Switch to OpenPAM. Bump library version. Modules are now versioned, so

applications linked with Linux-PAM will still work. Remove pam_get_pass(); OpenPAM has pam_get_authtok(). Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}(). Remove pam_set_item(3) man page as OpenPAM has its own. Sponsored by: DARPA, NAI Labs
2002-03-05 21:56:25 +00:00 · 2002-03-05 21:56:25 +00:00 · 519b6a4c8f
commit 519b6a4c8f
parent d692f3fc1a
39 changed files with 240 additions and 531 deletions
--- a/lib/libpam/Makefile.inc
+++ b/lib/libpam/Makefile.inc
@ -24,7 +24,7 @@
 #
 #	$FreeBSD$

-SHLIB_MAJOR=	1
+SHLIB_MAJOR=	2
 SHLIB_MINOR=	0

 #WARNS?=		4
--- a/lib/libpam/libpam/Makefile
+++ b/lib/libpam/libpam/Makefile
@ -1,5 +1,13 @@
-# Copyright 1998 Juniper Networks, Inc.
+#-
+# Copyright (c) 1998 Juniper Networks, Inc.
 # All rights reserved.
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# Portions of this software was developed for the FreeBSD Project by
+# ThinkSec AS and NAI Labs, the Security Research Division of Network
+# Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+# ("CBOSS"), as part of the DARPA CHATS research program.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@ -9,6 +17,9 @@
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -22,110 +33,135 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-#	$FreeBSD$
+# $FreeBSD$
+#

-LIBPAM_VERSION_MAJOR=	0
-LIBPAM_VERSION_MINOR=	75
+OPENPAM		 = ${.CURDIR}/../../../contrib/openpam

-PAMDIR=		${.CURDIR}/../../../contrib/libpam
-MODOBJDIR=	../modules
+LIB		 = pam

-.PATH:		${PAMDIR}/libpam ${PAMDIR}/libpam_misc ${PAMDIR}/doc/man
+CFLAGS		+= -I${.CURDIR} -I${OPENPAM}/include
+CFLAGS		+= -DLIB_MAJ=${SHLIB_MAJOR}
+WARNS		?= 4

-LIB=		pam
-CFLAGS+=	-I${PAMDIR}/libpam/include -I${PAMDIR}/libpam_misc/include \
-		-I${PAMDIR}/libpamc/include -I. -I${.CURDIR}
-CFLAGS+=	-DDEFAULT_MODULE_PATH=\"${SHLIBDIR}/\" \
-		-DLIBPAM_VERSION_MAJOR=${LIBPAM_VERSION_MAJOR} \
-		-DLIBPAM_VERSION_MINOR=${LIBPAM_VERSION_MINOR}
-NOPROFILE=	yes
+SRCS		 =
+SRCS		+= openpam_dispatch.c
+SRCS		+= openpam_dynamic.c
+SRCS		+= openpam_findenv.c
+SRCS		+= openpam_get_option.c
+SRCS		+= openpam_load.c
+SRCS		+= openpam_log.c
+SRCS		+= openpam_set_option.c
+SRCS		+= openpam_ttyconv.c
+SRCS		+= pam_acct_mgmt.c
+SRCS		+= pam_authenticate.c
+SRCS		+= pam_chauthtok.c
+SRCS		+= pam_close_session.c
+SRCS		+= pam_end.c
+SRCS		+= pam_error.c
+SRCS		+= pam_get_authtok.c
+SRCS		+= pam_get_data.c
+SRCS		+= pam_get_item.c
+SRCS		+= pam_get_user.c
+SRCS		+= pam_getenv.c
+SRCS		+= pam_getenvlist.c
+SRCS		+= pam_info.c
+SRCS		+= pam_open_session.c
+SRCS		+= pam_prompt.c
+SRCS		+= pam_putenv.c
+SRCS		+= pam_set_data.c
+SRCS		+= pam_set_item.c
+SRCS		+= pam_setcred.c
+SRCS		+= pam_setenv.c
+SRCS		+= pam_start.c
+SRCS		+= pam_strerror.c
+SRCS		+= pam_verror.c
+SRCS		+= pam_vinfo.c
+SRCS		+= pam_vprompt.c

-# Files from ${PAMDIR}/libpam:
-SRCS=		pam_account.c pam_auth.c pam_data.c pam_delay.c \
-		pam_dispatch.c pam_end.c pam_env.c pam_handlers.c \
-		pam_item.c pam_log.c pam_misc.c pam_password.c \
-		pam_second.c pam_session.c pam_start.c \
-		pam_strerror.c
-HDRS1=		_pam_compat.h _pam_macros.h _pam_types.h \
-		pam_appl.h pam_malloc.h pam_modules.h
-MAN+=		pam_authenticate.3 pam_chauthtok.3 pam_fail_delay.3 \
-		pam_open_session.3 pam_setcred.3 pam_start.3 \
-		pam_strerror.3
-MLINKS+=	pam_open_session.3 pam_close_session.3 \
-		pam_start.3 pam_end.3
-MAN+=		pam.8
-MLINKS+=	pam.8 pam.conf.5 pam.8 pam.d.5
+MAN		 =
+MAN		+= openpam_get_option.3
+MAN		+= openpam_log.3
+MAN		+= openpam_set_option.3
+MAN		+= openpam_ttyconv.3
+MAN		+= pam.3
+MAN		+= pam_acct_mgmt.3
+MAN		+= pam_authenticate.3
+MAN		+= pam_chauthtok.3
+MAN		+= pam_close_session.3
+MAN		+= pam_end.3
+MAN		+= pam_error.3
+MAN		+= pam_get_authtok.3
+MAN		+= pam_get_data.3
+MAN		+= pam_get_item.3
+MAN		+= pam_get_user.3
+MAN		+= pam_getenv.3
+MAN		+= pam_getenvlist.3
+MAN		+= pam_info.3
+MAN		+= pam_open_session.3
+MAN		+= pam_prompt.3
+MAN		+= pam_putenv.3
+MAN		+= pam_set_data.3
+MAN		+= pam_set_item.3
+MAN		+= pam_setcred.3
+MAN		+= pam_setenv.3
+MAN		+= pam_sm_acct_mgmt.3
+MAN		+= pam_sm_authenticate.3
+MAN		+= pam_sm_chauthtok.3
+MAN		+= pam_sm_close_session.3
+MAN		+= pam_sm_open_session.3
+MAN		+= pam_sm_setcred.3
+MAN		+= pam_start.3
+MAN		+= pam_strerror.3

