New upstream version 0.76

292 files changed, 52813 insertions, 0 deletions

diff --git a/Linux-PAM/CHANGELOG b/Linux-PAM/CHANGELOG
new file mode 100644
index 00000000..f187f0f7
--- /dev/null
+++ b/Linux-PAM/CHANGELOG
@@ -0,0 +1,1582 @@
+
+$Id: CHANGELOG,v 1.1.1.2 2002/09/15 20:08:18 hartmans Exp $
+
+-----------------------------
+
+TODO:
+
+  - sanitize use of md5 throughout distribution.. Make a static
+    library for helping to develop modules that contains it and other
+    stuff. Also add sha-1 and ripemd-160 digest algorithms.
+  - once above is done. remove hacks from the secret@here module etc..
+  - remove prototype for gethostname in pam_access.c (Derrick)
+  - document PAM_INCOMPLETE changes
+  - verify that the PAM_INCOMPLETE interface is sensible.   Can we
+    catch errors? should we permit item changing etc., between
+    pam_authenticate re-invocations?
+  - verify that the PAM_INCOMPLETE interface works (auth seems ok..)
+  - add PAM_INCOMPLETE support to modules (partially added to pam_pwdb)
+  - work on RFC.
+  - do we still need to remove openlog/closelog from modules..?
+  - auth and acct support in pam_cracklib, "yes, I know the password
+    you just typed was valid, I just don't think it was very strong..."
+  - add in the pam_cap and pam_netid modules
+
+====================================================================
+Note, as of release 0.73, all checkins should be accompanied with a
+Bug ID. The bug IDs relate to sourceforge IDs.. (Of course, nothing is
+ever that simple. It turns out that at some point in Sourceforge's
+history all of the bug ids got bumped by 100000, so pretty much if you
+see a bug ID below that begins with a '1' and your attempted query
+fails, try adding 100000 to the number and trying again. I believe
+this only affects bugs before release 0.76.)
+
+You can query the related bug description with the following URL:
+
+ http://sourceforge.net/tracker/index.php?func=detail&aid=XXXXXX&group_id=6663&atid=106663
+
+Where you should replace XXXXXX with a bug-id.
+
+For general documentation completion work, I'm doing it all with
+respect to specific tasks. Open tasks are listed here:
+
+ http://sourceforge.net/pm/task.php?group_id=6663&group_project_id=2741&func=browse&set=open
+
+If you have found a bug in Linux-PAM (including a documentation bug,
+or a new feature request and/or patch), please consider filing such a
+bug report - outstanding bugs are listed here:
+
+ http://sourceforge.net/tracker/?atid=106663&group_id=6663&func=browse
+
+(to file another bug see the 'submit bug' button on that page).
+
+====================================================================
+
+0.76: please submit patches for this section with actual code/doc
+      patches!
+
+* pam_unix: fix for legacy crypt() support when the password entered
+  was long. (Bug 521314 - agmorgan).
+* pam_access no longer include gethostname() prototype complained from
+  David Lee (Bug 415423 - agmorgan).
+* make pam_nologin more secure by default, added two new module
+  arguments etc. - acting on suggestion from Nico (Bug 419307 -
+  agmorgan)
+* link in libpam to libpam_misc - since the latter uses functions in
+  the former it makes some sort of sense to do this (although, in the
+  static library case, I remain to be convinced). (Bug 565470 -
+  agmorgan).
+* absorbed some of the proposed darwin (OS X) changes from Luke Howard
+  (of PADL software) - hopefully will get the rest (see Rob Braun's
+  534205) by 0.77 (Bug 491466 - agmorgan).
+* README fix for pam_unix from Nalin (Bug 476971 - agmorgan).
+* add support for building pdf files from the documentation - request
+  from 'lolive' (Bug 471377 - agmorgan).
+* documented the equivalent '[..]' expressions for "required"
+  etc. Request from Ross Patterson (Bug 529078 - agmorgan).
+* '[...]' parsing: document it and also fix it to support '\]' escape
+  sequence. Feature request from Russell Kliese (Bug 517064 -
+  agmorgan).
+* pam_rootok: compilation warning noted by Tony den Haan wrt no
+  prototype for strcmp() (Bug 557322 - agmorgan).
+* documentation: (a few of mine in passing) and app documentation
+  suggestions regarding PAM environment variables and module
+  documentation changes regarding the conversation function from Jenn
+  Vesperman (Bug 527821, 527965 - agmorgan)
+* documentation: pam_time.sgml typo fixed, pam_motd exists now,
+  correct Red Hat comment about config files (Bugs 554274, 554261,
+  554182 - agmorgan)
+* pam_limits: added '%' domain for maxlogins limiting, now '*' and @group
+  have the old meaning (every) and '%' the new one (all)
+  (Bug 533664 - baggins)
+* pam_limits: put not so interesting log messages under debug arg
+  (Bug 533668 - baggins)
+* pam_access: added the 'fieldsep=' argument (Bug 547051 - agmorgan),
+  made a PAM_RHOST of "" equivalent to NULL (Bug 547521 - agmorgan).
+* pam_limits: keep well know behaviour of maxlogins default ('*') limit
+  (Bug 533664 - baggins)
+* pam_unix: more from Nalin log password changes (Bug 517743 - agmorgan)
+* pam_limits: make it use the priority value specified in config
+  (bug 530428 - baggins)
+* pam_unix: removed broken code in password update code. Report from
+  Len Lattanzi (Bug 507379 - agmorgan)
+* pam_mkhomedir: recurse directories. Patch from Nalin (Bug 476981 -
+  agmorgan)
+* pam_limits can handle negative priority limits now (which can apply
+  to the superuser too) - based on patch from Nalin. Also cleanup the
+  error handling that was very sloppy before. Also, courtesy of Berend
+  De Schouwe get the math right on login counting (Bug 476990, 476987,
+  493294 - agmorgan)
+* documentation: random typo fixes from Nalin and more stuff from me
+  (Bug 476949, Tasks 43507, 17426 - agmorgan)
+* A Tru64 fix (given other stuff has already resolved this, it
+  actually just a comment actually) from 'Eddie'. (Bug 418450 -
+  agmorgan)
+* pam_handlers: BSD fix from Dag-Erling Smørgrav and Anton Berezin
+  (Bug 486063 - agmorgan)
+* added the dynamic/* directory to the distribution. If you go in
+  there after building the rest of the tree, you'll make a pam.so
+  object that can be used by something like a java runtime with
+  dlopen. Its not very well tested - caveat emptor. (Bug 232194 -
+  agmorgan)
+* somehow pam_unix has started forcing the user prompt to be "login: ".
+  This is entirely inapropriate as it overrides PAM_USER_PROMPT. (Bug
+  486361 - agmorgan).
+* added a static module helper library object includes a few changes
+  to examples/xsh.c for testing purposes (added a simple shell wrapper
+  for running xsh with the sandbox libraries), and also modified the
+  pam_rhosts_auth module to use this new library. (Bug 490938, 409852
+  - agmorgan).
+* pam_unix: fix 'likeauth' to kill off the memory leak once and for all.
+  (Bug 483959 - vorlon)
+* pam_unix: restore handling of 'likeauth' argument to a known working
+  state; prettify AUTH_RETURN macro; remove redundant argv checks in
+  pam_sm_setcred() (Bugs 483959, 113596 - vorlon)
+* pam_cracklib: another try at implementing similar() from Harald
+  Welte and Nalin (Bugs 436053, 476957 - agmorgan)
+* pam_access: default access.conf file contained a type (console
+  instead of LOCAL) fix from Nalin (Bug 476934 - agmorgan)
+* pam_unix: fixed bizarre memory leak pointed out by Fernando Trias
+  (Bug 483959 - agmorgan)
+* misc string comparison length checking changes from Nalin. Modules
+  touched, pam_cracklib, pam_listfile, pam_unix, pam_wheel (Bug 476947 -
+  agmorgan)
+* pam_userdb: require that all of typed password matches that in
+  database report and fix from Vladimir Pastukhov. (Bug 484252 - agmorgan)
+* pam_malloc: revived malloc debugging code, now tied to
+  --enable-memory-debug and added strdup() support (Bug 485454 - agmorgan)
+* pam_tally: Nalin's fix for lastlog corruption (Bug 476985 - agmorgan)
+* pam_rhosts: Nalin adds support for '+hostname', and zdd fix
+  compilation warning. (Bug 476986 - agmorgan)
+* pam_motd: Nalin fixed compiler warning. (Bug 476938 - agmorgan)
+* pam_pwdb: Solar Designer pointed out that there was a problem with
+  the compatibility support for md5 password hashing. (Bug 460717,
+  476961 - agmorgan)
+* pam_issue: Nalin found segfaulting problems if the PAM_USER_PROMPT
+  is unset, found some similar problems with assumptions about
+  realloc. (Bug 476983 - agmorgan)
+* pam_env: 'weichangyang of hotmail' pointed out a wild string with no
+  valid '\0' was leading to problems with sshd and suggested fix (Bug
+  473034 - agmorgan)
+* MANDIR cleanup. It defaults to /usr/share/man, but can be overridden
+  using the --enable-mandir ./configure option, similarly for DOCDIR
+  from Nalin (Bug 476940 - agmorgan)
+* pam_filter cleanup (including moving the filter directory) Nalin
+  and Harald Welte (Bugs 436057, 476970 - agmorgan)
+* db3 is now recognized as a libdb candidate (Bug 435764 - agmorgan)
+* more changes (extracted from redhat version) courtesy of
+  Harald Welte (Bugs pam_limits=436061, pam_lastlog=436060,
+  pam_mkhomedir/pam_env=435991 - agmorgan)
+* fix for legacy behavior of pam_setcred and pam_close_session in
+  the case that pam_authenticate and pam_open_session hadn't been
+  called - bug report from Seongwan Park. (Bug 468724 - agmorgan)
+* some BSD updates and fixes from Mark Murray - including a slightly
+  more robust conversation function and some minimization of gcc
+  warnings. (Bugs 449203,463984 - agmorgan)
+* verified that the setcred stack didn't suffer from the bug I was
+  nervous about, add a new module pam_debug to help me test this.
+  fixed a libpam/pam_dispatch.c instrumentation line that I tripped
+  over when testing. Also restructured pam_warn to help here (Bug
+  424315 - agmorgan).
+* pam_unix/support.c: sample use of reentrant NSS function.  Not yet active,
+  because modules do not include _pam_aconf_h! (Bug 440107 - vorlon)
+* doc/Makefile changes - use $(mandir) [courtesy Harald Welte] (Bug
+  435760) and add some rules to make/delete the draft rfc I've been
+  working on (Task 17426 - agmorgan)
+* pam_modules.sgml: sourceforge has changed its CVS viewing software
+  (Bug 460491 - agmorgan)
+* pam_unix_passwd: got rid of an annoying warning (Bug 461089 - agmorgan)
+* configure.in, _pam_aconf.h.in: set the stage for fully reentrant PAM
+  modules, with some infrastructure to detect getxxbyxx_r() functions
+  (Bug 440107 - vorlon)
+* pam_unix: removed superfluous use of static variables in md5 and bigcrypt
+  routines, bringing us a step closer to thread-safeness.  Eliminated
+  some variable indirection along the way.  (Bug 440107 - vorlon)
+* pam_tally: remove #include of stdlib.h, which isn't needed by anything
+  found in this module.  Can be readded if we find a real need for it at
+  a later date. (Bug 436432 - vorlon)
+* pam_tally: added an #include (was it really needed?) and made the
+  pam_tally app install (with more pretty printing and a corrected
+  Makefile dependency) motivated by a (red hat diff) courtesy of Harald
+  Welte (Bug 436432 - agmorgan)
+* configure.in changes to help support non-Linux environments courtesy
+  of Scott T. Emery (Bug 422563 - agmorgan)
+* made a pam_cracklib enhancement to interpret -ve limits in a
+  sensible fashion contributed by Werner Puschitz (Bug 413162 -
+  agmorgan)
+* another fix for the latest number of rlimits available to pam_limits
+  (Bug 424060 - agmorgan)
+* removed stale link from pam_pwdb documentation (Bug 433460 - agmorgan)
+* pam_appl.sgml change - more discussion of choosing a service name
+  (Bug 417512 - agmorgan)
+* more specific linking requirements for -lndbm for pam_userdb - from
+  David Lee (Bug 417339 - agmorgan)
+* a large number of small changes to make AIX support better (Bug
+  416229 - agmorgan)
+* $(MAKE) instead of 'make' - from Scott T. Emery (Bug 422144 -
+  agmorgan)
+* c++ header fixes for pam_misc.h and pam_client.h - from Alexandre
+  Sagala (Bug 420270 - agmorgan)
+* pam_access fixes - looks out for trailing '.' - from Carlo Marcelo
+  Arenas Belon (Bug 419631 - agmorgan)
+* don't zero out password strings during pam_unix's password changing
+  function (Bug 419803 - vorlon)
+* propagate some definitions to the _pam_aconf.h file - from David Lee
+  (Bug 415419 - agmorgan)
+* solaris GCC OS_CFLAGS change from David Lee (Bug 415412 - agmorgan)
+* added a comment to this CHANGELOG to explain why most of the bugids
+  used below appear not to be known to sourceforge [try adding 100000
+  to the bugid number.] (Bug 414943 - agmorgan)
+* bumped version numbers and also added support for SONAME defines
+  that appear not to have survived the great autoconf experiment (Bug
+  414669 - agmorgan).
+
+0.75: Sat Apr  7 23:10:50 PDT 2001
+
+                          ** WARNING **
+
+This release contains backwardly incompatible changes to
+libpam. Prior versions were buggy - see bugfix for Bug 129775.
+
+                          ** WARNING **
+
+* made 0.75 release (Bug 414665 - agmorgan)
+* pam_pwdb has been removed from the suggested pam.conf template. I've
+  replaced it with pam_unix. (Bug 227565 - agmorgan)
+* pam_limits - Richard M. Yumul reported that "<domain> -" didn't
+  work, first fix suggested by Werner Puschitz (Bug 404953 - agmorgan)
+* Nicolay Pelov suggested a simple fix for freebsd support (Bug 407282
+  - agmorgan)
+* Michel D'HOOGE submitted documentation fixes (Bug 408961 - agmorgan)
+* fix for module linking directions (Bug 133545 - agmorgan)
+* fix for glibc-2.2.2 compilation of pam_issue (Bug 133542 - agmorgan)
+* fix pam_userdb to make and link both .o files it needs - converse()
+  wasn't being linked! (Bug 132880 - agmorgan)
+* added some sys-admin documentation for the pam_tally module (Bug
+  126210 - agmorgan).
+* added a link to module examples from the module writers doc (Bug
+  131192 - agmorgan).
+* fixed a small security hole (more of a user confusion issue) with
+  the unix and pwdb password helper binaries. The beef is described in
+  the bug report, but no uid change was possible so no-one should
+  think they need to issue a security bulletin over this one! (Bug
+  112540 - agmorgan)
+* pam_lastlog needs to be linked with -lutil, also removed ambiguity
+  from sysadmin guide regarding this module being a 'session' module
+  (Bug 131549 - agmorgan).
+* pam_cracklib needs to be linked with -lcrypt (old password checking)
+  (Bug 131601 - agmorgan).
+* fixes for static library builds and also the examples when linked
+  with the debugging build of the libraries. (Bug 131783 - agmorgan)
+* fixed URL for original RFC to a cached kernel.org file. (Bug 131503
+  - agmorgan)
+* quoted the $CRACKLIB_DICTPATH test in configure.in (Bug 130130 -
+  agmorgan).
+* improved handling of the setcred/close_session and update chauthtok
+  stack. *Warning* This is a backwardly incompatable change, but 'more
+  sane' than before. (Bug 129775 - agmorgan)
+* bumped the version number, and added some code to assist in making
+  documentation releases (Bug 129644 - agmorgan).
+
+0.74: Sun Jan 21 22:36:08 PST 2001
+
+* made 0.74 release (Bug 129642 - agmorgan)
+* libpam - cleaned up a few non-static functions to be static and added
+  support for libpam to enforce things like pam_[gs]et_data() and
+  AUTHTOK rules for using the API. Also documented pam_[gs]et_item()
+  a little better including return codes (Bugs 129027, 128576 -
+  agmorgan).
+* pam_access - fixed the non-default config file option (Bug 127561 -
+  agmorgan)
+* pam.8 manual page clarified with respect to the default location for
+  finding modules, also added some text describing the [...] control
+  syntax. (Bug 127625 - agmorgan)
+* md5.h ia64 fixes for pam_unix and pam_pwdb (Bug 127700 - agmorgan)
+* removed requirement for c++ from the configure{.in,} files (Bug
+  128298 - agmorgan)
+* removed subdirectories from man page redirections (124396 - baggins)
+* per David Lee, fixed non-POSIX shell command in modules/pam_filter/Makefile
+  (Bug 126440 - vorlon)
+* modify format of pam_unix log messages to include service name
+  (Bug 126423 - vorlon)
+* prevent pam_unix from logging unknown usernames (Bug 126431 - vorlon)
+* changed format of pam_unix 'authentication failure' log messages to make
+  them clearer and more consistent (Bug 126036 - vorlon)
+* improved portability of pam_unix by eliminating Linux-specific utmp
+  defines in PAM_getlogin() (Bug 125704 - vorlon)
+* removed static variables from pam_tally (Bug 117434 - agmorgan)
+* added copyright message to pam_access module from original logdaemon
+  sources (Bug 125022 - agmorgan)
+* configure.in - removed the GCC -Wtraditional flag (Bug 124923 - agmorgan)
+* pam_mail - use PAM_PATH_MAILDIR as the location of mail spool
+  (Bug 124397 - baggins)
+* _pam_aconf.h.in, configure.in - added PAM_PATH_MAILDIR set via
+  --with-mailspool=dir option (default is _PAM_MAILDIR if defined
+  in paths.h otherwise /var/spool/mail (Bug 124397 - baggins)
+* removed unnecessary CVS Log tags from all over the source
+  (Bug 124391 - baggins)
+* pam_tally - check for PAM_TTY if PAM_RHOST is not set when writing
+  to faillog (Bug 124394 - baggins)
+* use O_NOFOLLOW if available when opening debug log (Bug 124385 - baggins)
+* pam_cracklib - removed comments about pam_unix not working with
+  pam_cracklib, added information about use_authtok parameter
+  (Bug 124388 - baggins)
+* pam_userdb - fixed wrong definition of struct pam_module (was pam_wheel)
+  (Bug 124386 - baggins)
+* fixed example/Makefile include path (Bug 124187, 127563(?) - agmorgan)
+* pam_userdb compiles on RH5x. Also removed circular dependency on
+  configure.in. Also bumped revision number to 0.74. (Bug 124136 -
+  agmorgan)
+
+0.73: Sat Dec  2 00:04:04 PST 2000
+
+* updated documentaion revisions and added 'make release' support
+  to the top level Makefile (Bug 124132 - agmorgan).
+* documented Qmail support in pam_mail (Bug 109219 - baggins)
+* add change_uid option to pam_limits, and set real uid only if
+  this option is present (Bug 124062 - baggins)
+* pam_limits - set real uid to the user for who we set limits.
+  (Bug 123972 - baggins)
+* removed static variables from pam_limits (thread safe now). (Bug
+  117450 - agmorgan).
+* removed static variable from pam_wheel (module should be thread safe
+  now). (Bug 112906 - agmorgan)
+* added support for '/' symbols in pam_time and pam_group config files
+  (support for modern terminal devices). Fixed infinite loop problem
+  with '\\[^\n]' in these files. (Bug 116076 - agmorgan)
+* avoid potential SIGPIPE when writing to helper binaries with (Bug
+  123399 - agmorgan)
+* replaced bogus logic in the pam_cracklib module for determining if
+  the replacement is too similar to the old password (Bug 115055 -
+  agmorgan)
+* added accessconf=<filename> feature to pam_access - request from
+  Aldrin Martoq and Meelis Roos (Bugs 111927,117240 - agmorgan)
+* fix for pam_limit module not dealing with all limits Adam J. Richter
+  (Bug 119554 - agmorgan)
+* comment fix describing fail_delay callback in _pam_types.h (Bug
+  112646 - agmorgan)
+* "likeauth" fix for pam_unix and pam_pwdb which (Bug 113596 - agmorgan)
+* fix for pam_unix (support.c) to avoid segfault with NULL password
+  (Bug 113238 - vorlon)
+* fix to pam_unix_passwd: try repeatedly to get a lock on the password
+  file, instead of failing immediately (Bug 108845 - fix vorlon)
+* fix to pam_shells: logged information was not formatted correctly
+  (extra comma) (Bug 111491 - fix vorlon)
+* fix for C++ application support (Bug 111645 - fix agmorgan)
+* fix for typo in pam_client.h (Bug 111648 - fix agmorgan)
+* removal of -lpam from pam_mkhomedir Makefile (Bug 116380 - fix agmorgan)
+* autoconf support [Task ID 15788, Bug ID 108297 - agmorgan with help!]
+ - bugfix for libpamc.h include file [Bug ID 117476 - agmorgan]
+ - bugfix for pam_filter.h inclusion [Bug ID 117474 - agmorgan]
+
+0.72: Mon Dec 13 22:41:11 PST 1999
+
+* patches from Debian (Ben Collins): pam_ftp supports event driven
+  conversations now; pwdb_chkpwd cleanup; pam_warn static compile fix;
+  user_db compiler warnings removed; debian defs file; pam_mail can
+  now be used as a session module
+* ndbm compilation option for user_db module (fix explained by Richard Khoo)
+* pam_cracklib bug fix
+* packaging fixes & build from scratch stuff (Konst Bulatnikov & Frodo
+  Looijaard)
+* -ldl appended to the libpam.so compilation make rule. (Charles Seeger)
+* Red Hat security patch for pam_pwdb forwarded by Debian! (Ben
+  Collins. Fix provided by Andrey as it caught the problem earlier in the
+  code.)
+* heuristic to prevent leaking filedescriptors to an agent. [This needs
+  to be better supported perhaps by an additional libpamc API function?]
+* pam_userdb segfault fix from (Ben Collins)
+* PAM draft spec extras added at request of 'sen_ml'
+
+0.71: Sun Nov  7 20:21:19 PST 1999
+
+* added -lc to linker pass for pam_nologin module (glibc is weird).
+* various header changes to lower the number of warnings on glibc
+  systems (Dan Yefimov)
+* merged a bunch of Debian fixes/patches/documentation (Ben Collins)
+  things touched: libpam (minor); doc/modules/pam_unix.sgml; pam_env
+  (plus docs); pam_mkhomedir (new module for new home directories on
+  the fly...); pam_motd (new module); pam_limits (adjust to match
+  docs); pam_issue (new module + doc) [Some of these were also
+  submitted by Thorsten Kukuk]
+* small hack to lower the number of warnings that pam_client.h was
+  generating.
+* debian and SuSE apparently can use the pam_ftp module, so
+  removed the obsolete comment about this from the docs. (Thorsten
+  Kukuk)
+
+0.70: Fri Oct  8 22:05:30 PDT 1999
+
+* bug fix for parsing of value=action tokens in libpam/pam_misc.c was
+  segfaulting (Jan Rekorajski and independently Matthew Melvin)
+* numerous fixes from Thorsten Kukuk (icluding much needed fixes for
+  bitrot in modules and some documentation) that got included in SuSE 6.2.
+* reentrancy issues in pam_unix and pam_cracklib resolved (Jan Rekorajski)
+* added hosts_equiv_rootok module option to pam_rhosts module (Tim Berger)
+* added comment about 'expose_account' module argument to admin and
+  module writers' docs (request from Michael K Johnson).
+* myriad of bug fixes for libpamc - library now built by default and
+  works with the biomouse fingerprint scanner agent/module
+  (distributed separately).
+
+0.69: Sun Aug  1 20:25:37 PDT 1999
+
+* c++ header #ifdef'ing for pam_appl.h (Tuomo Pyhala)
+* added pam_userdb module (Cristian Gafton)
+* minor documentation changes
+* added in revised pam_client library (libpamc). Not installed by
+  default yet, since the example agent/module combo is not very secure.
+* glibc fixes (Thorsten Kukuk, Adam J. Richter)
+
+0.68: Sun Jul  4 23:04:13 PDT 1999
+
+* completely new pam_unix module from Jan Rekorajski and Stephen Langasek
+* Jan Rekorajski pam_mail - support for Maildir format mailboxes
+* Jan Rekorajski pam_cracklib - support for old password comparison
+* Jan Rekorajski bug fix for pam_pwdb setcred reusing auth retval
+* Andrey's pam_tally patch (lstat -> fstat)
+* Robert Milkowski's additional pam_tally patches to **change format of
+  /var/log/faillog** to one from shadow-utils, add new option "per_user"
+  for pam_tally module, failure time logging, support for fail_line
+  field, and support for fail_locktime field with new option
+  no_lock_time.
+* pam_tally: clean up the tally application too.
+* Marcin Korzonek added process priority settings to pam_limits (bonus
+  points for adding to documentation!)
+* Andrey's pam_pwdb patch (cleanup + md5 endian fubar fix)
+* more binary prompt preparations (make misc conv more compatible with spec)
+* modified callback hook for fail delay to be more useful with event
+  driven applications (changed function prototype - suspect no one
+  will notice). Documented this in app developer guide.
+* documentation for pam_access from Tim Berger
+* syntax fixes for the documentation - a long time since I've built it :*(
+  added some more names to the CREDITS file.
+
+0.67: Sat Jun 19 14:01:24 PDT 1999
+
+* [dropped libpam_client - libpamc will be in the next release and
+   conforms to the developing spec in doc/specs/draft-morgan-pam.raw.
+   Sorry if you are keeping a PAM tree in CVS. CVS is a pain for
+   directories, but this directory was actually not referenced by
+   anything so the disruption should be light.]
+* updates to pam_tally from Tim
+* multiple updates from Stephen Langasek to pam_unix
+* pam_filter had some trouble compiling (bug report from Sridhar)
+* pam_wheel now attempts to identify the wheel group for the local
+  system instead of blindly assuming it is gid=0. In the case that
+  there is no "wheel" group, we default to assuming gid=0 is what was
+  meant - former behavior. (courtesy of Sridhar)
+* NIS+ changes to pam_unix module from Dmitry O Panov
+* hopefully, a fix for redefinition of LOG_AUTHPRIV (bug report Luke
+  Kenneth Casson Leighton)
+* fix for minor typo in pam_wheel documentation (Jacek Kopecky)
+* slightly more explanation of the [x=y] pam.conf syntax in the sys
+  admin guide.
+
+0.66: Mon Dec 28 20:22:23 PST 1998 <morgan@linux.kernel.org>
+
+* Started using cvs to keep track of changes to Linux-PAM.  This will
+  likely break some of the automated building stuff (RPMs etc..).
+* security bug fix to pam_unix and pam_tally from Andrey.
+* modules make file is now more automatic.  It should be possible to
+  unpack an external module in the modules directory and have it automatically
+  added to the build process.  Also added a modules/download-all script
+  that will make such downloading easier.  I'm happy to receive patches to
+  this file, informing the distribution of places from which to enrich itself.
+* removed pam_system_log stuff.  Thought about it long and hard: a
+  bad idea.  If libc cannot guarantee a thread safe syslog, it needs
+  to be fixed and compatibility with other PAM libraries was
+  unnecessarily strained.
+* SAG documentation changes: Seth Chaiklin
+* rhosts: problems with NIS lookup failures with the root-uid check.
+  As a work-around, I've partially eliminated the need for the lookup
+  by supplying two new arguments: no_uid_check, superuser=<username>.
+  As a general rule this is more pluggable, since this module might be
+  used as an authentication scheme for a network service that does not
+  need root privilege...
+* authenticate retval -> setcred for pam_pwdb (likeauth arg).
+* pam_pwdb event driven support
+* non openlog pam_listfile logging
+* BUGFIX: close filedescriptor in pam_group and pam_time (Emmanuel Galanos)
+* Chris Adams' mailhash change for pam_mail module
+* fixed malloc failure check in pam_handlers.c (follow up to comment
+  by Brad M. Garcia).
+* update to _pam_compat.h (Brad M. Garcia)
+* support static modules in libpam again (Brad M. Garcia)
+* libpam/pam_misc.c for egcs to grok the code (Brad M. Garcia)
+* added a solaris-2.5.1 defs file (revived by Derrick J Brashear)
+* pam_listfile logs failed attempts
+* added a comment (Michael K Johnson pointed it out) about sgml2latex
+  having a new syntax.  I'll make it the change real when I upgrade...
+* a little more text to the RFC, spelling fix from William J Buffam.
+* minor changes to pam_securetty to accommodate event driven support.
+
+0.65: Sun Apr  5 22:29:09 PDT 1998 <morgan@linux.kernel.org>
+
+* added event driven programming extensions to libpam
+ - added PAM_INCOMPLETE handling to libpam/pam_dispatch.c
+ - added PAM_CONV_AGAIN which is a new conversation response that
+   should be mapped to PAM_INCOMPLETE by the module.
+ - ensured that the pam_get_user() function can resume
+ - changes to pam_strerror to accommodate above return codes
+ - clean up _pam_former_state at pam_end()
+ - ensured that former state is correctly initialized
+ - added resumption tests to pam_authenticate(), pam_chauthtok()
+ - added PAM_FAIL_DELAY item for pausing on failure
+
+* improved _pam_macros.h so that macros can be used as single commands
+  (Andrey)
+
+* reimplemented logging to avoid bad interactions with libc.  Added
+  new functions, pam_[,v]system_log() to libpam's API.  A programmer
+  can check for this function's availablility by checking if
+  HAVE_PAM_SYSTEM_LOG is #defined.
+
+* removed the reduce conflict from pam_conv1 creation -- I can sleep
+  again now. :^]
+
+* made building of static and dynamic libpam separate.  This is
+  towards making it possible to build both under Solaris (for Derrick)
+
+* made USE_CRACKLIB a condition in unix module (Luke Kenneth Casson Leighton)
+
+* automated (quiet) config installation (Andrey)
+
+0.64: Thu Feb 19 23:30:24 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* miscellaneous patches for building under Solaris (Derrick J Brashear)
+
+* removed STATIC support from a number of module Makefiles.  Notably,
+  these modules are those that use libpwdb and caused difficulties
+  satisfying the build process. (Please submit patches to fix this...;)
+
+* reomved the union for binary packet conversations from
+  (_pam_types.h).  This is now completely implemented in libpam_client.
+
+* Andrey's patch for working environment variable handling in
+  sh_secret module.
+
+* made the libpam_misc conversation function a bit more flexible with
+  respect to binary conversations.
+
+* added top level define (DEBUG_REL) for compiling in the form of
+  a debugging release.  I use this on a Red Hat 4.2 system with little
+  chance of crashing the system as a whole.  (Andrey has another
+  implementation of this -- with a spec file to match..)
+
+0.63: Wed Jan 28 22:55:30 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* added libpam_client "convention" library.  This makes explicit the
+  use of PAM_BINARY_PROMPT.  It is a first cut, so don't take it too
+  seriously yet.  Comments/suggestions for improvements are very
+  welcome.  Note, this library does not compile by default.  It will
+  be enabled when it is judged stable.  The library comes with two
+  module/agent pairs and can be used with ssh using a patch available
+  from my pre-release directory [where you got this file.]
+
+* backward compatibility patch for libpam/pam_handlers.c (PAM_IGNORE
+  was working with neither "requistie" nor "required") and a DEBUG'ing
+  compile time bug with pam_dispatch.c (Savochkin Andrey Vladimirovich)
+
+* minor Makefile change from (Savochkin Andrey Vladimirovich)
+
+* added pam_afsauth, pam_afspass, pam_restrict, and pam_syslog hooks
+  (Derrick J Brashear)
+
+* pam_access use of uname(2) problematic (security problem
+  highlighted by Olaf Kirch).
+
+* pam_listfile went a bit crazy reading group membersips (problem
+  highlighted by Olaf Kirch and patched independently by Cristian
+  Gafton and Savochkin Andrey Vladimirovich)
+
+* compatibility hooks for solaris and hpux (Derrick J Brashear)
+
+* 64 bit Linux/alpha bug fixed in pam_rhosts (Andrew D. Isaacson)
+
+0.62: Wed Jan 14 14:10:55 PST 1998   Andrew Morgan <morgan@linux.kernel.org>
+
+* Derrick J Brashear's patches: adds the HP stuff missed in the first
+  patch; adds SunOS support; adds support for the Solaris native ld
+  instead of requiring gnu ld.
+
+* last line of .rhosts file need not contain a newline. (Bug reported by
+  Thompson Freeman.)
+
+0.61: Thu Jan  8 22:57:44 PST 1998  Andrew Morgan <morgan@linux.kernel.org>
+
+* complete rewrite of the "control flag" logic.  Formerly, we were
+  limited to four flags: requisite, required, sufficient, optional.
+  We can now use these keywords _and_ a great deal more besides.
+  The extra logic was inspired by Vipin Samar, a preliminary patch was
+  written by Andy Berkheimer, but I "had some ideas of my own" and
+  that's what I've actually included.  The basic idea is to allow the
+  admin to custom build a control flag with a series of token=value
+  pairs inside square brackets.  Eg., '[default=die success=ok]' which
+  is pretty close to a synonym for 'requisite'.  I'll try to document it
+  better in the sys-admin guide but I'm pretty sure it is a change for
+  the better....  If what is in the sys-admin guide is not good enough
+  for you, just take a look at the source for libpam ;^)
+
+0.59: Thu Jan  8 22:27:22 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* better handling of empty lines in .rhosts file.  (Formerly, we asked
+  the nameserver about them!) Fix from Hugh Daschbach.
+
+* _broke_some_binary_compatibility_ with previous versions to become
+  compliant with X/Open's XSSO spec.  Specifically, this has been
+  by changing the prototype for pam_strerror().
+
+* altered the convention for the conversation mechanism to agree
+  with that of Sun.  (number of responses 'now=' number of messages
+  with help from Cristian for finding a bug.. Cristian also found a
+  nasty speradic segfault bug -- Thanks!)
+
+* added NIS+ support to pam_unix_*
+
+* fixed a "regular file checking" problem with the ~/.rhosts sanity
+  check.  Added "privategroup" option to permit group write permission
+  on the ~/.rhosts file in the case that the group owner has the same
+  name as the authenticating user.  :*) "promiscuous" and "suppress"
+  were not usable!
+
+* added glibc compatibility to pam_rhosts_auth (protected __USE_MISC
+  with #ifndef since my libc already defines it!).
+
+* Security fix from Savochkin Andrey Vladimirovich with suggested
+  modification from Olaf Seibert.
+
+* preC contains mostly code clean-ups and a number of changes to
+  _pam_macros.
+
+0.58: whenever
+
+* pam_getenvlist() has a more robust definition (XSSO) than was previously
+  thought.  It would seem that we no longer need pam_misc_copy_env()
+  which was there to provide the robustness that pam_getenvlist()
+  lacked before...
+
+  Accordingly, I have REMOVED the prototype from libpam_misc. (The
+  function, however, will remain in the library as a wrapper for
+  legacy apps, but will likely be removed from libpam_misc-1.0.) PLEASE
+  FIX YOUR APPS *BEFORE* WE GET THERE!
+
+* Alexy Nogin reported garbage output from pam_env in the case of
+  a non-existent environment variable.
+
+* 'fixed' pwdb compilation for pam_wheel.  Not very cleanly
+  done.. Mmmm. Should really clean up the entire source tree...
+
+* added prototypes for mapping functions
+
+			<**WARNING**>
+
+  various constants have had there names changed.  Numerical values have
+  been retained but be aware some source old modules/applications will
+  need to be fixed before recompilation.
+
+			</**WARNING**>
+
+* appended documentation to README for pam_rhosts module (Nicolai
+  Langfeldt).
