REPLY_MESSAGE:
+			if (num_msgs >= MAX_CHALLENGE_MSGS) {
+				syslog(LOG_CRIT,
+				    "Too many RADIUS challenge messages");
+				return PAM_SERVICE_ERR;
+			}
+			msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen);
+			if (msgs[num_msgs].msg == NULL) {
+				syslog(LOG_CRIT,
+				    "rad_cvt_string: out of memory");
+				return PAM_SERVICE_ERR;
+			}
+			msgs[num_msgs].msg_style = PAM_TEXT_INFO;
+			msg_ptrs[num_msgs] = &msgs[num_msgs];
+			num_msgs++;
+			break;
+		}
+	}
+	if (attrtype == -1) {
+		syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
+		return PAM_SERVICE_ERR;
+	}
+	if (num_msgs == 0) {
+		msgs[num_msgs].msg = strdup("(null RADIUS challenge): ");
+		if (msgs[num_msgs].msg == NULL) {
+			syslog(LOG_CRIT, "Out of memory");
+			return PAM_SERVICE_ERR;
+		}
+		msgs[num_msgs].msg_style = PAM_TEXT_INFO;
+		msg_ptrs[num_msgs] = &msgs[num_msgs];
+		num_msgs++;
+	}
+	msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON;
+	if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) {
+		syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV");
+		return retval;
+	}
+	conv = (const struct pam_conv *)item;
+	if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
+	    conv->appdata_ptr)) != PAM_SUCCESS)
+		return retval;
+	if (build_access_request(radh, user, resp[num_msgs-1].resp, state,
+	    statelen) == -1)
+		return PAM_SERVICE_ERR;
+	memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
+	free(resp[num_msgs-1].resp);
+	free(resp);
+	while (num_msgs > 0)
+		free((void *)msgs[--num_msgs].msg);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+    const char **argv)
+{
+	struct rad_handle *radh;
+	const char *user;
+	const char *pass;
+	const char *conf_file = NULL;
+	const char *template_user = NULL;
+	int options = 0;
+	int retval;
+	int i;
+	int e;
+
+	for (i = 0;  i < argc;  i++) {
+		size_t len;
+
+		pam_std_option(&options, argv[i]);
+		if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0)
+			conf_file = argv[i] + len;
+		else if (strncmp(argv[i], OPT_TMPL,
+		    (len = strlen(OPT_TMPL))) == 0)
+			template_user = argv[i] + len;
+	}
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return retval;
+	if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT,
+	    options)) != PAM_SUCCESS)
+		return retval;
+
+	if ((radh = rad_open()) == NULL) {
+		syslog(LOG_CRIT, "rad_open failed");
+		return PAM_SERVICE_ERR;
+	}
+	if (rad_config(radh, conf_file) == -1) {
+		syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
+		rad_close(radh);
+		return PAM_SERVICE_ERR;
+	}
+	if (build_access_request(radh, user, pass, NULL, 0) == -1) {
+		rad_close(radh);
+		return PAM_SERVICE_ERR;
+	}
+	for ( ; ; ) {
+		switch (rad_send_request(radh)) {
+
+		case RAD_ACCESS_ACCEPT:
+			e = do_accept(pamh, radh);
+			rad_close(radh);
+			if (e == -1)
+				return PAM_SERVICE_ERR;
+			if (template_user != NULL) {
+				const void *item;
+				const char *user;
+
+				/*
+				 * If the given user name doesn't exist in
+				 * the local password database, change it
+				 * to the value given in the "template_user"
+				 * option.
+				 */
+				retval = pam_get_item(pamh, PAM_USER, &item);
+				if (retval != PAM_SUCCESS)
+					return retval;
+				user = (const char *)item;
+				if (getpwnam(user) == NULL)
+					pam_set_item(pamh, PAM_USER,
+					    template_user);
+			}
+			return PAM_SUCCESS;
+
+		case RAD_ACCESS_REJECT:
+			rad_close(radh);
+			return PAM_AUTH_ERR;
+
+		case RAD_ACCESS_CHALLENGE:
+			if ((retval = do_challenge(pamh, radh, user)) !=
+			    PAM_SUCCESS) {
+				rad_close(radh);
+				return retval;
+			}
+			break;
+
+		case -1:
+			syslog(LOG_CRIT, "rad_send_request: %s",
+			    rad_strerror(radh));
+			rad_close(radh);
+			return PAM_AUTHINFO_UNAVAIL;
+
+		default:
+			syslog(LOG_CRIT,
+			    "rad_send_request: unexpected return value");
+			rad_close(radh);
+			return PAM_SERVICE_ERR;
+		}
+	}
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}