-# Files from ${PAMDIR}/libpamc:
-HDRS0=		pam_client.h
+# Local additions
+SRCS		+= pam_debug_log.c
+SRCS		+= pam_std_option.c

-# Files from ${PAMDIR}/libpam_misc:
-SRCS+=		help_env.c misc_conv.c
-HDRS2=		pam_misc.h
+HEADERS		 =
+HEADERS		+= security/openpam.h
+HEADERS		+= security/pam_appl.h
+HEADERS		+= security/pam_constants.h
+HEADERS		+= security/pam_modules.h
+HEADERS		+= security/pam_types.h

-# Files from ${.CURDIR}:
-SRCS+=		pam_get_pass.c pam_prompt.c pam_std_option.c pam_debug_log.c
-HDRS3=		pam_mod_misc.h
-MAN+=		pam_set_item.3
-MLINKS+=	pam_set_item.3 pam_get_item.3
+ADD_HEADERS	 = pam_mod_misc.h

-# Static PAM modules:
-STATIC_MODULES+= ${MODOBJDIR}/pam_deny/libpam_deny.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_ftp/libpam_ftp.a
-.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
-STATIC_MODULES+= ${MODOBJDIR}/pam_kerberosIV/libpam_kerberosIV.a
-.endif
-.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
-STATIC_MODULES+= ${MODOBJDIR}/pam_krb5/libpam_krb5.a
-.endif
-STATIC_MODULES+= ${MODOBJDIR}/pam_lastlog/libpam_lastlog.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_login_access/libpam_login_access.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_nologin/libpam_nologin.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_opie/libpam_opie.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_opieaccess/libpam_opieaccess.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_permit/libpam_permit.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_radius/libpam_radius.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_rootok/libpam_rootok.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_securetty/libpam_securetty.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_self/libpam_self.a
-.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH)
-STATIC_MODULES+= ${MODOBJDIR}/pam_ssh/libpam_ssh.a
-.endif
-STATIC_MODULES+= ${MODOBJDIR}/pam_tacplus/libpam_tacplus.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_unix/libpam_unix.a
-STATIC_MODULES+= ${MODOBJDIR}/pam_wheel/libpam_wheel.a
+# Static modules
+MODULE_DIR	 = ../modules
+.include "${.CURDIR}/${MODULE_DIR}/modules.inc"
+STATIC_MODULES	 = ${MODULES:C/.*/${MODULE_DIR}\/&\/lib&.a/}
+STATICOBJS	+= openpam_static_modules.o
+CLEANFILES	+= openpam_static.o

-STATICOBJS+=	pam_static_modules.o
-CLEANFILES+=	pam_static.o
-
-_EXTRADEPEND:	pam_static.c
+_EXTRADEPEND: openpam_static.c
 	${MKDEPCMD} -f ${DEPENDFILE} -a ${MKDEP} \
 	    ${CFLAGS:M-nostdinc*} ${CFLAGS:M-[BID]*} \
 	    ${.ALLSRC}

 .if ${OBJFORMAT} == elf
-CLEANFILES+=	setdef0.o _pam_static_modules.o setdef1.o \
+CLEANFILES+=	setdef0.o openpam_static_modules.o setdef1.o \
 		setdef0.c setdef1.c setdefs.h

-pam_static_modules.o:	pam_static.o ${STATIC_MODULES}
+openpam_static_modules.o: openpam_static.o ${STATIC_MODULES}
 	${LD} -o ${.TARGET} -r --whole-archive ${.ALLSRC}
 .else
-pam_static_modules.o:	pam_static.o ${STATIC_MODULES}
+openpam_static_modules.o: openpam_static.o ${STATIC_MODULES}
 	${LD} -o ${.TARGET} -r -Bforcearchive ${.ALLSRC}
 .endif

+# Headers
 beforeinstall:
-	cd ${PAMDIR}/libpamc/include/security; \
-		${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
-		${HDRS0} ${DESTDIR}/usr/include/security
-	cd ${PAMDIR}/libpam/include/security; \
-		${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
-		${HDRS1} ${DESTDIR}/usr/include/security
-	cd ${PAMDIR}/libpam_misc/include/security; \
-		${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
-		${HDRS2} ${DESTDIR}/usr/include/security
-	cd ${.CURDIR}; \
-		${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
-		${HDRS3} ${DESTDIR}/usr/include/security
+.for HEADER in ${HEADERS}
+	${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
+	    ${OPENPAM}/include/${HEADER} ${DESTDIR}/usr/include/${HEADER}
+.endfor
+.for HEADER in ${ADD_HEADERS}
+	${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \
+	    ${.CURDIR}/${HEADER} ${DESTDIR}/usr/include/security/${HEADER}
+.endfor

 .include <bsd.lib.mk>
+.PATH: ${OPENPAM}/include
+.PATH: ${OPENPAM}/lib
+.PATH: ${OPENPAM}/doc/man
--- a/lib/libpam/libpam/pam_debug_log.c
+++ b/lib/libpam/libpam/pam_debug_log.c
@ -27,7 +27,6 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");

-#include <security/pam_modules.h>
 #include <libgen.h>
 #include <stdarg.h>
 #include <stdio.h>
@ -35,7 +34,9 @@ __FBSDID("$FreeBSD$");
 #include <string.h>
 #include <syslog.h>