+
+* verified X/Open compatibility of header files - note, where we differ
+  it is at the level of compilation warnings and the use of 'const char *'
+  instead of 'char *'.  Previously, Sun(X/open) have revised their spec
+  to be more 'const'-ervative in the light of comments from Linux-PAM
+  development.
+
+* Ooops! PAM_AUTHTOKEN_REQD should have been PAM_NEW_AUTHTOK_REQD.
+
+	changed: pam_pwdb(pam_unix_acct) (also bug fix for
+	_shadow_acct_mgmt_exp() return value), pam_stress,
+	libpam/pam_dispatch, blank, xsh.
+
+* New: PAM_AUTHTOK_EXPIRED - password has expired.
+
+* Ooops! PAM_CRED_ESTABLISH (etc.) should have been PAM_ESTABLISH_CRED
+  etc... (changed - this may break some people's modules - PLEASE TAKE
+  NOTE!)
+	changed: pam_group, pam_mail, blank, xsh; module and appl
+	docs, pam_setcred manual page.
+
+* renamed internal _pam_handle structure to be pam_handle as per XSSO.
+
+* added PAM_RADIO_TYPE  (for multiple choice input method).  Also
+  added PAM_BINARY_{MSG,PROMPT} (for interaction out of sight of user
+  - this could be used for RSA type authentication but is currently
+  just there for experimental purposes).  The _BINARY_ types are now
+  usable with hooks in the libpam_misc conversation function. Still
+  have to add PAM_RADIO_TYPE.
+
+* added pam_access module (Alexei Nogin)
+
+* added documentation for pam_lastlog.  Also modified the module to
+  not (by default) print "welcome to your new account" when it cannot
+  find a utmp entry for the user (you can turn this on with the
+  "never" argument).
+
+* small correction to the pam_fail_delay manual page.  Either the appl or
+  the modules header file will prototype this function.
+
+* added "bigcrypt" (DEC's C2) algorithm(0) to pam_pwdb. (Andy Phillips)
+
+* *BSD tweaking for various #include's etc. (pam_lastlog, pam_rhosts,
+  pam_wheel, libpam/pam_handlers). (Michael Smith)
+
+* added configuration directory $SCONFIGED for module specific
+  configuration files.
+
+* added two new "linked" man pages (pam.conf(8) and pam.d(8))
+
+* included a reasonable default for /etc/pam.conf (which can be
+  translated to /etc/pam.d/* files with the pam_conv1 binary)
+
+* fixed the names of the new configuration files in
+   conf/pam_conv1/pam_conv.y
+
+* fixed make check.
+
+* pam_lastlog fixed to handle UID in virgin part of /var/log/lastlog
+  (bug report from Ronald Wahl).
+
+* grammar fix in pam_cracklib
+
+* segfault avoided in pam_pwdb (getting user). Updating of passwords
+  that are directed to a "new" database are more robust now (bug noted
+  by Michael K. Johnson).  Added "unix" module argument for migrating
+  passwords from another database to /etc/passwd. (documentation
+  updated).  Removed "bad username []" warning for empty passwords -
+  on again if you supply the 'debug' module argument.
+
+* ctrl-D respected in conversation function (libpam_misc)
+
+* Removed -DPAM_FAIL_DELAY_ON from top-level Makefile. Nothing in
+  the distribution uses it.  I guess this change happened a while
+  back, basically I'm trying to make the module parts of the
+  distribution "source compatible" with the RFC definition of PAM.
+  This implementation of PAM is a superset of that definition. I have
+  added the following symbols to the Linux-PAM header files:
+
+	PAM_DATA_SILENT (see _pam_types.h)
+	HAVE_PAM_FAIL_DELAY (see _pam_types.h)
+	PAM_DATA_REPLACE (see _pam_modules.h)
+
+  Any module (or application) that wants to utilize these features,
+  should check (#ifdef) for these tokens before using the associated
+  functionality.  (Credit to Michael K. Johnson for pointing out my
+  earlier omission: not documenting this change :*)
+
+* first stab at making modules more independent of full library
+  source.  Modules converted:
+	pam_deny
+	pam_permit
+	pam_lastlog
+	pam_pwdb
+
+* pam_env.c: #include <errno.h> added to ease GNU libc use. (Michael
+  K. Johnson)
+
+* pam_unix_passwd fixes to shadow aging code (Eliot Frank)
+
+* added README for pam_tally
+
+0.57: Fri Apr  4 23:00:45 PST 1997  Andrew Morgan <morgan@parc.power.net>
+
+* added "nodelay" argument to pam_pwdb.  This can be used to turn off
+  the call to pam_fail_delay that takes effect when the user fails to
+  authenticate themself.
+
+* added "suppress" argument to pam_rhosts_auth module. This will stop
+  printing the "rlogin failure message" when the user does not have a
+  .rhosts file.
+
+* Extra fixes for FAKEROOT in Makefiles (Savochkin Andrey
+  Vladimirovich)
+
+* pam_tally added to tree courtesy of Tim Baverstock
+
+* pam_rhosts_auth was failing to read NFS mounted .rhosts
+  files. (Fixed by Peter Allgeyer). Refixed and further enhanced
+  (netgroups) by Nicolai Langfeldt. [Credit also to G.Wilford for some
+  changes that were not actually included..]
+
+* optional (#ifdef PAM_READ_BOTH_CONFS) support for parsing of pam.d/
+  AND pam.conf files (Elliot Lee).
+
+* Added (and signed) Cristian's PGP key. (I've never met him, but I am
+  convinced the key belongs to the guy that is making the PAM rpms and
+  also producing libpwdb. Please note, I will not be signing anyone
+  else's key without a personal introduction..)
+
+* fixed erroneous syslog warning in pam_listfile (Savochkin Andrey
+  Vladimirovich, whole file reformatted by Cristian)
+
+* modified pam_securetty to return PAM_IGNORE in the case that the user's
+  name is not known to the system (was previously, PAM_USER_UNKNOWN). The
+  Rationale is that pam_securetty's sole purpose is to prevent superuser
+  login anywhere other than at the console. It is not its concern that the
+  user is unknown - only that they are _not_ root. Returning
+  PAM_IGNORE, however, insures that the pam_securetty can never be used to
+  "authenticate" a non-existent user. (Cristian Gafton with bug report from
+  Roger Hu)
+
+* Modified pam_nologin to display the no-login message when the user
+  is not known. The return value in this case is still PAM_USER_UNKNOWN.
+  (Bug report from Cristian Gafton)
+
+* Added NEED_LCKPWD for pam_unix/ This is used to define the locking
+  functions and should only be turned on if you don't have them in
+  your libc.
+
+* tidied up pam_lastlog and pam_pwdb: removed function that was never used.
+
+* Note for package maintainers: I have added $(FAKEROOT) to the list of
+  environment variables.  This should help greatly when you build PAM
+  in a subdirectory.  I've gone through the tree and tried to make
+  everything compatible with it.
+
+* added pam_env (courtesy of Dave Kinchlea)
+
+* removed pam_passwd+ from the tree.  It has not been maintained in a
+  long time and running a shell script was basically insecure. I've
+  indicated where you can pick up the source if you want it.
+
+* #define HAVE_PAM_FAIL_DELAY . Applications can conditionally compile
+  with this if they want to see if the facility is available. It is
+  now always available. (corresponding compilation cleanups..)
+
+* _pam_sanitize() added to pam_misc. It purges the PAM_AUTHTOK and
+  PAM_OLDAUTHTOK items. (calls replaced in pam_auth and pam_password)
+
+* pam_rhosts now knows about the '+' entry. Since I think this is a
+  dangerous thing, I have required that the sysadmin supply the
+  "promiscuous" flag for it in the corresponding configuration file
+  before it will work.
+
+* FULL_LINUX_PAM_SOURCE_TREE exported from the top level make file.
+  If you want to build a module, you can test for this to determine if
+  it should take its directions from above or supply default locations
+  for installation. Etc.
+
+0.56: Sat Feb 15 12:21:01 PST 1997 <morgan@parc.power.net>
+
+* pam_handlers.c can now interpret the pam.d/ service config tree:
+	- if /etc/pam.d/ exists /etc/pam.conf is IGNORED
+	  (otherwise /etc/pam.conf is treated as before)
+	- given /etc/pam.d/
+	  . config files are named (in lower case) by service-name
+	  . config files have same syntax as /etc/pam.conf except	
+	    that the "service-name" field is not present. (there
+	    are thus three manditory fields (and arguments are
+	    optional):
+
+		module-type  control-flag  module-path  optional-args...
+
+	    )
+
+* included conf/pam_conv1 for converting pam.conf to a pam.d/ version
+  1.0 directory tree. This program reads a pam.conf file on the
+  standard input stream and creates ./pam.d/ (in the local directory)
+  and fills it with ./pam.d/"service-name" files.
+
+	*> Note: It will fail if ./pam.d/ already exists.
+
+  PLEASE REPORT ANY BUGS WITH THIS CONVERSION PROGRAM... It currently
+  cannot retain comments from the old conf file, so take care to do this
+  by hand. Also, please email me with the fix that makes the
+  shift/reduce conflict go away...
+
+* Added default module path to libpam for modules (see pam_handlers.c)
+  it makes use of Makfile defined symbol: DEFAULT_MODULE_PATH which is
+  inhereted from the defs/* variable $(SECUREDIR). Removed module
+  paths from the sample pam.conf file as they are no longer needed.
+
+* pam_pwdb can now verify read protected passwords when it is not run
+  by root.  This is via a helper binary that is setuid root.
+
+* pam_permit now prompts for a username if it is not already determined
+
+* pam_rhosts now honors "debug" and no longer hardwire's "root" as the
+  superuser's name.
+
+* pam_securetty now honors the "debug" flag
+
+* trouble parsing extra spaces fixed in pam_time and pam_group
+
+* added Michael K. Johnson's PGP key to the pgp.keys.asc list
+
+* pam_end->env not being free()'d: fixed
+
+* manuals relocated to section 3
+
+* fixed bug in pam_mail.c, and enhanced to recognize '~' as a prefix
+  to indicate the $HOME of the user (courtesy David
+  Kinchlea). *Changed* from a "session" module to an "auth"
+  module. It cannot be used to authenticate a user, but it can be used
+  in setting credentials.
+
+* fixed a stupid bug in pam_warn.. Only PAM_SERVICE was being read :*(
+
+* pam_radius rewritten to exclusively make use of libpwdb. (minor fix
+  to Makefile for cleaning up - AGM)
+
+* pam_limits extended to limit the total number of logins on a system
+  at any given time.
+
+* libpam and libpam_misc use $(MAJOR_REL) and $(MINOR_REL) to set their
+  version numbers [defined in top level makefile]
+
+* bugfix in sed command in defs/redhat.defs (AGM's fault)
+
+* The following was related to a possibility of buffer overruns in
+  the syslogging code: removed fixed length array from syslogging
+  function in the following modules [capitalized the log identifier
+  so the sysadmin can "know" these are fixed on the local system],
+
+	pam_ftp, pam_stress, pam_rootok, pam_securetty,
+	pam_listfile, pam_shells, pam_warn, pam_lastlog
+  and
+	pam_unix_passwd (where it was definitely _not_ exploitable)
+
+0.55: Sat Jan  4 14:43:02 PST 1997, Andrew Morgan <morgan@parc.power.net>
+
+* added "requisite" control_flag to /etc/pam.conf syntax. [See
+  Sys. Admin. Guide for explanation] changes to pam_handlers.c
+
+* completely new handling of garbled pam.conf lines. The modus
+  operandi now is to assume that any errors in the line are minor.
+  Errors of this sort should *most definitely* lead to the module
+  failing, however, just ignoring the line (as was the case
+  previously) can lead to gaping security holes(! Not foreseen by the
+  RFC). The "motivation" for the RFC's comments about ignoring garbled
+  lines is present in spirit in the new code: basically a garbled line
+  is treated like an instance of the pam_deny.so module.
+  changes to pam_handlers.c and pam_dispatch.c .
+
+* patched libpam, to (a) call _pam_init_handlers from pam_start() and
+  (b) to log a text error if there are no modules defined for a given
+  service when a call to a module is requested. [pam_start() and
+  pam_dispatch() were changed].
+
+* patched pam_securetty to deal with "/dev/" prefix on PAM_TTY item.
+
+* reorganized the modules/Makefile to include *ALL* modules. It is now
+  the responsibility of the modules themselves to test whether they can
+  be compiled locally or not.
+
+* modified pam_group to add to the getgroups() list rather than overwrite
+  it. [In the case of "HAVE_LIBPWDB" we use the pwdb_..() calls to
+  translate the group names.]. Module now pays attention to
+  PAM_CRED_.. flag(!)
+
+* identified and removed bugs in field reading code of pam_time and
+  (thus) pam_group.
+
+* Cristian's patches to pam_listfile module, corresponding change to
+  documentation.
+
+* I've discovered &ero; for sgml!
+  Added pam_time documentation to the admin guide.
+
+* added manual pages: pam.8, pam_start.2(=pam_end.2),
+  pam_authenticate.2, pam_setcred.2, pam_strerror.2,
+  pam_open_session.2(=pam_close_session.2) and pam_chauthtok.2 .
+
+* added new modules:
+
+	- pam_mail (tells the user if they have any new mail
+	  and sets their MAIL env variable)
+	- pam_lastlog (reports on the last time this user called
+	  this module)
+
+* new module hooks provided.
+
+* added a timeout feature to the conversation function in
+  libpam_misc. Documented it in the application developers' guide.
+
+* fixed bug in pam_misc_paste_env() function..
+
+* slight modifications to wheel and rhosts writeup.
+
+* more security issues added to module and application guides.
+
+--
+Things present but not mentioned in previous release (sorry)
+
+* pam_pwdb module now resets the "last_change" entry before updating a
+  password.
+--
+
+Sat Nov 30 19:30:20 PST 1996, Andrew Morgan <morgan@parc.power.net>
+
+* added environment handling to libpam. involved change to _pam_types.h
+  also added supplementary functions to libpam_misc
+
+* added pam_radius - Cristian
+
+* slight speed up for pam_rhosts
+
+* significantly enhanced sys-admin documentation (8 p -> 41 p in
+  PostScript). Added to other documentation too.  Mostly the changes
+  in the other docs concern the new PAM-environment support, there is
+  also some coverage of libpam_misc in the App. Developers' guide.
+
+* Cristian's patches to pam_limits and pam_pwdb. Fixing bugs. (MORE added)
+  
+* adopted Cristian's _pam_macros.h file to help with common macros and
+  debugging stuff, gone through tree tidying up debugging lines to use
+  this [not complete].
+
+	- for consistency replaced DROP() with _pam_drop()
+
+* commented memory debugging in top level makefile
+
+* added the following modules
+
+    - pam_warn	log information to syslog(3) about service application
+    - pam_ftp	if user is 'ftp' then set PAM_RUSER/PAM_RHOST with password
+    (comment about nologin added to last release's notes)
+
+* modified the pam_listfile module. It now declares a meaningful static
+  structure name.
+
+Sun Nov 10 13:26:39 PST 1996, Andrew Morgan <morgan@parc.power.net>
+
+		**PLEASE *RE*AMEND YOUR PERSONAL LINKS**
+
+  ------->  http://parc.power.net/morgan/Linux-PAM/index.html  <-------
+
+		**PLEASE *RE*AMEND YOUR PERSONAL LINKS**
+
+A brief summary of what has changed:
+
+* many modules have been modified to accomodate fixing the pam_get_user()
+  change. Please take note if you have a module in this distribution.
+
+* pam_unix is now the pam_unix that Red Hat has been using and which
+  should be fairly well debugged.
+
+   - I've added some #ifdef's to make it compile for me, and also
+     updated it with respect to the libpam-0.53, so have a look at the
+     .../modules/pam_unix/Makefile to enable cracklib and shadow features
+
+	** BECAUSE OF THIS, I cannot guarantee this code works as it **
+	** did for Red Hat. Please test and report any problems.     **
+
+* the pam_unix of .52 (renamed to pam_pwdb) has been enhanced and made
+  more flexible with by implementing it with respect to the new
+  "Password Database Library" see
+
+	http://parc.power.net/morgan/libpwdb/index.html
+
+  modules included in this release that require this library to
+  function are the following:
+
+	- pam_pwdb (ne pam_unix-0.52 + some enhancements)
+	- pam_wheel
+	- pam_limits
+	- pam_nologin
+
+* Added some optional code for memory debugging. In order to support
+  this you have to enable MEMORY_DEBUG in the top level makefile and
+  also #define MEMORY_DEBUG in your applications when they are compiled.
+  The extra code resides in libpam (compiled if MEMORY_DEBUG is defined)
+  and the macros for malloc etc. are to be found at the end of
+  _pam_types.h
+
+* used above code to locate two memory leaks in pam_unix module and two
+  in libpam (pam_handlers.h)
+
+* pam_get_user() now sets the PAM_USER item. After reading the Sun
+  manual page again, it was clear that it should do this. Various
+  modules have been assuming this and now I have modified most of them
+  to account for this change. Additionally, pam_get_user() is now
+  located in the module include file; modules are supposed to be the
+  ones that use it(!) [Note, this is explicitly contrary to the Sun
+  manual page, but in the spirit of the Linux distribution to date.]
+
+* replaced -D"LINUX" with -D"LINUX_PAM" as this is more explicit and less
+  likely to be confused with -D"linux".
+  Also, modified the libpam #include files to behave more like the Sun
+  ones #ifndef LINUX_PAM.
+
+* removed <bf/ .. / from documentation titles. This was not giving
+  politically correct html..
+ 
+----- My vvvvvvvvvvvvvvvvvvv was a long time ago ;*] -----
+
+Wed Sep  4 23:57:19 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu>
+
+0. Before I begin, Linux-PAM has a new primary distribution site (kindly
+donated by Power Net Inc., Los Angeles)
+
+		**PLEASE AMMEND YOUR PERSONAL LINKS**
+
+      ------->  http://www.power.net/morgan/Linux-PAM  <-------
+
+		**PLEASE AMMEND YOUR PERSONAL LINKS**
+
+1. I'm hoping to make the next release a bug-fix release... So please find
+   all the bugs(! ;^)
+
+2. here are the changes for .52:
+
+* minor changes to module documentation [Incidently, it is now
+  available on-line from the WWW page above]. More changes to follow in
+  the next two releases. PLEASE EMAIL me or the list if there is
+  anything that isn't clear!
+
+* completely changed the unix module. Now a single module for all four
+  management groups (this meant that I could define all functions as
+  static that were not part of the pam_sm_... scheme. AGM)
+
+  - Shadow support added
+PASSWD  - Elliot's account management included, and enhanced by Cristian Gafton.
+  - MD5 password support added by Cristian Gafton.
+  - maxtries for authentication now enforced.
+  - Password changing function in pam_unix now works!
+    Although obviously, I'm not going to *guarantee* it ;^) .
+  - stole Marek's locking code from the Red Hat unix module.
+    [ If you like you can #ifdef it in or out ... ]
+
+    You can configure the module more from its Makefile in
+    0.52/modules/pam_unix/
+
+    If you are nervous that it will destroy your /etc/passwd or shadow
+    files then EDIT the 0.52/modules/pam_unix/pam_unix_pass.-c file.
+    Here is the warning comment from this file...
+
+-------------8<-----------------
+/*                           <WARNING>
+ *
+ * Uncomment the following #define if you are paranoid, and do not
+ * want to risk losing your /etc/passwd or shadow files.
+ * It works for me (AGM) but there are no guarantees.
+ *
+ *                          </WARNING>
+ */
+/* #define TMP__FILE */
+------------->8-----------------
+
+  *** If anyone has any trouble, please *say*. Your problem will be
+      fixed in the next release. Also please feel free to scour the
+      code for race conditions etc... 
+
+[* The above change requires that you purge your /usr/lib/security
+   directory of the old pam_unix_XXX.so modules: they will NOT be deleted
+   with a 'make remove'.]
+
+* the prototype for the cleanup function supplied to pam_set_data used
+  to return "int". According to Sun it should be "void". CHANGED.
+
+* added some definitions for the 'error_status' mask values that are
+  passed to the cleanup function associated with each
+  module-data-item. These numbers were needed to keep up with changing
+  a data item (see for example the code in pam_unix/support.-c that
+  manages the maximum number of retries so far). Will see what Sun says
+  (current indications are positive); this may be undone before 1.0 is
+  released.  Here are the definitions (from pam_modules.h).
+
+#define PAM_DATA_SILENT    0x40000000     /* used to suppress messages... */
+#define PAM_DATA_REPLACE   0x20000000     /* used when replacing a data item */
+
+* Changed the .../conf/pam.conf file. It now points to the new
+  pam_unix module for 'su' and 'passwd' [can get these as SimpleApps --
+  I use them for testing. A more extensive selection of applications is
+  available from Red Hat...]
+
+* corrected a bug in pam_dispatch. Basically, the problem was that if
+  all the modules were "sufficient" then the return value for this
+  function was never set. The net effect was that _pam_dispatch_aux
+  returned success when all the sufficient modules failed. :^( I think
+  this is the correct fix to a problem that the Red Hat folks had
+  found...
+
+sopwith* Removed advisory locking from libpam (thanks for the POSIX patch
+  goes to Josh Wilmes's, my apologies for not using it in the
+  end.). Advisory locking did not seem sufficiently secure for libpam.
+  Thanks to Werner Almesberger for identifying the corresponding "denial
+  of service attack". :*(
+
+* related to fix, have introduced a lock file /var/lock/subsys/PAM
+  that can be used to indicate the system should pay attention to
+  advisory locking on /etc/pam.conf file. To implement this you need to
+  define PAM_LOCKING though. (see .52/libpam)
+
+* modified pam_fail_delay() function. Couldn't find the "not working"
+  problem indicated by Michael, but modified it to do pseudo-random
+  delays based on the values indicated by pam_fail_delay() -- the
+  function "that may eventually go away"... Although Sun is warming to
+  the idea.
+
+* new modules include:
+
+	pam_shells    - authentication for users with a shell listed in
+			/etc/shells. Erik Troan <ewt@redhat.com>
+
+	pam_listfile  - authentication based on the contents of files.
+			Set to be more general than the above in the
+			future. UNTESTED. Elliot Lee <@redhat.com>
+			[Note, this module compiles with a non-trivial
+			warning: AGM]
+
+Thu Aug  8 22:32:15 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* modified makefiles to take more of their installation instructions
+  from the top level makefile. Desired for integration into the Debian
+  distribution, and generally a good idea.
+
+* fixed memory arithmetic in pam_handlers
+  -- still need to track down why failure to load modules can lead to
+  authentication succeding..
+
+* added tags for new modules (smartcards from Alex -- just a promise
+  at this stage) and a new module from Elliot Lee; pam_securetty
+
+* I have not had time to smooth out the wrinkles with it, but Alex's
+  pam_unix modifications are provided in pam_unix-alex (in the modules
+  directory) they will not be compiled by 'make all' and I can't even
+  say if they do compile... I will try to look at them for .52 but, in
+  the mean time please feel free to study/fix/discuss what is there.
+
+* pam_rhosts module. Removed code for manually setting the ruser
+  etc. This was not very secure.
+
+* [remade .ps docs to be in letter format -- my printer complains
+  about a4]
+
+Sunday July, 7 12:45:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* No longer accompanying the Linux-PAM release with apps installed.
+  [Will provide what was here in a separate package.. (soon)
+lib   Also see http://www.redhat.com/pam for some more (in .rpm form...)]
+
+* renamed libmisc to libpam_misc. It is currently configured to only compile
+  the static library. For some strange reason (perhaps someone can
+  investigate) my Linux 2.0.0 kernel with RedHat 3.0.3 system
+  segfaults when I compile it to be a dynamic library. The segfault
+  seems to be inside the call to the ** dl_XXX ** function...!?
+
+  There is a simple flag in the libpam_misc/Makefile to turn on dynamic
+  compiles.
+
+* Added a little unofficial code for delay support in libpam (will probably
+  disappear later..) There is some documentation for it in the pam_modules
+  doc now. That will obviously go too.
+
+* rewritten pam_time to use *logic* to specify the stringing together of
+  users/times/terminals etc.. (what was there before was superficially
+  logical but basically un-predictable!)
+
+* added pam_group. Its syntax is almost identical to pam_time but it
+  has another field added; a list of groups to make the user a member
+  of if they pass the previous tests. It seems to not co-exist too well
+  with the groups in the /etc/group but I hope to have that fixed by
+  the next release...
+
+* minor re-formatting of pam_modules documentation
+
+* removed ...// since it wasn't being used and didn't look like it
+  would be!
+
+GCCSunday 23 22:35:00 PST 1996   (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* The major change is the addition of a new module: pam_time for
+  restricting access on terminals at given times for indicated users
+  it comes with its own configuration file /etc/security/time.conf
+  and the sample file simply restricts 'you' from satisfying the blank
+  application if they try to use blank from any tty*
+
+* Small changes include
+- altered pam.conf to demonstrate above new module (try typing username: you)
+- very minor changes to the docs (pam_appl and pam_modules)
+
+Saturday June 2 01:40:00 PST 1996  (Andrew Morgan <morgan@physics.ucla.edu>)
+
+*** PLEASE READ THE README, it has changed ***
+
+* NOTE, 'su' exhibits a "system error", when static linking is
+  used. This is because the pam_unix_... module currently only has
+  partial static linking support. This is likely to change on Monday
+  June 3, when Alex makes his latest version availible. I will include
+  the updated module in next release.
+
+changes for .42:
+
+* modified the way in which libpam/pam_modules.h defines prototypes for
+  the pam_sm_ functions. Now the module must declare which functions it
+  is to provide *before* the #include <security/pam_modules.h> line.
+  (for contrasting examples, see the pam_deny and pam_rootok modules)
+  This removed the ugly hack of defining functions that are never called
+  to overcome  warnings... This seems much tidier.
+insterted* updated the TODO list. (changed mailing list address)
+* updated README in .../modules to reflect modifications to static
+  compliation protocol
+* modified the pam_modules documentation to describe this.
+* corrected last argument of pam_get_item( ... ) in
+  pam_appl/modules.sgml, to "const void **".
+* altered GNU GPL's in the documentation, and various other parts of
+  the distribution. *Please check* that any code you are responsible for
+  is corrected.
+* Added ./Copyright (please check that it is acceptable)
+* updated ./README to make current and indicate the new mailing list
+  address
+* have completely rewritten pam_filter. It now runs modular filter
+  executables (stored in /usr/sbin/pam_filter/) This should make it
+  trivial for others to write their own filters.. If you want yours
+  included in the distribution please email the list/me.
+* changes to libpam; there was a silly bug with multiple arguments on a
+  pam.conf line that was broken with a '\<LF>'.
+* 'su' rearranged code (to make better use of PAM)
+  *Also* now uses POSIX signals--this should help the Alpha port.
+* 'passwd' now uses getlogin() to determine who's passwords to change.
+
+Sunday May 26 9:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* fixed module makefiles to create needed dynamic/static subdirectories
+
+Saturday May 25 20:30:27.8 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* LOTS has changed regarding how the modules/libpam are built.
+*  Michael's mostly complete changes for static support--see below
+  (Andrew got a little carried away and automated the static linking
+  of modules---bugs are likely mine ;( )
+* Thanks mostly to Michael, libpam now compiles without a single warning :^]
+* made static modules/library optional.
+CFLAGS* added 'make sterile' to top level makefile. This does extraclean and remove
+* added Michael and Joseph to documentation credits (and a subsection for
+  future documentation of static module support in pam_modules.sgml)
+* libpam; many changes to makefiles and also automated the inclusion of
+  static module objects in pam_static.c
+* modified modules for automated static/dynamic support. Added static & 
+  dynamic subdirectories, as instructed by Michael
+* removed an annoying syslog message from pam_filter: "parent exited.."
+* updated todo list (anyone know anything about svgalib/X? we probably should
+  have some support for these...)
+
+Friday May 24 16:30:15 EDT 1996 (Michael K. Johnson <johnsonm@redhat.com>)
+
+* Added first (incomplete) cut at static support.
+  This includes:
+   . changes in libpam, including a new file, pam_static.c
+   . changes to modules including exporting struct of function pointers
+   . static and dynamic linking can be combined
+   . right now, the only working combinations are just dynamic
+     linking and dynamic libpam.so with static modules linked
+     into libpam.so.  That's on the list of things to fix...
+   . modules are built differently depending on whether they
+     are static or dynamic.  Therefore, there are two directories
+     under each module directory, one for static, and one for
+     dynamic modules.
+* Fixed random brokenness in the Makefiles.  [ foo -nt bar ] is
+  rather redundant in a makefile, for instance.  Also, passing
+   on the command line is broken because it cannot be
+  overridden in any way (even adding important parts) in lower-level
+  makefiles.
+* Unfortunately, fixing some of the brokenness meant that I used
+  GNU-specific stuff.  However, I *think* that there was GNU-specific
+  stuff already.  And I think that we should just use the GNU
+  extensions, because any platform that GNU make doesn't port to
+  easily will be hard to port to anyway.  It also won't be likely
+passwd  to handle autoconf, which was Ted's suggestion for getting
+  around limitations in standard make...
+  For now, I suggest that we just use some simple GNU-specific
+  extensions.
+
+Monday May 20 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* added some text to pam_modules.sgml
+* corrected Marek's name in all documentation
+* made pam_stress conform to chauthtok conventions -- ie can now request
+  old password before proceeding.
+* included Alex's latest unix module
+* included Al's + password strength checking module
+* included pam_rootok module
+* fixed too many bugs in libpam.. all subtly related to the argument lists
+  or use of syslog. Added more debugging lines here too.
+* fixed the pam.conf file
+* deleted pam_test module. It is pretty old and basically superceeded
+  by pam_stress
+
+Friday May 9 1:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* updated documentaion, added Al Longyear to credits and corrected the
+  spelling of Jeff's name(!). Most changes to pam.sgml (even added a figure!)
+* new module pam_rhosts_auth (from Al Longyear)
+* new apps rlogind and ftpd (a patch) from Al.
+* modified 'passwd' to not call pam_authenticate (note, none of the
+  modules respect this convention yet!)
+* fixed bug in libpam that caused trouble if the last line of a
+  pam.conf file ends with a module name and no newline character
+* also made more compatable with documentation, in that bad lines in
+  pam.conf are now ignored rather than causing libpam to return an
+  error to the app.
+* libpam now overwrites the AUTHTOKs when returning from
+  pam_authenticate and pam_chauthtok calls (as per Sun/RFC too)
+* libpam is now installed as libpam.so.XXX in a way that ldconfig can
+  handle!
+
+
+Wednesday May 1 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* removed .../test directory, use .../examples from now on.
+* added .../apps directory for fully functional applications
+  - the apps directory contains directories that actually contain the apps.
+    the idea is to make application compilation conditional on the presence
+    of the directory. Note, there are entries in the Makefile for
+    'login' and 'ftpd' that are ready for installation... Email me if
+    you want to reserve a directory name for an application you are
+    working on...
+* similar changes to .../modules makefile [entries for pam_skey and
+  pam_kerberos created---awaiting the directories.] Email me if you
+  want to register another module...
+* minor changes to docs.. Not really worth reprinting them quite yet!
+  [save the trees]
+* added misc_conv to libmisc. it is a generic conversation function
+  for text based applications. [would be nice to see someone create
+  an Xlib and/or svgalib version]
+* fixed ctrl-z/c bug with pam_filter module [try xsh with the default
+  pam.conf file]
+* added 'required' argument to 'pam_stress' module.
+* added a TODO list... other suggestions to the list please.
+
+Saturday April 7 00:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+* Alex and Marek please note I have altered _pam_auth_unix a little, to
+  make it get the passwords with the "proper method" (and also fixed it
+  to not have as many compiler warnings)
+* updated the conf/pam.conf file
+* added new example application examples/xsh.c (like blank but invokes
+  /bin/sh)
+* Marc's patches for examples/blank.c (and AGM's too)
+* fixed stacking of modules in libpam/pam_handlers.c
+* fixed RESETing in libpam/pam_item.c
+* added new module modules/pam_filter/ to demonstrate the possibility
+  of inserting an arbitrary filter between the terminal and the
+  application that could do customized logging etc... (see use of
+  bin/xsh as defined in conf/pam.conf)
+
+
+Saturday March 16 19:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+These notes are for 0.3 I don't think I've left anything important
+out, but I will use emacs 'C-x v a' next time! (Thanks Jeff)
+
+	* not much has changed with the functionality of the Linux-PAM lib
+	  .../libpam
+		- pam_password calls module twice with different arguments
+		- added const to some of the function arguments
+		- added PAM_MAX_MES_ to <security/_pam_types.h>
+		- was a lot over zealous about purging old passwords...
+		  I have removed much of this from source to make it
+		  more compatible with SUN.
+		- moved some PAM_... tokens to pam_modules.h from _pam_types.h
+		  (no-one should notice)
+
+	* added three modules: pam_permit pam_deny pam_stress
+	  no prizes for guessing what the first two do. The third is
+	  a reasonably complete (functional) module. Is intended for testing
+	  applications with.
+
+	* fixed a few pieces of examples/blank.c so that it works (with
+	  pam_stress)
+
+	* ammended the documentation. Looking better, but suggestions/comments
+	  very welcome!
+
+Sunday March 10 10:50:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+These notes are for Linux-PAM release 0.21.  They cover what's changed
+since I relased 0.2.
+
+	* am now using RCS
+	* substantially changed ./README
+	* fixed bug reading \\\n in pam.conf file
+	* small changes to documentation
+	* added `blank' application to ./examples (could be viewed as
+	  a `Linux-PAM aware' application template.)
+	* oops. now including pam_passwd.o and pam_session.o in pamlib.so
+	* compute md5 checksums for all the source when making a release
+	    - added `make check' and `make RCScheck' to compute md5 checksums
+	* create a second tar file with all the RCS files in.
+	* removed the .html and .txt docs, supplying sgml sources instead.
+	    - see README for info on where to get .ps files
+
+Thursday March 6 0:44:?? PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+These notes are for Linux-PAM release 0.2.  They cover what's changed
+since Marc Ewing relased 0.1.
+
+**** Please note. All of the directories in this release have been modified
+**** slightly to conform to the new pamlib. A couple of new directories have
+**** been added. As well as some documentation. If some of your code
+**** was in the previous release. Feel free to update it, but please
+**** try to conform to the new headers and Makefiles.
+
+* Andrew Morgan (morgan@physics.ucla.edu) is making this release
+ availible, Marc has been busy...!
+
+* Marc's pam-0.1/lib has been (quietly) enhanced and integrated into
+ Alex Yurie's collected tree of library and module code
+ (linux-pam.prop.1.tar.gz). Most of the changes are to do with error
+ checking. Some more robustness in the reading of the pam.conf file
+ and the addition of the pam_get_user() function.
+
+* The pam_*.h files have been reorganized to logically enforce the
+ separation of modules from applications. [Don't panic! Apart from
+ changing references of the form
+
+	#include "pam_appl.h"
+
+ to
+
+	#include <security/pam_appl.h>
+
+ The reorganization should be backwardly compatable (ie. a module
+ written for SUN will be as compatable as it was before with the
+ previous version ;)~ ]
+
+ (All of the source in this tree now conforms to this scheme...)
+
+ The new reorganization means that modules can be compiled with a
+ single header, <security/pam_modules.h>, and applications with
+ <security/pam_appl.h>.
+
+* I have tried to remove all the compiler warnings from the updated
+ "pamlib/*.c" files. On my system, (with a slightly modified <dlfcn.h>
+ email me if it interests you..) there are only two warnings that
+ remain: they are that ansi does not permit void --> fn ptr
+ assignment. K&Rv2 doesn't mention this....? As a matter of principle,
+ if anyone knows how to get rid of that warning... please
+ tell. Thanks! "-pedantic"
+
+* you can "make all" as a plain user, but
+
+* to "make install" you must be root. The include files are placed in
+ /usr/include/security. The libpam.so library is installed in /usr/lib
+ and the modules in /usr/lib/security. The two test binaries
+ are installed in the Linux-PAM-0.2/bin directory and a chance is given to
+ replace your /etc/pam.conf file with the one in Linux-PAM-0.2/conf.