lib/libpam/modules/pam_skey/Makefile

@@ -0,0 +1,41 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+PAMDIR=		${.CURDIR}/../../../../contrib/libpam
+
+PROG=		pam_skey.so
+SRCS=		pam_skey.c
+CFLAGS+=	-fpic
+CFLAGS+=	-Wall
+CFLAGS+=	-I${PAMDIR}/libpam/include
+CFLAGS+=	-I${.CURDIR}/../../libpam
+LDFLAGS+=	-shared
+LDFLAGS+=	-L../../libpam
+DPADD+=		${LIBSKEY} ${LIBGCC_PIC}
+LDADD+=		-lpam -lskey -lgcc_pic
+NOMAN=		true
+
+.include <bsd.prog.mk>

lib/libpam/modules/pam_skey/pam_skey.c

@@ -0,0 +1,106 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <syslog.h>	/* XXX */
+
+#include <stdio.h>
+#include <string.h>
+#include <skey.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+
+#include "pam_mod_misc.h"
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+    const char **argv)
+{
+	int retval;
+	const char *user;
+	const char *response;
+	struct skey skey;
+	char challenge[128];
+	char prompt[128];
+	char resp_buf[128];
+	int options;
+	int i;
+	int e;
+
+	options = 0;
+	for (i = 0;  i < argc;  i++)
+		pam_std_option(&options, argv[i]);
+	/*
+	 * It doesn't make sense to use a password that has already been
+	 * typed in, since we haven't presented the challenge to the user
+	 * yet.
+	 */
+	options &= ~(PAM_OPT_USE_FIRST_PASS | PAM_OPT_TRY_FIRST_PASS);
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return retval;
+	if (skeyinfo(&skey, user, challenge) != 0)
+		return PAM_AUTH_ERR;
+	snprintf(prompt, sizeof prompt, "%s\nPassword: ", challenge);
+	if ((retval = pam_get_pass(pamh, &response, prompt, options)) !=
+	    PAM_SUCCESS)
+		return retval;
+	if (response[0] == '\0' && !(options & PAM_OPT_ECHO_PASS)) {
+		options |= PAM_OPT_ECHO_PASS;
+		snprintf(prompt, sizeof prompt,
+			 "%s\nPassword [echo on]: ", challenge);
+		if ((retval = pam_get_pass(pamh, &response, prompt,
+		    options)) != PAM_SUCCESS)
+			return retval;
+	}
+	/*
+	 * Skeyinfo closed the database file, so we have to call skeylookup
+	 * to open it again.
+	 */
+	if ((e = skeylookup(&skey, user)) != 0) {
+		if (e == -1) {
+			syslog(LOG_ERR, "Error opening S/Key database");
+			return PAM_SERVICE_ERR;
+		} else
+			return PAM_AUTH_ERR;
+	}
+	/* We have to copy the response, because skeyverify mucks with it. */
+	snprintf(resp_buf, sizeof resp_buf, "%s", response);
+	/*
+	 * Skeyverify is supposed to return -1 only if an error occurs.
+	 * But it returns -1 even if the response string isn't in the form
+	 * it expects.  Thus we can't log an error and can only check for
+	 * success or lack thereof.
+	 */
+	return skeyverify(&skey, resp_buf) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}

lib/libpam/modules/pam_tacplus/Makefile

@@ -0,0 +1,41 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+PAMDIR=		${.CURDIR}/../../../../contrib/libpam
+
+PROG=		pam_tacplus.so
+SRCS=		pam_tacplus.c
+CFLAGS+=	-fpic
+CFLAGS+=	-Wall
+CFLAGS+=	-I${PAMDIR}/libpam/include
+CFLAGS+=	-I${.CURDIR}/../../libpam
+LDFLAGS+=	-shared
+LDFLAGS+=	-L../../libpam
+DPADD+=		${LIBTACPLUS} ${LIBGCC_PIC}
+LDADD+=		-lpam -ltacplus -lgcc_pic
+NOMAN=		true
+
+.include <bsd.prog.mk>