-#include "pam_mod_misc.h"
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+#include <security/pam_mod_misc.h>

 #define	FMTBUFSIZ	256

@ -114,7 +115,7 @@ _pam_verbose_error(pam_handle_t *pamh, struct options *options,
 		va_start(ap, format);
 		asprintf(&fmtbuf, "%s: %s: %s", modname, function, format);
 		vasprintf(&statusmsg, fmtbuf, ap);
-		pam_prompt(pamh, PAM_ERROR_MSG, statusmsg, NULL);
+		pam_error(pamh, "%s", statusmsg);
 		free(statusmsg);
 		free(fmtbuf);
 		va_end(ap);
--- a/lib/libpam/libpam/pam_get_pass.c
+++ b/lib/libpam/libpam/pam_get_pass.c
@ -1,98 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <stdlib.h>
-#include <string.h>
-#include <security/pam_modules.h>
-#include "pam_mod_misc.h"
-
-static int	 pam_conv_pass(pam_handle_t *, const char *, struct options *);
-
-static int
-pam_conv_pass(pam_handle_t *pamh, const char *prompt, struct options *options)
-{
-	const struct pam_conv *conv;
-	struct pam_message msg;
-	const struct pam_message *msgs[1];
-	struct pam_response *resp;
-	const void *item;
-	int retval;
-
-	retval = pam_get_item(pamh, PAM_CONV, &item);
-	if (retval != PAM_SUCCESS)
-		return retval;
-	conv = (const struct pam_conv *)item;
-	msg.msg_style = pam_test_option(options, PAM_OPT_ECHO_PASS, NULL) ?
-	    PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
-	msg.msg = prompt;
-	msgs[0] = &msg;
-	retval = conv->conv(1, msgs, &resp, conv->appdata_ptr);
-	if (retval != PAM_SUCCESS)
-		return retval;
-	retval = pam_set_item(pamh, PAM_AUTHTOK, resp[0].resp);
-	if (retval != PAM_SUCCESS)
-		return retval;
-	memset(resp[0].resp, 0, strlen(resp[0].resp));
-	free(resp[0].resp);
-	free(resp);
-	return PAM_SUCCESS;
-}
-
-int
-pam_get_pass(pam_handle_t *pamh, const char **passp, const char *prompt,
-    struct options *options)
-{
-	int retval;
-	const void *item = NULL;
-
-	/*
-	 * Grab the already-entered password if we might want to use it.
-	 */
-	if (pam_test_option(options, PAM_OPT_TRY_FIRST_PASS, NULL) ||
-	    pam_test_option(options, PAM_OPT_USE_FIRST_PASS, NULL)) {
-		retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
-		if (retval != PAM_SUCCESS)
-			return retval;
-	}
-
-	if (item == NULL) {
-		/* The user hasn't entered a password yet. */
-		if (pam_test_option(options, PAM_OPT_USE_FIRST_PASS, NULL))
-			return PAM_AUTH_ERR;
-		/* Use the conversation function to get a password. */
-		retval = pam_conv_pass(pamh, prompt, options);
-		if (retval != PAM_SUCCESS)
-			return retval;
-		retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
-		if (retval != PAM_SUCCESS)
-			return retval;
-	}
-	*passp = (const char *)item;
-	return PAM_SUCCESS;
-}
--- a/lib/libpam/libpam/pam_mod_misc.h
+++ b/lib/libpam/libpam/pam_mod_misc.h
@ -54,8 +54,6 @@ struct options {
 };