+
+* I have included some documentation (pretty preliminary at the
+moment) which I have been working on in .../doc .
+
+I have had a little trouble with the modules, but atleast there are no
+segfaults! Please try it out and discuss your results... I actually
+hope it all works for you. But, Email any bugs/suggestions to the
+Linux-PAM list: linux-pam@mit.edu .....
+
+Regards,
+
+Andrew Morgan
+(morgan@physics.ucla.edu)
+
+
+Sat Feb 17 17:30:24 EST 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu)
+
+	* conf directory created with example of pam_conf
+	* stable code from pam_unix is added to modules/pam_unix
+	* test/test.c now requests username and password and attempts
+	  to perform authentication
+
diff --git a/Linux-PAM/Copyright b/Linux-PAM/Copyright
new file mode 100644
index 00000000..2f27a2ee
--- /dev/null
+++ b/Linux-PAM/Copyright
@@ -0,0 +1,41 @@
+Unless otherwise *explicitly* stated the following text describes the
+licensed conditions under which the contents of this Linux-PAM release
+may be distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of Linux-PAM, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+   notice, and this entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+   copyright notices, this list of conditions, and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+   products derived from this software without their specific prior
+   written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions.  (This clause is
+necessary due to a potential conflict between the GNU GPL and the
+restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
+
diff --git a/Linux-PAM/Make.Rules.in b/Linux-PAM/Make.Rules.in
new file mode 100644
index 00000000..cb537d16
--- /dev/null
+++ b/Linux-PAM/Make.Rules.in
@@ -0,0 +1,110 @@
+##
+## $Id: Make.Rules.in,v 1.1.1.2 2002/09/15 20:08:19 hartmans Exp $
+##
+## @configure_input@
+##
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+includedir = @includedir@
+
+absolute_srcdir = @LOCALSRCDIR@
+absolute_objdir = @LOCALOBJDIR@
+
+# major and minor numbers of this release
+MAJOR_REL=@LIBPAM_VERSION_MAJOR@
+MINOR_REL=@LIBPAM_VERSION_MINOR@
+
+# The following is the generic set of compiler options for compiling
+# Linux-PAM. True, they are a little anal. Pay attention to the comments
+# they generate.
+
+HEADER_DIRS=-I./include -I$(absolute_srcdir)/libpam/include \
+	-I$(absolute_objdir) -I$(absolute_srcdir)/libpamc/include
+WARNINGS=@WARNINGS@
+OS_CFLAGS=@OS_CFLAGS@
+PIC=@PIC@
+
+# Mode to install shared libraries with
+SHLIBMODE=@SHLIBMODE@
+
+NEED_LINK_LIB_C=@PAM_NEEDS_LIBC@
+HAVE_LCKPWDF=@HAVE_LCKPWDF@
+HAVE_LIBCRACK=@HAVE_LIBCRACK@
+HAVE_LIBCRYPT=@HAVE_LIBCRYPT@
+HAVE_LIBUTIL=@HAVE_LIBUTIL@
+HAVE_NDBM_H=@HAVE_NDBM_H@
+HAVE_LIBNDBM=@HAVE_LIBNDBM@
+HAVE_LIBDB=@HAVE_LIBDB@
+HAVE_LIBFL=@HAVE_LIBFL@
+HAVE_LIBNSL=@HAVE_LIBNSL@
+HAVE_LIBPWDB=@HAVE_LIBPWDB@
+
+ifeq (@HAVE_LIBFLEX@,yes)
+LINK_LIBLEX=-lfl
+else
+ifeq (@HAVE_LIBLEX@,yes)
+LINK_LIBLEX=-ll
+endif
+endif
+
+# documentation support
+HAVE_SGML2TXT=@HAVE_SGML2TXT@
+HAVE_SGML2HTML=@HAVE_SGML2HTML@
+HAVE_PS2PDF=@HAVE_PS2PDF@
+PSER=@PSER@
+DOCDIR=@DOCDIR@
+MANDIR=@MANDIR@
+
+# configuration settings
+WITH_DEBUG=@WITH_DEBUG@
+WITH_MEMORY_DEBUG=@WITH_MEMORY_DEBUG@
+WITH_LIBDEBUG=@WITH_LIBDEBUG@
+WITH_PAMLOCKING=@WITH_PAMLOCKING@
+WITH_LCKPWDF=@WITH_LCKPWDF@
+STATIC_LIBPAM=@STATIC_LIBPAM@
+DYNAMIC_LIBPAM=@DYNAMIC_LIBPAM@
+STATIC=@STATIC@
+DYNAMIC=@DYNAMIC@
+
+# Location of libraries when installed on the system
+FAKEROOT=@FAKEROOT@
+SECUREDIR=@SECUREDIR@
+SCONFIGD=@SCONFIGDIR@
+SUPLEMENTED=@SUPLEMENTED@
+INCLUDED=@INCLUDEDIR@/security
+CRACKLIB_DICTPATH=@CRACKLIB_DICTPATH@
+
+# generic build setup
+OS=@OS@
+CC=@CC@
+CFLAGS=$(WARNINGS) -D$(OS) $(OS_CFLAGS) $(HEADER_DIRS) @CONF_CFLAGS@
+LD=@LD@
+LD_D=@LD_D@
+LD_L=@LD_L@
+LDCONFIG=@LDCONFIG@
+DYNTYPE=@DYNTYPE@
+USESONAME=@USESONAME@
+NEEDSONAME=@NEEDSONAME@
+SOSWITCH=@SOSWITCH@
+LIBDL=@LIBDL@
+MKDIR=@MKDIR@
+INSTALL=@INSTALL@
+RANLIB=@RANLIB@
+STRIP=@STRIP@
+CC_STATIC=@CC_STATIC@
+
+LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL)
diff --git a/Linux-PAM/Makefile b/Linux-PAM/Makefile
new file mode 100644
index 00000000..cdc8505a
--- /dev/null
+++ b/Linux-PAM/Makefile
@@ -0,0 +1,78 @@
+##
+## $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:19 hartmans Exp $
+##
+
+## Note, ideally I would prefer it if this top level makefile did
+## not get created by autoconf. As I find typing 'make' and relying
+## on it to take care of all dependencies much more friendly than
+## the multi-stage autoconf+make and also worry about updates to
+## configure.in not getting propagated down the tree. (AGM) [I realise
+## that this may not prove possible, but at least I tried.. Sigh.]
+
+DISTNAME=Linux-PAM
+
+ifeq ($(shell test \! -f Make.Rules || echo yes),yes)
+    include Make.Rules
+endif
+
+THINGSTOMAKE = modules libpam libpamc libpam_misc doc examples
+
+all: $(THINGSTOMAKE)
+
+prep:
+	rm -f security
+	ln -sf . security
+
+clean:
+	if [ ! -f Make.Rules ]; then touch Make.Rules ; fi
+	for i in $(THINGSTOMAKE) ; do $(MAKE) -C $$i clean ; done
+	rm -f security *~ *.orig *.rej Make.Rules #*#
+
+distclean: clean
+	rm -f Make.Rules _pam_aconf.h
+	rm -f config.status config.cache config.log core
+
+maintainer-clean: distclean
+	@echo files should be ok for packaging now.
+
+# NB _pam_aconf.h.in changes will remake this too
+Make.Rules: configure Make.Rules.in _pam_aconf.h.in
+	@echo XXX - not sure how to preserve past configure options..
+	@echo XXX - so not attempting to. Feel free to run ./configure
+	@echo XXX - by hand, with the options you want.
+	./configure
+
+_pam_aconf.h: Make.Rules
+
+configure: configure.in
+	@echo
+	@echo You do not appear to have an up-to-date ./configure file.
+	@echo Please run autoconf, and then ./configure [..options..]
+	@echo
+	@rm -f configure
+	@exit 1
+
+$(THINGSTOMAKE): _pam_aconf.h prep
+	$(MAKE) -C $@ all
+
+install: _pam_aconf.h prep
+	$(MKDIR) $(FAKEROOT)$(INCLUDED)
+	$(INSTALL) -m 444 security/_pam_aconf.h $(FAKEROOT)$(INCLUDED)
+	for x in $(THINGSTOMAKE) ; do $(MAKE) -C $$x install ; done
+
+remove:
+	rm -f $(FAKEROOT)$(INCLUDED)/_pam_aconf.h
+	for x in $(THINGSTOMAKE) ; do $(MAKE) -C $$x remove ; done
+
+release:
+	@if [ ! -f Make.Rules ]; then echo $(MAKE) Make.Rules first ;exit 1 ;fi
+	@if [ ! -L ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) ]; then \
+	   echo generating ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) link ; \
+	   ln -sf $(DISTNAME) ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) ; \
+	   echo to ../$(DISTNAME) . ; fi
+	@diff ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/Make.Rules Make.Rules
+	$(MAKE) distclean
+	cd .. ; tar zvfc $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL).tar.gz \
+		--exclude CVS --exclude .cvsignore --exclude '.#*' \
+		$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/*
+
diff --git a/Linux-PAM/README b/Linux-PAM/README
new file mode 100644
index 00000000..8aab912a
--- /dev/null
+++ b/Linux-PAM/README
@@ -0,0 +1,28 @@
+#
+# $Id: README,v 1.1.1.1 2001/04/29 04:16:21 hartmans Exp $
+#
+
+Hello!
+
+Thanks for downloading Linux-PAM.
+
+NOTES:
+
+How to use it is as follows:
+
+      ./configure --help | less
+      ./configure <your-options>
+      make
+
+Note, if you are worried - don't even think about doing the next line
+(most Linux distributions already support PAM out of the box, so if
+something goes wrong with installing the code from this version your
+box may stop working..)
+
+      make install
+
+That said, please report problems to me.
+
+Andrew Morgan
+<morgan@kernel.org>
+<agmorgan@users.sourceforge.net>
diff --git a/Linux-PAM/_pam_aconf.h.in b/Linux-PAM/_pam_aconf.h.in
new file mode 100644
index 00000000..14c6f9fd
--- /dev/null
+++ b/Linux-PAM/_pam_aconf.h.in
@@ -0,0 +1,99 @@
+/*
+ * $Id: _pam_aconf.h.in,v 1.1.1.2 2002/09/15 20:08:20 hartmans Exp $
+ *
+ * 
+ */
+
+#ifndef PAM_ACONF_H
+#define PAM_ACONF_H
+
+/* lots of stuff gets written to /tmp/pam-debug.log */
+#undef DEBUG
+
+/* build libraries with different names (suffixed with 'd') */
+#undef WITH_LIBDEBUG
+
+/* provide a global locking facility within libpam */
+#undef PAM_LOCKING
+
+/* GNU systems as a class, all have the feature.h file */
+#undef HAVE_FEATURES_H
+#ifdef HAVE_FEATURES_H
+# define _SVID_SOURCE
+# define _BSD_SOURCE
+# define __USE_BSD
+# define __USE_SVID
+# define __USE_MISC
+# define _GNU_SOURCE
+# include <features.h>
+#endif /* HAVE_FEATURES_H */
+
+/* we have libcrack available */
+#undef HAVE_LIBCRACK
+
+/* we have libcrypt - its not part of libc (do we need both definitions?) */
+#undef HAVE_LIBCRYPT
+#undef HAVE_CRYPT_H
+
+/* we have libndbm and/or libdb */
+#undef HAVE_DB_H
+#undef HAVE_NDBM_H
+
+/* have libfl (Flex) */
+#undef HAVE_LIBFL
+
+/* have libnsl - instead of libc support */
+#undef HAVE_LIBNSL
+
+/* have libpwdb - don't expect this to be important for much longer */
+#undef HAVE_LIBPWDB
+
+/* have gethostname() declared */
+#undef HAVE_GETHOSTNAME
+
+#undef HAVE_GETTIMEOFDAY
+#undef HAVE_MKDIR
+#undef HAVE_SELECT
+#undef HAVE_STRCSPN
+#undef HAVE_STRDUP
+#undef HAVE_STRERROR
+#undef HAVE_STRSPN
+#undef HAVE_STRSTR
+#undef HAVE_STRTOL
+#undef HAVE_UNAME
+
+/* Define if reentrant declarations of standard nss functions are available */
+#undef HAVE_GETPWNAM_R
+#undef HAVE_GETGRNAM_R
+
+/* ugly hack to partially support old pam_strerror syntax */
+#undef UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT
+
+/* read both confs - read /etc/pam.d and /etc/pam.conf in serial */
+#undef PAM_READ_BOTH_CONFS
+
+#undef HAVE_PATHS_H
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+/* location of the mail spool directory */
+#undef PAM_PATH_MAILDIR
+
+/* where should we include setfsuid's prototype from? If this is not
+   defined, we get it from unistd.h */
+#undef HAVE_SYS_FSUID_H
+
+/* track all memory allocations and liberations */
+#undef MEMORY_DEBUG
+#ifdef MEMORY_DEBUG
+/*
+ * this is basically a hack - we need to include a semiarbitrary
+ * number of headers to ensure that we don't get silly prototype/macro
+ * confusion.
+ */
+# include <string.h>
+# include <stdlib.h>
+# include <security/pam_malloc.h>
+#endif /* MEMORY_DEBUG */
+
+#endif /* PAM_ACONF_H */
diff --git a/Linux-PAM/bin/README b/Linux-PAM/bin/README
new file mode 100644
index 00000000..427a871a
--- /dev/null
+++ b/Linux-PAM/bin/README
@@ -0,0 +1,30 @@
+##
+# $Id: README,v 1.1.1.1 2001/04/29 04:16:25 hartmans Exp $
+##
+
+(now we are getting networked apps, be careful to try and test on a
+securely isolated system!)
+
+N=2 <-- blank xsh
+
+Following a 'make install' (which should be done as root) in the
+parent directory this directory will contain $N binaries. The source
+for these programs is in ../examples. They are various short programs
+to use and otherwise test-drive the Linux-PAM libraries/modules with.
+
+These programs grant no privileges, but they give an idea of how well
+the modules are working.
+
+blank is new as of Linux-PAM-0.21. If you are writing/modifying an
+application it might be a place to start...
+
+xsh is new as of Linux-PAM-0.31, it is identical to blank, but invokes
+/bin/sh if the user is authenticated.
+
+[other apps are to be found in SimplePAMApps and many more on Red
+Hat's server.. http://www.redhat.com/]
+
+Best wishes
+
+Andrew
+(morgan@parc.power.net)
diff --git a/Linux-PAM/conf/Makefile b/Linux-PAM/conf/Makefile
new file mode 100644
index 00000000..a668607b
--- /dev/null
+++ b/Linux-PAM/conf/Makefile
@@ -0,0 +1,34 @@
+#
+# $Id: Makefile,v 1.1.1.1 2001/04/29 04:16:25 hartmans Exp $
+#
+#
+
+dummy:
+	@echo "*** This is not a top level Makefile!"
+
+##########################################################
+
+all:
+	$(MAKE) -C pam_conv1 all
+
+install: $(FAKEROOT)$(CONFIGED)/pam.conf
+	$(MAKE) -C pam_conv1 install
+
+$(FAKEROOT)$(CONFIGED)/pam.conf: ./pam.conf
+	bash -f ./install_conf
+
+remove:
+	rm -f $(FAKEROOT)$(CONFIGED)/pam.conf
+	$(MAKE) -C pam_conv1 remove
+
+check:
+	bash -f ./md5itall
+
+lclean:
+	rm -f core *~ .ignore_age
+
+clean: lclean
+	$(MAKE) -C pam_conv1 clean
+
+extraclean: lclean
+	$(MAKE) -C pam_conv1 extraclean
diff --git a/Linux-PAM/conf/install b/Linux-PAM/conf/install
new file mode 100755
index 00000000..2eae3671
--- /dev/null
+++ b/Linux-PAM/conf/install
@@ -0,0 +1,178 @@
+#!/bin/sh
+#
+# [This file was lifted from an X distribution. There was no explicit
+# copyright in the file, but the following text was associated with it.
+# should anyone from the X Consortium wish to alter the following
+# text. Please email <morgan@parc.power.net> Thanks. ]
+#
+# --------------------------
+# The X Consortium maintains and distributes the X Window System and
+# related software and documentation in coordinated releases. A release
+# consists of two distinct parts:
+# 
+# 1) Specifications and Sample implementations of X Consortium
+# standards, and
+# 
+# 2) software and documentation contributed by the general X Consortium
+# community.
+# 
+# The timing and contents of a release are determined by the Consortium
+# staff based on the needs and desires of the Members and the advice of
+# the Advisory Board, tempered by the resource constraints of the
+# Consortium.
+# 
+# Members have access to all X Consortium produced software and
+# documentation prior to release to the public. Each Member can receive
+# pre-releases and public releases at no charge. In addition, Members
+# have access to software and documentation while it is under
+# development, and can periodically request snapshots of the development
+# system at no charge.
+# 
+# The X Consortium also maintains an electronic mail system for
+# reporting problems with X Consortium produced software and
+# documentation. Members have access to all bug reports, as well as all
+# software patches as they are incrementally developed by the Consortium
+# staff between releases.
+# 
+# In general, all materials included in X Consortium releases are
+# copyrighted and contain permission notices granting unrestricted use,
+# sales and redistribution rights provided that the copyrights and the
+# permission notices are left intact. All materials are provided "as
+# is," without express or implied warranty.
+# --------------------------
+#
+# This accepts bsd-style install arguments and makes the appropriate calls
+# to the System V install.
+#
+
+flags=""
+dst=""
+src=""
+dostrip=""
+owner=""
+mode=""
+
+while [ x$1 != x ]; do
+    case $1 in 
+	-c) shift
+	    continue;;
+
+	-m) flags="$flags $1 $2 "
+	    mode="$2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) flags="$flags -u $2 "
+	    owner="$2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) flags="$flags $1 $2 "
+	    shift
+	    shift
+	    continue;;
+
+	-s) dostrip="strip"
+	    shift
+	    continue;;
+
+	*)  if [ x$src = x ] 
+	    then
+		src=$1
+	    else
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+case "$mode" in
+"")
+	;;
+*)
+	case "$owner" in
+	"")
+		flags="$flags -u root"
+		;;
+	esac
+	;;
+esac
+
+if [ x$src = x ] 
+then
+	echo "$0:  no input file specified"
+	exit 1
+fi
+
+if [ x$dst = x ] 
+then
+	echo "$0:  no destination specified"
+	exit 1
+fi
+
+
+# set up some variable to be used later
+
+rmcmd=""
+srcdir="."
+
+# if the destination isn't a directory we'll need to copy it first
+
+if [ ! -d $dst ]
+then
+	dstbase=`basename $dst`
+	cp $src /tmp/$dstbase
+	rmcmd="rm -f /tmp/$dstbase"
+	src=$dstbase
+	srcdir=/tmp
+	dst="`echo $dst | sed 's,^\(.*\)/.*$,\1,'`"
+	if [ x$dst = x ]
+	then
+		dst="."
+	fi
+fi
+
+
+# If the src file has a directory, copy it to /tmp to make install happy
+
+srcbase=`basename $src`
+
+if [ "$src" != "$srcbase" -a "$src" != "./$srcbase" ] 
+then
+	cp $src /tmp/$srcbase
+	src=$srcbase
+	srcdir=/tmp
+	rmcmd="rm -f /tmp/$srcbase"
+fi
+
+# do the actual install
+
+if [ -f /usr/sbin/install ]
+then
+	installcmd=/usr/sbin/install
+elif [ -f /etc/install ]
+then
+	installcmd=/etc/install
+else
+	installcmd=install
+fi
+
+# This rm is commented out because some people want to be able to
+# install through symbolic links.  Uncomment it if it offends you.
+rm -f $dst/$srcbase
+(cd $srcdir ; $installcmd -f $dst $flags $src)
+
+if [ x$dostrip = xstrip ]
+then
+	strip $dst/$srcbase
+fi
+
+# and clean up
+
+$rmcmd
+
+exit
+
diff --git a/Linux-PAM/conf/install_conf b/Linux-PAM/conf/install_conf
new file mode 100755
index 00000000..7a2acd98
--- /dev/null
+++ b/Linux-PAM/conf/install_conf
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+CONFILE="$FAKEROOT"$CONFIGED/pam.conf
+IGNORE_AGE=./.ignore_age
+CONF=./pam.conf
+
+echo
+
+if [ -f "$IGNORE_AGE" ]; then
+	echo "you don't want to be bothered with the age of your $CONFILE file"
+	yes="n"
+elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
+	if [ -f "$CONFILE" ]; then
+		echo "\
+An older Linux-PAM configuration file already exists ($CONFILE)"
+		WRITE=overwrite
+	fi
+	echo -n "\
+Do you wish to copy the $CONF file in this distribution
+to $CONFILE ? (y/n) [n] "
+	read yes
+else
+	yes=n
+fi
+
+if [ "$yes" = "y" ]; then
+	echo "  copying $CONF to $CONFILE"
+	cp $CONF $CONFILE
+else
+	touch "$IGNORE_AGE"
+	echo "  Skipping $CONF installation"
+fi
+
+echo
+
+exit 0
diff --git a/Linux-PAM/conf/md5itall b/Linux-PAM/conf/md5itall
new file mode 100755
index 00000000..2f532b31
--- /dev/null
+++ b/Linux-PAM/conf/md5itall
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# $Id: md5itall,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $
+#
+# Created by Andrew G. Morgan (morgan@parc.power.net)
+#
+
+MD5SUM=md5sum
+CHKFILE1=./.md5sum
+CHKFILE2=./.md5sum-new
+
+which $MD5SUM > /dev/null
+result=$?
+
+if [ -x "$MD5SUM" ] || [ $result -eq 0 ]; then
+	rm -f $CHKFILE2
+	echo -n "computing md5 checksums."
+	for x in `cat ../.filelist` ; do
+		(cd ../.. ; $MD5SUM $x) >> $CHKFILE2
+		echo -n "."
+	done
+	echo
+	if [ -f "$CHKFILE1" ]; then
+		echo "\
+---> Note, since the last \`make check', the following file(s) have changed:
+==========================================================================="
+		diff $CHKFILE1 $CHKFILE2
+		if [ $? -eq 0 ]; then
+			echo "\
+--------------------------- Nothing has changed ---------------------------"
+		fi
+		echo "\
+==========================================================================="
+	fi
+	rm -f "$CHKFILE1"
+	mv "$CHKFILE2" "$CHKFILE1"
+	chmod 400 "$CHKFILE1"
+else
+	echo "\
+Please install \`$MD5SUM'.
+[It is used to check the integrity of this distribution]
+---> no check done."
+fi
diff --git a/Linux-PAM/conf/mkdirp b/Linux-PAM/conf/mkdirp
new file mode 100755
index 00000000..b0e04b05
--- /dev/null
+++ b/Linux-PAM/conf/mkdirp
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# this is a wrapper for difficult mkdir programs...
+#
+
+for d in $*
+do
+	if [ ! -d $d ]; then
+		mkdir -p $d
+		if [ $? -ne 0 ]; then exit $? ; fi
+	fi
+done
+
+exit 0
+
+##########################################################################
+# if your mkdir does not support the -p option delete the above lines and
+# use what follows:
+--------------------
+#!/bin/sh
+
+#VERBOSE=yes
+Cwd=`pwd`
+
+for d in $*
+do
+	if [ "`echo $d|cut -c1`" != "/" ]; then 
+		x=`pwd`/$d
+	else
+		x=$d
+	fi
+	x="`echo $x|sed -e 'yX/X X'`"
+	cd /
+	for s in $x
+	do
+		if [ -d $s ]; then
+			if [ -n "$VERBOSE" ]; then echo -n "[$s/]"; fi
+			cd $s
+		else
+			mkdir $s
+			if [ $? -ne 0 ]; then exit $? ; fi
+			if [ -n "$VERBOSE" ]; then echo -n "$s/"; fi
+			cd $s
+		fi
+	done
+	if [ -n "$VERBOSE" ]; then echo ; fi
+	cd $Cwd
+done
+
+exit 0
diff --git a/Linux-PAM/conf/pam.conf b/Linux-PAM/conf/pam.conf
new file mode 100644
index 00000000..395b7ba3
--- /dev/null
+++ b/Linux-PAM/conf/pam.conf
@@ -0,0 +1,126 @@
+# ---------------------------------------------------------------------------#
+# /etc/pam.conf								     #
+#									     #
+# Last modified by Andrew G. Morgan <morgan@kernel.org>		             #
+# ---------------------------------------------------------------------------#
+# $Id: pam.conf,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $
+# ---------------------------------------------------------------------------#
+# serv.	module	   ctrl	      module [path]	...[args..]		     #
+# name	type	   flag							     #
+# ---------------------------------------------------------------------------#
+#
+# The PAM configuration file for the `chfn' service
+#
+chfn	auth       required   pam_unix.so
+chfn	account    required   pam_unix.so
+chfn	password   required   pam_cracklib.so retry=3
+chfn	password   required   pam_unix.so shadow md5 use_authtok
+#
+# The PAM configuration file for the `chsh' service
+#
+chsh	auth       required   pam_unix.so
+chsh	account    required   pam_unix.so
+chsh	password   required   pam_cracklib.so retry=3
+chsh	password   required   pam_unix.so shadow md5 use_authtok
+#
+# The PAM configuration file for the `ftp' service
+#
+ftp	auth       requisite  pam_listfile.so \
+		item=user sense=deny file=/etc/ftpusers onerr=succeed
+ftp	auth       requisite  pam_shells.so
+ftp	auth       required   pam_unix.so
+ftp	account    required   pam_unix.so
+#
+# The PAM configuration file for the `imap' service
+#
+imap	auth       required   pam_unix.so
+imap	account    required   pam_unix.so
+#
+# The PAM configuration file for the `login' service
+#
+login	auth       requisite  pam_securetty.so
+login	auth       required   pam_unix.so
+login	auth       optional   pam_group.so
+login	account    requisite  pam_time.so
+login	account    required   pam_unix.so
+login	password   required   pam_cracklib.so retry=3
+login	password   required   pam_unix.so shadow md5 use_authtok
+login	session    required   pam_unix.so
+#
+# The PAM configuration file for the `netatalk' service
+#
+netatalk	auth       required   pam_unix.so
+netatalk	account    required   pam_unix.so
+#
+# The PAM configuration file for the `other' service
+#
+other	auth       required   pam_deny.so
+other	auth       required   pam_warn.so
+other	account    required   pam_deny.so
+other	password   required   pam_deny.so
+other	password   required   pam_warn.so
+other	session    required   pam_deny.so
+#
+# The PAM configuration file for the `passwd' service
+#
+passwd	password   requisite  pam_cracklib.so retry=3
+passwd	password   required   pam_unix.so shadow md5 use_authtok
+#
+# The PAM configuration file for the `rexec' service
+#
+rexec	auth       requisite  pam_securetty.so
+rexec	auth       requisite  pam_nologin.so
+rexec	auth       sufficient pam_rhosts_auth.so
+rexec	auth       required   pam_unix.so
+rexec	account    required   pam_unix.so
+rexec	session    required   pam_unix.so
+rexec	session    required   pam_limits.so
+#
+# The PAM configuration file for the `rlogin' service
+# this application passes control to `login' if it fails
+#
+rlogin	auth       requisite  pam_securetty.so
+rlogin	auth       requisite  pam_nologin.so
+rlogin	auth       required   pam_rhosts_auth.so
+rlogin	account    required   pam_unix.so
+rlogin	password   required   pam_cracklib.so retry=3
+rlogin	password   required   pam_unix.so shadow md5 use_authtok
+rlogin	session    required   pam_unix.so
+rlogin	session    required   pam_limits.so
+#
+# The PAM configuration file for the `rsh' service
+#
+rsh	auth       requisite  pam_securetty.so
+rsh	auth       requisite  pam_nologin.so
+rsh	auth       sufficient pam_rhosts_auth.so
+rsh	auth       required   pam_unix.so
+rsh	account    required   pam_unix.so
+rsh	session    required   pam_unix.so
+rsh	session    required   pam_limits.so
+#
+# The PAM configuration file for the `samba' service
+#
+samba	auth       required   pam_unix.so
+samba	account    required   pam_unix.so
+#
+# The PAM configuration file for the `su' service
+#
+su	auth       required   pam_wheel.so
+su	auth       sufficient pam_rootok.so
+su	auth       required   pam_unix.so
+su	account    required   pam_unix.so
+su	session    required   pam_unix.so
+#
+# The PAM configuration file for the `vlock' service
+#
+vlock	auth       required   pam_unix.so
+#
+# The PAM configuration file for the `xdm' service
+#
+xdm	auth       required   pam_unix.so
+xdm	account    required   pam_unix.so
+#
+# The PAM configuration file for the `xlock' service
+#
+xlock	auth       required   pam_unix.so
+
diff --git a/Linux-PAM/conf/pam_conv1/Makefile b/Linux-PAM/conf/pam_conv1/Makefile
new file mode 100644
index 00000000..f23c8aa6
--- /dev/null
+++ b/Linux-PAM/conf/pam_conv1/Makefile
@@ -0,0 +1,46 @@
+#
+# $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:22 hartmans Exp $
+#
+
+include ../../Make.Rules
+
+#
+ifeq ($(OS),solaris)
+
+clean:
+      @echo not available in Solaris
+
+all:
+      @echo not available in Solaris
+
+install:
+      @echo not available in Solaris
+
+else
+
+all: pam_conv1
+
+pam_conv1: pam_conv.tab.c lex.yy.c
+	$(CC) -o pam_conv1 pam_conv.tab.c $(LINK_LIBLEX)
+
+pam_conv.tab.c: pam_conv.y lex.yy.c
+	bison pam_conv.y
+
+lex.yy.c: pam_conv.lex
+	flex pam_conv.lex
+
+lclean:
+	rm -f core pam_conv1 lex.yy.c pam_conv.tab.c *.o *~
+	rm -rf ./pam.d pam_conv.output
+
+clean: lclean
+
+install: pam_conv1
+	cp -f ./pam_conv1 ../../bin
+
+endif
+
+remove:
+	rm -f ../../bin/pam_conv1
+
+extraclean: remove clean
diff --git a/Linux-PAM/conf/pam_conv1/README b/Linux-PAM/conf/pam_conv1/README
new file mode 100644
index 00000000..3a750d73
--- /dev/null
+++ b/Linux-PAM/conf/pam_conv1/README
@@ -0,0 +1,10 @@
+$Id: README,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $
+
+This directory contains a untility to convert pam.conf files to a pam.d/
+tree. The conversion program takes pam.conf from the standard input and
+creates the pam.d/ directory in the current directory.
+
+The program will fail if ./pam.d/ already exists.
+
+Andrew Morgan, February 1997
+
diff --git a/Linux-PAM/conf/pam_conv1/pam_conv.lex b/Linux-PAM/conf/pam_conv1/pam_conv.lex
new file mode 100644
index 00000000..addc60ae
--- /dev/null
+++ b/Linux-PAM/conf/pam_conv1/pam_conv.lex
@@ -0,0 +1,42 @@
+
+%{
+/*
+ * $Id: pam_conv.lex,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $
+ *
+ * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+ *
+ * This file is covered by the Linux-PAM License (which should be
+ * distributed with this file.)
+ */
+
+    const static char lexid[]=
+	"$Id: pam_conv.lex,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $\n"
+	"Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>\n";
+
+    extern int current_line;
+%}
+
+%%
+
+"#"[^\n]*         ; /* skip comments (sorry) */
+
+"\\\n" {
+    ++current_line;
+}
+
+([^\n\t ]|[\\][^\n])+ {
+    return TOK;
+}
+
+[ \t]+      ; /* Ignore */
+
+<<EOF>> {
+    return EOFILE;
+}
+
+[\n] {
+    ++current_line;
+    return NL;
+}
+
+%%
diff --git a/Linux-PAM/conf/pam_conv1/pam_conv.y b/Linux-PAM/conf/pam_conv1/pam_conv.y
new file mode 100644
index 00000000..0cbfa5f8
--- /dev/null
+++ b/Linux-PAM/conf/pam_conv1/pam_conv.y
@@ -0,0 +1,204 @@
+%{
+
+/*
+ * $Id: pam_conv.y,v 1.1.1.2 2002/09/15 20:08:22 hartmans Exp $
+ *
+ * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+ *
+ * This file is covered by the Linux-PAM License (which should be
+ * distributed with this file.)
+ */
+
+    const static char bisonid[]=
+	"$Id: pam_conv.y,v 1.1.1.2 2002/09/15 20:08:22 hartmans Exp $\n"
+	"Copyright (c) Andrew G. Morgan 1997-8 <morgan@linux.kernel.org>\n";
+
+#include <string.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+
+    int current_line=1;
+    extern char *yytext;
+
+/* XXX - later we'll change this to be the specific conf file(s) */
+#define newpamf stderr
+
+#define PAM_D                "./pam.d"
+#define PAM_D_MODE           0755
+#define PAM_D_MAGIC_HEADER   \
+    "#%PAM-1.0\n" \
+    "#[For version 1.0 syntax, the above header is optional]\n"
+
+#define PAM_D_FILE_FMT       PAM_D "/%s"
+
+    const char *old_to_new_ctrl_flag(const char *old);
+    void yyerror(const char *format, ...);
+%}
+
+%union {
+    int def;
+    char *string;
+}
+
+%token NL EOFILE TOK
+
+%type <string> tok path tokenls
+
+%start complete
+
+%%
+
+complete
+:
+| complete NL
+| complete line
+| complete EOFILE {
+    return 0;
+}
+;
+
+line
+: tok tok tok path tokenls NL {
+    char *filename;
+    FILE *conf;
+    int i;
+
+    /* make sure we have lower case */
+    for (i=0; $1[i]; ++i) {
+	$1[i] = tolower($1[i]);
+    }
+
+    /* $1 = service-name */
+    yyerror("Appending to " PAM_D "/%s", $1);
+
+    filename = malloc(strlen($1) + sizeof(PAM_D) + 6);
+    sprintf(filename, PAM_D_FILE_FMT, $1);
+    conf = fopen(filename, "r");
+    if (conf == NULL) {
+	/* new file */
+	conf = fopen(filename, "w");
+	if (conf != NULL) {
+	    fprintf(conf, PAM_D_MAGIC_HEADER);
+	    fprintf(conf,
+		    "#\n"
+		    "# The PAM configuration file for the `%s' service\n"
+		    "#\n", $1);
+	}
+    } else {
+	fclose(conf);
+	conf = fopen(filename, "a");
+    }
+    if (conf == NULL) {
+	yyerror("trouble opening %s - aborting", filename);
+	exit(1);
+    }
+    free(filename);
+
+    /* $2 = module-type */
+    fprintf(conf, "%-10s", $2);
+    free($2);
+
+    /* $3 = required etc. */
+    {
+	const char *trans;
+
+	trans = old_to_new_ctrl_flag($3);
+	free($3);
+	fprintf(conf, " %-10s", trans);
+    }
+
+    /* $4 = module-path */
+    fprintf(conf, " %s", $4);
+    free($4);
+
+    /* $5 = arguments */
+    if ($5 != NULL) {
+	fprintf(conf, " \\\n\t\t%s", $5);
+	free($5);
+    }
+
+    /* end line */
+    fprintf(conf, "\n");
+
+    fclose(conf);
+}
+| error NL {
+    yyerror("malformed line");
+}
+;
+
+tokenls
+: {
+    $$=NULL;
+}
+| tokenls tok {
+    int len;
+
+    if ($1) {
+	len = strlen($1) + strlen($2) + 2;
+	$$ = malloc(len);
+	sprintf($$,"%s %s",$1,$2);
+	free($1);
+	free($2);
+    } else {
+	$$ = $2;
+    }
+}
+;
+
+path
+: TOK {
+    /* XXX - this could be used to check if file present */
+    $$ = strdup(yytext);
+}
+
+tok
+: TOK {
+    $$ = strdup(yytext);
+}
+
+%%
+
+#include "lex.yy.c"
+
+const char *old_to_new_ctrl_flag(const char *old)
+{
+    static const char *clist[] = {
+	"requisite",
+	"required",
+	"sufficient",
+	"optional",
+	NULL,
+    };
+    int i;
+
+    for (i=0; clist[i]; ++i) {
+	if (strcasecmp(clist[i], old) == 0) {
+	    break;
+	}
+    }
+
+    return clist[i];
+}
+
+void yyerror(const char *format, ...)