lib/libpam/modules/pam_tacplus/pam_tacplus.c

@@ -0,0 +1,256 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <sys/param.h>
+
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <taclib.h>
+#include <unistd.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+
+#include "pam_mod_misc.h"
+
+/* Option names, including the "=" sign. */
+#define OPT_CONF		"conf="
+#define OPT_TMPL		"template_user="
+
+typedef int (*set_func)(struct tac_handle *, const char *);
+
+static int	 do_item(pam_handle_t *, struct tac_handle *, int,
+		    set_func, const char *);
+static char	*get_msg(struct tac_handle *);
+static int	 set_msg(struct tac_handle *, const char *);
+
+static int
+do_item(pam_handle_t *pamh, struct tac_handle *tach, int item,
+    set_func func, const char *funcname)
+{
+	int retval;
+	const void *value;
+
+	if ((retval = pam_get_item(pamh, item, &value)) != PAM_SUCCESS)
+	    return retval;
+	if (value != NULL && (*func)(tach, (const char *)value) == -1) {
+		syslog(LOG_CRIT, "%s: %s", funcname, tac_strerror(tach));
+		tac_close(tach);
+		return PAM_SERVICE_ERR;
+	}
+	return PAM_SUCCESS;
+}
+
+static char *
+get_msg(struct tac_handle *tach)
+{
+	char *msg;
+
+	if ((msg = tac_get_msg(tach)) == NULL) {
+		syslog(LOG_CRIT, "tac_get_msg: %s", tac_strerror(tach));
+		tac_close(tach);
+		return NULL;
+	}
+	return msg;
+}
+
+static int
+set_msg(struct tac_handle *tach, const char *msg)
+{
+	if (tac_set_msg(tach, msg) == -1) {
+		syslog(LOG_CRIT, "tac_set_msg: %s", tac_strerror(tach));
+		tac_close(tach);
+		return -1;
+	}
+	return 0;
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+    const char **argv)
+{
+	int retval;
+	struct tac_handle *tach;
+	const char *conf_file = NULL;
+	const char *template_user = NULL;
+	int options = 0;
+	int i;
+
+	for (i = 0;  i < argc;  i++) {
+		size_t len;
+
+		pam_std_option(&options, argv[i]);
+		if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0)
+			conf_file = argv[i] + len;
+		else if (strncmp(argv[i], OPT_TMPL,
+		    (len = strlen(OPT_TMPL))) == 0)
+			template_user = argv[i] + len;
+	}
+
+	if ((tach = tac_open()) == NULL) {
+		syslog(LOG_CRIT, "tac_open failed");
+		return PAM_SERVICE_ERR;
+	}
+	if (tac_config(tach, conf_file) == -1) {
+		syslog(LOG_ALERT, "tac_config: %s", tac_strerror(tach));
+		tac_close(tach);
+		return PAM_SERVICE_ERR;
+	}
+	if (tac_create_authen(tach, TAC_AUTHEN_LOGIN, TAC_AUTHEN_TYPE_ASCII,
+	    TAC_AUTHEN_SVC_LOGIN) == -1) {
+		syslog(LOG_CRIT, "tac_create_authen: %s", tac_strerror(tach));
+		tac_close(tach);
+		return PAM_SERVICE_ERR;
+	}
+	if ((retval = do_item(pamh, tach, PAM_USER,
+	    tac_set_user, "tac_set_user")) != PAM_SUCCESS)
+		return retval;
+	if ((retval = do_item(pamh, tach, PAM_TTY,
+	    tac_set_port, "tac_set_port")) != PAM_SUCCESS)
+		return retval;
+	if ((retval = do_item(pamh, tach, PAM_RHOST,
+	    tac_set_rem_addr, "tac_set_rem_addr")) != PAM_SUCCESS)
+		return retval;
+	for ( ; ; ) {
+		char *srvr_msg;
+		size_t msg_len;
+		const char *user_msg;
+		char *data_msg;
+		int sflags;
+		int status;
+		int echo;
+
+		if ((sflags = tac_send_authen(tach)) == -1) {
+			syslog(LOG_CRIT, "tac_send_authen: %s",
+			    tac_strerror(tach));
+			tac_close(tach);
+			return PAM_AUTHINFO_UNAVAIL;
+		}
+		status = TAC_AUTHEN_STATUS(sflags);
+		echo = TAC_AUTHEN_NOECHO(sflags) ? 0 : PAM_OPT_ECHO_PASS;
+		switch (status) {
+
+		case TAC_AUTHEN_STATUS_PASS:
+			tac_close(tach);
+			if (template_user != NULL) {
+				const void *item;
+				const char *user;
+
+				/*
+				 * If the given user name doesn't exist in
+				 * the local password database, change it
+				 * to the value given in the "template_user"
+				 * option.
+				 */
+				retval = pam_get_item(pamh, PAM_USER, &item);
+				if (retval != PAM_SUCCESS)
+					return retval;
+				user = (const char *)item;
+				if (getpwnam(user) == NULL)
+					pam_set_item(pamh, PAM_USER,
+					    template_user);
+			}
+			return PAM_SUCCESS;
+
+		case TAC_AUTHEN_STATUS_FAIL:
+			tac_close(tach);
+			return PAM_AUTH_ERR;
+
+		case TAC_AUTHEN_STATUS_GETUSER:
+		case TAC_AUTHEN_STATUS_GETPASS:
+			if ((srvr_msg = get_msg(tach)) == NULL)
+				return PAM_SERVICE_ERR;
+			if (status == TAC_AUTHEN_STATUS_GETUSER)
+				retval = pam_get_user(pamh, &user_msg,
+				    srvr_msg[0] != '\0' ? srvr_msg : NULL);
+			else if (status == TAC_AUTHEN_STATUS_GETPASS)
+				retval = pam_get_pass(pamh, &user_msg,
+				    srvr_msg[0] != '\0' ? srvr_msg :
+				    "Password:", options | echo);
+			free(srvr_msg);
+			if (retval != PAM_SUCCESS) {
+				/* XXX - send a TACACS+ abort packet */
+				tac_close(tach);
+				return retval;
+			}
+			if (set_msg(tach, user_msg) == -1)
+				return PAM_SERVICE_ERR;
+			break;
+
+		case TAC_AUTHEN_STATUS_GETDATA:
+			if ((srvr_msg = get_msg(tach)) == NULL)
+				return PAM_SERVICE_ERR;
+			retval = pam_prompt(pamh,
+			    (options|echo) & PAM_OPT_ECHO_PASS ?
+			    PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
+			    srvr_msg[0] != '\0' ? srvr_msg : "Data:",
+			    &data_msg);
+			free(srvr_msg);
+			if (retval != PAM_SUCCESS) {
+				/* XXX - send a TACACS+ abort packet */
+				tac_close(tach);
+				return retval;
+			}
+			retval = set_msg(tach, data_msg);
+			memset(data_msg, 0, strlen(data_msg));
+			free(data_msg);
+			if (retval == -1)
+				return PAM_SERVICE_ERR;
+			break;
+
+		case TAC_AUTHEN_STATUS_ERROR:
+			srvr_msg = (char *)tac_get_data(tach, &msg_len);
+			if (srvr_msg != NULL && msg_len != 0) {
+				syslog(LOG_CRIT, "tac_send_authen:"
+				    " server detected error: %s", srvr_msg);
+				free(srvr_msg);
+			} else
+				syslog(LOG_CRIT,
+				    "tac_send_authen: server detected error");
+			tac_close(tach);
+			return PAM_AUTHINFO_UNAVAIL;
+			break;
+
+		case TAC_AUTHEN_STATUS_RESTART:
+		case TAC_AUTHEN_STATUS_FOLLOW:
+		default:
+			syslog(LOG_CRIT,
+			    "tac_send_authen: unexpected status %#x", status);
+			tac_close(tach);
+			return PAM_AUTHINFO_UNAVAIL;
+		}
+	}
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}