 __BEGIN_DECLS
-int	pam_get_pass(pam_handle_t *, const char **, const char *, struct options *);
-int	pam_prompt(pam_handle_t *, int, const char *, char **);
 void	pam_std_option(struct options *, struct opttab *, int, const char **);
 int	pam_test_option(struct options *, enum opt, char **);
 void	pam_set_option(struct options *, enum opt);
--- a/lib/libpam/libpam/pam_prompt.c
+++ b/lib/libpam/libpam/pam_prompt.c
@ -1,64 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <security/pam_modules.h>
-#include <stdlib.h>
-#include "pam_mod_misc.h"
-
-/*
- * Do a simple conversation which can consist of a message and/or a user
- * response.
- */
-int
-pam_prompt(pam_handle_t *pamh, int style, const char *prompt, char **user_msg)
-{
-	const struct pam_conv *conv;
-	struct pam_message msg;
-	const struct pam_message *msgs[1];
-	struct pam_response *resp;
-	const void *item;
-	int retval;
-
-	retval = pam_get_item(pamh, PAM_CONV, &item);
-	if (retval != PAM_SUCCESS)
-		return retval;
-	conv = (const struct pam_conv *)item;
-	msg.msg_style = style;
-	msg.msg = prompt != NULL ? prompt : "";
-	msgs[0] = &msg;
-	retval = conv->conv(1, msgs, &resp, conv->appdata_ptr);
-	if (retval != PAM_SUCCESS)
-		return retval;
-	if (user_msg != NULL)
-		*user_msg = resp[0].resp;
-	else if (resp[0].resp != NULL)
-		free(resp[0].resp);
-	free(resp);
-	return PAM_SUCCESS;
-}
--- a/lib/libpam/libpam/pam_set_item.3
+++ b/lib/libpam/libpam/pam_set_item.3
@ -1,156 +0,0 @@
-.\"-
-.\" Copyright (c) 2001 Networks Associates Technologies, Inc.
-.\" All rights reserved.
-.\"
-.\" This software was developed for the FreeBSD Project by ThinkSec AS and
-.\" NAI Labs, the Security Research Division of Network Associates, Inc.
-.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
-.\" DARPA CHATS research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote products
-.\"    derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd November 27, 2001
-.Dt PAM_SET_ITEM 3
-.Os
-.Sh NAME
-.Nm pam_set_item ,
-.Nm pam_get_item
-.Nd setting authentication parameters
-.Sh LIBRARY
-.Lb libpam
-.Sh SYNOPSIS
-.In security/pam_modules.h
-.Ft int
-.Fn pam_set_item "pam_handle_t *pamh" "int type" "const void *item"
-.Ft int
-.Fn pam_get_item "const pam_handle_t *pamh" "int type" "const void **item"
-.Sh DESCRIPTION
-The
-.Fn pam_set_item
-and
-.Fn pam_get_item
-allow applications and modules to store and retrieve a variety of
-authentication parameters, or
-.Dq items .
-Each item is identified by an integer constant.
-The following items are defined:
-.Bl -tag -width ".Dv PAM_USER_PROMPT"
-.It Dv PAM_SERVICE
-(string)
-The name of the requesting service.
-.It Dv PAM_USER
-(string)
-The name of the user the application wants to authenticate.
-.It Dv PAM_USER_PROMPT
-(string)
-The string which will be used to prompt the user for an authentication
-token.
-.It Dv PAM_TTY
-(string)
-The name of the current terminal (for terminal-oriented applications)
-or display (for X11 applications).
-.It Dv PAM_RUSER
-(string)
-The name of the requesting user.
-.It Dv PAM_RHOST
-(string)
-The name of the host the requesting user is logging in from.
-.It Dv PAM_AUTHTOK
-(opaque)
-The current authentication token.
-This item is only accessible from PAM modules.
-.It Dv PAM_OLDAUTHTOK
-(opaque)
-The expired authentication token.
-This item is only accessible from PAM modules.
-.It Dv PAM_CONV
-.Pq Vt "struct pam_conv"
-The current conversation function.
-The
-.Vt pam_conv
-structure is defined as follows:
-.Bd -literal
-struct pam_conv {
-    int (*conv)(int num_msg,
-        const struct pam_message **msg,
-        struct pam_response **resp,
-        void *appdata_ptr);
-    void *appdata_ptr;
-};
-.Ed
-.It Dv PAM_FAIL_DELAY
-.Pq Vt delay_fn
-A pointer to a callback function that should be called when a module
-wants to introduce a delay after a failed authentication to discourage
-brute-force attacks.
-.El
-.Sh RETURN VALUES
-The
-.Fn pam_set_item
-and
-.Fn pam_get_item
-functions return one of the following values:
-.Bl -tag -width ".Dv PAM_SYSTEM_ERR"
-.It Dv PAM_SUCCESS
-The operation succeeded.
-.It Dv PAM_SYSTEM_ERR
-The
-.Fa pamh
-argument was invalid.
-.It Dv PAM_BUF_ERR
-A call to
-.Xr malloc 3
-failed, or the
-.Fa item
-argument to
-.Fn pam_get_item
-was
-.Dv NULL .
-.It Dv PAM_BAD_ITEM
-The specified
-.Fa item
-does not exist or is not accessible to the caller.
-.El
-.Pp
-The
-.Xr pam_strerror 3
-function can be used to translate these return codes to descriptive
-messages.
-.Sh SEE ALSO
-.Xr pam_start 3 ,
-.Xr pam_strerror 3 ,
-.Xr pam 8
-.Sh STANDARDS
-.Rs
-.%T "DCE-RFC 86.0"
-.%D "October 1995"
-.Re
-.Pp
-Note: the
-.Dv PAM_USER_PROMPT
-and
-.Dv PAM_FAIL_DELAY
-items are non-standard extensions.
--- a/lib/libpam/libpam/pam_std_option.c
+++ b/lib/libpam/libpam/pam_std_option.c
@ -27,11 +27,12 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");

-#include <security/pam_modules.h>
 #include <stdio.h>
 #include <string.h>
 #include <syslog.h>
-#include "pam_mod_misc.h"
+
+#include <security/pam_appl.h>
+#include <security/pam_mod_misc.h>

 /* Everyone has to have these options. It is not an error to
 * specify them and then not use them.
--- a/lib/libpam/libpam/security/pam_mod_misc.h
+++ b/lib/libpam/libpam/security/pam_mod_misc.h
@ -54,8 +54,6 @@ struct options {
 };

 __BEGIN_DECLS
-int	pam_get_pass(pam_handle_t *, const char **, const char *, struct options *);
-int	pam_prompt(pam_handle_t *, int, const char *, char **);
 void	pam_std_option(struct options *, struct opttab *, int, const char **);
 int	pam_test_option(struct options *, enum opt, char **);
 void	pam_set_option(struct options *, enum opt);
--- a/lib/libpam/modules/Makefile
+++ b/lib/libpam/modules/Makefile
@ -24,29 +24,7 @@
 #
 #	$FreeBSD$

-SUBDIR+=	pam_deny
-SUBDIR+=	pam_ftp
-.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
-SUBDIR+=	pam_kerberosIV
-.endif
-.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
-SUBDIR+=	pam_krb5
-.endif
-SUBDIR+=	pam_lastlog
-SUBDIR+=	pam_login_access
-SUBDIR+=	pam_nologin
-SUBDIR+=	pam_opie
-SUBDIR+=	pam_opieaccess
-SUBDIR+=	pam_permit
-SUBDIR+=	pam_radius
-SUBDIR+=	pam_rootok
-SUBDIR+=	pam_securetty
-SUBDIR+=	pam_self
-.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH)
-SUBDIR+=	pam_ssh
-.endif
-SUBDIR+=	pam_tacplus
-SUBDIR+=	pam_unix
-SUBDIR+=	pam_wheel
+.include "modules.inc"
+SUBDIR		 = ${MODULES}

 .include <bsd.subdir.mk>
--- a/lib/libpam/modules/Makefile.inc
+++ b/lib/libpam/modules/Makefile.inc
@ -1,6 +1,6 @@
 # $FreeBSD$