+{
+    va_list args;
+
+    fprintf(stderr, "line %d: ", current_line);
+    va_start(args, format);
+    vfprintf(stderr, format, args);
+    va_end(args);
+    fprintf(stderr, "\n");
+}
+
+int main(int argc, char *argv[])
+{
+    if (mkdir(PAM_D, PAM_D_MODE) != 0) {
+	yyerror(PAM_D " already exists.. aborting");
+	exit(1);
+    }
+    yyparse();
+    exit(0);
+}
diff --git a/Linux-PAM/configure b/Linux-PAM/configure
new file mode 100755
index 00000000..270184c7
--- /dev/null
+++ b/Linux-PAM/configure
@@ -0,0 +1,3887 @@
+#! /bin/sh
+
+# Guess values for system-dependent variables and create Makefiles.
+# Generated automatically using autoconf version 2.13 
+# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc.
+#
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+
+# Defaults:
+ac_help=
+ac_default_prefix=/usr/local
+# Any additions from configure.in:
+ac_default_prefix=
+ac_help="$ac_help
+  --enable-debug           specify you are building with debugging on"
+ac_help="$ac_help
+  --enable-memory-debug    specify you want every malloc etc. call tracked"
+ac_help="$ac_help
+  --enable-libdebug        specify you are building debugging libraries"
+ac_help="$ac_help
+  --enable-fakeroot=<path to packaging directory>"
+ac_help="$ac_help
+  --enable-securedir=<path to location of PAMs> [default \$libdir/security]"
+ac_help="$ac_help
+  --enable-sconfigdir=<path to module conf files> [default \$sysconfdir/security]"
+ac_help="$ac_help
+  --enable-suplementedir=<path to module helper binaries> [default \$sbindir]"
+ac_help="$ac_help
+  --enable-includedir=<path to include location> - where to put <security>"
+ac_help="$ac_help
+  --enable-docdir=<path to store documentation in - /usr/share/doc/pam>"
+ac_help="$ac_help
+  --enable-mandir=<path to store manuals in - /usr/share/man>"
+ac_help="$ac_help
+  --enable-pamlocking      configure libpam to observe a global authentication lock"
+ac_help="$ac_help
+  --enable-uglyhack        configure libpam to try to honor old pam_strerror syntax"
+ac_help="$ac_help
+  --enable-read-both-confs  read both /etc/pam.d and /etc/pam.conf files"
+ac_help="$ac_help
+  --enable-static-libpam   build a libpam.a library"
+ac_help="$ac_help
+  --disable-dynamic-libpam do not build a shared libpam library"
+ac_help="$ac_help
+  --enable-static-modules  do not make the modules dynamically loadable"
+ac_help="$ac_help
+  --disable-lckpwdf do not use the lckpwdf function"
+ac_help="$ac_help
+  --with-mailspool         path to mail spool directory
+                           [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]"
+
+# Initialize some variables set by options.
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+build=NONE
+cache_file=./config.cache
+exec_prefix=NONE
+host=NONE
+no_create=
+nonopt=NONE
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+target=NONE
+verbose=
+x_includes=NONE
+x_libraries=NONE
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datadir='${prefix}/share'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+libdir='${exec_prefix}/lib'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+infodir='${prefix}/info'
+mandir='${prefix}/man'
+
+# Initialize some other variables.
+subdirs=
+MFLAGS= MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+# Maximum number of lines to put in a shell here document.
+ac_max_here_lines=12
+
+ac_prev=
+for ac_option
+do
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$ac_prev"; then
+    eval "$ac_prev=\$ac_option"
+    ac_prev=
+    continue
+  fi
+
+  case "$ac_option" in
+  -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) ac_optarg= ;;
+  esac
+
+  # Accept the important Cygnus configure options, so we can diagnose typos.
+
+  case "$ac_option" in
+
+  -bindir | --bindir | --bindi | --bind | --bin | --bi)
+    ac_prev=bindir ;;
+  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+    bindir="$ac_optarg" ;;
+
+  -build | --build | --buil | --bui | --bu)
+    ac_prev=build ;;
+  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+    build="$ac_optarg" ;;
+
+  -cache-file | --cache-file | --cache-fil | --cache-fi \
+  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+    ac_prev=cache_file ;;
+  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+    cache_file="$ac_optarg" ;;
+
+  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+    ac_prev=datadir ;;
+  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
+  | --da=*)
+    datadir="$ac_optarg" ;;
+
+  -disable-* | --disable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*disable-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    eval "enable_${ac_feature}=no" ;;
+
+  -enable-* | --enable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "enable_${ac_feature}='$ac_optarg'" ;;
+
+  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+  | --exec | --exe | --ex)
+    ac_prev=exec_prefix ;;
+  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+  | --exec=* | --exe=* | --ex=*)
+    exec_prefix="$ac_optarg" ;;
+
+  -gas | --gas | --ga | --g)
+    # Obsolete; use --with-gas.
+    with_gas=yes ;;
+
+  -help | --help | --hel | --he)
+    # Omit some internal or obsolete options to make the list less imposing.
+    # This message is too long to be a string in the A/UX 3.1 sh.
+    cat << EOF
+Usage: configure [options] [host]
+Options: [defaults in brackets after descriptions]
+Configuration:
+  --cache-file=FILE       cache test results in FILE
+  --help                  print this message
+  --no-create             do not create output files
+  --quiet, --silent       do not print \`checking...' messages
+  --version               print the version of autoconf that created configure
+Directory and file names:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+                          [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+                          [same as prefix]
+  --bindir=DIR            user executables in DIR [EPREFIX/bin]
+  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
+  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
+  --datadir=DIR           read-only architecture-independent data in DIR
+                          [PREFIX/share]
+  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
+  --sharedstatedir=DIR    modifiable architecture-independent data in DIR
+                          [PREFIX/com]
+  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
+  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
+  --includedir=DIR        C header files in DIR [PREFIX/include]
+  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
+  --infodir=DIR           info documentation in DIR [PREFIX/info]
+  --mandir=DIR            man documentation in DIR [PREFIX/man]
+  --srcdir=DIR            find the sources in DIR [configure dir or ..]
+  --program-prefix=PREFIX prepend PREFIX to installed program names
+  --program-suffix=SUFFIX append SUFFIX to installed program names
+  --program-transform-name=PROGRAM
+                          run sed PROGRAM on installed program names
+EOF
+    cat << EOF
+Host type:
+  --build=BUILD           configure for building on BUILD [BUILD=HOST]
+  --host=HOST             configure for HOST [guessed]
+  --target=TARGET         configure for TARGET [TARGET=HOST]
+Features and packages:
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --x-includes=DIR        X include files are in DIR
+  --x-libraries=DIR       X library files are in DIR
+EOF
+    if test -n "$ac_help"; then
+      echo "--enable and --with options recognized:$ac_help"
+    fi
+    exit 0 ;;
+
+  -host | --host | --hos | --ho)
+    ac_prev=host ;;
+  -host=* | --host=* | --hos=* | --ho=*)
+    host="$ac_optarg" ;;
+
+  -includedir | --includedir | --includedi | --included | --include \
+  | --includ | --inclu | --incl | --inc)
+    ac_prev=includedir ;;
+  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+  | --includ=* | --inclu=* | --incl=* | --inc=*)
+    includedir="$ac_optarg" ;;
+
+  -infodir | --infodir | --infodi | --infod | --info | --inf)
+    ac_prev=infodir ;;
+  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+    infodir="$ac_optarg" ;;
+
+  -libdir | --libdir | --libdi | --libd)
+    ac_prev=libdir ;;
+  -libdir=* | --libdir=* | --libdi=* | --libd=*)
+    libdir="$ac_optarg" ;;
+
+  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+  | --libexe | --libex | --libe)
+    ac_prev=libexecdir ;;
+  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+  | --libexe=* | --libex=* | --libe=*)
+    libexecdir="$ac_optarg" ;;
+
+  -localstatedir | --localstatedir | --localstatedi | --localstated \
+  | --localstate | --localstat | --localsta | --localst \
+  | --locals | --local | --loca | --loc | --lo)
+    ac_prev=localstatedir ;;
+  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
+  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+    localstatedir="$ac_optarg" ;;
+
+  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+    ac_prev=mandir ;;
+  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+    mandir="$ac_optarg" ;;
+
+  -nfp | --nfp | --nf)
+    # Obsolete; use --without-fp.
+    with_fp=no ;;
+
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c)
+    no_create=yes ;;
+
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+    no_recursion=yes ;;
+
+  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+  | --oldin | --oldi | --old | --ol | --o)
+    ac_prev=oldincludedir ;;
+  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+    oldincludedir="$ac_optarg" ;;
+
+  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+    ac_prev=prefix ;;
+  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+    prefix="$ac_optarg" ;;
+
+  -program-prefix | --program-prefix | --program-prefi | --program-pref \
+  | --program-pre | --program-pr | --program-p)
+    ac_prev=program_prefix ;;
+  -program-prefix=* | --program-prefix=* | --program-prefi=* \
+  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+    program_prefix="$ac_optarg" ;;
+
+  -program-suffix | --program-suffix | --program-suffi | --program-suff \
+  | --program-suf | --program-su | --program-s)
+    ac_prev=program_suffix ;;
+  -program-suffix=* | --program-suffix=* | --program-suffi=* \
+  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+    program_suffix="$ac_optarg" ;;
+
+  -program-transform-name | --program-transform-name \
+  | --program-transform-nam | --program-transform-na \
+  | --program-transform-n | --program-transform- \
+  | --program-transform | --program-transfor \
+  | --program-transfo | --program-transf \
+  | --program-trans | --program-tran \
+  | --progr-tra | --program-tr | --program-t)
+    ac_prev=program_transform_name ;;
+  -program-transform-name=* | --program-transform-name=* \
+  | --program-transform-nam=* | --program-transform-na=* \
+  | --program-transform-n=* | --program-transform-=* \
+  | --program-transform=* | --program-transfor=* \
+  | --program-transfo=* | --program-transf=* \
+  | --program-trans=* | --program-tran=* \
+  | --progr-tra=* | --program-tr=* | --program-t=*)
+    program_transform_name="$ac_optarg" ;;
+
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil)
+    silent=yes ;;
+
+  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+    ac_prev=sbindir ;;
+  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+  | --sbi=* | --sb=*)
+    sbindir="$ac_optarg" ;;
+
+  -sharedstatedir | --sharedstatedir | --sharedstatedi \
+  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+  | --sharedst | --shareds | --shared | --share | --shar \
+  | --sha | --sh)
+    ac_prev=sharedstatedir ;;
+  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+  | --sha=* | --sh=*)
+    sharedstatedir="$ac_optarg" ;;
+
+  -site | --site | --sit)
+    ac_prev=site ;;
+  -site=* | --site=* | --sit=*)
+    site="$ac_optarg" ;;
+
+  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+    ac_prev=srcdir ;;
+  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+    srcdir="$ac_optarg" ;;
+
+  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+  | --syscon | --sysco | --sysc | --sys | --sy)
+    ac_prev=sysconfdir ;;
+  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+    sysconfdir="$ac_optarg" ;;
+
+  -target | --target | --targe | --targ | --tar | --ta | --t)
+    ac_prev=target ;;
+  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+    target="$ac_optarg" ;;
+
+  -v | -verbose | --verbose | --verbos | --verbo | --verb)
+    verbose=yes ;;
+
+  -version | --version | --versio | --versi | --vers)
+    echo "configure generated by autoconf version 2.13"
+    exit 0 ;;
+
+  -with-* | --with-*)
+    ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "with_${ac_package}='$ac_optarg'" ;;
+
+  -without-* | --without-*)
+    ac_package=`echo $ac_option|sed -e 's/-*without-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    eval "with_${ac_package}=no" ;;
+
+  --x)
+    # Obsolete; use --with-x.
+    with_x=yes ;;
+
+  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+  | --x-incl | --x-inc | --x-in | --x-i)
+    ac_prev=x_includes ;;
+  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+    x_includes="$ac_optarg" ;;
+
+  -x-libraries | --x-libraries | --x-librarie | --x-librari \
+  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+    ac_prev=x_libraries ;;
+  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+    x_libraries="$ac_optarg" ;;
+
+  -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; }
+    ;;
+
+  *)
+    if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then
+      echo "configure: warning: $ac_option: invalid host type" 1>&2
+    fi
+    if test "x$nonopt" != xNONE; then
+      { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; }
+    fi
+    nonopt="$ac_option"
+    ;;
+
+  esac
+done
+
+if test -n "$ac_prev"; then
+  { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; }
+fi
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 6 checking for... messages and results
+# 5 compiler messages saved in config.log
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>./config.log
+
+echo "\
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+" 1>&5
+
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Also quote any args containing shell metacharacters.
+ac_configure_args=
+for ac_arg
+do
+  case "$ac_arg" in
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c) ;;
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
+  ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+  *) ac_configure_args="$ac_configure_args $ac_arg" ;;
+  esac
+done
+
+# NLS nuisances.
+# Only set these to C if already set.  These must not be set unconditionally
+# because not all systems understand e.g. LANG=C (notably SCO).
+# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'!
+# Non-C LC_CTYPE values break the ctype check.
+if test "${LANG+set}"   = set; then LANG=C;   export LANG;   fi
+if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
+if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi
+if test "${LC_CTYPE+set}"    = set; then LC_CTYPE=C;    export LC_CTYPE;    fi
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -rf conftest* confdefs.h
+# AIX cpp loses on an empty file, so make sure it contains at least a newline.
+echo > confdefs.h
+
+# A filename unique to this package, relative to the directory that
+# configure is in, which we can look for to find out if srcdir is correct.
+ac_unique_file=conf/pam_conv1/pam_conv.y
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+  ac_srcdir_defaulted=yes
+  # Try the directory containing this script, then its parent.
+  ac_prog=$0
+  ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'`
+  test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
+  srcdir=$ac_confdir
+  if test ! -r $srcdir/$ac_unique_file; then
+    srcdir=..
+  fi
+else
+  ac_srcdir_defaulted=no
+fi
+if test ! -r $srcdir/$ac_unique_file; then
+  if test "$ac_srcdir_defaulted" = yes; then
+    { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; }
+  else
+    { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; }
+  fi
+fi
+srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'`
+
+# Prefer explicitly selected file to automatically selected ones.
+if test -z "$CONFIG_SITE"; then
+  if test "x$prefix" != xNONE; then
+    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
+  else
+    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
+  fi
+fi
+for ac_site_file in $CONFIG_SITE; do
+  if test -r "$ac_site_file"; then
+    echo "loading site script $ac_site_file"
+    . "$ac_site_file"
+  fi
+done
+
+if test -r "$cache_file"; then
+  echo "loading cache $cache_file"
+  . $cache_file
+else
+  echo "creating cache $cache_file"
+  > $cache_file
+fi
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+ac_exeext=
+ac_objext=o
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+  # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
+  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+    ac_n= ac_c='
+' ac_t='	'
+  else
+    ac_n=-n ac_c= ac_t=
+  fi
+else
+  ac_n= ac_c='\c' ac_t=
+fi
+
+
+
+
+
+
+LIBPAM_VERSION_MAJOR=0
+LIBPAM_VERSION_MINOR=76
+
+
+
+cat >> confdefs.h <<\EOF
+#define LIBPAM_VERSION_MAJOR 1
+EOF
+
+cat >> confdefs.h <<\EOF
+#define LIBPAM_VERSION_MINOR 1
+EOF
+
+
+
+
+
+LOCALSRCDIR=`/bin/pwd`         ; 
+LOCALOBJDIR=`/bin/pwd`         ; 
+OS=`uname|sed -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'`
+
+
+
+CONF_CFLAGS=			; 
+MKDIR="mkdir -p"		; 
+
+SHLIBMODE=755			; 
+
+USESONAME=yes			; 
+SOSWITCH=-soname		; 
+NEEDSONAME=no			; 
+LDCONFIG=/sbin/ldconfig		; 
+
+if test "$OS" = "aix"; then
+  INSTALL=/usr/ucb/install -c
+else
+  INSTALL=/usr/bin/install
+fi
+
+
+# Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:610: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="gcc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:640: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_prog_rejected=no
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
+        ac_prog_rejected=yes
+	continue
+      fi
+      ac_cv_prog_CC="cc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# -gt 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    set dummy "$ac_dir/$ac_word" "$@"
+    shift
+    ac_cv_prog_CC="$@"
+  fi
+fi
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+  if test -z "$CC"; then
+    case "`uname -s`" in
+    *win32* | *WIN32*)
+      # Extract the first word of "cl", so it can be a program name with args.
+set dummy cl; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:691: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="cl"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+ ;;
+    esac
+  fi
+  test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
+fi
+
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
+echo "configure:723: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+cat > conftest.$ac_ext << EOF
+
+#line 734 "configure"
+#include "confdefs.h"
+
+main(){return(0);}
+EOF
+if { (eval echo configure:739: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  ac_cv_prog_cc_works=yes
+  # If we can't run a trivial program, we are probably using a cross compiler.
+  if (./conftest; exit) 2>/dev/null; then
+    ac_cv_prog_cc_cross=no
+  else
+    ac_cv_prog_cc_cross=yes
+  fi
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_prog_cc_works=no
+fi
+rm -fr conftest*
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
+if test $ac_cv_prog_cc_works = no; then
+  { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
+fi
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
+echo "configure:765: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
+echo "configure:770: checking whether we are using GNU C" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.c <<EOF
+#ifdef __GNUC__
+  yes;
+#endif
+EOF
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:779: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+  ac_cv_prog_gcc=yes
+else
+  ac_cv_prog_gcc=no
+fi
+fi
+
+echo "$ac_t""$ac_cv_prog_gcc" 1>&6
+
+if test $ac_cv_prog_gcc = yes; then
+  GCC=yes
+else
+  GCC=
+fi
+
+ac_test_CFLAGS="${CFLAGS+set}"
+ac_save_CFLAGS="$CFLAGS"
+CFLAGS=
+echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
+echo "configure:798: checking whether ${CC-cc} accepts -g" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  echo 'void f(){}' > conftest.c
+if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
+  ac_cv_prog_cc_g=yes
+else
+  ac_cv_prog_cc_g=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_prog_cc_g" 1>&6
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS="$ac_save_CFLAGS"
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+
+for ac_prog in 'bison -y' byacc
+do
+# Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:834: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_YACC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$YACC"; then
+  ac_cv_prog_YACC="$YACC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_YACC="$ac_prog"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+YACC="$ac_cv_prog_YACC"
+if test -n "$YACC"; then
+  echo "$ac_t""$YACC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+test -n "$YACC" && break
+done
+test -n "$YACC" || YACC="yacc"
+
+# Extract the first word of "flex", so it can be a program name with args.
+set dummy flex; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:867: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_LEX="flex"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_LEX" && ac_cv_prog_LEX="lex"
+fi
+fi
+LEX="$ac_cv_prog_LEX"
+if test -n "$LEX"; then
+  echo "$ac_t""$LEX" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$LEXLIB"
+then
+  case "$LEX" in
+  flex*) ac_lib=fl ;;
+  *) ac_lib=l ;;
+  esac
+  echo $ac_n "checking for yywrap in -l$ac_lib""... $ac_c" 1>&6
+echo "configure:901: checking for yywrap in -l$ac_lib" >&5
+ac_lib_var=`echo $ac_lib'_'yywrap | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-l$ac_lib  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 909 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char yywrap();
+
+int main() {
+yywrap()
+; return 0; }
+EOF
+if { (eval echo configure:920: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  LEXLIB="-l$ac_lib"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+fi
+
+echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6
+echo "configure:943: checking whether ln -s works" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  ac_cv_prog_LN_S=ln
+fi
+fi
+LN_S="$ac_cv_prog_LN_S"
+if test "$ac_cv_prog_LN_S" = "ln -s"; then
+  echo "$ac_t""yes" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6
+echo "configure:964: checking whether ${MAKE-make} sets \${MAKE}" >&5
+set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftestmake <<\EOF
+all:
+	@echo 'ac_maketemp="${MAKE}"'
+EOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+eval `${MAKE-make} -f conftestmake 2>/dev/null | grep temp=`
+if test -n "$ac_maketemp"; then
+  eval ac_cv_prog_make_${ac_make}_set=yes
+else
+  eval ac_cv_prog_make_${ac_make}_set=no
+fi
+rm -f conftestmake
+fi
+if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  SET_MAKE=
+else
+  echo "$ac_t""no" 1>&6
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+
+
+# Check whether --enable-debug or --disable-debug was given.
+if test "${enable_debug+set}" = set; then
+  enableval="$enable_debug"
+  WITH_DEBUG=yes ; cat >> confdefs.h <<\EOF
+#define DEBUG 1
+EOF
+ 
+else
+  WITH_DEBUG=no
+fi
+
+
+
+# Check whether --enable-memory-debug or --disable-memory-debug was given.
+if test "${enable_memory_debug+set}" = set; then
+  enableval="$enable_memory_debug"
+  WITH_MEMORY_DEBUG=yes ; cat >> confdefs.h <<\EOF
+#define MEMORY_DEBUG 1
+EOF
+ 
+else
+  WITH_MEMORY_DEBUG=no
+fi
+
+
+
+# Check whether --enable-libdebug or --disable-libdebug was given.
+if test "${enable_libdebug+set}" = set; then
+  enableval="$enable_libdebug"
+  WITH_LIBDEBUG=yes ; cat >> confdefs.h <<\EOF
+#define WITH_LIBDEBUG 1
+EOF
+ 
+else
+  WITH_LIBDEBUG=no
+fi
+
+
+
+# Check whether --enable-fakeroot or --disable-fakeroot was given.
+if test "${enable_fakeroot+set}" = set; then
+  enableval="$enable_fakeroot"
+  FAKEROOT=$enableval
+fi
+
+
+
+# Check whether --enable-securedir or --disable-securedir was given.
+if test "${enable_securedir+set}" = set; then
+  enableval="$enable_securedir"
+  SECUREDIR=$enableval
+else
+  SECUREDIR=$libdir/security
+fi
+
+
+
+# Check whether --enable-sconfigdir or --disable-sconfigdir was given.
+if test "${enable_sconfigdir+set}" = set; then
+  enableval="$enable_sconfigdir"
+  SCONFIGDIR=$enableval
+else
+  SCONFIGDIR=$sysconfdir/security
+fi
+
+
+
+# Check whether --enable-suplementedir or --disable-suplementedir was given.
+if test "${enable_suplementedir+set}" = set; then
+  enableval="$enable_suplementedir"
+  SUPLEMENTED=$enableval
+else
+  SUPLEMENTED=$sbindir
+fi
+
+
+
+# Check whether --enable-includedir or --disable-includedir was given.
+if test "${enable_includedir+set}" = set; then
+  enableval="$enable_includedir"
+  INCLUDEDIR=$enableval
+else
+  INCLUDEDIR=/usr/include
+fi
+
+
+
+# Check whether --enable-docdir or --disable-docdir was given.
+if test "${enable_docdir+set}" = set; then
+  enableval="$enable_docdir"
+  DOCDIR=$enableval
+else
+  DOCDIR=/usr/share/doc/pam
+fi
+
+
+
+# Check whether --enable-mandir or --disable-mandir was given.
+if test "${enable_mandir+set}" = set; then
+  enableval="$enable_mandir"
+  MANDIR=$enableval
+else
+  MANDIR=/usr/share/man
+fi
+
+
+
+# Check whether --enable-pamlocking or --disable-pamlocking was given.
+if test "${enable_pamlocking+set}" = set; then
+  enableval="$enable_pamlocking"
+  WITH_PAMLOCKING=yes ; cat >> confdefs.h <<\EOF
+#define PAM_LOCKING 1
+EOF
+ 
+else
+  WITH_PAMLOCKING=no
+fi
+
+
+
+# Check whether --enable-uglyhack or --disable-uglyhack was given.
+if test "${enable_uglyhack+set}" = set; then
+  enableval="$enable_uglyhack"
+  cat >> confdefs.h <<\EOF
+#define UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT 1
+EOF
+
+fi
+
+
+# Check whether --enable-read-both-confs or --disable-read-both-confs was given.
+if test "${enable_read_both_confs+set}" = set; then
+  enableval="$enable_read_both_confs"
+  cat >> confdefs.h <<\EOF
+#define PAM_READ_BOTH_CONFS 1
+EOF
+
+fi
+
+
+
+# Check whether --enable-static-libpam or --disable-static-libpam was given.
+if test "${enable_static_libpam+set}" = set; then
+  enableval="$enable_static_libpam"
+  STATIC_LIBPAM=yes 
+else
+  STATIC_LIBPAM=no
+fi
+
+
+
+# Check whether --enable-dynamic-libpam or --disable-dynamic-libpam was given.
+if test "${enable_dynamic_libpam+set}" = set; then
+  enableval="$enable_dynamic_libpam"
+  DYNAMIC_LIBPAM=no
+else
+  DYNAMIC_LIBPAM=yes
+fi
+
+
+
+DYNAMIC=-DPAM_DYNAMIC
+
+
+# Check whether --enable-static-modules or --disable-static-modules was given.
+if test "${enable_static_modules+set}" = set; then
+  enableval="$enable_static_modules"
+  STATIC=-DPAM_STATIC
+fi
+
+
+
+# Check whether --enable-lckpwdf or --disable-lckpwdf was given.
+if test "${enable_lckpwdf+set}" = set; then
+  enableval="$enable_lckpwdf"
+  WITH_LCKPWDF=no
+else
+  WITH_LCKPWDF=yes
+fi
+
+
+
+echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
+echo "configure:1175: checking how to run the C preprocessor" >&5
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    # This must be in double quotes, not single quotes, because CPP may get
+  # substituted into the Makefile and "${CC-cc}" will confuse make.
+  CPP="${CC-cc} -E"
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp.
+  cat > conftest.$ac_ext <<EOF
+#line 1190 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1196: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -E -traditional-cpp"
+  cat > conftest.$ac_ext <<EOF
+#line 1207 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1213: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -nologo -E"
+  cat > conftest.$ac_ext <<EOF
+#line 1224 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1230: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP=/lib/cpp
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+  ac_cv_prog_CPP="$CPP"
+fi
+  CPP="$ac_cv_prog_CPP"
+else
+  ac_cv_prog_CPP="$CPP"
+fi
+echo "$ac_t""$CPP" 1>&6
+
+for ac_hdr in paths.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:1258: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1263 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1268: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+# Check whether --with-mailspool or --without-mailspool was given.
+if test "${with_mailspool+set}" = set; then
+  withval="$with_mailspool"
+  with_mailspool=${withval}
+fi
+
+if test x$with_mailspool != x ; then
+	pam_mail_spool="\"$with_mailspool\""
+else
+	if test "$cross_compiling" = yes; then
+  pam_mail_spool="\"/var/spool/mail\""
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1307 "configure"
+#include "confdefs.h"
+
+#include <paths.h>
+int main() {
+#ifdef _PATH_MAILDIR
+exit(0);
+#else
+exit(1);
+#endif
+}
+EOF
+if { (eval echo configure:1319: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  pam_mail_spool="_PATH_MAILDIR"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  pam_mail_spool="\"/var/spool/mail\""
+fi
+rm -fr conftest*
+fi
+
+fi
+cat >> confdefs.h <<EOF
+#define PAM_PATH_MAILDIR $pam_mail_spool
+EOF
+
+
+echo $ac_n "checking for __libc_sched_setscheduler in -lc""... $ac_c" 1>&6
+echo "configure:1338: checking for __libc_sched_setscheduler in -lc" >&5
+ac_lib_var=`echo c'_'__libc_sched_setscheduler | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lc  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1346 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char __libc_sched_setscheduler();
+
+int main() {
+__libc_sched_setscheduler()
+; return 0; }
+EOF
+if { (eval echo configure:1357: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  PAM_NEEDS_LIBC=
+else
+  echo "$ac_t""no" 1>&6
+PAM_NEEDS_LIBC=-lc
+fi
+
+
+
+echo $ac_n "checking for lckpwdf in -lc""... $ac_c" 1>&6
+echo "configure:1381: checking for lckpwdf in -lc" >&5
+ac_lib_var=`echo c'_'lckpwdf | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lc  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1389 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char lckpwdf();
+
+int main() {
+lckpwdf()
+; return 0; }
+EOF
+if { (eval echo configure:1400: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LCKPWDF=yes
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LCKPWDF=no
+fi
+
+
+
+echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
+echo "configure:1424: checking for dlopen in -ldl" >&5
+ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldl  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1432 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char dlopen();
+
+int main() {
+dlopen()
+; return 0; }
+EOF
+if { (eval echo configure:1443: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  LIBDL=-ldl
+else
+  echo "$ac_t""no" 1>&6
+fi
+ 
+
+
+echo $ac_n "checking for FascistCheck in -lcrack""... $ac_c" 1>&6
+echo "configure:1466: checking for FascistCheck in -lcrack" >&5
+ac_lib_var=`echo crack'_'FascistCheck | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lcrack  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1474 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char FascistCheck();
+
+int main() {
+FascistCheck()
+; return 0; }
+EOF
+if { (eval echo configure:1485: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBCRACK=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBCRACK 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBCRACK=no
+fi
+
+
+
+echo $ac_n "checking for fcrypt in -lcrypt""... $ac_c" 1>&6
+echo "configure:1512: checking for fcrypt in -lcrypt" >&5
+ac_lib_var=`echo crypt'_'fcrypt | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lcrypt  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1520 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char fcrypt();
+
+int main() {
+fcrypt()
+; return 0; }
+EOF
+if { (eval echo configure:1531: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBCRYPT=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBCRYPT 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBCRYPT=no
+fi
+
+
+echo $ac_n "checking for logwtmp in -lutil""... $ac_c" 1>&6
+echo "configure:1557: checking for logwtmp in -lutil" >&5
+ac_lib_var=`echo util'_'logwtmp | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lutil  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1565 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char logwtmp();
+
+int main() {
+logwtmp()
+; return 0; }
+EOF
+if { (eval echo configure:1576: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBUTIL=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBUTIL 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBUTIL=no
+fi
+
+
+echo $ac_n "checking for dbm_store in -lndbm""... $ac_c" 1>&6
+echo "configure:1602: checking for dbm_store in -lndbm" >&5
+ac_lib_var=`echo ndbm'_'dbm_store | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lndbm  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1610 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char dbm_store();
+
+int main() {
+dbm_store()
+; return 0; }
+EOF
+if { (eval echo configure:1621: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBNDBM=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBNDBM 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBNDBM=no
+fi
+
+
+echo $ac_n "checking for dbm_store in -ldb""... $ac_c" 1>&6
+echo "configure:1647: checking for dbm_store in -ldb" >&5
+ac_lib_var=`echo db'_'dbm_store | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldb  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1655 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char dbm_store();
+
+int main() {
+dbm_store()
+; return 0; }
+EOF
+if { (eval echo configure:1666: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBDB=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBDB 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBDB=no
+fi
+
+if test x$HAVE_LIBDB != xyes ; then
+	echo $ac_n "checking for db_create in -ldb""... $ac_c" 1>&6
+echo "configure:1692: checking for db_create in -ldb" >&5
+ac_lib_var=`echo db'_'db_create | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldb  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1700 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char db_create();
+
+int main() {
+db_create()
+; return 0; }
+EOF
+if { (eval echo configure:1711: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBDB=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBDB 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBDB=no
+fi
+
+fi
+
+echo $ac_n "checking for yylex in -lfl""... $ac_c" 1>&6
+echo "configure:1738: checking for yylex in -lfl" >&5
+ac_lib_var=`echo fl'_'yylex | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lfl HAVE_LIBFL=no $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1746 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char yylex();
+
+int main() {
+yylex()
+; return 0; }
+EOF
+if { (eval echo configure:1757: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  yyterminate
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBFL=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBFL 1
+EOF
+
+fi
+
+
+echo $ac_n "checking for yp_maplist in -lnsl""... $ac_c" 1>&6
+echo "configure:1783: checking for yp_maplist in -lnsl" >&5
+ac_lib_var=`echo nsl'_'yp_maplist | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lnsl  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1791 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char yp_maplist();
+
+int main() {
+yp_maplist()
+; return 0; }
+EOF
+if { (eval echo configure:1802: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBNSL=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBNSL 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBNSL=no
+fi
+
+
+echo $ac_n "checking for pwdb_db_name in -lpwdb""... $ac_c" 1>&6
+echo "configure:1828: checking for pwdb_db_name in -lpwdb" >&5
+ac_lib_var=`echo pwdb'_'pwdb_db_name | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lpwdb  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1836 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char pwdb_db_name();
+
+int main() {
+pwdb_db_name()
+; return 0; }
+EOF
+if { (eval echo configure:1847: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBPWDB=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBPWDB 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBPWDB=no
+fi
+
+
+echo $ac_n "checking for yywrap in -lfl""... $ac_c" 1>&6
+echo "configure:1873: checking for yywrap in -lfl" >&5
+ac_lib_var=`echo fl'_'yywrap | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lfl  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1881 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char yywrap();
+
+int main() {
+yywrap()
+; return 0; }
+EOF
+if { (eval echo configure:1892: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBFLEX=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBFLEX 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBFLEX=no
+fi
+
+
+echo $ac_n "checking for yywrap in -ll""... $ac_c" 1>&6
+echo "configure:1918: checking for yywrap in -ll" >&5
+ac_lib_var=`echo l'_'yywrap | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ll  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1926 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char yywrap();
+
+int main() {
+yywrap()
+; return 0; }
+EOF
+if { (eval echo configure:1937: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  HAVE_LIBLEX=yes ; cat >> confdefs.h <<\EOF
+#define HAVE_LIBLEX 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+HAVE_LIBLEX=no
+fi
+
+
+
+ac_header_dirent=no
+for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr that defines DIR""... $ac_c" 1>&6
+echo "configure:1968: checking for $ac_hdr that defines DIR" >&5
+if eval "test \"`echo '$''{'ac_cv_header_dirent_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1973 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <$ac_hdr>
+int main() {
+DIR *dirp = 0;
+; return 0; }
+EOF
+if { (eval echo configure:1981: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_header_dirent_$ac_safe=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_dirent_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_dirent_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ ac_header_dirent=$ac_hdr; break
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+# Two versions of opendir et al. are in -ldir and -lx on SCO Xenix.