lib/libpam/modules/pam_unix/Makefile

@@ -0,0 +1,41 @@
+# Copyright 1998 Juniper Networks, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+PAMDIR=		${.CURDIR}/../../../../contrib/libpam
+
+PROG=		pam_unix.so
+SRCS=		pam_unix.c
+CFLAGS+=	-fpic
+CFLAGS+=	-Wall
+CFLAGS+=	-I${PAMDIR}/libpam/include
+CFLAGS+=	-I${.CURDIR}/../../libpam
+LDFLAGS+=	-shared
+LDFLAGS+=	-L../../libpam
+DPADD+=		${LIBGCC_PIC}
+LDADD+=		-lpam -lgcc_pic
+NOMAN=		true
+
+.include <bsd.prog.mk>

lib/libpam/modules/pam_unix/pam_unix.c

@@ -0,0 +1,88 @@
+/*-
+ * Copyright 1998 Juniper Networks, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+
+#include "pam_mod_misc.h"
+
+#define PASSWORD_PROMPT	"Password:"
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+    const char **argv)
+{
+	int retval;
+	const char *user;
+	const char *password;
+	struct passwd *pwd;
+	char *encrypted;
+	int options;
+	int i;
+
+	options = 0;
+	for (i = 0;  i < argc;  i++)
+		pam_std_option(&options, argv[i]);
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return retval;
+	if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
+	    options)) != PAM_SUCCESS)
+		return retval;
+	if ((pwd = getpwnam(user)) != NULL) {
+		encrypted = crypt(password, pwd->pw_passwd);
+		if (password[0] == '\0' && pwd->pw_passwd != '\0')
+			encrypted = ":";
+
+		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
+		    PAM_SUCCESS : PAM_AUTH_ERR;
+	} else {
+		/*
+		 * User unknown.  Encrypt anyway so that it takes the
+		 * same amount of time.
+		 */
+		crypt(password, "xx");
+		retval = PAM_AUTH_ERR;
+	}
+	/*
+	 * The PAM infrastructure will obliterate the cleartext
+	 * password before returning to the application.
+	 */
+	return retval;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	return PAM_SUCCESS;
+}