-PAMDIR=		${.CURDIR}/../../../../contrib/libpam
+PAMDIR=		${.CURDIR}/../../../../contrib/openpam

 INTERNALLIB=	yes
 INTERNALSTATICLIB=yes
--- a/lib/libpam/modules/modules.inc
+++ b/lib/libpam/modules/modules.inc
@ -0,0 +1,27 @@
+# $FreeBSD$
+
+MODULES		 =
+MODULES		+= pam_deny
+MODULES		+= pam_ftp
+.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
+MODULES		+= pam_kerberosIV
+.endif
+.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
+MODULES		+= pam_krb5
+.endif
+MODULES		+= pam_lastlog
+MODULES		+= pam_login_access
+MODULES		+= pam_nologin
+MODULES		+= pam_opie
+MODULES		+= pam_opieaccess
+MODULES		+= pam_permit
+MODULES		+= pam_radius
+MODULES		+= pam_rootok
+MODULES		+= pam_securetty
+MODULES		+= pam_self
+.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH)
+MODULES		+= pam_ssh
+.endif
+MODULES		+= pam_tacplus
+MODULES		+= pam_unix
+MODULES		+= pam_wheel
--- a/lib/libpam/modules/pam_deny/Makefile
+++ b/lib/libpam/modules/pam_deny/Makefile
@ -25,7 +25,7 @@
 #	$FreeBSD$

 LIB=		pam_deny
-SHLIB_NAME=	pam_deny.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_deny.c
 MAN=		pam_deny.8

--- a/lib/libpam/modules/pam_ftp/Makefile
+++ b/lib/libpam/modules/pam_ftp/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_ftp
-SHLIB_NAME=	pam_ftp.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_ftp.c
 MAN=		pam_ftp.8

--- a/lib/libpam/modules/pam_ftp/pam_ftp.c
+++ b/lib/libpam/modules/pam_ftp/pam_ftp.c
@ -56,9 +56,11 @@ __FBSDID("$FreeBSD$");
 #include <security/pam_modules.h>
 #include <security/pam_mod_misc.h>

-#include <security/_pam_macros.h>
-
-enum { PAM_OPT_NO_ANON=PAM_OPT_STD_MAX, PAM_OPT_IGNORE, PAM_OPT_USERS };
+enum {
+	PAM_OPT_NO_ANON = PAM_OPT_STD_MAX,
+	PAM_OPT_IGNORE,
+	PAM_OPT_USERS
+};

 static struct opttab other_options[] = {
 	{ "no_anon",	PAM_OPT_NO_ANON },
@ -150,10 +152,9 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
 		PAM_LOG("Doing non-anonymous");
 	}

-	retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, prompt, &token);
+	retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &token, "%s", prompt);
 	if (retval != PAM_SUCCESS)
-		PAM_RETURN(retval == PAM_CONV_AGAIN
-			? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL);
+		PAM_RETURN(PAM_AUTHINFO_UNAVAIL);

 	PAM_LOG("Got password");

@ -173,13 +174,13 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
 				}
 			}
 		}
-		else
+		else {
 			PAM_LOG("Ignoring supplied password structure");
+		}

 		PAM_LOG("Done anonymous");

 		retval = PAM_SUCCESS;
-
 	}
 	else {
 		pam_set_item(pamh, PAM_AUTHTOK, token);
--- a/lib/libpam/modules/pam_kerberosIV/Makefile
+++ b/lib/libpam/modules/pam_kerberosIV/Makefile
@ -25,7 +25,7 @@
 #	$FreeBSD$

 LIB=		pam_kerberosIV
-SHLIB_NAME=	pam_kerberosIV.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_kerberosIV.c klogin.c
 CFLAGS+=	-DKERBEROS
 DPADD=		${LIBKRB} ${LIBCRYPTO} ${LIBCOM_ERR}
--- a/lib/libpam/modules/pam_krb5/Makefile
+++ b/lib/libpam/modules/pam_krb5/Makefile
@ -25,7 +25,7 @@
 #	$FreeBSD$

 LIB=		pam_krb5
-SHLIB_NAME=	pam_krb5.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_krb5.c
 DPADD=		${LIBKRB5} ${LIBGSSAPI} ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} \
 		${LIBCOM_ERR} ${LIBROKEN}
--- a/lib/libpam/modules/pam_lastlog/Makefile
+++ b/lib/libpam/modules/pam_lastlog/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_lastlog
-SHLIB_NAME=	pam_lastlog.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_lastlog.c
 DPADD=		${LIBUTIL}
 LDADD=		-lutil
--- a/lib/libpam/modules/pam_lastlog/pam_lastlog.c
+++ b/lib/libpam/modules/pam_lastlog/pam_lastlog.c
@ -124,7 +124,6 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	struct utmp utmp;
 	struct lastlog ll;
 	const char *rhost, *user, *tty;
-	char *buf;
 	off_t llpos;
 	int fd, pam_err;

@ -164,22 +163,14 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	if ((flags & PAM_SILENT) == 0) {
 		if (read(fd, &ll, sizeof(ll)) == sizeof(ll) &&
 		    ll.ll_time != 0) {
-			asprintf(&buf, "Last login: %.*s ", 24 - 5,
+			pam_info(pamh, "Last login: %.*s ", 24 - 5,
 			    ctime(&ll.ll_time));
-			if (buf != NULL) {
-				pam_prompt(pamh, PAM_TEXT_INFO, buf, NULL);
-				free(buf);
-			}
 			if (*ll.ll_host != '\0')
-				asprintf(&buf, "from %.*s\n",
+				pam_info(pamh, "from %.*s\n",
 				    (int)sizeof(ll.ll_host), ll.ll_host);
 			else
-				asprintf(&buf, "on %.*s\n",
+				pam_info(pamh, "on %.*s\n",
 				    (int)sizeof(ll.ll_line), ll.ll_line);
-			if (buf != NULL) {
-				pam_prompt(pamh, PAM_TEXT_INFO, buf, NULL);
-				free(buf);
-			}
 		}
 		if (lseek(fd, llpos, L_SET) != llpos)
 			goto file_err;
--- a/lib/libpam/modules/pam_login_access/Makefile
+++ b/lib/libpam/modules/pam_login_access/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_login_access
-SHLIB_NAME=	pam_login_access.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_login_access.c login_access.c
 MAN=		pam_login_access.8