+if test $ac_header_dirent = dirent.h; then
+echo $ac_n "checking for opendir in -ldir""... $ac_c" 1>&6
+echo "configure:2006: checking for opendir in -ldir" >&5
+ac_lib_var=`echo dir'_'opendir | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldir  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2014 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char opendir();
+
+int main() {
+opendir()
+; return 0; }
+EOF
+if { (eval echo configure:2025: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  LIBS="$LIBS -ldir"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+else
+echo $ac_n "checking for opendir in -lx""... $ac_c" 1>&6
+echo "configure:2047: checking for opendir in -lx" >&5
+ac_lib_var=`echo x'_'opendir | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lx  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2055 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char opendir();
+
+int main() {
+opendir()
+; return 0; }
+EOF
+if { (eval echo configure:2066: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  LIBS="$LIBS -lx"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+fi
+
+echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
+echo "configure:2089: checking for ANSI C header files" >&5
+if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2094 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:2102: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  ac_cv_header_stdc=yes
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 2119 "configure"
+#include "confdefs.h"
+#include <string.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 2137 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2158 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int main () { int i; for (i = 0; i < 256; i++)
+if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
+exit (0); }
+
+EOF
+if { (eval echo configure:2169: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_header_stdc=no
+fi
+rm -fr conftest*
+fi
+
+fi
+fi
+
+echo "$ac_t""$ac_cv_header_stdc" 1>&6
+if test $ac_cv_header_stdc = yes; then
+  cat >> confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
+
+fi
+
+echo $ac_n "checking for sys/wait.h that is POSIX.1 compatible""... $ac_c" 1>&6
+echo "configure:2193: checking for sys/wait.h that is POSIX.1 compatible" >&5
+if eval "test \"`echo '$''{'ac_cv_header_sys_wait_h'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2198 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/wait.h>
+#ifndef WEXITSTATUS
+#define WEXITSTATUS(stat_val) ((unsigned)(stat_val) >> 8)
+#endif
+#ifndef WIFEXITED
+#define WIFEXITED(stat_val) (((stat_val) & 255) == 0)
+#endif
+int main() {
+int s;
+wait (&s);
+s = WIFEXITED (s) ? WEXITSTATUS (s) : 1;
+; return 0; }
+EOF
+if { (eval echo configure:2214: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_header_sys_wait_h=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_sys_wait_h=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_header_sys_wait_h" 1>&6
+if test $ac_cv_header_sys_wait_h = yes; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_SYS_WAIT_H 1
+EOF
+
+fi
+
+for ac_hdr in fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h termio.h unistd.h sys/fsuid.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:2238: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2243 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:2248: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+for ac_hdr in features.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:2279: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2284 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:2289: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+for ac_hdr in crypt.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:2320: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2325 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:2330: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+for ac_hdr in ndbm.h db.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:2361: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2366 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:2371: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+HAVE_NDBM_H=$ac_cv_header_ndbm_h
+
+
+for ac_hdr in lastlog.h utmp.h utmpx.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:2404: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2409 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:2414: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+
+echo $ac_n "checking path to cracklib dictionary""... $ac_c" 1>&6
+echo "configure:2443: checking path to cracklib dictionary" >&5
+DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \
+  /usr/local/lib /usr/local/share/lib"
+DICT_FILE_CANDIDATES="pw_dict cracklib_dict"
+CRACKLIB_DICTPATH=""
+for d in $DICT_DIR_CANDIDATES ; do
+      for f in $DICT_FILE_CANDIDATES ; do
+              if test -r $d/$f.hwm ; then
+                      CRACKLIB_DICTPATH=$d/$f
+                      break 2
+              elif test -r $d/dict/$f.hwm ; then
+                      CRACKLIB_DICTPATH=$d/dict/$f
+                      break 2
+              fi
+      done
+done
+if test -z "$CRACKLIB_DICTPATH" ; then
+      echo "$ac_t""none found" 1>&6
+else
+      echo "$ac_t""$CRACKLIB_DICTPATH" 1>&6
+fi
+
+
+
+GCC_WARNINGS="-Wall -Wwrite-strings \
+	-Wpointer-arith -Wcast-qual -Wcast-align \
+	-Wstrict-prototypes -Wmissing-prototypes \
+	-Wnested-externs -Winline -Wshadow"
+
+if test "$GCC" = yes; then
+	CC=gcc				; 
+### May need per-OS attention
+### Example: -D_POSIX_SOURCE: needed on Linux but harms Solaris.
+	case $OS in
+	linux)
+		OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic"
+		LD_D="gcc -shared -Xlinker -x"
+		WARNINGS="$GCC_WARNINGS"
+		PIC="-fPIC"
+		DYNTYPE=so
+		LD=ld				
+		LD_L="$LD -x -shared"
+		RANLIB=ranlib
+		STRIP=strip
+		CC_STATIC="-Xlinker -export-dynamic"
+		;;
+	sunos)
+		OS_CFLAGS="-ansi -pedantic"
+		LD_D="gcc -shared -Xlinker -x"
+		WARNINGS="$GCC_WARNINGS"
+		PIC="-fPIC"
+		DYNTYPE=so
+		LD=ld				
+		LD_L="$LD -x -shared"
+		RANLIB=ranlib
+		STRIP=strip
+		CC_STATIC="-Xlinker -export-dynamic"
+		;;
+	aix)
+		OS_CFLAGS=""
+		DYNTYPE=lo
+		LD=ld				
+		LD_L=ld -bexpall -bM:SRE -bnoentry
+		LD_D="$LD_L"
+		RANLIB=ranlib
+		STRIP=strip
+		;;
+	*)
+		OS_CFLAGS=""
+		;;
+	esac
+else
+###
+### Non-gcc needs attention on per-OS basis
+###
+	case "$OS" in
+	darwin)
+# add some stuff here (see sourceforge bug 534205)
+# DOCDIR=/System/Documentation/Administration/Libraries/PAM
+# MANDIR=/usr/share/man
+		;;
+	solaris)
+	    ### Support for Solaris-C
+	    OS_CFLAGS=""
+	    WARNINGS=""
+	    PIC="-K pic"
+	    LD=ld
+	    LD_D="cc -z text -G -R."
+	    LD_L="$LD_D"
+	    RANLIB=ranlib
+	    STRIP=strip
+	    CC_STATIC=
+	    ;;
+	irix*)
+	    OSRELEASE=`uname -r`
+	    if test "$OSRELEASE" = 6.5; then
+		OS_CFLAGS=""
+		WARNINGS="-fullwarn"
+		PIC=                    #PIC code is default for IRIX
+		LD="cc -shared"         # modules friendly approach
+		LD_D="cc -shared"
+		LD_L="ld -G -z redlocsym"
+		RANLIB=echo
+		STRIP=strip
+		CC_STATIC=
+	    else
+		echo "IRIX prior to 6.5 not allowed for"
+		exit
+	    fi
+	    ;;
+       *) echo "Native compiler on $OS is not yet supported"
+               exit
+	    ;;
+       esac
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6
+echo "configure:2571: checking whether byte ordering is bigendian" >&5
+if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_c_bigendian=unknown
+# See if sys/param.h defines the BYTE_ORDER macro.
+cat > conftest.$ac_ext <<EOF
+#line 2578 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/param.h>
+int main() {
+
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif
+; return 0; }
+EOF
+if { (eval echo configure:2589: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  # It does; now see whether it defined to BIG_ENDIAN or not.
+cat > conftest.$ac_ext <<EOF
+#line 2593 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/param.h>
+int main() {
+
+#if BYTE_ORDER != BIG_ENDIAN
+ not big endian
+#endif
+; return 0; }
+EOF
+if { (eval echo configure:2604: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_bigendian=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_c_bigendian=no
+fi
+rm -f conftest*
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+if test $ac_cv_c_bigendian = unknown; then
+if test "$cross_compiling" = yes; then
+    { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2624 "configure"
+#include "confdefs.h"
+main () {
+  /* Are we little or big endian?  From Harbison&Steele.  */
+  union
+  {
+    long l;
+    char c[sizeof (long)];
+  } u;
+  u.l = 1;
+  exit (u.c[sizeof (long) - 1] == 1);
+}
+EOF
+if { (eval echo configure:2637: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_c_bigendian=no
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_c_bigendian=yes
+fi
+rm -fr conftest*
+fi
+
+fi
+fi
+
+echo "$ac_t""$ac_cv_c_bigendian" 1>&6
+if test $ac_cv_c_bigendian = yes; then
+  cat >> confdefs.h <<\EOF
+#define WORDS_BIGENDIAN 1
+EOF
+
+fi
+
+echo $ac_n "checking for working const""... $ac_c" 1>&6
+echo "configure:2661: checking for working const" >&5
+if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2666 "configure"
+#include "confdefs.h"
+
+int main() {
+
+/* Ultrix mips cc rejects this.  */
+typedef int charset[2]; const charset x;
+/* SunOS 4.1.1 cc rejects this.  */
+char const *const *ccp;
+char **p;
+/* NEC SVR4.0.2 mips cc rejects this.  */
+struct point {int x, y;};
+static struct point const zero = {0,0};
+/* AIX XL C 1.02.0.0 rejects this.
+   It does not let you subtract one const X* pointer from another in an arm
+   of an if-expression whose if-part is not a constant expression */
+const char *g = "string";
+ccp = &g + (g ? g-g : 0);
+/* HPUX 7.0 cc rejects these. */
+++ccp;
+p = (char**) ccp;
+ccp = (char const *const *) p;
+{ /* SCO 3.2v4 cc rejects this.  */
+  char *t;
+  char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+  *t++ = 0;
+}
+{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+  int x[] = {25, 17};
+  const int *foo = &x[0];
+  ++foo;
+}
+{ /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+  typedef const int *iptr;
+  iptr p = 0;
+  ++p;
+}
+{ /* AIX XL C 1.02.0.0 rejects this saying
+     "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+  struct s { int j; const int *ap[3]; };
+  struct s *b; b->j = 5;
+}
+{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+  const int foo = 10;
+}
+
+; return 0; }
+EOF
+if { (eval echo configure:2715: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_const=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_c_const=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_c_const" 1>&6
+if test $ac_cv_c_const = no; then
+  cat >> confdefs.h <<\EOF
+#define const 
+EOF
+
+fi
+
+echo $ac_n "checking for uid_t in sys/types.h""... $ac_c" 1>&6
+echo "configure:2736: checking for uid_t in sys/types.h" >&5
+if eval "test \"`echo '$''{'ac_cv_type_uid_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2741 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "uid_t" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_uid_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_uid_t=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_type_uid_t" 1>&6
+if test $ac_cv_type_uid_t = no; then
+  cat >> confdefs.h <<\EOF
+#define uid_t int
+EOF
+
+  cat >> confdefs.h <<\EOF
+#define gid_t int
+EOF
+
+fi
+
+echo $ac_n "checking for off_t""... $ac_c" 1>&6
+echo "configure:2770: checking for off_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2775 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])off_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_off_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_off_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_off_t" 1>&6
+if test $ac_cv_type_off_t = no; then
+  cat >> confdefs.h <<\EOF
+#define off_t long
+EOF
+
+fi
+
+echo $ac_n "checking for pid_t""... $ac_c" 1>&6
+echo "configure:2803: checking for pid_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2808 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])pid_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_pid_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_pid_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_pid_t" 1>&6
+if test $ac_cv_type_pid_t = no; then
+  cat >> confdefs.h <<\EOF
+#define pid_t int
+EOF
+
+fi
+
+echo $ac_n "checking for size_t""... $ac_c" 1>&6
+echo "configure:2836: checking for size_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2841 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_size_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_size_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_size_t" 1>&6
+if test $ac_cv_type_size_t = no; then
+  cat >> confdefs.h <<\EOF
+#define size_t unsigned
+EOF
+
+fi
+
+echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6
+echo "configure:2869: checking whether time.h and sys/time.h may both be included" >&5
+if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2874 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+int main() {
+struct tm *tp;
+; return 0; }
+EOF
+if { (eval echo configure:2883: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_header_time=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_time=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_header_time" 1>&6
+if test $ac_cv_header_time = yes; then
+  cat >> confdefs.h <<\EOF
+#define TIME_WITH_SYS_TIME 1
+EOF
+
+fi
+
+echo $ac_n "checking whether struct tm is in sys/time.h or time.h""... $ac_c" 1>&6
+echo "configure:2904: checking whether struct tm is in sys/time.h or time.h" >&5
+if eval "test \"`echo '$''{'ac_cv_struct_tm'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2909 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <time.h>
+int main() {
+struct tm *tp; tp->tm_sec;
+; return 0; }
+EOF
+if { (eval echo configure:2917: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_struct_tm=time.h
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_struct_tm=sys/time.h
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_struct_tm" 1>&6
+if test $ac_cv_struct_tm = sys/time.h; then
+  cat >> confdefs.h <<\EOF
+#define TM_IN_SYS_TIME 1
+EOF
+
+fi
+
+
+echo $ac_n "checking type of array argument to getgroups""... $ac_c" 1>&6
+echo "configure:2939: checking type of array argument to getgroups" >&5
+if eval "test \"`echo '$''{'ac_cv_type_getgroups'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_type_getgroups=cross
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2947 "configure"
+#include "confdefs.h"
+
+/* Thanks to Mike Rendell for this test.  */
+#include <sys/types.h>
+#define NGID 256
+#undef MAX
+#define MAX(x, y) ((x) > (y) ? (x) : (y))
+main()
+{
+  gid_t gidset[NGID];
+  int i, n;
+  union { gid_t gval; long lval; }  val;
+
+  val.lval = -1;
+  for (i = 0; i < NGID; i++)
+    gidset[i] = val.gval;
+  n = getgroups (sizeof (gidset) / MAX (sizeof (int), sizeof (gid_t)) - 1,
+                 gidset);
+  /* Exit non-zero if getgroups seems to require an array of ints.  This
+     happens when gid_t is short but getgroups modifies an array of ints.  */
+  exit ((n > 0 && gidset[n] != val.gval) ? 1 : 0);
+}
+
+EOF
+if { (eval echo configure:2972: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+    ac_cv_type_getgroups=gid_t
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_type_getgroups=int
+fi
+rm -fr conftest*
+fi
+
+if test $ac_cv_type_getgroups = cross; then
+        cat > conftest.$ac_ext <<EOF
+#line 2986 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "getgroups.*int.*gid_t" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_getgroups=gid_t
+else
+  rm -rf conftest*
+  ac_cv_type_getgroups=int
+fi
+rm -f conftest*
+
+fi
+fi
+
+echo "$ac_t""$ac_cv_type_getgroups" 1>&6
+cat >> confdefs.h <<EOF
+#define GETGROUPS_T $ac_cv_type_getgroups
+EOF
+
+
+if test $ac_cv_prog_gcc = yes; then
+    echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6
+echo "configure:3011: checking whether ${CC-cc} needs -traditional" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    ac_pattern="Autoconf.*'x'"
+  cat > conftest.$ac_ext <<EOF
+#line 3017 "configure"
+#include "confdefs.h"
+#include <sgtty.h>
+Autoconf TIOCGETP
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "$ac_pattern" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_prog_gcc_traditional=yes
+else
+  rm -rf conftest*
+  ac_cv_prog_gcc_traditional=no
+fi
+rm -f conftest*
+
+
+  if test $ac_cv_prog_gcc_traditional = no; then
+    cat > conftest.$ac_ext <<EOF
+#line 3035 "configure"
+#include "confdefs.h"
+#include <termio.h>
+Autoconf TCGETA
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "$ac_pattern" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_prog_gcc_traditional=yes
+fi
+rm -f conftest*
+
+  fi
+fi
+
+echo "$ac_t""$ac_cv_prog_gcc_traditional" 1>&6
+  if test $ac_cv_prog_gcc_traditional = yes; then
+    CC="$CC -traditional"
+  fi
+fi
+
+echo $ac_n "checking for 8-bit clean memcmp""... $ac_c" 1>&6
+echo "configure:3057: checking for 8-bit clean memcmp" >&5
+if eval "test \"`echo '$''{'ac_cv_func_memcmp_clean'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_func_memcmp_clean=no
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3065 "configure"
+#include "confdefs.h"
+
+main()
+{
+  char c0 = 0x40, c1 = 0x80, c2 = 0x81;
+  exit(memcmp(&c0, &c2, 1) < 0 && memcmp(&c1, &c2, 1) < 0 ? 0 : 1);
+}
+
+EOF
+if { (eval echo configure:3075: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_func_memcmp_clean=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_memcmp_clean=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_memcmp_clean" 1>&6
+test $ac_cv_func_memcmp_clean = no && LIBOBJS="$LIBOBJS memcmp.${ac_objext}"
+
+echo $ac_n "checking for vprintf""... $ac_c" 1>&6
+echo "configure:3093: checking for vprintf" >&5
+if eval "test \"`echo '$''{'ac_cv_func_vprintf'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3098 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char vprintf(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char vprintf();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_vprintf) || defined (__stub___vprintf)
+choke me
+#else
+vprintf();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:3121: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_vprintf=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_vprintf=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'vprintf`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  cat >> confdefs.h <<\EOF
+#define HAVE_VPRINTF 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test "$ac_cv_func_vprintf" != yes; then
+echo $ac_n "checking for _doprnt""... $ac_c" 1>&6
+echo "configure:3145: checking for _doprnt" >&5
+if eval "test \"`echo '$''{'ac_cv_func__doprnt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3150 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char _doprnt(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char _doprnt();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub__doprnt) || defined (__stub____doprnt)
+choke me
+#else
+_doprnt();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:3173: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func__doprnt=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func__doprnt=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'_doprnt`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  cat >> confdefs.h <<\EOF
+#define HAVE_DOPRNT 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+fi
+
+for ac_func in gethostname gettimeofday mkdir select strcspn strdup strerror strspn strstr strtol uname
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:3200: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3205 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:3228: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+for ac_func in getpwnam_r getgrnam_r
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:3256: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3261 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:3284: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+# Extract the first word of "sgml2txt", so it can be a program name with args.
+set dummy sgml2txt; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:3312: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2TXT'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$HAVE_SGML2TXT"; then
+  ac_cv_prog_HAVE_SGML2TXT="$HAVE_SGML2TXT" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_HAVE_SGML2TXT="yes"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_HAVE_SGML2TXT" && ac_cv_prog_HAVE_SGML2TXT="no"
+fi
+fi
+HAVE_SGML2TXT="$ac_cv_prog_HAVE_SGML2TXT"
+if test -n "$HAVE_SGML2TXT"; then
+  echo "$ac_t""$HAVE_SGML2TXT" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Extract the first word of "sgml2html", so it can be a program name with args.
+set dummy sgml2html; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:3342: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2HTML'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$HAVE_SGML2HTML"; then
+  ac_cv_prog_HAVE_SGML2HTML="$HAVE_SGML2HTML" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_HAVE_SGML2HTML="yes"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_HAVE_SGML2HTML" && ac_cv_prog_HAVE_SGML2HTML="no"
+fi
+fi
+HAVE_SGML2HTML="$ac_cv_prog_HAVE_SGML2HTML"
+if test -n "$HAVE_SGML2HTML"; then
+  echo "$ac_t""$HAVE_SGML2HTML" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Extract the first word of "sgml2latex", so it can be a program name with args.
+set dummy sgml2latex; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:3372: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2LATEX'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$HAVE_SGML2LATEX"; then
+  ac_cv_prog_HAVE_SGML2LATEX="$HAVE_SGML2LATEX" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_HAVE_SGML2LATEX="yes"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_HAVE_SGML2LATEX" && ac_cv_prog_HAVE_SGML2LATEX="no"
+fi
+fi
+HAVE_SGML2LATEX="$ac_cv_prog_HAVE_SGML2LATEX"
+if test -n "$HAVE_SGML2LATEX"; then
+  echo "$ac_t""$HAVE_SGML2LATEX" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test $HAVE_SGML2LATEX = "yes" ; then
+  if sgml2latex -h | grep -e --paper | grep  ' -p ' > /dev/null ; then
+    PSER="sgml2latex -o ps"
+  else
+    PSER="sgml2latex -p"
+  fi
+  # Extract the first word of "ps2pdf", so it can be a program name with args.
+set dummy ps2pdf; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:3408: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_HAVE_PS2PDF'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$HAVE_PS2PDF"; then
+  ac_cv_prog_HAVE_PS2PDF="$HAVE_PS2PDF" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_HAVE_PS2PDF="yes"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_HAVE_PS2PDF" && ac_cv_prog_HAVE_PS2PDF="no"
+fi
+fi
+HAVE_PS2PDF="$ac_cv_prog_HAVE_PS2PDF"
+if test -n "$HAVE_PS2PDF"; then
+  echo "$ac_t""$HAVE_PS2PDF" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+else
+  # Extract the first word of "sgml2ps", so it can be a program name with args.
+set dummy sgml2ps; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:3439: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2PS'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$HAVE_SGML2PS"; then
+  ac_cv_prog_HAVE_SGML2PS="$HAVE_SGML2PS" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_HAVE_SGML2PS="yes"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_HAVE_SGML2PS" && ac_cv_prog_HAVE_SGML2PS="no"
+fi
+fi
+HAVE_SGML2PS="$ac_cv_prog_HAVE_SGML2PS"
+if test -n "$HAVE_SGML2PS"; then
+  echo "$ac_t""$HAVE_SGML2PS" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+  if test $HAVE_SGML2PS = yes ; then
+    PSER="sgml2ps"
+  fi
+fi
+
+
+
+trap '' 1 2 15
+cat > confcache <<\EOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs.  It is not useful on other systems.
+# If it contains results you don't want to keep, you may remove or edit it.
+#
+# By default, configure uses ./config.cache as the cache file,
+# creating it if it does not exist already.  You can give configure
+# the --cache-file=FILE option to use a different cache file; that is
+# what configure does when it calls configure scripts in
+# subdirectories, so they share the cache.
+# Giving --cache-file=/dev/null disables caching, for debugging configure.
+# config.status only pays attention to the cache file if you give it the
+# --recheck option to rerun configure.
+#
+EOF
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(set) 2>&1 |
+  case `(ac_space=' '; set | grep ac_space) 2>&1` in
+  *ac_space=\ *)
+    # `set' does not quote correctly, so add quotes (double-quote substitution
+    # turns \\\\ into \\, and sed turns \\ into \).
+    sed -n \
+      -e "s/'/'\\\\''/g" \
+      -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
+    ;;
+  *)
+    # `set' quotes correctly as required by POSIX, so do not add quotes.
+    sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
+    ;;
+  esac >> confcache
+if cmp -s $cache_file confcache; then
+  :
+else
+  if test -w $cache_file; then
+    echo "updating cache $cache_file"
+    cat confcache > $cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# Any assignment to VPATH causes Sun make to only execute
+# the first set of double-colon rules, so remove it if not needed.
+# If there is a colon in the path, we need to keep it.
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[ 	]*VPATH[ 	]*=[^:]*$/d'
+fi
+
+trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15
+
+DEFS=-DHAVE_CONFIG_H
+
+# Without the "./", some shells look in PATH for config.status.
+: ${CONFIG_STATUS=./config.status}
+
+echo creating $CONFIG_STATUS
+rm -f $CONFIG_STATUS
+cat > $CONFIG_STATUS <<EOF
+#! /bin/sh
+# Generated automatically by configure.
+# Run this file to recreate the current configuration.
+# This directory was configured as follows,
+# on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+#
+# $0 $ac_configure_args
+#
+# Compiler output produced by configure, useful for debugging
+# configure, is in ./config.log if it exists.
+
+ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]"
+for ac_option
+do
+  case "\$ac_option" in
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion"
+    exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;;
+  -version | --version | --versio | --versi | --vers | --ver | --ve | --v)
+    echo "$CONFIG_STATUS generated by autoconf version 2.13"
+    exit 0 ;;
+  -help | --help | --hel | --he | --h)
+    echo "\$ac_cs_usage"; exit 0 ;;
+  *) echo "\$ac_cs_usage"; exit 1 ;;
+  esac
+done
+
+ac_given_srcdir=$srcdir
+
+trap 'rm -fr `echo "Make.Rules _pam_aconf.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+# Protect against being on the right side of a sed subst in config.status.
+sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g;
+ s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF
+$ac_vpsub
+$extrasub
+s%@SHELL@%$SHELL%g
+s%@CFLAGS@%$CFLAGS%g
+s%@CPPFLAGS@%$CPPFLAGS%g
+s%@CXXFLAGS@%$CXXFLAGS%g
+s%@FFLAGS@%$FFLAGS%g
+s%@DEFS@%$DEFS%g
+s%@LDFLAGS@%$LDFLAGS%g
+s%@LIBS@%$LIBS%g
+s%@exec_prefix@%$exec_prefix%g
+s%@prefix@%$prefix%g
+s%@program_transform_name@%$program_transform_name%g
+s%@bindir@%$bindir%g
+s%@sbindir@%$sbindir%g
+s%@libexecdir@%$libexecdir%g
+s%@datadir@%$datadir%g
+s%@sysconfdir@%$sysconfdir%g
+s%@sharedstatedir@%$sharedstatedir%g
+s%@localstatedir@%$localstatedir%g
+s%@libdir@%$libdir%g
+s%@includedir@%$includedir%g
+s%@oldincludedir@%$oldincludedir%g
+s%@infodir@%$infodir%g
+s%@mandir@%$mandir%g
+s%@LIBPAM_VERSION_MAJOR@%$LIBPAM_VERSION_MAJOR%g
+s%@LIBPAM_VERSION_MINOR@%$LIBPAM_VERSION_MINOR%g
+s%@LOCALSRCDIR@%$LOCALSRCDIR%g
+s%@LOCALOBJDIR@%$LOCALOBJDIR%g
+s%@OS@%$OS%g
+s%@CONF_CFLAGS@%$CONF_CFLAGS%g
+s%@MKDIR@%$MKDIR%g
+s%@SHLIBMODE@%$SHLIBMODE%g
+s%@USESONAME@%$USESONAME%g
+s%@SOSWITCH@%$SOSWITCH%g
+s%@NEEDSONAME@%$NEEDSONAME%g
+s%@LDCONFIG@%$LDCONFIG%g
+s%@INSTALL@%$INSTALL%g
+s%@CC@%$CC%g
+s%@YACC@%$YACC%g
+s%@LEX@%$LEX%g
+s%@LEXLIB@%$LEXLIB%g
+s%@LN_S@%$LN_S%g
+s%@SET_MAKE@%$SET_MAKE%g
+s%@WITH_DEBUG@%$WITH_DEBUG%g
+s%@WITH_MEMORY_DEBUG@%$WITH_MEMORY_DEBUG%g
+s%@WITH_LIBDEBUG@%$WITH_LIBDEBUG%g
+s%@FAKEROOT@%$FAKEROOT%g
+s%@SECUREDIR@%$SECUREDIR%g
+s%@SCONFIGDIR@%$SCONFIGDIR%g
+s%@SUPLEMENTED@%$SUPLEMENTED%g
+s%@INCLUDEDIR@%$INCLUDEDIR%g
+s%@DOCDIR@%$DOCDIR%g
+s%@MANDIR@%$MANDIR%g
+s%@WITH_PAMLOCKING@%$WITH_PAMLOCKING%g
+s%@PAM_READ_BOTH_CONFS@%$PAM_READ_BOTH_CONFS%g
+s%@STATIC_LIBPAM@%$STATIC_LIBPAM%g
+s%@DYNAMIC_LIBPAM@%$DYNAMIC_LIBPAM%g
+s%@DYNAMIC@%$DYNAMIC%g
+s%@STATIC@%$STATIC%g
+s%@WITH_LCKPWDF@%$WITH_LCKPWDF%g
+s%@CPP@%$CPP%g
+s%@PAM_NEEDS_LIBC@%$PAM_NEEDS_LIBC%g
+s%@HAVE_LCKPWDF@%$HAVE_LCKPWDF%g
+s%@LIBDL@%$LIBDL%g
+s%@HAVE_LIBCRACK@%$HAVE_LIBCRACK%g
+s%@HAVE_LIBCRYPT@%$HAVE_LIBCRYPT%g
+s%@HAVE_LIBUTIL@%$HAVE_LIBUTIL%g
+s%@HAVE_LIBNDBM@%$HAVE_LIBNDBM%g
+s%@HAVE_LIBDB@%$HAVE_LIBDB%g
+s%@HAVE_LIBFL@%$HAVE_LIBFL%g
+s%@HAVE_LIBNSL@%$HAVE_LIBNSL%g
+s%@HAVE_LIBPWDB@%$HAVE_LIBPWDB%g
+s%@HAVE_LIBFLEX@%$HAVE_LIBFLEX%g
+s%@HAVE_LIBLEX@%$HAVE_LIBLEX%g
+s%@HAVE_NDBM_H@%$HAVE_NDBM_H%g
+s%@CRACKLIB_DICTPATH@%$CRACKLIB_DICTPATH%g
+s%@DYNTYPE@%$DYNTYPE%g
+s%@OS_CFLAGS@%$OS_CFLAGS%g
+s%@WARNINGS@%$WARNINGS%g
+s%@PIC@%$PIC%g
+s%@LD@%$LD%g
+s%@LD_D@%$LD_D%g
+s%@LD_L@%$LD_L%g
+s%@RANLIB@%$RANLIB%g
+s%@STRIP@%$STRIP%g
+s%@CC_STATIC@%$CC_STATIC%g
+s%@LIBOBJS@%$LIBOBJS%g
+s%@HAVE_SGML2TXT@%$HAVE_SGML2TXT%g
+s%@HAVE_SGML2HTML@%$HAVE_SGML2HTML%g
+s%@HAVE_SGML2LATEX@%$HAVE_SGML2LATEX%g
+s%@HAVE_PS2PDF@%$HAVE_PS2PDF%g
+s%@HAVE_SGML2PS@%$HAVE_SGML2PS%g
+s%@PSER@%$PSER%g
+s%@PS2PDF@%$PS2PDF%g
+
+CEOF
+EOF
+
+cat >> $CONFIG_STATUS <<\EOF
+
+# Split the substitutions into bite-sized pieces for seds with
+# small command number limits, like on Digital OSF/1 and HP-UX.
+ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script.
+ac_file=1 # Number of current file.
+ac_beg=1 # First line for current file.
+ac_end=$ac_max_sed_cmds # Line after last line for current file.
+ac_more_lines=:
+ac_sed_cmds=""
+while $ac_more_lines; do
+  if test $ac_beg -gt 1; then
+    sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file
+  else
+    sed "${ac_end}q" conftest.subs > conftest.s$ac_file
+  fi
+  if test ! -s conftest.s$ac_file; then
+    ac_more_lines=false
+    rm -f conftest.s$ac_file
+  else
+    if test -z "$ac_sed_cmds"; then
+      ac_sed_cmds="sed -f conftest.s$ac_file"
+    else
+      ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file"
+    fi
+    ac_file=`expr $ac_file + 1`
+    ac_beg=$ac_end
+    ac_end=`expr $ac_end + $ac_max_sed_cmds`
+  fi
+done
+if test -z "$ac_sed_cmds"; then
+  ac_sed_cmds=cat
+fi
+EOF
+
+cat >> $CONFIG_STATUS <<EOF
+
+CONFIG_FILES=\${CONFIG_FILES-"Make.Rules"}
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories.
+
+  # Remove last slash and all that follows it.  Not all systems have dirname.
+  ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+  if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+    # The file is in a subdirectory.
+    test ! -d "$ac_dir" && mkdir "$ac_dir"
+    ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`"
+    # A "../" for each directory in $ac_dir_suffix.
+    ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'`
+  else
+    ac_dir_suffix= ac_dots=
+  fi
+
+  case "$ac_given_srcdir" in
+  .)  srcdir=.
+      if test -z "$ac_dots"; then top_srcdir=.
+      else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;;
+  /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;;
+  *) # Relative path.
+    srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix"
+    top_srcdir="$ac_dots$ac_given_srcdir" ;;
+  esac
+
+
+  echo creating "$ac_file"
+  rm -f "$ac_file"
+  configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure."
+  case "$ac_file" in
+  *Makefile*) ac_comsub="1i\\
+# $configure_input" ;;
+  *) ac_comsub= ;;
+  esac
+
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  sed -e "$ac_comsub
+s%@configure_input@%$configure_input%g
+s%@srcdir@%$srcdir%g
+s%@top_srcdir@%$top_srcdir%g
+" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file
+fi; done
+rm -f conftest.s*
+
+# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
+# NAME is the cpp macro being defined and VALUE is the value it is being given.
+#
+# ac_d sets the value in "#define NAME VALUE" lines.
+ac_dA='s%^\([ 	]*\)#\([ 	]*define[ 	][ 	]*\)'
+ac_dB='\([ 	][ 	]*\)[^ 	]*%\1#\2'
+ac_dC='\3'
+ac_dD='%g'
+# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE".
+ac_uA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_uB='\([ 	]\)%\1#\2define\3'
+ac_uC=' '
+ac_uD='\4%g'
+# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_eA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_eB='$%\1#\2define\3'
+ac_eC=' '
+ac_eD='%g'
+
+if test "${CONFIG_HEADERS+set}" != set; then
+EOF
+cat >> $CONFIG_STATUS <<EOF
+  CONFIG_HEADERS="_pam_aconf.h"
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+fi
+for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  echo creating $ac_file
+
+  rm -f conftest.frag conftest.in conftest.out
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  cat $ac_file_inputs > conftest.in
+
+EOF
+
+# Transform confdefs.h into a sed script conftest.vals that substitutes
+# the proper values into config.h.in to produce config.h.  And first:
+# Protect against being on the right side of a sed subst in config.status.
+# Protect against being in an unquoted here document in config.status.
+rm -f conftest.vals
+cat > conftest.hdr <<\EOF
+s/[\\&%]/\\&/g
+s%[\\$`]%\\&%g
+s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp
+s%ac_d%ac_u%gp
+s%ac_u%ac_e%gp
+EOF
+sed -n -f conftest.hdr confdefs.h > conftest.vals
+rm -f conftest.hdr
+
+# This sed command replaces #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+cat >> conftest.vals <<\EOF
+s%^[ 	]*#[ 	]*undef[ 	][ 	]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */%
+EOF
+
+# Break up conftest.vals because some shells have a limit on
+# the size of here documents, and old seds have small limits too.
+
+rm -f conftest.tail
+while :
+do
+  ac_lines=`grep -c . conftest.vals`
+  # grep -c gives empty output for an empty file on some AIX systems.
+  if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi
+  # Write a limited-size here document to conftest.frag.
+  echo '  cat > conftest.frag <<CEOF' >> $CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS
+  echo 'CEOF
+  sed -f conftest.frag conftest.in > conftest.out
+  rm -f conftest.in
+  mv conftest.out conftest.in
+' >> $CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail
+  rm -f conftest.vals
+  mv conftest.tail conftest.vals
+done
+rm -f conftest.vals
+
+cat >> $CONFIG_STATUS <<\EOF
+  rm -f conftest.frag conftest.h
+  echo "/* $ac_file.  Generated automatically by configure.  */" > conftest.h
+  cat conftest.in >> conftest.h
+  rm -f conftest.in
+  if cmp -s $ac_file conftest.h 2>/dev/null; then
+    echo "$ac_file is unchanged"
+    rm -f conftest.h
+  else
+    # Remove last slash and all that follows it.  Not all systems have dirname.
+      ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+      if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+      # The file is in a subdirectory.
+      test ! -d "$ac_dir" && mkdir "$ac_dir"
+    fi
+    rm -f $ac_file
+    mv conftest.h $ac_file
+  fi
+fi; done
+
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+
+exit 0
+EOF
+chmod +x $CONFIG_STATUS
+rm -fr confdefs* $ac_clean_files
+test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1
+
diff --git a/Linux-PAM/configure.in b/Linux-PAM/configure.in
new file mode 100644
index 00000000..8da11c85
--- /dev/null
+++ b/Linux-PAM/configure.in
@@ -0,0 +1,439 @@
+dnl Process this file with autoconf to produce a configure script.
+AC_INIT(conf/pam_conv1/pam_conv.y)
+
+dnl The configuration header file
+AC_CONFIG_HEADER(_pam_aconf.h)
+
+dnl
+dnl Release specific
+dnl
+
+LIBPAM_VERSION_MAJOR=0
+LIBPAM_VERSION_MINOR=76
+
+AC_SUBST(LIBPAM_VERSION_MAJOR)
+AC_SUBST(LIBPAM_VERSION_MINOR)
+AC_DEFINE(LIBPAM_VERSION_MAJOR)
+AC_DEFINE(LIBPAM_VERSION_MINOR)
+
+dnl
+dnl By default, everything under PAM is installed under the root fs.