--- a/lib/libpam/modules/pam_nologin/Makefile
+++ b/lib/libpam/modules/pam_nologin/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_nologin
-SHLIB_NAME=	pam_nologin.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_nologin.c
 DPADD=		${LIBUTIL}
 LDADD=		-lutil
--- a/lib/libpam/modules/pam_nologin/pam_nologin.c
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.c
@ -108,7 +108,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 	if (mtmp != NULL) {
 		read(fd, mtmp, st.st_size);
 		mtmp[st.st_size] = '\0';
-		pam_prompt(pamh, PAM_ERROR_MSG, mtmp, NULL);
+		pam_error(pamh, "%s", mtmp, NULL);
 		free(mtmp);
 	}
 	
--- a/lib/libpam/modules/pam_opie/Makefile
+++ b/lib/libpam/modules/pam_opie/Makefile
@ -26,7 +26,7 @@
 #	$FreeBSD$

 LIB=		pam_opie
-SHLIB_NAME=	pam_opie.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_opie.c
 DPADD=		${LIBOPIE}
 LDADD=		-lopie
--- a/lib/libpam/modules/pam_opie/pam_opie.c
+++ b/lib/libpam/modules/pam_opie/pam_opie.c
@ -78,7 +78,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 	char challenge[OPIE_CHALLENGE_MAX];
 	char prompt[OPIE_CHALLENGE_MAX+22];
 	char resp[OPIE_SECRET_MAX];
-	const char *user;
+	char *user;
 	const char *response;

 	pam_std_option(&options, other_options, argc, argv);
@ -124,7 +124,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 	
 	for (i = 0; i < 2; i++) {
 		snprintf(prompt, sizeof prompt, promptstr[i], challenge);
-		retval = pam_get_pass(pamh, &response, prompt, &options);
+		retval = pam_get_authtok(pamh, &response, prompt);
 		if (retval != PAM_SUCCESS) {
 			opieunlock();
 			PAM_RETURN(retval);
--- a/lib/libpam/modules/pam_opieaccess/Makefile
+++ b/lib/libpam/modules/pam_opieaccess/Makefile
@ -1,7 +1,7 @@
 # $FreeBSD$

 LIB=		pam_opieaccess
-SHLIB_NAME=	${LIB}.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		${LIB}.c
 DPADD=		${LIBOPIE}
 LDADD=		-lopie
--- a/lib/libpam/modules/pam_permit/Makefile
+++ b/lib/libpam/modules/pam_permit/Makefile
@ -25,7 +25,7 @@
 #	$FreeBSD$

 LIB=		pam_permit
-SHLIB_NAME=	pam_permit.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_permit.c
 MAN=		pam_permit.8

--- a/lib/libpam/modules/pam_radius/Makefile
+++ b/lib/libpam/modules/pam_radius/Makefile
@ -25,7 +25,7 @@
 #	$FreeBSD$

 LIB=		pam_radius
-SHLIB_NAME=	pam_radius.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_radius.c
 DPADD=		${LIBRADIUS}
 LDADD=		-lradius
--- a/lib/libpam/modules/pam_radius/pam_radius.c
+++ b/lib/libpam/modules/pam_radius/pam_radius.c
@ -237,7 +237,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char

 	PAM_LOG("Got user: %s", user);

-	retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
+	retval = pam_get_authtok(pamh, &pass, PASSWORD_PROMPT);
 	if (retval != PAM_SUCCESS)
 		PAM_RETURN(retval);

@ -285,7 +285,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 				 * to the value given in the "template_user"
 				 * option.
 				 */
-				retval = pam_get_item(pamh, PAM_USER, &tmpuser);
+				retval = pam_get_item(pamh, PAM_USER,
+				    (const void **)&tmpuser);
 				if (retval != PAM_SUCCESS)
 					PAM_RETURN(retval);
 				if (getpwnam(tmpuser) == NULL) {
--- a/lib/libpam/modules/pam_rootok/Makefile
+++ b/lib/libpam/modules/pam_rootok/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_rootok
-SHLIB_NAME=	pam_rootok.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_rootok.c
 MAN=		pam_rootok.8

--- a/lib/libpam/modules/pam_securetty/Makefile
+++ b/lib/libpam/modules/pam_securetty/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_securetty
-SHLIB_NAME=	pam_securetty.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_securetty.c
 MAN=		pam_securetty.8

--- a/lib/libpam/modules/pam_self/Makefile
+++ b/lib/libpam/modules/pam_self/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_self
-SHLIB_NAME=	pam_self.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_self.c
 MAN=		pam_self.8

--- a/lib/libpam/modules/pam_ssh/Makefile
+++ b/lib/libpam/modules/pam_ssh/Makefile
@ -4,7 +4,7 @@
 SSHSRC=	${.CURDIR}/../../../../crypto/openssh

 LIB=		pam_ssh
-SHLIB_NAME=	pam_ssh.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_ssh.c
 CFLAGS+=	-I${SSHSRC}
 DPADD=		${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT} ${LIBUTIL}
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.c
@ -49,6 +49,7 @@ __FBSDID("$FreeBSD$");
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <syslog.h>
 #include <unistd.h>

 #define	PAM_SM_AUTH
@ -199,7 +200,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 	 * Pass prompt message to application and receive
 	 * passphrase.
 	 */
-	retval = pam_get_pass(pamh, &pass, NEED_PASSPHRASE, &options);
+	retval = pam_get_authtok(pamh, &pass, NEED_PASSPHRASE);
 	if (retval != PAM_SUCCESS)
 		PAM_RETURN(retval);
 	OpenSSL_add_all_algorithms();	/* required for DSA */
--- a/lib/libpam/modules/pam_tacplus/Makefile
+++ b/lib/libpam/modules/pam_tacplus/Makefile
@ -25,7 +25,7 @@
 #	$FreeBSD$

 LIB=		pam_tacplus
-SHLIB_NAME=	pam_tacplus.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_tacplus.c
 DPADD=		${LIBTACPLUS}
 LDADD=		-ltacplus
--- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c
+++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
@ -228,9 +228,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
 				retval = pam_get_user(pamh, &user_msg,
 				    srvr_msg[0] != '\0' ? srvr_msg : NULL);
 			else if (status == TAC_AUTHEN_STATUS_GETPASS)
-				retval = pam_get_pass(pamh, &user_msg,
+				retval = pam_get_authtok(pamh, &user_msg,
 				    srvr_msg[0] != '\0' ? srvr_msg :
-				    "Password:", &options);
+				    "Password:");
 			free(srvr_msg);
 			if (retval != PAM_SUCCESS) {
 				/* XXX - send a TACACS+ abort packet */
@ -246,9 +246,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
 				PAM_RETURN(PAM_SERVICE_ERR);
 			retval = pam_prompt(pamh,
 			    pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
-				? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
-			    srvr_msg[0] != '\0' ? srvr_msg : "Data:",
-			    &data_msg);
+			        ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
+			    &data_msg,
+			    "%s",
+			    srvr_msg[0] != '\0' ? srvr_msg : "Data:");
 			free(srvr_msg);
 			if (retval != PAM_SUCCESS) {
 				/* XXX - send a TACACS+ abort packet */
--- a/lib/libpam/modules/pam_unix/Makefile
+++ b/lib/libpam/modules/pam_unix/Makefile
@ -25,7 +25,7 @@
 #	$FreeBSD$

 LIB=		pam_unix
-SHLIB_NAME=	pam_unix.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_unix.c pw_copy.c pw_yp.c pw_util.c ypxfr_misc.c ${GENSRCS}
 CFLAGS=		-DYP -Dyp_error=warnx \
 		-I${.OBJDIR} \
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@ -162,8 +162,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 			PAM_RETURN(PAM_SUCCESS);
 		}
 		else {
-			retval = pam_get_pass(pamh, &pass, password_prompt,
-			    &options);
+			retval = pam_get_authtok(pamh, &pass, password_prompt);
 			if (retval != PAM_SUCCESS)
 				PAM_RETURN(retval);
 			PAM_LOG("Got password");
@ -186,8 +185,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 		 * User unknown.
 		 * Encrypt a dummy password so as to not give away too much.
 		 */
-		retval = pam_get_pass(pamh, &pass, password_prompt,
-		    &options);
+		retval = pam_get_authtok(pamh, &pass, password_prompt);
 		if (retval != PAM_SUCCESS)
 			PAM_RETURN(retval);
 		PAM_LOG("Got password");
@ -232,7 +230,6 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
 	int retval;
 	const char *rhost, *tty, *user;
 	char rhostip[MAXHOSTNAMELEN];
-	char buf[128];

 	pam_std_option(&options, other_options, argc, argv);

@ -283,10 +280,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
 			PAM_RETURN(PAM_ACCT_EXPIRED);
 		} else if (pwd->pw_expire - tp.tv_sec < warntime &&
 		    (flags & PAM_SILENT) == 0) {
-			snprintf(buf, sizeof(buf),
-			    "Warning: your account expires on %s",
+			pam_error(pamh, "Warning: your account expires on %s",
 			    ctime(&pwd->pw_expire));
-			pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL);
 		}
 	}

@ -298,10 +293,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
 			retval = PAM_NEW_AUTHTOK_REQD;
 		} else if (pwd->pw_change - tp.tv_sec < warntime &&
 		    (flags & PAM_SILENT) == 0) {
-			snprintf(buf, sizeof(buf),
-			    "Warning: your password expires on %s",
+			pam_error(pamh, "Warning: your password expires on %s",
 			    ctime(&pwd->pw_change));
-			pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL);
 		}
 	}

@ -410,8 +403,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			PAM_RETURN(PAM_SUCCESS);
 		}
 		else {
-			retval = pam_get_pass(pamh, &pass,
-			    PASSWORD_PROMPT_EXPIRED, &options);
+			retval = pam_get_authtok(pamh, &pass,
+			    PASSWORD_PROMPT_EXPIRED);
 			if (retval != PAM_SUCCESS)
 				PAM_RETURN(retval);
 			PAM_LOG("Got password: %s", pass);
@ -456,7 +449,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 		while (retry++ < MAX_TRIES) {
 			new_pass = NULL;
 			retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
-			    NEW_PASSWORD_PROMPT_1, &new_pass);
+			    &new_pass, "%s", NEW_PASSWORD_PROMPT_1);

 			if (new_pass == NULL)
 				new_pass = strdup("");
@ -464,7 +457,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			if (retval == PAM_SUCCESS) {
 				new_pass_ = NULL;
 				retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
-				    NEW_PASSWORD_PROMPT_2, &new_pass_);
+				    &new_pass_, "%s", NEW_PASSWORD_PROMPT_2);

 				if (new_pass_ == NULL)
 					new_pass_ = strdup("");
@ -605,13 +598,13 @@ local_passwd(const char *user, const char *pass)
 * Copyright (c) 1995 Bill Paul <wpaul@ctr.columbia.edu>
 */
 int
-yp_passwd(const char *user, const char *pass)
+yp_passwd(const char *user __unused, const char *pass)
 {
-	struct master_yppasswd master_yppasswd;
+	struct master_yppasswd master_yppwd;
 	struct passwd *pwd;
 	struct rpc_err err;
 	struct timeval tv;
-	struct yppasswd yppasswd;
+	struct yppasswd yppwd;
 	CLIENT *clnt;
 	login_cap_t *lc;
 	int    *status;
@ -640,29 +633,29 @@ yp_passwd(const char *user, const char *pass)