+dnl
+
+AC_PREFIX_DEFAULT()
+
+dnl
+dnl Useful info (believed to be portable) - in the future
+dnl the LOCALSRCDIR and LOCALOBJDIRs may be different
+dnl
+LOCALSRCDIR=`/bin/pwd`         ; AC_SUBST(LOCALSRCDIR)
+LOCALOBJDIR=`/bin/pwd`         ; AC_SUBST(LOCALOBJDIR)
+OS=`uname|sed -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'`
+AC_SUBST(OS)
+
+dnl
+dnl Rules needed for the following (hardcoded Linux defaults for now)
+dnl
+
+CONF_CFLAGS=			; AC_SUBST(CONF_CFLAGS)
+MKDIR="mkdir -p"		; AC_SUBST(MKDIR)
+
+SHLIBMODE=755			; AC_SUBST(SHLIBMODE)
+
+dnl These are most likely platform specific - I think HPUX differs
+USESONAME=yes			; AC_SUBST(USESONAME)
+SOSWITCH=-soname		; AC_SUBST(SOSWITCH)
+NEEDSONAME=no			; AC_SUBST(NEEDSONAME)
+LDCONFIG=/sbin/ldconfig		; AC_SUBST(LDCONFIG)
+
+dnl ### Should enable this INSTALL detection.
+dnl ### Would need to distribute GNU's config.guess and config.sub
+dnl AC_PROG_INSTALL
+if test "$OS" = "aix"; then
+  INSTALL=/usr/ucb/install -c
+else
+  INSTALL=/usr/bin/install
+fi
+AC_SUBST(INSTALL)
+
+dnl Checks for programs.
+AC_PROG_CC
+dnl ### AC_PROG_CXX
+AC_PROG_YACC
+AC_PROG_LEX
+dnl AC_PROG_INSTALL
+AC_PROG_LN_S
+AC_PROG_MAKE_SET
+
+dnl
+dnl options and defaults
+dnl
+
+dnl lots of debugging information goes to /tmp/pam-debug.log
+AC_ARG_ENABLE(debug,
+[  --enable-debug           specify you are building with debugging on],
+	WITH_DEBUG=yes ; AC_DEFINE(DEBUG) , WITH_DEBUG=no)
+AC_SUBST(WITH_DEBUG)
+
+AC_ARG_ENABLE(memory-debug,
+[  --enable-memory-debug    specify you want every malloc etc. call tracked],
+	WITH_MEMORY_DEBUG=yes ; AC_DEFINE(MEMORY_DEBUG) , WITH_MEMORY_DEBUG=no)
+AC_SUBST(WITH_MEMORY_DEBUG)
+
+dnl build specially named libraries (for debugging purposes)
+AC_ARG_ENABLE(libdebug,
+[  --enable-libdebug        specify you are building debugging libraries],
+	WITH_LIBDEBUG=yes ; AC_DEFINE(WITH_LIBDEBUG) , WITH_LIBDEBUG=no)
+AC_SUBST(WITH_LIBDEBUG)
+
+dnl packaging convenience
+AC_ARG_ENABLE(fakeroot,
+[  --enable-fakeroot=<path to packaging directory>], FAKEROOT=$enableval)
+AC_SUBST(FAKEROOT)
+
+AC_ARG_ENABLE(securedir,
+[  --enable-securedir=<path to location of PAMs> [default \$libdir/security]],
+	SECUREDIR=$enableval, SECUREDIR=$libdir/security)
+AC_SUBST(SECUREDIR)
+
+AC_ARG_ENABLE(sconfigdir,
+[  --enable-sconfigdir=<path to module conf files> [default \$sysconfdir/security]],
+	SCONFIGDIR=$enableval, SCONFIGDIR=$sysconfdir/security)
+AC_SUBST(SCONFIGDIR)
+
+AC_ARG_ENABLE(suplementedir,
+[  --enable-suplementedir=<path to module helper binaries> [default \$sbindir]],
+	SUPLEMENTED=$enableval, SUPLEMENTED=$sbindir)
+AC_SUBST(SUPLEMENTED)
+
+AC_ARG_ENABLE(includedir,
+[  --enable-includedir=<path to include location> - where to put <security>],
+	INCLUDEDIR=$enableval, INCLUDEDIR=/usr/include)
+AC_SUBST(INCLUDEDIR)
+
+AC_ARG_ENABLE(docdir,
+[  --enable-docdir=<path to store documentation in - /usr/share/doc/pam>],
+	DOCDIR=$enableval, DOCDIR=/usr/share/doc/pam)
+AC_SUBST(DOCDIR)
+
+AC_ARG_ENABLE(mandir,
+[  --enable-mandir=<path to store manuals in - /usr/share/man>],
+	MANDIR=$enableval, MANDIR=/usr/share/man)
+AC_SUBST(MANDIR)
+
+AC_ARG_ENABLE(pamlocking,
+[  --enable-pamlocking      configure libpam to observe a global authentication lock],
+	WITH_PAMLOCKING=yes ; AC_DEFINE(PAM_LOCKING) , WITH_PAMLOCKING=no)
+AC_SUBST(WITH_PAMLOCKING)
+
+AC_ARG_ENABLE(uglyhack,
+[  --enable-uglyhack        configure libpam to try to honor old pam_strerror syntax],
+	AC_DEFINE(UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT))
+
+AC_ARG_ENABLE(read-both-confs,
+[  --enable-read-both-confs  read both /etc/pam.d and /etc/pam.conf files],
+	AC_DEFINE(PAM_READ_BOTH_CONFS))
+AC_SUBST(PAM_READ_BOTH_CONFS)
+
+AC_ARG_ENABLE(static-libpam, [  --enable-static-libpam   build a libpam.a library],
+	STATIC_LIBPAM=yes , STATIC_LIBPAM=no)
+AC_SUBST(STATIC_LIBPAM)
+
+AC_ARG_ENABLE(dynamic-libpam,
+[  --disable-dynamic-libpam do not build a shared libpam library],
+	DYNAMIC_LIBPAM=no, DYNAMIC_LIBPAM=yes)
+AC_SUBST(DYNAMIC_LIBPAM)
+
+DYNAMIC=-DPAM_DYNAMIC
+AC_SUBST(DYNAMIC)
+
+AC_ARG_ENABLE(static-modules,
+[  --enable-static-modules  do not make the modules dynamically loadable],
+	STATIC=-DPAM_STATIC)
+AC_SUBST(STATIC)
+
+AC_ARG_ENABLE(lckpwdf,
+[  --disable-lckpwdf do not use the lckpwdf function],
+	WITH_LCKPWDF=no, WITH_LCKPWDF=yes)
+AC_SUBST(WITH_LCKPWDF)
+
+AC_CHECK_HEADERS(paths.h)
+AC_ARG_WITH(mailspool,
+[  --with-mailspool         path to mail spool directory
+                           [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]],
+with_mailspool=${withval})
+if test x$with_mailspool != x ; then
+	pam_mail_spool="\"$with_mailspool\""
+else
+	AC_TRY_RUN([
+#include <paths.h>
+int main() {
+#ifdef _PATH_MAILDIR
+exit(0);
+#else
+exit(1);
+#endif
+}], pam_mail_spool="_PATH_MAILDIR",
+pam_mail_spool="\"/var/spool/mail\"",
+pam_mail_spool="\"/var/spool/mail\"")
+fi
+AC_DEFINE_UNQUOTED(PAM_PATH_MAILDIR, $pam_mail_spool)
+
+dnl Checks for libraries.
+AC_CHECK_LIB(c, __libc_sched_setscheduler, PAM_NEEDS_LIBC=, PAM_NEEDS_LIBC=-lc)
+AC_SUBST(PAM_NEEDS_LIBC)
+
+dnl Checks for the existence of lckpwdf in libc
+AC_CHECK_LIB(c, lckpwdf, HAVE_LCKPWDF=yes, HAVE_LCKPWDF=no)
+AC_SUBST(HAVE_LCKPWDF)
+
+dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc
+AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl) 
+AC_SUBST(LIBDL)
+
+dnl
+dnl At least on Solaris, the existing libcrack must be dynamic.
+dnl Ought to introduce a check for this.
+dnl
+AC_CHECK_LIB(crack, FascistCheck, HAVE_LIBCRACK=yes ; AC_DEFINE(HAVE_LIBCRACK),
+	HAVE_LIBCRACK=no)
+AC_SUBST(HAVE_LIBCRACK)
+
+AC_CHECK_LIB(crypt, fcrypt, HAVE_LIBCRYPT=yes ; AC_DEFINE(HAVE_LIBCRYPT),
+	HAVE_LIBCRYPT=no)
+AC_SUBST(HAVE_LIBCRYPT)
+AC_CHECK_LIB(util, logwtmp, HAVE_LIBUTIL=yes ; AC_DEFINE(HAVE_LIBUTIL),
+	HAVE_LIBUTIL=no)
+AC_SUBST(HAVE_LIBUTIL)
+AC_CHECK_LIB(ndbm, dbm_store, HAVE_LIBNDBM=yes ; AC_DEFINE(HAVE_LIBNDBM),
+	HAVE_LIBNDBM=no)
+AC_SUBST(HAVE_LIBNDBM)
+AC_CHECK_LIB(db, dbm_store, HAVE_LIBDB=yes ; AC_DEFINE(HAVE_LIBDB),
+	HAVE_LIBDB=no)
+if test x$HAVE_LIBDB != xyes ; then
+	AC_CHECK_LIB(db, db_create, HAVE_LIBDB=yes ; AC_DEFINE(HAVE_LIBDB),
+	HAVE_LIBDB=no)
+fi
+AC_SUBST(HAVE_LIBDB)
+AC_CHECK_LIB(fl, yylex, yyterminate, HAVE_LIBFL=yes ; AC_DEFINE(HAVE_LIBFL),
+	HAVE_LIBFL=no)
+AC_SUBST(HAVE_LIBFL)
+AC_CHECK_LIB(nsl, yp_maplist, HAVE_LIBNSL=yes ; AC_DEFINE(HAVE_LIBNSL),
+	HAVE_LIBNSL=no)
+AC_SUBST(HAVE_LIBNSL)
+AC_CHECK_LIB(pwdb, pwdb_db_name, HAVE_LIBPWDB=yes ; AC_DEFINE(HAVE_LIBPWDB),
+	HAVE_LIBPWDB=no)
+AC_SUBST(HAVE_LIBPWDB)
+AC_CHECK_LIB(fl, yywrap, HAVE_LIBFLEX=yes ; AC_DEFINE(HAVE_LIBFLEX),
+	HAVE_LIBFLEX=no)
+AC_SUBST(HAVE_LIBFLEX)
+AC_CHECK_LIB(l, yywrap, HAVE_LIBLEX=yes ; AC_DEFINE(HAVE_LIBLEX),
+	HAVE_LIBLEX=no)
+AC_SUBST(HAVE_LIBLEX)
+
+dnl Checks for header files.
+AC_HEADER_DIRENT
+AC_HEADER_STDC
+AC_HEADER_SYS_WAIT
+AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h termio.h unistd.h sys/fsuid.h)
+
+dnl Linux wants features.h in some of the source files.
+AC_CHECK_HEADERS(features.h)
+
+dnl For module/pam_cracklib
+AC_CHECK_HEADERS(crypt.h)
+
+dnl For module/pam_userdb
+AC_CHECK_HEADERS(ndbm.h db.h)
+dnl I suspect the following two lines are a hack.
+HAVE_NDBM_H=$ac_cv_header_ndbm_h
+AC_SUBST(HAVE_NDBM_H)
+
+dnl For module/pam_lastlog
+AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
+
+dnl This following rule should be made conditional upon HAVE_LIBCRYPT
+dnl being found.
+
+dnl Look for cracklib dictionary
+AC_MSG_CHECKING(path to cracklib dictionary)
+DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \
+  /usr/local/lib /usr/local/share/lib"
+DICT_FILE_CANDIDATES="pw_dict cracklib_dict"
+CRACKLIB_DICTPATH=""
+for d in $DICT_DIR_CANDIDATES ; do
+      for f in $DICT_FILE_CANDIDATES ; do
+              if test -r $d/$f.hwm ; then
+                      CRACKLIB_DICTPATH=$d/$f
+                      break 2
+              elif test -r $d/dict/$f.hwm ; then
+                      CRACKLIB_DICTPATH=$d/dict/$f
+                      break 2
+              fi
+      done
+done
+if test -z "$CRACKLIB_DICTPATH" ; then
+      AC_MSG_RESULT(none found)
+else
+      AC_MSG_RESULT($CRACKLIB_DICTPATH)
+fi
+AC_SUBST(CRACKLIB_DICTPATH)
+
+dnl Set FLAGS, linker options etc. depending on C compiler.
+dnl gcc is tested and much preferred; others less so, if at all
+dnl
+dnl If compiling with gcc, linking is also supposed to be done with gcc;
+dnl since we use linker-specific arguments, we may not gain anything by
+dnl switching LD_L over, but I think we can use LD_D as-is.
+dnl
+dnl For the moment, gcc is enforced above at "CC=gcc".
+dnl
+dnl There is an issue over _POSIX_SOURCE _BSD_SOURCE and _GNU_SOURCE .
+dnl The original "Linux-PAM" had blanket inclusion.  But portability
+dnl requires their default absence: if particular OSes require them,
+dnl this should be done selectively.
+
+GCC_WARNINGS="-Wall -Wwrite-strings \
+	-Wpointer-arith -Wcast-qual -Wcast-align \
+	-Wstrict-prototypes -Wmissing-prototypes \
+	-Wnested-externs -Winline -Wshadow"
+
+if test "$GCC" = yes; then
+	CC=gcc				; AC_SUBST(CC)
+### May need per-OS attention
+### Example: -D_POSIX_SOURCE: needed on Linux but harms Solaris.
+	case $OS in
+	linux)
+		OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic"
+		LD_D="gcc -shared -Xlinker -x"
+		WARNINGS="$GCC_WARNINGS"
+		PIC="-fPIC"
+		DYNTYPE=so
+		LD=ld				
+		LD_L="$LD -x -shared"
+		RANLIB=ranlib
+		STRIP=strip
+		CC_STATIC="-Xlinker -export-dynamic"
+		;;
+	sunos)
+		OS_CFLAGS="-ansi -pedantic"
+		LD_D="gcc -shared -Xlinker -x"
+		WARNINGS="$GCC_WARNINGS"
+		PIC="-fPIC"
+		DYNTYPE=so
+		LD=ld				
+		LD_L="$LD -x -shared"
+		RANLIB=ranlib
+		STRIP=strip
+		CC_STATIC="-Xlinker -export-dynamic"
+		;;
+	aix)
+		OS_CFLAGS=""
+		DYNTYPE=lo
+		LD=ld				
+		LD_L=ld -bexpall -bM:SRE -bnoentry
+		LD_D="$LD_L"
+		RANLIB=ranlib
+		STRIP=strip
+		;;
+	*)
+		OS_CFLAGS=""
+		;;
+	esac
+else
+###
+### Non-gcc needs attention on per-OS basis
+###
+	case "$OS" in
+	darwin)
+# add some stuff here (see sourceforge bug 534205)
+# DOCDIR=/System/Documentation/Administration/Libraries/PAM
+# MANDIR=/usr/share/man
+		;;
+	solaris)
+	    ### Support for Solaris-C
+	    OS_CFLAGS=""
+	    WARNINGS=""
+	    PIC="-K pic"
+	    LD=ld
+	    LD_D="cc -z text -G -R."
+	    LD_L="$LD_D"
+	    RANLIB=ranlib
+	    STRIP=strip
+	    CC_STATIC=
+	    ;;
+	irix*)
+	    OSRELEASE=`uname -r`
+	    if test "$OSRELEASE" = 6.5; then
+		OS_CFLAGS=""
+		WARNINGS="-fullwarn"
+		PIC=                    #PIC code is default for IRIX
+		LD="cc -shared"         # modules friendly approach
+		LD_D="cc -shared"
+		LD_L="ld -G -z redlocsym"
+		RANLIB=echo
+		STRIP=strip
+		CC_STATIC=
+	    else
+		echo "IRIX prior to 6.5 not allowed for"
+		exit
+	    fi
+	    ;;
+       *) echo "Native compiler on $OS is not yet supported"
+               exit
+	    ;;
+       esac
+fi
+
+AC_SUBST(DYNTYPE)
+AC_SUBST(OS_CFLAGS)
+AC_SUBST(WARNINGS)
+AC_SUBST(PIC)
+AC_SUBST(LD)
+AC_SUBST(LD_D)
+AC_SUBST(LD_L)
+AC_SUBST(RANLIB)
+AC_SUBST(STRIP)
+AC_SUBST(CC_STATIC)
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_BIGENDIAN
+AC_C_CONST
+AC_TYPE_UID_T
+AC_TYPE_OFF_T
+AC_TYPE_PID_T
+AC_TYPE_SIZE_T
+AC_HEADER_TIME
+AC_STRUCT_TM
+
+dnl Checks for library functions.
+AC_TYPE_GETGROUPS
+AC_PROG_GCC_TRADITIONAL
+AC_FUNC_MEMCMP
+AC_FUNC_VPRINTF
+AC_CHECK_FUNCS(gethostname gettimeofday mkdir select strcspn strdup strerror strspn strstr strtol uname)
+
+AC_CHECK_FUNCS(getpwnam_r getgrnam_r)
+
+dnl Checks for programs/utilities
+AC_CHECK_PROG(HAVE_SGML2TXT, sgml2txt, yes, no)
+AC_CHECK_PROG(HAVE_SGML2HTML, sgml2html, yes, no)
+AC_CHECK_PROG(HAVE_SGML2LATEX, sgml2latex, yes, no)
+if test $HAVE_SGML2LATEX = "yes" ; then
+  if sgml2latex -h | grep -e --paper | grep  ' -p ' > /dev/null ; then
+    PSER="sgml2latex -o ps"
+  else
+    PSER="sgml2latex -p"
+  fi
+  AC_CHECK_PROG(HAVE_PS2PDF, ps2pdf, yes, no)
+else
+  AC_CHECK_PROG(HAVE_SGML2PS, sgml2ps, yes, no)
+  if test $HAVE_SGML2PS = yes ; then
+    PSER="sgml2ps"
+  fi
+fi
+AC_SUBST(PSER)
+AC_SUBST(PS2PDF)
+
+dnl Files to be created from when we run configure
+AC_OUTPUT(Make.Rules)
diff --git a/Linux-PAM/defs/debian.defs b/Linux-PAM/defs/debian.defs
new file mode 100644
index 00000000..19ba4663
--- /dev/null
+++ b/Linux-PAM/defs/debian.defs
@@ -0,0 +1,40 @@
+##
+# defs for Debian
+# Ben Collins <bcollins@debian.org>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+##
+
+CFLAGS	:= -O2 -I${shell pwd}/include # -D__NO_STRING_INLINES
+ifneq (,$(findstring $(DEB_BUILD_OPTIONS),debug DEBUG Debug))
+  CFLAGS += -g
+endif
+
+OS		:= $(shell dpkg-architecture -qDEB_BUILD_GNU_SYSTEM)
+ARCH		:= $(shell dpkg-architecture -qDEB_BUILD_GNU_CPU)
+CC		:= gcc
+INSTALL	:= install
+MKDIR		:= mkdir -p
+ULIBS		:=
+LD		:= ld
+LD_D		:= gcc -shared -Xlinker -x
+LD_L		:= $(LD) -x -shared 
+AR		:= ar -cr
+RANLIB		:= ranlib
+PREFIX		:=
+LIBDIR		:= $(PREFIX)/lib
+USESONAME	:= yes
+SOSWITCH	:= -soname
+LINKLIBS	:= -lc -L${shell pwd}/libpam -L${shell pwd}/libpam_misc
+NEEDSONAME	:= no
+LDCONFIG	:= /sbin/ldconfig
+FAKEROOT	:=
+SUPLEMENTED	:= $(PREFIX)/sbin
+SECUREDIR	:= $(LIBDIR)/security
+INCLUDED	:= /usr/include/security
+CONFIGED	:= /etc
+SCONFIGED	:= /etc/security
+EXTRALS		:= -lnsl -lcrypt
+WARNINGS	:= -Wall
diff --git a/Linux-PAM/defs/hpux.defs b/Linux-PAM/defs/hpux.defs
new file mode 100644
index 00000000..d8341983
--- /dev/null
+++ b/Linux-PAM/defs/hpux.defs
@@ -0,0 +1,36 @@
+##
+#  HPUX defs contributed by Derrick J Brashear <shadow@dementia.org>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the default version. Please look in .../defs/ for your
+# preferred OS/vendor.
+
+OS=hpux9
+ARCH=hpux
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=-g -DPAM_SHL -DHAVE_UTMP_H
+ULIBS=
+LD=ld                                      
+LD_D=$(LD) -b
+LD_L=$(LD) -b
+USESONAME=no
+NEEDSONAME=no
+LDCONFIG=:
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=
+PREFIX=/usr
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
+DYNLOAD="dld"
+DYNTYPE="sl"
+SHLIBMODE=755
diff --git a/Linux-PAM/defs/linux.defs b/Linux-PAM/defs/linux.defs
new file mode 100644
index 00000000..0e274320
--- /dev/null
+++ b/Linux-PAM/defs/linux.defs
@@ -0,0 +1,32 @@
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the default version. Please look in .../defs/ for your
+# preferred OS/vendor.
+
+OS=linux
+ARCH=i386		# should be changed for alpha
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=-O7 -pipe -g
+ULIBS=#-lefence
+LD=ld
+LD_D=gcc -shared -Xlinker -x
+LD_L=$(LD) -x -shared 
+USESONAME=yes
+LINKLIBS=-lc
+SOSWITCH=-soname
+NEEDSONAME=no
+LDCONFIG=/sbin/ldconfig
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=
+PREFIX=/usr
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
diff --git a/Linux-PAM/defs/morgan.defs b/Linux-PAM/defs/morgan.defs
new file mode 100644
index 00000000..2b0cf289
--- /dev/null
+++ b/Linux-PAM/defs/morgan.defs
@@ -0,0 +1,36 @@
+##
+# defs for Andrew's debugging version (which is a modified Red Hat
+# box)
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the version used for Red Hat Linux.
+
+OS=linux
+ARCH=i386
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=$(RPM_OPT_FLAGS) -pipe -g
+ULIBS=
+#-lefence
+LD=ld
+LD_D=gcc -shared -Xlinker -x
+LD_L=$(LD) -x -shared 
+USESONAME=yes
+SOSWITCH=-soname
+LINKLIBS=-lc
+NEEDSONAME=no
+LDCONFIG=/sbin/ldconfig
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=$(RPM_BUILD_ROOT)
+PREFIX=
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security.d
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
diff --git a/Linux-PAM/defs/redhat.defs b/Linux-PAM/defs/redhat.defs
new file mode 100644
index 00000000..a6ed36da
--- /dev/null
+++ b/Linux-PAM/defs/redhat.defs
@@ -0,0 +1,36 @@
+##
+# defs for Red Hat Linux
+# Michael K. Johnson <johnsonm@redhat.com>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the version used for Red Hat Linux.
+
+OS=linux
+ARCH=$(shell rpm --showrc | grep '^build arch' | sed 's/^.*: //g')
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=$(RPM_OPT_FLAGS) -pipe -g
+ULIBS=#-lefence
+LD=ld
+LD_D=gcc -shared -Xlinker -x
+LD_L=$(LD) -x -shared 
+USESONAME=yes
+SOSWITCH=-soname
+LINKLIBS=-lc
+NEEDSONAME=no
+LDCONFIG=/sbin/ldconfig
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=$(RPM_BUILD_ROOT)
+PREFIX=
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
+EXTRALS=-lcrypt
diff --git a/Linux-PAM/defs/redhat4.defs b/Linux-PAM/defs/redhat4.defs
new file mode 100644
index 00000000..219abeb6
--- /dev/null
+++ b/Linux-PAM/defs/redhat4.defs
@@ -0,0 +1,35 @@
+##
+# defs for Red Hat Linux
+# Michael K. Johnson <johnsonm@redhat.com>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the version used for Red Hat Linux.
+
+OS=linux
+ARCH=$(shell rpm --showrc | grep '^build arch' | sed 's/^.*: //g')
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=$(RPM_OPT_FLAGS) -pipe -g
+ULIBS=#-lefence
+LD=ld
+LD_D=gcc -shared -Xlinker -x
+LD_L=$(LD) -x -shared 
+USESONAME=yes
+SOSWITCH=-soname
+LINKLIBS=-lc
+NEEDSONAME=no
+LDCONFIG=/sbin/ldconfig
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=$(RPM_BUILD_ROOT)
+PREFIX=
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
diff --git a/Linux-PAM/defs/solaris-2.1.5.defs b/Linux-PAM/defs/solaris-2.1.5.defs
new file mode 100644
index 00000000..4624b604
--- /dev/null
+++ b/Linux-PAM/defs/solaris-2.1.5.defs
@@ -0,0 +1,45 @@
+##
+#  Solaris defs contributed by Josh Wilmes <josh@makita.jpl.nasa.gov>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the default version. Please look in .../defs/ for your
+# preferred OS/vendor.
+
+# Please note that the linker used must be the GNU ld, not the native Sun
+# linker.  It is fairly common for the gnu linker (/usr/ccs/bin/ld) to be
+# configured as the default linker for gcc.  To tell gcc to use the
+# gnu linker, you need to set the GCC_EXEC_PREFIX environment variable
+# to point at the directory where the gnu linker is installed.  Here's
+# what I do:
+# $ mkdir /tmp/foo
+# $ ln -s /path/to/gnu/ld /tmp/foo/ld
+# $ export GCC_EXEC_PREFIX=/tmp/foo/
+# $ export PATH=/tmp/foo:$PATH
+
+OS=solaris
+ARCH=sun
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=-O7 -pipe -g -D__EXTENSIONS__ -Dsolaris
+ULIBS=
+LD_D=gcc -shared -Xlinker -x  
+LD=ld                                      
+LD_L=$(LD) -G
+USESONAME=yes
+SOSWITCH=-h
+NEEDSONAME=no
+LDCONFIG=/sbin/echo
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=
+PREFIX=/usr
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
diff --git a/Linux-PAM/defs/solaris.defs b/Linux-PAM/defs/solaris.defs
new file mode 100644
index 00000000..f9f26529
--- /dev/null
+++ b/Linux-PAM/defs/solaris.defs
@@ -0,0 +1,48 @@
+##
+#  Solaris defs contributed by Josh Wilmes <josh@makita.jpl.nasa.gov>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the default version. Please look in .../defs/ for your
+# preferred OS/vendor.
+
+# Please note that the linker used must be the GNU ld, not the native Sun
+# linker.  It is fairly common for the gnu linker (/usr/ccs/bin/ld) to be
+# configured as the default linker for gcc.  To tell gcc to use the
+# gnu linker, you need to set the GCC_EXEC_PREFIX environment variable
+# to point at the directory where the gnu linker is installed.  Here's
+# what I do:
+# $ mkdir /tmp/foo
+# $ ln -s /path/to/gnu/ld /tmp/foo/ld
+# $ export GCC_EXEC_PREFIX=/tmp/foo/
+# $ export PATH=/tmp/foo:$PATH
+
+OS=solaris
+ARCH=sun
+CC=cc
+INSTALL=install
+MKDIR=mkdir -p
+WARNINGS = -D_POSIX_SOURCE 
+PIC=-KPIC
+CFLAGS=-g -D__EXTENSIONS__ -Dsolaris
+ULIBS=
+LD=ld                                      
+LD_L=$(LD) -G 
+LD_D=$(LD_L)
+RDYNAMIC=
+USESONAME=yes
+SOSWITCH=-h
+NEEDSONAME=no
+LDCONFIG=echo
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=
+PREFIX=/usr
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
diff --git a/Linux-PAM/defs/sunos.defs b/Linux-PAM/defs/sunos.defs
new file mode 100644
index 00000000..158accc5
--- /dev/null
+++ b/Linux-PAM/defs/sunos.defs
@@ -0,0 +1,37 @@
+##
+#  SunOS defs contributed by Derrick J Brashear <shadow@dementia.org>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the SunOS version. Please look in .../defs/ for your
+# preferred OS/vendor.
+
+OS=sunos
+ARCH=sun
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=-O2 -pipe -g -D__EXTENSIONS__
+ULIBS=
+LD_D=gcc -shared -Xlinker -x  
+LD=ld                                      
+LD_L=$(LD)
+USESONAME=no
+NEEDSONAME=yes
+LDCONFIG=/usr/etc/ldconfig
+AR=ar cr
+RANLIB=ranlib
+FAKEROOT=
+PREFIX=/usr
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
+WARNINGS= -ansi -Wall -Wwrite-strings \
+        -Wpointer-arith -Wcast-qual -Wcast-align \
+        -Wtraditional -Wstrict-prototypes -Wmissing-prototypes \
+        -Wnested-externs -Winline -Wshadow
diff --git a/Linux-PAM/defs/suse.defs b/Linux-PAM/defs/suse.defs
new file mode 100644
index 00000000..1fc6b741
--- /dev/null
+++ b/Linux-PAM/defs/suse.defs
@@ -0,0 +1,36 @@
+##
+# defs for SuSE Linux
+# Thorsten Kukuk <kukuk@suse.de>
+##
+# this file indicates the compiler and the various hardware/OS dependent
+# flags for installation. It also defines the various destinations of
+# installed files on the system.
+#
+# This file is the version used for SuSE Linux.
+
+OS=linux
+ARCH=$(shell rpm --showrc | grep 'build arch' | grep -v "compatible" | sed 's/^.*: //g')
+CC=gcc
+INSTALL=install
+MKDIR=mkdir -p
+CFLAGS=$(RPM_OPT_FLAGS) -pipe -D_REENTRANT
+ULIBS=#-lefence
+LD=ld
+LD_D=gcc -shared -Xlinker -x
+LD_L=$(LD) -x -shared
+USESONAME=yes
+SOSWITCH=-soname
+LINKLIBS=-lc
+NEEDSONAME=yes
+LDCONFIG=/sbin/ldconfig
+AR=ar -cr
+RANLIB=ranlib
+FAKEROOT=$(RPM_BUILD_ROOT)
+PREFIX=
+SUPLEMENTED=$(PREFIX)/sbin
+LIBDIR=$(PREFIX)/lib
+SECUREDIR=$(LIBDIR)/security
+INCLUDED=/usr/include/security
+CONFIGED=/etc
+SCONFIGED=/etc/security
+EXTRALS=-lcrypt
diff --git a/Linux-PAM/doc/CREDITS b/Linux-PAM/doc/CREDITS
new file mode 100644
index 00000000..1b40f7fd
--- /dev/null
+++ b/Linux-PAM/doc/CREDITS
@@ -0,0 +1,49 @@
+<!--
+ an sgml list of people to credit for their contributions to Linux-PAM
+ $Id: CREDITS,v 1.1.1.1 2001/04/29 04:16:27 hartmans Exp $
+  -->
+Chris Adams,
+Peter Allgeyer,
+Tim Baverstock,
+Tim Berger,
+Craig S. Bell,
+Derrick J. Brashear,
+Ben Buxton,
+Seth Chaiklin,
+Oliver Crow,
+Chris Dent,
+Marc Ewing,
+Cristian Gafton,
+Emmanuel Galanos,
+Brad M. Garcia,
+Eric Hester,
+Michel D'Hooge,
+Roger Hu,
+Eric Jacksch,
+Michael K. Johnson,
+David Kinchlea,
+Olaf Kirch,
+Marcin Korzonek,
+Stephen Langasek,
+Nicolai Langfeldt,
+Elliot Lee,
+Luke Kenneth Casson Leighton,
+Al Longyear,
+Ingo Luetkebohle,
+Marek Michalkiewicz,
+Robert Milkowski,
+Aleph One,
+Martin Pool,
+Sean Reifschneider,
+Jan Rekorajski,
+Erik Troan,
+Theodore Ts'o,
+Jeff Uphoff,
+Myles Uyema,
+Savochkin Andrey Vladimirovich,
+Ronald Wahl,
+David Wood,
+John Wilmes,
+Joseph S. D. Yao
+and
+Alex O.  Yuriev.
diff --git a/Linux-PAM/doc/Makefile b/Linux-PAM/doc/Makefile
new file mode 100644
index 00000000..20c2a23f
--- /dev/null
+++ b/Linux-PAM/doc/Makefile
@@ -0,0 +1,167 @@
+
+### $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $
+
+include ../Make.Rules
+
+#######################################################
+
+FILES=pam pam_appl pam_modules
+FSRCS=pam.sgml pam_appl.sgml pam_modules.sgml
+
+TEXTS=txts/pam.txt txts/pam_appl.txt txts/pam_modules.txt
+HTMLS=html/pam.html html/pam_appl.html html/pam_modules.html
+PSFILES=ps/pam.ps ps/pam_appl.ps ps/pam_modules.ps
+PDFFILES=pdf/pam.pdf ps/pam_appl.pdf ps/pam_modules.pdf
+
+MODULES=$(shell ls modules/*.sgml)
+
+#######################################################
+
+dummy:
+	@echo "Making the documentation..."
+	@$(MAKE) all
+
+# note, at this time we don't include pdf files by default, but you
+# can type make pdf in this directory and see what happens in the pdf
+# subdirectory.