 	/* Initialize password information */
 	if (suser_override) {
-		master_yppasswd.newpw.pw_passwd = strdup(pwd->pw_passwd);
-		master_yppasswd.newpw.pw_name = strdup(pwd->pw_name);
-		master_yppasswd.newpw.pw_uid = pwd->pw_uid;
-		master_yppasswd.newpw.pw_gid = pwd->pw_gid;
-		master_yppasswd.newpw.pw_expire = pwd->pw_expire;
-		master_yppasswd.newpw.pw_change = pwd->pw_change;
-		master_yppasswd.newpw.pw_fields = pwd->pw_fields;
-		master_yppasswd.newpw.pw_gecos = strdup(pwd->pw_gecos);
-		master_yppasswd.newpw.pw_dir = strdup(pwd->pw_dir);
-		master_yppasswd.newpw.pw_shell = strdup(pwd->pw_shell);
-		master_yppasswd.newpw.pw_class = pwd->pw_class != NULL ?
+		master_yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd);
+		master_yppwd.newpw.pw_name = strdup(pwd->pw_name);
+		master_yppwd.newpw.pw_uid = pwd->pw_uid;
+		master_yppwd.newpw.pw_gid = pwd->pw_gid;
+		master_yppwd.newpw.pw_expire = pwd->pw_expire;
+		master_yppwd.newpw.pw_change = pwd->pw_change;
+		master_yppwd.newpw.pw_fields = pwd->pw_fields;
+		master_yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos);
+		master_yppwd.newpw.pw_dir = strdup(pwd->pw_dir);
+		master_yppwd.newpw.pw_shell = strdup(pwd->pw_shell);
+		master_yppwd.newpw.pw_class = pwd->pw_class != NULL ?
 					strdup(pwd->pw_class) : strdup("");
-		master_yppasswd.oldpass = strdup("");
-		master_yppasswd.domain = yp_domain;
+		master_yppwd.oldpass = strdup("");
+		master_yppwd.domain = yp_domain;
 	} else {
-		yppasswd.newpw.pw_passwd = strdup(pwd->pw_passwd);
-		yppasswd.newpw.pw_name = strdup(pwd->pw_name);
-		yppasswd.newpw.pw_uid = pwd->pw_uid;
-		yppasswd.newpw.pw_gid = pwd->pw_gid;
-		yppasswd.newpw.pw_gecos = strdup(pwd->pw_gecos);
-		yppasswd.newpw.pw_dir = strdup(pwd->pw_dir);
-		yppasswd.newpw.pw_shell = strdup(pwd->pw_shell);
-		yppasswd.oldpass = strdup("");
+		yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd);
+		yppwd.newpw.pw_name = strdup(pwd->pw_name);
+		yppwd.newpw.pw_uid = pwd->pw_uid;
+		yppwd.newpw.pw_gid = pwd->pw_gid;
+		yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos);
+		yppwd.newpw.pw_dir = strdup(pwd->pw_dir);
+		yppwd.newpw.pw_shell = strdup(pwd->pw_shell);
+		yppwd.oldpass = strdup("");
 	}

 	if (login_setcryptfmt(lc, "md5", NULL) == NULL)
@ -680,9 +673,9 @@ yp_passwd(const char *user, const char *pass)
 	salt[27] = '\0';

 	if (suser_override)
-		master_yppasswd.newpw.pw_passwd = crypt(pass, salt);
+		master_yppwd.newpw.pw_passwd = crypt(pass, salt);
 	else
-		yppasswd.newpw.pw_passwd = crypt(pass, salt);
+		yppwd.newpw.pw_passwd = crypt(pass, salt);

 	if (suser_override) {
 		if ((clnt = clnt_create(sockname, MASTER_YPPASSWDPROG,
@ -711,9 +704,9 @@ yp_passwd(const char *user, const char *pass)
 	clnt->cl_auth = authunix_create_default();

 	if (suser_override)
-		status = yppasswdproc_update_master_1(&master_yppasswd, clnt);
+		status = yppasswdproc_update_master_1(&master_yppwd, clnt);
 	else
-		status = yppasswdproc_update_1(&yppasswd, clnt);
+		status = yppasswdproc_update_1(&yppwd, clnt);

 	clnt_geterr(clnt, &err);

--- a/lib/libpam/modules/pam_wheel/Makefile
+++ b/lib/libpam/modules/pam_wheel/Makefile
@ -25,7 +25,7 @@
 # $FreeBSD$

 LIB=		pam_wheel
-SHLIB_NAME=	pam_wheel.so
+SHLIB_NAME=	${LIB}.so.${SHLIB_MAJOR}
 SRCS=		pam_wheel.c
 MAN=		pam_wheel.8

--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$");
 #include <unistd.h>

 #include <security/pam_appl.h>
-#include <security/pam_misc.h>
+#include <security/openpam.h>

 #include "login.h"
 #include "pathnames.h"
@ -154,7 +154,7 @@ static char		*tty;
 * PAM data
 */
 static pam_handle_t	*pamh = NULL;
-static struct pam_conv	 pamc = { misc_conv, NULL };
+static struct pam_conv	 pamc = { openpam_ttyconv, NULL };
 static int		 pam_err;
 static int		 pam_silent = PAM_SILENT;
 static int		 pam_cred_established;
@ -513,7 +513,7 @@ main(int argc, char *argv[])
 	/*
 	 * We're done with PAM now; our parent will deal with the rest.
 	 */
-	pam_end(pamh, PAM_DATA_SILENT);
+	pam_end(pamh, 0);
 	pamh = NULL;

 	/*