+
+all: htmls texts postscript
+
+htmls: $(HTMLS)
+
+$(HTMLS) : $(FSRCS)
+ifeq ($(HAVE_SGML2HTML),yes)
+	@for i in $(FILES) ; do \
+	if [ ! -f "html/$$i.html" ] || [ "$$i.sgml" -nt "html/$$i.html" ]; \
+	then \
+		cd html ; sgml2html ../$$i ; \
+		if [ $$? -ne 0 ]; then exit 1 ; fi ; \
+		cd .. ; \
+	fi ; \
+	done
+else
+	@echo XXX - you do not have the sgml2html binary installed
+endif
+
+texts: $(TEXTS)
+
+$(TEXTS) : $(FSRCS)
+ifeq ($(HAVE_SGML2TXT),yes)
+	@for i in $(FILES) ; do \
+		if [ ! -f "txts/$$i.txt" ] \
+				|| [ "$$i.sgml" -nt "txts/$$i.txt" ]; then \
+			cd txts ; sgml2txt ../$$i ; cd .. ; \
+		fi ; \
+	done
+else
+	@echo XXX - you do not have the sgml2txt binary installed
+endif
+
+postscript: $(PSFILES)
+
+$(PSFILES): $(FSRCS)
+ifneq ($(PSER),)
+	@for i in $(FILES) ; do \
+	if [ ! -f "ps/$$i.ps" ] || [ "$$i.sgml" -nt "ps/$$i.ps" ]; then \
+		cd ps ; $(PSER) ../$$i ; cd .. ; \
+	fi ; \
+	done
+else
+	@echo XXX - neither sgml2ps nor sgml2latex binaries are installed
+endif
+
+pdf: $(PDFFILES)
+
+$(PDFFILES) : $(PSFILES)
+ifeq ($(HAVE_PS2PDF),yes)
+	@for i in $(FILES) ; do \
+	if [ ! -f "pdf/$$i.pdf" ] || [ "ps/$$i.ps" -nt "ps/$$i.pdf" ]; then \
+		ps2pdf ps/$$i.ps pdf/$$i.pdf ; \
+	fi ; \
+	done
+else
+	@echo XXX - ps2pdf is not installed
+endif
+
+pam.sgml: pam_source.sgml MODULES-SGML CREDITS
+	@sed -e '/^<!\-\- insert\-file MODULES\-SGML \-\->/r MODULES-SGML' pam_source.sgml | sed -e '/^<!\-\- insert\-file CREDITS \-\->/r CREDITS' > pam.sgml
+
+MODULES-SGML: $(MODULES)
+	@echo 'Building module text from files in modules/*.sgml'
+	@rm -f MODULES-SGML
+	@echo '<!-- modules included:' > MODULES-SGML
+	@ls modules/*.sgml >> MODULES-SGML
+	@echo '  and that is all -->' >> MODULES-SGML
+	@cat modules/*.sgml >> MODULES-SGML
+
+extraclean: clean
+
+remove:
+	cd man && for file in *.3 ; do \
+	  rm -f $(FAKEROOT)$(MANDIR)/man3/$$file ; \
+	done
+	cd man && for file in *.8 ; do \
+	  rm -f $(FAKEROOT)$(MANDIR)/man8/$$file ; \
+	done
+	cd txts && for file in *.txt; do \
+	  rm -f $(FAKEROOT)$(DOCDIR)/text/$$file ; \
+	done
+	cd ps && for file in *.ps; do \
+	  rm -f $(FAKEROOT)$(DOCDIR)/ps/$$file  ; \
+	done
+	cd html && for file in *.html; do \
+	  rm -f $(FAKEROOT)$(DOCDIR)/html/$$file ; \
+	done
+
+install: all
+ifeq ($(HAVE_SGML2TXT),yes)
+	mkdir -p $(FAKEROOT)$(DOCDIR)/text
+	for file in txts/*.txt; do \
+	  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/text ; \
+	done
+endif
+ifneq ($(PSER),)
+	mkdir -p $(FAKEROOT)$(DOCDIR)/ps
+	for file in ps/*.ps; do \
+	  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/ps  ; \
+	done
+	ifeq ($(HAVE_PS2PDF),yes)
+		mkdir -p $(FAKEROOT)$(DOCDIR)/pdf
+		for file in pdf/*.pdf; do \
+		  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/pdf  ; \
+		done
+	endif
+endif
+ifeq ($(HAVE_SGML2HTML),yes)
+	mkdir -p $(FAKEROOT)$(DOCDIR)/html
+	for file in html/*.html; do \
+	  install -m 644 $$file $(FAKEROOT)$(DOCDIR)/html ; \
+	done
+endif
+	mkdir -p $(FAKEROOT)$(MANDIR)/man3
+	mkdir -p $(FAKEROOT)$(MANDIR)/man8
+	for file in man/*.3 ; do \
+	  install -m 644 $$file $(FAKEROOT)$(MANDIR)/man3 ; \
+	done
+	for file in man/*.8 ; do \
+	  install -m 644 $$file $(FAKEROOT)$(MANDIR)/man8 ; \
+	done
+
+spec: specs/draft-morgan-pam.raw
+	cd specs/formatter && $(MAKE)
+	specs/formatter/padout < specs/draft-morgan-pam.raw > specs/draft-morgan-pam-current.txt
+
+releasedocs: all spec
+	tar zvfc Linux-PAM-$(MAJOR_REL).$(MINOR_REL)-docs.tar.gz --exclude CVS  html ps txts specs/draft-morgan-pam-current.txt
+
+clean:
+	rm -f *~ *.bak
+	rm -f html/pam*.html
+	rm -f man/*~
+	rm -f $(TEXTS)
+	rm -f $(PSFILES) ps/missfont.log
+	rm -f pdf/*.pdf
+	rm -f MODULES-SGML pam.sgml
+	rm -f specs/draft-morgan-pam-current.txt
+	$(MAKE) -C specs/formatter clean
+
diff --git a/Linux-PAM/doc/NOTES b/Linux-PAM/doc/NOTES
new file mode 100644
index 00000000..b0f40d47
--- /dev/null
+++ b/Linux-PAM/doc/NOTES
@@ -0,0 +1,16 @@
+Things to be added:
+
+@ modules:
+@ application:
+
+	use of
+		'user' = user to become,
+		'uid' = user requesting service
+		'euid' = privilege of current process.
+
+@ sysadmin:
+
+	included modules:
+		behavior
+	non-included modules:
+		behavior/pointers.
diff --git a/Linux-PAM/doc/figs/pam_orient.txt b/Linux-PAM/doc/figs/pam_orient.txt
new file mode 100644
index 00000000..a8b745a1
--- /dev/null
+++ b/Linux-PAM/doc/figs/pam_orient.txt
@@ -0,0 +1,23 @@
+
+
+
+	 +----------------+
+	 | application: X |
+         +----------------+	  /  +----------+     +================+
+       	 | authentication-[---->--\--] Linux-   |--<--| /etc/pam.conf  |
+	 |       +        [----<--/--] 	 PAM    |     |================|
+	 |[conversation()][--+    \  |          |     | X auth .. a.so |
+	 +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
+	 |                |  |       __|  |           |           _____/
+	 |  service user  |  A      |  	  |           |____,-----' 
+	 |                |  |      V  	  A	        	   
+	 +----------------+  +------|-----|---------+ -----+------+
+	                        +---u-----u----+    |	   |	  |
+			        |   auth....   |--[ a ]--[ b ]--[ c ]
+				+--------------+
+				|   acct....   |--[ b ]--[ d ]
+				+--------------+
+				|   password   |--[ b ]--[ c ]
+				+--------------+
+				|   session    |--[ e ]--[ c ]
+				+--------------+
\ No newline at end of file
diff --git a/Linux-PAM/doc/html/index.html b/Linux-PAM/doc/html/index.html
new file mode 100644
index 00000000..8ab3b9ec
--- /dev/null
+++ b/Linux-PAM/doc/html/index.html
@@ -0,0 +1,21 @@
+
+<HTML>
+<HEAD>
+<TITLE>Linux-PAM - Pluggable Authentication Modules for Linux</TITLE>
+</HEAD>
+<BODY>
+
+<p>
+Here is the documentation for Linux-PAM. As you will see it is
+currently not complete. However, in order of decreasing length:
+
+<ul>
+<li> <a href="pam.html">The System Administrators' Guide</a>
+<li> <a href="pam_modules.html">The Module Writers' Manual</a>
+<li> <a href="pam_appl.html">The Application developers' Manual</a>
+</ul>
+
+<hr>
+<p>
+REVISION: <tt>$Id: index.html,v 1.1.1.1 2001/04/29 04:16:52 hartmans Exp $</tt>
+</BODY>
diff --git a/Linux-PAM/doc/man/pam.8 b/Linux-PAM/doc/man/pam.8
new file mode 100644
index 00000000..f2ef9c1f
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.8
@@ -0,0 +1,369 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam.8,v 1.1.1.1 2001/04/29 04:16:52 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1996-7,2001 <morgan@kernel.org>
+.TH PAM 8 "2001 Jan 20" "Linux-PAM 0.74" "Linux-PAM Manual"
+.SH NAME
+
+Linux-PAM \- Pluggable Authentication Modules for Linux
+
+.SH SYNOPSIS
+.B /etc/pam.conf
+.sp 2
+.SH DESCRIPTION
+
+This manual is intended to offer a quick introduction to
+.BR Linux-PAM ". "
+For more information the reader is directed to the
+.BR "Linux-PAM system administrators' guide".
+
+.sp
+.BR Linux-PAM
+Is a system of libraries that handle the authentication tasks of
+applications (services) on the system.  The library provides a stable
+general interface (Application Programming Interface - API) that
+privilege granting programs (such as
+.BR login "(1) "
+and
+.BR su "(1)) "
+defer to to perform standard authentication tasks.
+
+.sp
+The principal feature of the PAM approach is that the nature of the
+authentication is dynamically configurable.  In other words, the
+system administrator is free to choose how individual
+service-providing applications will authenticate users. This dynamic
+configuration is set by the contents of the single
+.BR Linux-PAM
+configuration file
+.BR /etc/pam.conf "."
+Alternatively, the configuration can be set by individual
+configuration files located in the
+.B /etc/pam.d/
+directory.
+.IB "The presence of this directory will cause " Linux-PAM " to ignore"
+.BI /etc/pam.conf "."
+
+.sp
+From the point of view of the system administrator, for whom this
+manual is provided, it is not of primary importance to understand the
+internal behavior of the
+.BR Linux-PAM
+library.  The important point to recognize is that the configuration
+file(s)
+.I define
+the connection between applications
+.BR "" "(" services ")"
+and the pluggable authentication modules
+.BR "" "(" PAM "s)"
+that perform the actual authentication tasks.
+
+.sp
+.BR Linux-PAM
+separates the tasks of
+.I authentication
+into four independent management groups:
+.BR "account" " management; "
+.BR "auth" "entication management; "
+.BR "password" " management; "
+and
+.BR "session" " management."
+(We highlight the abbreviations used for these groups in the
+configuration file.)
+
+.sp
+Simply put, these groups take care of different aspects of a typical
+user's request for a restricted service:
+
+.sp
+.BR account " - "
+provide account verification types of service: has the user's password
+expired?; is this user permitted access to the requested service?
+
+.br
+.BR auth "entication - "
+establish the user is who they claim to be. Typically this is via some
+challenge-response request that the user must satisfy: if you are who
+you claim to be please enter your password.  Not all authentications
+are of this type, there exist hardware based authentication schemes
+(such as the use of smart-cards and biometric devices), with suitable
+modules, these may be substituted seamlessly for more standard
+approaches to authentication - such is the flexibility of
+.BR Linux-PAM "."
+
+.br
+.BR password " - "
+this group's responsibility is the task of updating authentication
+mechanisms. Typically, such services are strongly coupled to those of
+the
+.BR auth
+group. Some authentication mechanisms lend themselves well to being
+updated with such a function. Standard UN*X password-based access is
+the obvious example: please enter a replacement password.
+
+.br
+.BR session " - "
+this group of tasks cover things that should be done prior to a
+service being given and after it is withdrawn. Such tasks include the
+maintenance of audit trails and the mounting of the user's home
+directory. The
+.BR session
+management group is important as it provides both an opening and
+closing hook for modules to affect the services available to a user.
+
+.SH The configuration file(s)
+
+When a
+.BR Linux-PAM
+aware privilege granting application is started, it activates its
+attachment to the PAM-API.  This activation performs a number of
+tasks, the most important being the reading of the configuration file(s):
+.BR /etc/pam.conf "."
+Alternatively, this may be the contents of the
+.BR /etc/pam.d/
+directory.
+
+These files list the
+.BR PAM "s"
+that will do the authentication tasks required by this service, and
+the appropriate behavior of the PAM-API in the event that individual
+.BR PAM "s "
+fail.
+
+.sp
+The syntax of the
+.B /etc/pam.conf
+configuration file is as follows. The file is made
+up of a list of rules, each rule is typically placed on a single line,
+but may be extended with an escaped end of line: `\\<LF>'. Comments
+are preceded with `#' marks and extend to the next end of line.
+
+.sp
+The format of each rule is a space separated collection of tokens, the
+first three being case-insensitive:
+
+.sp
+.br
+.BR "   service  type  control  module-path  module-arguments"
+
+.sp
+The syntax of files contained in the
+.B /etc/pam.d/
+directory, are identical except for the absence of any
+.I service 
+field. In this case, the
+.I service
+is the name of the file in the
+.B /etc/pam.d/
+directory. This filename must be in lower case.
+
+.sp
+An important feature of
+.BR Linux-PAM ", "
+is that a number of rules may be
+.I stacked
+to combine the services of a number of PAMs for a given authentication
+task.
+
+.sp
+The
+.BR service
+is typically the familiar name of the corresponding application:
+.BR login
+and 
+.BR su
+are good examples. The
+.BR service "-name, " other ", "
+is reserved for giving
+.I default
+rules.  Only lines that mention the current service (or in the absence
+of such, the
+.BR other
+entries) will be associated with the given service-application.
+
+.sp
+The
+.BR type
+is the management group that the rule corresponds to. It is used to
+specify which of the management groups the subsequent module is to
+be associated with. Valid entries are:
+.BR account "; "
+.BR auth "; "
+.BR password "; "
+and
+.BR session "."
+The meaning of each of these tokens was explained above.
+
+.sp
+The third field,
+.BR control ", "
+indicates the behavior of the PAM-API should the module fail to
+succeed in its authentication task. There are two types of syntax for
+this control field: the simple one has a single simple keyword; the
+more complicated one involves a square-bracketed selection of
+.B value=action
+pairs.
+
+.sp
+For the simple (historical) syntax valid
+.BR control
+values are:
+.BR requisite
+- failure of such a PAM results in the immediate termination of the
+authentication process;
+.BR required
+- failure of such a PAM will ultimately lead to the PAM-API returning
+failure but only after the remaining
+.I stacked
+modules (for this
+.BR service
+and
+.BR type ")"
+have been invoked;
+.BR sufficient
+- success of such a module is enough to satisfy the authentication
+requirements of the stack of modules (if a prior
+.BR required
+module has failed the success of this one is
+.IR ignored "); "
+.BR optional
+- the success or failure of this module is only important if it is the
+only module in the stack associated with this
+.BR service "+" type "."
+
+.sp
+For the more complicated syntax valid
+.B control
+values have the following form:
+.sp
+.RB  [value1=action1 value2=action2 ...]
+.sp
+Where
+.B valueN
+corresponds to the return code from the function invoked in the module
+for which the line is defined. It is selected from one of these:
+.BR success ;
+.BR open_err ;
+.BR symbol_err ;
+.BR service_err ;
+.BR system_err ;
+.BR buf_err ;
+.BR perm_denied ;
+.BR auth_err ;
+.BR cred_insufficient ;
+.BR authinfo_unavail ;
+.BR user_unknown ;
+.BR maxtries ;
+.BR new_authtok_reqd ;
+.BR acct_expired ;
+.BR session_err ;
+.BR cred_unavail ;
+.BR cred_expired ;
+.BR cred_err ;
+.BR no_module_data ;
+.BR conv_err ;
+.BR authtok_err ;
+.BR authtok_recover_err ;
+.BR authtok_lock_busy ;
+.BR authtok_disable_aging ;
+.BR try_again ;
+.BR ignore ;
+.BR abort ;
+.BR authtok_expired ;
+.BR module_unknown ;
+.BR bad_item "; and"
+.BR default .
+The last of these,
+.BR default ,
+implies 'all
+.BR valueN 's
+not mentioned explicitly. Note, the full list of PAM errors is
+available in /usr/include/security/_pam_types.h . The
+.B actionN
+can be: an unsigned integer, 
+.BR J ,
+signifying an action of 'jump over the next J modules in the stack';
+or take one of the following forms:
+.br
+.B ignore
+- when used with a stack of modules, the module's return status will
+not contribute to the return code the application obtains;
+.br
+.B bad 
+- this action indicates that the return code should be thought of as
+indicative of the module failing. If this module is the first in the
+stack to fail, its status value will be used for that of the whole
+stack.
+.br
+.B die
+- equivalent to bad with the side effect of terminating the module
+stack and PAM immediately returning to the application.
+.br
+.B ok
+- this tells PAM that the administrator thinks this return code
+should contribute directly to the return code of the full stack of
+modules. In other words, if the former state of the stack would lead
+to a return of
+.BR PAM_SUCCESS ,
+the module's return code will override this value. Note, if the former
+state of the stack holds some value that is indicative of a modules
+failure, this 'ok' value will not be used to override that value.
+.br
+.B done
+- equivalent to ok with the side effect of terminating the module
+stack and PAM immediately returning to the application.
+.br
+.B reset
+- clear all memory of the state of the module stack and start again
+with the next stacked module.
+
+.sp
+.BR module-path
+- this is either the full filename of the PAM to be used by the
+application (it begins with a '/'), or a relative pathname from the
+default module location:
+.BR /lib/security/ .
+
+.sp
+.BR module-arguments
+- these are a space separated list of tokens that can be used to
+modify the specific behavior of the given PAM. Such arguments will be
+documented for each individual module.
+
+.SH "FILES"
+.BR /etc/pam.conf " - the configuration file"
+.br
+.BR /etc/pam.d/ " - the"
+.BR Linux-PAM
+configuration directory. Generally, if this directory is present, the
+.B /etc/pam.conf
+file is ignored.
+.br
+.BR /lib/libpam.so.X " - the dynamic library"
+.br
+.BR /lib/security/*.so " - the PAMs
+
+.SH ERRORS
+Typically errors generated by the
+.BR Linux-PAM
+system of libraries, will be written to
+.BR syslog "(3)."
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+.br
+Contains additional features, but remains backwardly compatible with
+this RFC.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam.conf.8 b/Linux-PAM/doc/man/pam.conf.8
new file mode 100644
index 00000000..d067b559
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.conf.8
@@ -0,0 +1 @@
+.so pam.8
diff --git a/Linux-PAM/doc/man/pam.d.8 b/Linux-PAM/doc/man/pam.d.8
new file mode 100644
index 00000000..d067b559
--- /dev/null
+++ b/Linux-PAM/doc/man/pam.d.8
@@ -0,0 +1 @@
+.so pam.8
diff --git a/Linux-PAM/doc/man/pam_authenticate.3 b/Linux-PAM/doc/man/pam_authenticate.3
new file mode 100644
index 00000000..bc1cd5c9
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_authenticate.3
@@ -0,0 +1,91 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam_authenticate.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net>
+.TH PAM_AUTHENTICATE 3 "1996 Dec 9" "Linux-PAM 0.55" "App. Programmers' Manual"
+.SH NAME
+
+pam_authenticate \- authenticate a user
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_authenticate(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_authenticate
+
+.br
+Use this function to authenticate an applicant user.  It is linked
+.I dynamically
+to the authentication modules by
+.BR Linux-PAM ". "
+It is the task of these module to perform such an authentication.  The
+specific nature of the authentication is not the concern of the
+application.
+
+.br
+Following successful completion, the
+.BR name
+of the authenticated user will be present in the
+.BR Linux-PAM
+item
+.BR PAM_USER ". "
+This item may be recovered with a call to
+.BR pam_get_item "(3)."
+
+.br
+The application developer should note that the modules may request
+that the user enter their username via the conversation mechanism (see
+.BR pam_start "(3))."
+Should this be the case, the user-prompt string can be set via
+the
+.BR PAM_USER_PROMPT
+item (see
+.BR pam_set_item "(3))."
+
+.SH "RETURN VALUE"
+On success
+.BR PAM_SUCCESS
+is returned.  All other returns should be considered
+authentication failures and will be
+.I delayed
+by an amount specified with prior calls to
+.BR pam_fail_delay "(3). "
+Specific failures that demand special attention are the following:
+.TP
+.B PAM_ABORT
+the application should exit immediately. Of course,
+.BR pam_end "(3)"
+should be called first.
+
+.TP
+.B PAM_MAXTRIES
+the application has tried too many times to authenticate the
+user, authentication should not be attempted again.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_get_item "(3) "
+.BR pam_fail_delay "(3) "
+and
+.BR pam_strerror "(3). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam_chauthtok.3 b/Linux-PAM/doc/man/pam_chauthtok.3
new file mode 100644
index 00000000..94a8f2d3
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_chauthtok.3
@@ -0,0 +1,101 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam_chauthtok.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_CHAUTHTOK 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual"
+.SH NAME
+
+pam_chauthtok \- updating authentication tokens
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_chauthtok(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_chauthtok
+
+.br
+Use this function to rejuvenate the authentication tokens (passwords
+etc.) of an applicant user.
+
+.br
+Note, the application should not pre-authenticate the user, as this is
+performed (if required) by the
+.BR Linux-PAM
+framework.
+
+.br
+The
+.I flags
+argument can
+.I optionally
+take the value,
+.BR PAM_CHANGE_EXPIRED_AUTHTOK "."
+In such cases the framework is only required to update those
+authentication tokens that have expired. Without this argument, the
+framework will attempt to obtain new tokens for all configured
+authentication mechanisms. The details of the types and number of such
+schemes should not concern the calling application.
+
+.SH RETURN VALUE
+A successful return from this function will be indicated with
+.BR PAM_SUCCESS "."
+
+.br
+Specific errors of special interest when calling this function are
+
+.br
+.BR PAM_AUTHTOK_ERROR
+- a valid new token was not obtained
+
+.br
+.BR PAM_AUTHTOK_RECOVERY_ERR
+- old authentication token was not available
+
+.br
+.BR PAM_AUTHTOK_LOCK_BUSY
+- a resource needed to update the token was locked (try again later)
+
+.br
+.BR PAM_AUTHTOK_DISABLE_AGING
+- one or more of the authentication modules does not honor
+authentication token aging
+
+.br
+.BR PAM_TRY_AGAIN
+- one or more authentication mechanism is not prepared to update a
+token at this time
+
+.br
+In general other return values may be returned. They should be treated
+as indicating failure.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_authenticate "(3), "
+.BR pam_setcred "(3), "
+.BR pam_get_item "(3), "
+.BR pam_strerror "(3) "
+and
+.BR pam "(8)."
+
+.br
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam_close_session.3 b/Linux-PAM/doc/man/pam_close_session.3
new file mode 100644
index 00000000..d851700c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_close_session.3
@@ -0,0 +1 @@
+.so pam_open_session.3
diff --git a/Linux-PAM/doc/man/pam_end.3 b/Linux-PAM/doc/man/pam_end.3
new file mode 100644
index 00000000..de999f24
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_end.3
@@ -0,0 +1 @@
+.so pam_start.3
diff --git a/Linux-PAM/doc/man/pam_fail_delay.3 b/Linux-PAM/doc/man/pam_fail_delay.3
new file mode 100644
index 00000000..63cc88b3
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_fail_delay.3
@@ -0,0 +1,130 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam_fail_delay.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_FAIL_DELAY 3 "1997 Jan 12" "Linux-PAM 0.56" "Programmers' Manual"
+.SH NAME
+
+pam_fail_delay \- request a delay on failure
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.br
+or,
+.br
+.B #include <security/pam_modules.h>
+.sp
+.BI "int pam_fail_delay(pam_handle_t " "*pamh" ", unsigned int " "usec" ");"
+.sp 2
+.SH DESCRIPTION
+.br
+It is often possible to attack an authentication scheme by exploiting
+the time it takes the scheme to deny access to an applicant user.  In
+cases of
+.I short
+timeouts, it may prove possible to attempt a
+.I brute force
+dictionary attack -- with an automated process, the attacker tries all
+possible passwords to gain access to the system.  In other cases,
+where individual failures can take measurable amounts of time
+(indicating the nature of the failure), an attacker can obtain useful
+information about the authentication process.  These latter attacks
+make use of procedural delays that constitute a
+.I covert channel
+of useful information.
+
+.br
+To minimize the effectiveness of such attacks, it is desirable to
+introduce a random delay in a failed authentication process.
+.B Linux-PAM
+provides such a facility.  The delay occurs upon failure of the
+.BR pam_authenticate "(3) "
+and
+.BR pam_chauthtok "(3) "
+functions.  It occurs
+.I after
+all authentication modules have been called, but
+.I before
+control is returned to the service application.
+
+.br
+The function,
+.BR pam_fail_delay "(3),"
+is used to specify a required minimum for the length of the
+failure-delay; the
+.I usec
+argument.  This function can be called by the service application
+and/or the authentication modules, both may have an interest in
+delaying a reapplication for service by the user.  The length of the
+delay is computed at the time it is required.  Its length is
+pseudo-gausianly distributed about the
+.I maximum
+requested value; the resultant delay will differ by as much as 25% of
+this maximum requested value (both up and down).
+
+.br
+On return from
+.BR pam_authenticate "(3) or " pam_chauthtok "(3),"
+independent of success or failure, the new requested delay is reset to
+its default value: zero.
+
+.SH EXAMPLE
+.br
+For example, a
+.B login
+application may require a failure delay of roughly 3 seconds. It will
+contain the following code:
+.sp
+.br
+.B "     pam_fail_delay(pamh, 3000000 /* micro-seconds */ );"
+.br
+.B "     pam_authenticate(pamh, 0);"
+.sp
+.br
+if the modules do not request a delay, the failure delay will be
+between 2.25 and 3.75 seconds.
+
+.br
+However, the modules, invoked in the authentication process, may
+also request delays:
+.sp
+.br
+.RB "  (module #1)   " "pam_fail_delay(pamh, 2000000);"
+.sp
+.br
+.RB "  (module #2)   " "pam_fail_delay(pamh, 4000000);"
+.sp
+.br
+in this case, it is the largest requested value that is used to
+compute the actual failed delay: here between 3 and 5 seconds.
+
+.SH "RETURN VALUE"
+Following a successful call to
+.BR pam_fail_delay "(3), " PAM_SUCCESS
+is returned.  All other returns should be considered serious failures.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+Under consideration by the X/Open group for future inclusion in the
+PAM RFC. 1996/1/10
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_get_item "(3) "
+and
+.BR pam_strerror "(3). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam_get_item.3 b/Linux-PAM/doc/man/pam_get_item.3
new file mode 100644
index 00000000..f4f0d462
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_get_item.3
@@ -0,0 +1 @@
+.so pam_set_item.3
diff --git a/Linux-PAM/doc/man/pam_open_session.3 b/Linux-PAM/doc/man/pam_open_session.3
new file mode 100644
index 00000000..05ccbb88
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_open_session.3
@@ -0,0 +1,99 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam_open_session.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_OPEN_SESSION 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual"
+.SH NAME
+
+pam_open/close_session \- PAM session management
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_open_session(pam_handle_t " *pamh ", int  " flags ");"
+.sp
+.BI "int pam_close_session(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+
+PAM provides management-hooks for the initialization and termination
+of a session. 
+
+.TP
+.B pam_open_session
+.br
+Use this function to signal that an authenticated user session has
+begun. It should be called only after the user is properly identified
+and (where necessary) has been granted their credentials with
+.BR pam_authenticate "(3)"
+and
+.BR pam_setcred "(3)"
+respectively.
+
+.br
+Some types of functions associated with session
+initialization are logging for the purposes of system-audit and
+mounting directories (the user's home directory for example). These
+should not concern the application. It should be noted that the
+.I effective
+uid,
+.BR geteuid "(2),"
+of the application should be of sufficient privilege to perform such
+tasks.
+
+.TP
+.B pam_close_session
+.br
+Use this function to signal that a user session has
+terminated. In general this function may not need to be located in the
+same application as the initialization function,
+.BR pam_open_session "."
+
+.br
+Typically, this function will undo the actions of
+.BR pam_open_session "."
+That is, log audit information concerning the end of the user session
+or unmount the user's home directory. Apart from having sufficient
+privilege the details of the session termination should not concern
+the calling application. It is good programming practice, however, to
+cease acting on behalf of the user on returning from this call.
+
+.SH RETURN VALUE
+A successful return from the session management functions will be
+indicated with
+.BR PAM_SUCCESS "."
+
+.br
+The specific error indicating a failure to open or close a session is
+.BR PAM_SESSION_ERR "."
+In general other return values may be returned. They should be treated
+as indicating failure.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+OSF-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_authenticate "(3), "
+.BR pam_setcred "(3), "
+.BR pam_get_item "(3), "
+.BR pam_strerror "(3) "
+and
+.BR pam "(3)."
+
+.br
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam_set_item.3 b/Linux-PAM/doc/man/pam_set_item.3
new file mode 100644
index 00000000..ad759cfd
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_set_item.3
@@ -0,0 +1,55 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam_set_item.3,v 1.1.1.1 2002/09/15 20:08:27 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1996,1997 <morgan@kernel.org>
+.TH PAM_SET_ITEM 3 "2001 Jan 21" "Linux-PAM" "App. Programmers' Manual"
+.SH NAME
+
+pam_set_item, pam_get_item \- item manipulation under PAM
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.br
+or
+.br
+.B #include <secruity/pam_modules.h>
+.sp
+.BI "int pam_set_item(pam_handle_t " *pamh ", int " item_type ", void " *item ");"
+.sp
+.BI "int pam_get_item(const pam_handle_t " *pamh ", int  " item_type ", const void " **item_p ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_set_item
+.sp
+.B pam_set_item
+
+These functions are currently undocumented in a man page, but see the
+end of this man page for more information (the PAM guides).
+
+On success
+.BR PAM_SUCCESS
+is returned, all other return values should be treated as errors.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam (8)
+and
+.BR pam_strerror "(3)."
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam_setcred.3 b/Linux-PAM/doc/man/pam_setcred.3
new file mode 100644
index 00000000..9681690c
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_setcred.3
@@ -0,0 +1,79 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam_setcred.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1996,1997 <morgan@parc.power.net>
+.TH PAM_SETCRED 3 "1997 July 6" "Linux-PAM 0.58" "App. Programmers' Manual"
+.SH NAME
+
+pam_setcred \- set the credentials for the user
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_setcred(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_setcred
+
+This function is used to establish, maintain and delete the
+credentials of a user. It should be called after a user has been
+authenticated and before a session is opened for the user (with
+.BR pam_open_session "(3))."
+
+It should be noted that credentials come in many forms. Examples
+include: group memberships; ticket-files; and Linux-PAM environment
+variables.  For this reason, it is important that the basic identity
+of the user is established, by the application, prior to a call to
+this function.  For example, the default
+.BR Linux-PAM
+environment variables should be set and also
+.BR initgroups "(2) "
+(or equivalent) should have been performed.
+
+.SH "VALID FLAGS"
+.TP
+.BR PAM_ESTABLISH_CRED
+initialize the credentials for the user.
+
+.TP
+.BR PAM_DELETE_CRED
+delete the user's credentials.
+
+.TP
+.BR PAM_REINITIALIZE_CRED
+delete and then initialize the user's credentials.
+
+.TP
+.BR PAM_REFRESH_CRED
+extend the lifetime of the existing credentials.
+
+.SH "RETURN VALUE"
+
+On success
+.BR PAM_SUCCESS
+is returned, all other return values should be treated as errors.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_authenticate "(3), "
+.BR pam_strerror "(3)"
+and
+.BR pam_open_session "(3). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam_start.3 b/Linux-PAM/doc/man/pam_start.3
new file mode 100644
index 00000000..159bf201
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_start.3
@@ -0,0 +1,98 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: pam_start.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net>
+.TH PAM_START 3 "1997 Feb 15" "Linux-PAM 0.56" "Application Programmers' Manual"
+.SH NAME
+
+pam_start, pam_end \- activating Linux-PAM
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_start(const char " *service ", const char " *user ", const struct pam_conv " *conv ", pam_handle_t " **pamh_p ");"
+.sp
+.BI "int pam_end(pam_handle_t " *pamh ", int " pam_status ");"
+.sp 2
+.SH DESCRIPTION
+.TP
+.B pam_start
+Initialize the
+.I Linux-PAM
+library.  Identifying the application with a particular
+.IR service
+name.  The
+.IR user "name"
+can take the value
+.IR NULL ", "
+if not known at the time the interface is initialized.  The
+conversation structure is passed to the library via the
+.IR conv
+argument.  (For a complete description of this and other structures
+the reader is directed to the more verbose
+.IR Linux-PAM
+application developers' guide).  Upon successful initialization, an
+opaque pointer-handle for future access to the library is returned
+through the contents of the
+.IR pamh_p
+pointer.
+
+.TP
+.B pam_end
+Terminate the
+.B Linux-PAM
+library.  The service application associated with the
+.IR pamh
+handle, is terminated.  The argument,
+.IR pam_status ", "
+passes the value most recently returned to the application from the
+library; it indicates the manner in which the library should be
+shutdown.  Besides carrying a return value, this argument may be
+logically OR'd with
+.IR PAM_DATA_SILENT
+to indicate that the module should not treat the call too
+seriously. It is generally used to indicate that the current closing
+of the library is in a
+.IR fork "(2)ed"
+process, and that the parent will take care of cleaning up things that
+exist outside of the current process space (files etc.).
+
+.SH "RETURN VALUE"
+.TP
+.B pam_start
+.TP
+.B pam_end
+On success,
+.BR PAM_SUCCESS
+is returned
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+.sp
+Note, the 
+.BR PAM_DATA_SILENT
+flag is pending acceptance with the DCE (as of 1996/12/4).
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+
+.BR fork "(2), "
+.BR pam_authenticate "(3), "
+.BR pam_acct_mgmt "(3), "
+.BR pam_open_session "(3), "
+and
+.BR pam_chauthtok "(3)."
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/pam_strerror.3 b/Linux-PAM/doc/man/pam_strerror.3
new file mode 100644
index 00000000..84622088
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_strerror.3
@@ -0,0 +1,51 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" ripped off from Rick Faith's getgroups man page
+.\" $Id: pam_strerror.3,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@linux.kernel.org>
+.TH PAM_STRERROR 3 "1999 Oct 4" "Linux-PAM 0.70" "Programmers' Manual"
+.SH NAME
+
+pam_strerror \- return a textual description of a Linux-PAM error
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.br
+or,
+.br
+.B #include <security/pam_modules.h>
+.sp
+.BI "const char * pam_strerror( pam_handle_t " "*pamh" ", int " pam_error ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_strerror
+
+This function returns some text describing the
+.BR Linux-PAM
+error associated with the
+.B pam_error
+argument.
+
+.SH "RETURN VALUE"
+
+On success this function returns a description of the indicated
+error.  Should the function not recognize the error, ``Unknown
+Linux-PAM error'' is returned.
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+This function should be internationalized.
+
+.SH "SEE ALSO"
+
+.BR pam "(8). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/man/template-man b/Linux-PAM/doc/man/template-man
new file mode 100644
index 00000000..5ba564a0
--- /dev/null
+++ b/Linux-PAM/doc/man/template-man
@@ -0,0 +1,52 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id: template-man,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_???? 2 "1997 Jan 4" "Linux-PAM 0.55" "Application Programmers' Manual"
+.SH NAME
+
+function names \- brief summary of function
+
+.SH SYNOPSIS
+.B #include <security/pam_????.h>
+.sp
+.BI "int pam_???(pam_handle_t " pamh ", int  " flags);
+.sp 2
+.SH DESCRIPTION
+.TP
+.B pam_???
+Here goes the
+.I explanation
+it may be quite
+.IR long .
+.TP
+.SH "RETURN VALUE"
+.B pam_???
+On success...
+.BR PAM_SUCCESS
+is returned
+.TP
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(2). "
+
+.SH "CONFORMING TO"
+.B pam_???
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_??? "(2), "
+and
+.BR pam_??? "(2). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/Linux-PAM/doc/modules/README b/Linux-PAM/doc/modules/README
new file mode 100644
index 00000000..b81f1d26
--- /dev/null
+++ b/Linux-PAM/doc/modules/README
@@ -0,0 +1,13 @@
+$Id: README,v 1.1.1.2 2002/09/15 20:08:28 hartmans Exp $
+
+This directory contains a number of sgml sub-files. One for each
+documented module. They contain a description of each module and give
+some indication of its reliability.
+
+Additionally, there is a 'module.sgml-template' file which should be
+used as a blank form for new module descriptions.
+
+Please feel free to submit amendments/comments etc. regarding these
+files to:
+
+	Andrew G. Morgan <morgan@kernel.org>
diff --git a/Linux-PAM/doc/modules/module.sgml-template b/Linux-PAM/doc/modules/module.sgml-template
new file mode 100644
index 00000000..36ffe617
--- /dev/null
+++ b/Linux-PAM/doc/modules/module.sgml-template
@@ -0,0 +1,170 @@
+<!--
+
+   $Id: module.sgml-template,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $
+   
+   This template file was written by Andrew G. Morgan
+					<morgan@kernel.org>
+
+[
+	Text that should be deleted/replaced, is enclosed within 
+		'[' .. ']'
+	marks. For example, this text should be deleted!
+]
+
+-->
+
+<sect1> [*Familiar full name of module*, eg. The "allow all" module.]
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+[
+	insert the name of the module
+
+	Blank is not permitted.
+]
+
+<tag><bf>Author[s]:</bf></tag>
+
+[
+	Insert author names here
+
+	Blank is not permitted. If in doubt, put "unknown" if the
+	author wishes to remain anonymous, put "anonymous".
+]
+
+<tag><bf>Maintainer:</bf></tag>
+	
+[
+	Insert names and date-begun of most recent maintainer.
+]
+
+<tag><bf>Management groups provided:</bf></tag>
+
+[
+	list the subset of four management groups supported by the
+	module. Choose from: account; authentication; password;
+	session.
+
+	Blank entries are not permitted. Explicitly list all of the
+	management groups. In the future more may be added to libpam!
+]
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+
+[
+	Indicate whether this module contains code that can perform
+	reversible (strong) encryption. This field is primarily to
+	ensure that people redistributing it are not unwittingly
+	breaking laws...
+
+	Modules may also require the presence of some local library
+	that performs the necessary encryption via some standard API.
+	In this case "uses API" can be included in this field. The
+	library in question should be added to the system requirements
+	below.
+
+	Blank = no cryptography is used by module.
+]
+	
+<tag><bf>Security rating:</bf></tag>
+
+[
+	Initially, this field should be left blank. If someone takes
+	it upon themselves to test the strength of the module, it can
+	later be filled.
+
+	Blank = unknown.
+]
+
+<tag><bf>Clean code base:</bf></tag>
+
+[
+	This will probably be filled by the libpam maintainer.
+	It can be considered to be a public humiliation list. :*)
+
+	I am of the opinion that "gcc -with_all_those_flags" is
+	trying to tell us something about whether the program
+	works as intended. Since there is currently no Security
+	evaluation procedure for modules IMHO this is not a
+	completely unreasonable indication (a lower bound anyway)
+	of the reliability of a module.
+
+	This field would indicate the number and flavor of
+	warnings that gcc barfs up when trying to compile the
+	module as part of the tree. Is this too tyrannical?
+
+	Blank = Linux-PAM maintainer has not tested it :)
+]
+
+<tag><bf>System dependencies:</bf></tag>
+
+[
+	here we list config files, dynamic libraries needed, system
+	resources, kernel options.. etc.
+
+	Blank = nothing more than libc required.
+]
+
+<tag><bf>Network aware:</bf></tag>
+
+[
+	Does the module base its behavior on probing a network
+	connection? Does it expect to be protected by the
+	application?
+
+	Blank = Ignorance of network.
+]
+
+</descrip>
+
+<sect2>Overview of module
+
+[
+	some text describing the intended actions of the module
+	general comments mainly (specifics in sections
+	below).
+]
+
+[
+
+	[ now we have a <sect2> level subsection for each of the
+	  management groups. Include as many as there are groups
+	  listed above in the synopsis ]
+
+<sect2>[ Account | Authentication | Password | Session ] component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+[
+	List the supported arguments (leave their description for the
+	description below.
+
+	Blank = no arguments are read and nothing is logged to syslog
+		about any arguments that are passed. Note, this
+		behavior is contrary to the RFC!
+]
+
+<tag><bf>Description:</bf></tag>
+
+[
+	This component of the module performs the task of ...
+]
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+[
+	Here we list some doos and don'ts for this module.
+]
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_access.sgml b/Linux-PAM/doc/modules/pam_access.sgml
new file mode 100644
index 00000000..8a910d13
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_access.sgml
@@ -0,0 +1,117 @@
+<!--
+   
+   pam_access module docs added by Tim Berger <timb@transmeta.com>
+
+-->
+
+<sect1> The access module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+
+<tt>pam_access</tt>
+
+
+<tag><bf>Author[s]:</bf></tag>
+
+Alexei Nogin &lt;alexei@nogin.dnttm.ru&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+	
+<tag><bf>Management groups provided:</bf></tag>
+
+account
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag> 
+Requires a configuration file. By default 
+<tt>/etc/security/access.conf</tt> is used but this can be overridden. 
+
+<tag><bf>Network aware:</bf></tag>
+
+Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of
+the stdin file descriptor with <tt/ttyname()/.  Standard
+gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/
+calls.  <bf/NIS/ is used for netgroup support.
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+Provides logdaemon style login access control.
+
+<sect2> Account component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tt>accessfile=<it>/path/to/file.conf</it></tt>;
+<tt>fieldsep=<it>separators</it></tt>
+
+<tag><bf>Description:</bf></tag>
+
+This module provides logdaemon style login access control based on
+login names and on host (or domain) names, internet addresses (or
+network numbers), or on terminal line names in case of non-networked
+logins. Diagnostics are reported through <tt/syslog(3)/.  Wietse
+Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with
+several changes by A. Nogin.
+
+<p> 
+The behavior of this module can be modified with the following 
+arguments: 
+<itemize> 
+ 
+<item><tt>accessfile=/path/to/file.conf</tt> - 
+indicate an alternative <em/access/ configuration file to override 
+the default. This can be useful when different services need different 
+access lists. 
+
+<item><tt>fieldsep=<it>separators</it></tt> -
+this option modifies the field separator character that
+<tt/pam_access/ will recognize when parsing the access configuration
+file. For example: <tt>fieldsep=|</tt> will cause the default `:'
+character to be treated as part of a field value and `|' becomes the
+field separator. Doing this is useful in conjuction with a system that
+wants to use pam_access with X based applications, since the
+<tt/PAM_TTY/ item is likely to be of the form "hostname:0" which
+includes a `:' character in its value.
+
+</itemize> 
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+Use of module is recommended, for example, on administrative machines
+such as <bf/NIS/ servers and mail servers where you need several accounts
+active but don't want them all to have login capability.
+
+For <tt>/etc/pam.d</tt> style configurations where your modules live
+in <tt>/lib/security</tt>, start by adding the following line to
+<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>,
+<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>:
+
+<tscreen>
+<verb>
+account  required       /lib/security/pam_access.so
+</verb>
+</tscreen>
+
+Note that use of this module is not effective unless your system ignores
+<tt>.rhosts</tt> files.  See the the pam_rhosts_auth documentation.
+
+A sample <tt>access.conf</tt> configuration file is included with the
+distribution.
+
+</descrip>
diff --git a/Linux-PAM/doc/modules/pam_chroot.sgml b/Linux-PAM/doc/modules/pam_chroot.sgml
new file mode 100644
index 00000000..2bc3e8af
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_chroot.sgml
@@ -0,0 +1,86 @@
+<!--
+   $Id: pam_chroot.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $
+   
+   This file was written by Bruce Campbell <brucec@humbug.org.au>
+-->
+
+<sect1>Chroot
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_chroot/
+
+<tag><bf>Author:</bf></tag>
+Bruce Campbell &lt;brucec@humbug.org.au&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author; proposed on 20/11/96 - email for status
+
+<tag><bf>Management groups provided:</bf></tag>
+account; session; authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+Unwritten.
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+Expects localhost.
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module is intended to provide a transparent wrapper around the
+average user, one that puts them in a fake file-system (eg, their
+'<tt>/</tt>' is really <tt>/some/where/else</tt>).
+
+<p>
+Useful if you have several classes of users, and are slightly paranoid
+about security.  Can be used to limit who else users can see on the
+system, and to limit the selection of programs they can run.
+
+<sect2>Account component:
+
+<p>
+<em/Need more info here./
+
+<sect2>Authentication component:
+
+<p>
+<em/Need more info here./
+
+<sect2>Session component:
+
+<p>
+<em/Need more info here./
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+Arguments and logging levels for the PAM version are being worked on.
+
+<tag><bf>Description:</bf></tag>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+Do provide a reasonable list of programs - just tossing 'cat', 'ls', 'rm',
+'cp' and 'ed' in there is a bit... 
+<p>
+Don't take it to extremes (eg, you can set up a separate environment for
+each user, but its a big waste of your disk space.)
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_cracklib.sgml b/Linux-PAM/doc/modules/pam_cracklib.sgml
new file mode 100644
index 00000000..de1d5df2
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_cracklib.sgml
@@ -0,0 +1,304 @@
+<!--
+   $Id: pam_cracklib.sgml,v 1.1.1.2 2002/09/15 20:08:28 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+   long password amendments are from Philip W. Dalrymple III <pwd@mdtsoft.com>
+-->
+
+<sect1>Cracklib pluggable password strength-checker
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+
+pam_cracklib
+
+<tag><bf>Author:</bf></tag>
+
+Cristian Gafton &lt;gafton@redhat.com&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+
+password
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag> 
+
+Requires the system library <tt/libcrack/ and a system dictionary:
+<tt>/usr/lib/cracklib_dict</tt>.
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module can be plugged into the <tt/password/ stack of a given
+application to provide some plug-in strength-checking for passwords.
+
+<p>
+This module works in the following manner: it first calls the
+<em>Cracklib</em> routine to check the strength of the password; if
+crack likes the password, the module does an additional set of
+strength checks.  These checks are:
+<itemize>
+
+<item> <bf/Palindrome/ -
+
+Is the new password a palindrome of the old one?
+
+<item> <bf/Case Change Only/ -
+
+Is the new password the the old one with only a change of case?
+
+<item> <bf/Similar/ -
+
+Is the new password too much like the old one?  This is primarily
+controlled by one argument, <tt/difok/ which is a number of characters
+that if different between the old and new are enough to accept the new
+password, this defaults to 10 or 1/2 the size of the new password
+whichever is smaller.
+
+To avoid the lockup associated with trying to change a long and
+complicated password, <tt/difignore/ is available. This argument can
+be used to specify the minimum length a new password needs to be
+before the <tt/difok/ value is ignored. The default value for
+<tt/difignore/ is 23.
+
+
+<item> <bf/Simple/ -
+
+Is the new password too small?  This is controlled by 5 arguments
+<tt/minlen/, <tt/dcredit/, <tt/ucredit/, <tt/lcredit/, and
+<tt/ocredit/. See the section on the arguments for the details of how
+these work and there defaults.
+
+<item> <bf/Rotated/ -
+
+Is the new password a rotated version of the old password?
+
+<item> <bf/Already used/ -
+
+Was the password used in the past?  Previously used passwords are to
+be found in /etc/security/opasswd.
+
+</itemize>
+
+<p>
+This module with no arguments will work well for standard unix
+password encryption.  With md5 encryption, passwords can be longer
+than 8 characters and the default settings for this module can make it
+hard for the user to choose a satisfactory new password.  Notably, the
+requirement that the new password contain no more than 1/2 of the
+characters in the old password becomes a non-trivial constraint.  For
+example, an old password of the form "the quick brown fox jumped over
+the lazy dogs" would be difficult to change...  In addition, the
+default action is to allow passwords as small as 5 characters in
+length.  For a md5 systems it can be a good idea to increase the
+required minimum size of a password.  One can then allow more credit
+for different kinds of characters but accept that the new password may
+share most of these characters with the old password.
+
+<sect2>Password component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/;
+<tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/;
+<tt/use_authtok/;
+
+<tag><bf>Description:</bf></tag>
+
+The action of this module is to prompt the user for a password and
+check its strength against a system dictionary and a set of rules for
+identifying poor choices.
+
+<p>
+The default action is to prompt for a single password, check its
+strength and then, if it is considered strong, prompt for the password
+a second time (to verify that it was typed correctly on the first
+occasion). All being well, the password is passed on to subsequent
+modules to be installed as the new authentication token.
+
+<p>
+The default action may be modified in a number of ways using the
+arguments recognized by the module:
+<itemize>
+
+<item> <tt/debug/ -
+
+this option makes the module write information to syslog(3) indicating
+the behavior of the module (this option does <bf/not/ write password
+information to the log file).
+
+<item> <tt/type=XXX/ -
+
+the default action is for the module to use the following prompts when
+requesting passwords: ``New UNIX password: '' and ``Retype UNIX
+password: ''. Using this option you can replace the word UNIX with
+<tt/XXX/.
+
+<item> <tt/retry=N/ -
+
+the default number of times this module will request a new password
+(for strength-checking) from the user is 1. Using this argument this
+can be increased to <tt/N/.
+
+<item> <tt/difok=N/ -
+
+This argument will change the default of 10 for the number of
+characters in the new password that must not be present in the old
+password.  In addition, if 1/2 of the characters in the new password
+are different then the new password will be accepted anyway.
+
+<item> <tt/minlen=N/ -
+
+The minimum acceptable size for the new password (plus one if credits 
+are not disabled which is the default).
+In addition to the number of characters in the new password, credit (of
++1 in length) is given for each different kind of character (<em>other,
+upper, lower</em> and <em/digit/).  The default for this parameter is
+9 which is good for a old style UNIX password all of the same type of
+character but may be too low to exploit the added security of a md5
+system.  Note that there is a pair of length limits in
+<em>Cracklib</em> itself, a "way too short" limit of 4 which is hard
+coded in and a defined limit (6) that will be checked without
+reference to <tt>minlen</tt>.  If you want to allow passwords as short
+as 5 characters you should either not use this module or recompile
+the crack library and then recompile this module.
+
+<item> <tt/dcredit=N/ -
+
+(N >= 0) This is the maximum credit for having digits in the new password. If
+you have less than or <tt/N/ digits, each digit will count +1 towards
+meeting the current <tt/minlen/ value.  The default for <tt/dcredit/
+is 1 which is the recommended value for <tt/minlen/ less than 10.
+(N < 0) This is the minimum number of digits that must be met for a new 
+password.
+
+<item> <tt/ucredit=N/ -
+
+(N >= 0) This is the maximum credit for having upper case letters in the new
+password.  If you have less than or <tt/N/ upper case letters each
+letter will count +1 towards meeting the current <tt/minlen/ value.
+The default for <tt/ucredit/ is 1 which is the recommended value for
+<tt/minlen/ less than 10. (N < 0) This is the minimum number of upper 
+case letters that must be met for a new password.
+
+<item> <tt/lcredit=N/ -
+
+(N >= 0) This is the maximum credit for having lower case letters in the new
+password.  If you have less than or <tt/N/ lower case letters, each
+letter will count +1 towards meeting the current <tt/minlen/ value.
+The default for <tt/lcredit/ is 1 which is the recommended value for
+<tt/minlen/ less than 10. (N < 0) This is the minimum number of lower 
+case letters that must be met for a new password.
+
+<item> <tt/ocredit=N/ -
+
+(N >= 0) This is the maximum credit for having other characters in the new
+password.  If you have less than or <tt/N/ other characters, each
+character will count +1 towards meeting the current <tt/minlen/ value.
+The default for <tt/ocredit/ is 1 which is the recommended value for
+<tt/minlen/ less than 10. (N < 0) This is the minimum number of other 
+characters that must be met for a new password.
+
+<item> <tt/use_authtok/ -
+
+This argument is used to <em/force/ the module to not prompt the user
+for a new password but use the one provided by the previously stacked
+<tt/password/ module.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+<p>
+For an example of the use of this module, we show how it may be
+stacked with the password component of <tt/pam_pwdb/:
+<tscreen>
+<verb>
+#
+# These lines stack two password type modules. In this example the
+# user is given 3 opportunities to enter a strong password. The
+# "use_authtok" argument ensures that the pam_pwdb module does not
+# prompt for a password, but instead uses the one provided by
+# pam_cracklib.
+#
+passwd	password required	pam_cracklib.so retry=3
+passwd	password required	pam_pwdb.so use_authtok
+</verb>
+</tscreen>
+
+<p>
+Another example (in the <tt>/etc/pam.d/passwd</tt> format) is for the
+case that you want to use md5 password encryption:
+<tscreen>
+<verb>
+#%PAM-1.0
+#
+# These lines allow a md5 systems to support passwords of at least 14
+# bytes with extra credit of 2 for digits and 2 for others the new
+# password must have at least three bytes that are not present in the
+# old password
+#
+password  required pam_cracklib.so \
+               difok=3 minlen=15 dcredit= 2 ocredit=2
+password  required pam_pwdb.so use_authtok nullok md5
+</verb>
+</tscreen>
+
+<p>
+And here is another example in case you don't want to use credits:
+<tscreen>
+<verb>
+#%PAM-1.0
+#
+# These lines require the user to select a password with a minimum
+# length of 8 and with at least 1 digit number, 1 upper case letter,
+# and 1 other character
+#
+password  required pam_cracklib.so \
+               dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
+password  required pam_pwdb.so use_authtok nullok md5
+</verb>
+</tscreen>
+
+<p>
+In this example we simply say that the password must have a minimum 
+length of 8:
+<tscreen>
+<verb>
+#%PAM-1.0
+#
+# These lines require the user to select a password with a mimimum
+# length of 8. He gets no credits and he is not forced to use
+# digit numbers, upper case letters etc.
+#
+password  required pam_cracklib.so \
+               dcredit=0 ucredit=0 ocredit=0 lcredit=0 minlen=8
+password  required pam_pwdb.so use_authtok nullok md5
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_deny.sgml b/Linux-PAM/doc/modules/pam_deny.sgml
new file mode 100644
index 00000000..d8041d19
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_deny.sgml
@@ -0,0 +1,177 @@
+<!--
+   $Id: pam_deny.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The locking-out module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+pam_deny
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+current <bf/Linux-PAM/ maintainer
+
+<tag><bf>Management groups provided:</bf></tag>
+account; authentication; password; session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+clean.
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module can be used to deny access. It always indicates a failure
+to the application through the PAM framework. As is commented in the
+overview section <ref id="overview-section" name="above">, this module
+might be suitable for using for default (the <tt/OTHER/) entries.
+
+<sect2>Account component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This component does nothing other than return a failure. The
+failure type is <tt/PAM_ACCT_EXPIRED/.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+Stacking this module with type <tt/account/ will prevent the user from
+gaining access to the system via applications that refer to
+<bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/.
+
+<p>
+The following example would make it impossible to login:
+<tscreen>
+<verb>
+#
+# add this line to your other login entries to disable all accounts
+#
+login	account	 required	pam_deny.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This component does nothing other than return a failure. The failure
+type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is
+called (when the application tries to authenticate the user), and is
+<tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/
+(to establish and set the credentials of the user -- it is unlikely
+that this function will ever be called in practice).
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+To deny access to default applications with this component of the
+<tt/pam_deny/ module, you might include the following line in your
+<bf/Linux-PAM/ configuration file:
+<tscreen>
+<verb>
+#
+# add this line to your existing OTHER entries to prevent
+# authentication succeeding with default applications.
+#
+OTHER	auth	 required	pam_deny.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<sect2>Password component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This component of the module denies the user the opportunity to change
+their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when
+invoked.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+This module should be used to prevent an application from updating the
+applicant user's password. For example, to prevent <tt/login/ from
+automatically prompting for a new password when the old one has
+expired you should include the following line in your configuration
+file:
+<tscreen>
+<verb>
+#
+# add this line to your other login entries to prevent the login
+# application from being able to change the user's password.
+#
+login	password required	pam_deny.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This aspect of the module prevents an application from starting a
+session on the host computer.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+Together with another session module, that displays a message of the
+day perhaps (<tt/pam_motd/ for example), this module can be used to
+block a user from starting a shell. We might use the following entries
+in the configuration file to inform the user it is system time:
+<tscreen>
+<verb>
+#
+# An example to see how to configure login to refuse the user a
+# session (politely)
+#
+login	session	 required	pam_motd.so \
+			motd=/etc/system_time
+login	session	 required	pam_deny.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_env.sgml b/Linux-PAM/doc/modules/pam_env.sgml
new file mode 100644
index 00000000..0ca18fe4
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_env.sgml
@@ -0,0 +1,141 @@
+<!--
+   $Id: pam_env.sgml,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $
+   
+   This file was written by Dave Kinchlea <kinch@kinch.ark.com>
+   Ed. AGM
+-->
+
+<sect1>Set/unset environment variables
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_env/
+
+<tag><bf>Author:</bf></tag>
+Dave Kinchlea &lt;kinch@kinch.ark.com&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author
+
+<tag><bf>Management groups provided:</bf></tag>
+Authentication (setcred)
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+<tt>/etc/security/pam_env.conf</tt>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module allows the (un)setting of environment variables. Supported
+is the use of previously set environment variables as well as
+<em>PAM_ITEM</em>s such as <tt>PAM_RHOST</tt>.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt/conffile=/<em/configuration-file-name/;
+<tt/envfile/=<em/env-file-name/; <tt/readenv/=<em/0|1/
+
+<tag><bf>Description:</bf></tag>
+This module allows you to (un)set arbitrary environment variables
+using fixed strings, the value of previously set environment variables
+and/or <em/PAM_ITEM/s.
+
+<p>
+All is controlled via a configuration file (by default,
+<tt>/etc/security/pam_env.conf</tt> but can be overriden with
+<tt>conffile</tt> argument).  Each line starts with the variable name,
+there are then two possible options for each variable <bf>DEFAULT</bf>
+and <bf>OVERRIDE</bf>.  <bf>DEFAULT</bf> allows an administrator to
+set the value of the variable to some default value, if none is
+supplied then the empty string is assumed.  The <bf>OVERRIDE</bf>
+option tells pam_env that it should enter in its value (overriding the
+default value) if there is one to use.  <bf>OVERRIDE</bf> is not used,
+<tt>""</tt> is assumed and no override will be done.
+
+<p>
+<tscreen>
+<verb>
+VARIABLE   [DEFAULT=[value]]  [OVERRIDE=[value]]
+</verb>
+</tscreen>
+
+<p>
+(Possibly non-existent) environment variables may be used in values
+using the <tt>&dollar;&lcub;string&rcub;</tt> syntax and (possibly
+non-existent) <em/PAM_ITEM/s may be used in values using the
+<tt>&commat;&lcub;string&rcub;</tt> syntax. Both the <tt>&dollar;</tt>
+and <tt>&commat;</tt> characters can be backslash-escaped to be used
+as literal values (as in <tt>&bsol;&dollar;</tt>.  Double quotes may
+be used in values (but not environment variable names) when white
+space is needed <bf>the full value must be delimited by the quotes and
+embedded or escaped quotes are not supported</bf>.
+
+<p>
+This module can also parse a file with simple <tt>KEY=VAL</tt> pairs
+on seperate lines (<tt>/etc/environment</tt> by default). You can
+change the default file to parse, with the <em/envfile/ flag and turn
+it on or off by setting the <em/readenv/ flag to 1 or 0 respectively.
+
+<p>
+The behavior of this module can be modified with one of the following
+flags:
+
+<p>
+<itemize>
+
+<item><tt/debug/
+- write more information to <tt/syslog(3)/.
+
+<item><tt/conffile=/<em/filename/
+- by default the file <tt>/etc/security/pam_env.conf</tt> is used as
+the configuration file. This option overrides the default. You must
+supply a complete path + file name.
+
+<item><tt/envfile=/<em/filename/
+- by default the file <tt>/etc/environment</tt> is used to load KEY=VAL
+pairs directly into the env. This option overrides the default. You must
+supply a complete path + file name.
+
+<item><tt/readenv=/<em/0|1/
+- turns on or off the reading of the file specified by envfile (0 is off,
+1 is on). By default this option is on.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+See sample <tt>pam_env.conf</tt> for more information and examples.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
+
+
+
+
+
+
+
+
+
+
diff --git a/Linux-PAM/doc/modules/pam_filter.sgml b/Linux-PAM/doc/modules/pam_filter.sgml
new file mode 100644
index 00000000..1d582abc
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_filter.sgml
@@ -0,0 +1,150 @@
+<!--
+   $Id: pam_filter.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The filter module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+
+pam_filter
+
+<tag><bf>Author:</bf></tag>
+
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+	
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+
+account; authentication; password; session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+
+Not yet.
+
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+This module compiles cleanly on Linux based systems.
+
+<tag><bf>System dependencies:</bf></tag>
+
+To function it requires <em/filters/ to be installed on the system.
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module was written to offer a plug-in alternative to programs
+like ttysnoop (XXX - need a reference). Since writing a filter that
+performs this function has not occurred, it is currently only a toy.
+The single filter provided with the module simply transposes upper and
+lower case letters in the input and output streams. (This can be very
+annoying and is not kind to termcap based editors).
+
+<sect2>Account+Authentication+Password+Session components
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tt/debug/; <tt/new_term/; <tt/non_term/; <tt/runX/
+
+<tag><bf>Description:</bf></tag>
+
+Each component of the module has the potential to invoke the desired
+filter.  The filter is always <tt/execv(2)/d with the privilege of the
+calling application and <bf/not/ that of the user. For this reason it
+cannot usually be killed by the user without closing their session.
+
+<p>
+The behavior of the module can be significantly altered by the
+arguments passed to it in the <bf/Linux-PAM/ configuration file:
+<itemize>
+<item><tt/debug/ -
+
+this option increases the amount of information logged to
+<tt/syslog(3)/ as the module is executed.
+
+<item><tt/new_term/ -
+
+the default action of the filter is to set the <tt/PAM_TTY/ item to
+indicate the terminal that the user is using to connect to the
+application. This argument indicates that the filter should set
+<tt/PAM_TTY/ to the filtered pseudo-terminal.
+
+<item><tt/non_term/ -
+don't try to set the <tt/PAM_TTY/ item.
+
+<item><tt/runX/ -
+
+in order that the module can invoke a filter it should know when to
+invoke it. This argument is required to tell the filter when to do
+this. The arguments that follow this one are respectively the full
+pathname of the filter to be run and any command line arguments that
+the filter might expect.
+
+<p>
+Permitted values for <tt/X/ are <tt/1/ and <tt/2/. These indicate the
+precise time that the filter is to be run. To understand this concept
+it will be useful to have read the Linux-PAM Module developer's
+guide. Basically, for each management group there are up to two ways
+of calling the module's functions.
+
+In the case of the <em/authentication/ and <em/session/ components
+there are actually two separate functions.  For the case of
+authentication, these functions are <tt/_authenticate/ and
+<tt/_setcred/ -- here <tt/run1/ means run the filter from the
+<tt/_authenticate/ function and <tt/run2/ means run the filter from
+<tt/_setcred/. In the case of the session modules, <tt/run1/ implies
+that the filter is invoked at the <tt/_open_session/ stage, and
+<tt/run2/ for <tt/_close_session/.
+
+<p>
+For the case of the account component. Either <tt/run1/ or <tt/run2/
+may be used.
+
+<p>
+For the case of the password component, <tt/run1/ is used to indicate
+that the filter is run on the first occasion <tt/_chauthtok/ is run
+(the <tt/PAM_PRELIM_CHECK/ phase) and <tt/run2/ is used to indicate
+that the filter is run on the second occasion (the
+<tt/PAM_UPDATE_AUTHTOK/ phase).
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+At the time of writing there is little real use to be made of this
+module. For fun you might try adding the following line to your
+login's configuration entries
+<tscreen>
+<verb>
+#
+# An example to see how to configure login to transpose upper and
+# lower case letters once the user has logged in(!)
+#
+login	session	 required	pam_filter.so \
+			run1 /usr/sbin/pam_filter/upperLOWER
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_ftp.sgml b/Linux-PAM/doc/modules/pam_ftp.sgml
new file mode 100644
index 00000000..3ea43713
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_ftp.sgml
@@ -0,0 +1,93 @@
+<!--
+   $Id: pam_ftp.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>Anonymous access module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_ftp.so/
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+prompts for email address of user; easily spoofed (XXX - needs work)
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+The purpose of this module is to provide a pluggable anonymous ftp
+mode of access.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/;
+<tt/users=XXX,YYY,.../;
+<tt/ignore/
+
+<tag><bf>Description:</bf></tag>
+
+This module intercepts the user's name and password. If the name is
+``<tt/ftp/'' or ``<tt/anonymous/'', the user's password is broken up
+at the `<tt/@/' delimiter into a <tt/PAM_RUSER/ and a <tt/PAM_RHOST/
+part; these pam-items being set accordingly. The username
+(<tt/PAM_USER/) is set to ``<tt/ftp/''.  In this case the module
+succeeds.  Alternatively, the module sets the <tt/PAM_AUTHTOK/ item
+with the entered password and fails.
+
+<p>
+The behavior of the module can be modified with the following flags:
+<itemize>
+<item><tt/debug/ -
+log more information to with <tt/syslog(3)/.
+
+<item><tt/users=XXX,YYY,.../ - 
+instead of ``<tt/ftp/'' or ``<tt/anonymous/'', provide anonymous login
+to the comma separated list of users; ``<tt/XXX,YYY,.../''. Should the
+applicant enter one of these usernames the returned username is set to
+the first in the list; ``<tt/XXX/''.
+
+<item><tt/ignore/ -
+pay no attention to the email address of the user (if supplied).
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+An example of the use of this module is provided in the configuration
+file section <ref id="configuration" name="above">. With care, this
+module could be used to provide new/temporary account anonymous
+login.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_group.sgml b/Linux-PAM/doc/modules/pam_group.sgml
new file mode 100644
index 00000000..770933bc
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_group.sgml
@@ -0,0 +1,108 @@
+<!--
+   $Id: pam_group.sgml,v 1.1.1.2 2002/09/15 20:08:30 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The group access module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_group/
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+Sensitive to <em/setgid/ status of file-systems accessible to users.
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled
+with or without <tt/libpwdb/.
+
+<tag><bf>Network aware:</bf></tag>
+Only through correctly set <tt/PAM_TTY/ item.
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module provides group-settings based on the user's name and the
+terminal they are requesting a given service from. It takes note of
+the time of day.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This module does not authenticate the user, but instead it grants
+group memberships (in the credential setting phase of the
+authentication module) to the user.  Such memberships are based on the
+service they are applying for. The group memberships are listed in
+text form in the <tt>/etc/security/group.conf</tt> file.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+For this module to function correctly there must be a correctly
+formatted <tt>/etc/security/groups.conf</tt> file present. The format
+of this file is as follows. Group memberships are given based on the
+service application satisfying any combination of lines in the
+configuration file. Each line (barring comments which are preceded by
+`<tt/#/' marks) has the following
+syntax:
+<tscreen>
+<verb>
+services   ;   ttys   ;   users   ;   times   ;   groups
+</verb>
+</tscreen>
+Here the first four fields share the syntax of the <tt>pam_time</tt>
+configuration file; <tt>/etc/security/pam_time.conf</tt>, and the last
+field, the <tt/groups/ field, is a comma (or space) separated list of
+the text-names of a selection of groups. If the users application for
+service satisfies the first four fields, the user is granted membership
+of the listed groups.
+
+<p>
+As stated in above this module's usefulness relies on the file-systems
+accessible to the user.  The point being that once granted the
+membership of a group, the user may attempt to create a <em/setgid/
+binary with a restricted group ownership.  Later, when the user is not
+given membership to this group, they can recover group membership with
+the precompiled binary.  The reason that the file-systems that the user
+has access to are so significant, is the fact that when a system is
+mounted <em/nosuid/ the user is unable to create or execute such a
+binary file.  For this module to provide any level of security, all
+file-systems that the user has write access to should be mounted
+<em/nosuid/.
+
+<p>
+The <tt>pam_group</tt> module fuctions in parallel with the
+<tt>/etc/group</tt> file. If the user is granted any groups based on
+the behavior of this module, they are granted <em>in addition</em> to
+those entries <tt>/etc/group</tt> (or equivalent).
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_issue.sgml b/Linux-PAM/doc/modules/pam_issue.sgml
new file mode 100644
index 00000000..1f617e3b
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_issue.sgml
@@ -0,0 +1,120 @@
+<!--
+
+Ben Collins <bcollins@debian.org>
+
+-->
+
+<sect1>Add issue file to user prompt
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_issue/
+
+<tag><bf>Author:</bf></tag>
+Ben Collins &lt;bcollins@debian.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author
+
+<tag><bf>Management groups provided:</bf></tag>
+Authentication (pam_sm_authenticate)
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module prepends the issue file (<em>/etc/issue</em> by default) when
+prompting for a username.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/issue=issue-file-name/; <tt/noesc/;
+
+<tag><bf>Description:</bf></tag>
+This module allows you to prepend an issue file to the username prompt. It
+also by default parses escape codes in the issue file similar to some
+common getty's (using &bsol;x format).
+<p>
+Recognized escapes:
+<itemize>
+
+<item><tt/d/
+- current date
+
+<item><tt/s/
+- operating system name
+
+<item><tt/l/
+- name of this tty
+
+<item><tt/m/
+- architecture of this system (i686, sparc, powerpc, ...)
+
+<item><tt/n/
+- hostname of this system
+
+<item><tt/o/
+- domainname of this system
+
+<item><tt/r/
+- release number of the operation system (eg. 2.2.12)
+
+<item><tt/t/
+- current time
+
+<item><tt/u/
+- number of users currently logged in
+
+<item><tt/U/
+- same as <tt/u/, except it is suffixed with "user" or "users" (eg. "1
+user" or "10 users"
+
+<item><tt/v/
+- version/build-date of the operating system (eg. "&num;3 Mon Aug 23 14:38:16
+EDT 1999" on Linux).
+
+</itemize>
+
+<p>
+The behavior of this module can be modified with one of the following
+flags:
+
+<p>
+<itemize>
+
+<item><tt/issue/
+- the file to output if not using the default
+
+<item><tt/noesc/
+- turns off escape code parsing
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+login  auth  pam_issue.so  issue=/etc/issue
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_krb4.sgml b/Linux-PAM/doc/modules/pam_krb4.sgml
new file mode 100644
index 00000000..2fc8518e
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_krb4.sgml
@@ -0,0 +1,126 @@
+<!--
+   $Id: pam_krb4.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $
+   
+   This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
+-->
+
+<sect1>The Kerberos 4 module.
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_krb4/
+
+<tag><bf>Author:</bf></tag>
+Derrick J. Brashear &lt;shadow@dementia.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication; password; session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+uses API
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
+and a set of Kerberos include files.
+
+<tag><bf>Network aware:</bf></tag>
+Gets Kerberos ticket granting ticket via a Kerberos key distribution
+center reached via the network.
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module provides an interface for doing Kerberos verification of a
+user's password, getting the user a Kerberos ticket granting ticket
+for use with the Kerberos ticket granting service, destroying the
+user's tickets at logout time, and changing a Kerberos password.
+
+<sect2> Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This component of the module currently sets the user's <tt/KRBTKFILE/
+environment variable (although there is currently no way to export
+this), as well as deleting the user's ticket file upon logout (until
+<tt/PAM_CRED_DELETE/ is supported by <em/login/).
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+This part of the module won't be terribly useful until we can change
+the environment from within a <tt/Linux-PAM/ module.
+
+</descrip>
+
+<sect2> Password component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/use_first_pass/; <tt/try_first_pass/
+
+<tag><bf>Description:</bf></tag>
+
+This component of the module changes a user's Kerberos password
+by first getting and using the user's old password to get
+a session key for the password changing service, then sending
+a new password to that service.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+This should only be used with a real Kerberos v4 <tt/kadmind/. It
+cannot be used with an AFS kaserver unless special provisions are
+made. Contact the module author for more information.
+
+</descrip>
+
+<sect2> Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/use_first_pass/; <tt/try_first_pass/
+
+<tag><bf>Description:</bf></tag>
+
+This component of the module verifies a user's Kerberos password
+by requesting a ticket granting ticket from the Kerberos server
+and optionally using it to attempt to retrieve the local computer's
+host key and verifying using the key file on the local machine if 
+one exists.
+
+It also writes out a ticket file for the user to use later, and 
+deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
+is called from <em/login/).
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+This module can be used with a real Kerberos server using MIT
+v4 Kerberos keys. The module or the system Kerberos libraries
+may be modified to support AFS style Kerberos keys. Currently
+this is not supported to avoid cryptography constraints.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_lastlog.sgml b/Linux-PAM/doc/modules/pam_lastlog.sgml
new file mode 100644
index 00000000..e79723b3
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_lastlog.sgml
@@ -0,0 +1,119 @@
+<!--
+   $Id: pam_lastlog.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The last login module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_lastlog/
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author
+
+<tag><bf>Management groups provided:</bf></tag>
+auth
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+uses information contained in the <tt>/var/log/lastlog</tt> file.
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This session module maintains the <tt>/var/log/lastlog</tt> file.  Adding
+an open entry when called via the <tt>pam_open_seesion()</tt> function
+and completing it when <tt>pam_close_session()</tt> is called.  This
+module can also display a line of information about the last login of
+the user.  If an application already performs these tasks, it is not
+necessary to use this module.
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt/nodate/; <tt/noterm/; <tt/nohost/; <tt/silent/;
+<tt/never/
+
+<tag><bf>Description:</bf></tag>
+
+<p>
+This module can be used to provide a ``Last login on ...''
+message. when the user logs into the system from what ever application
+uses the PAM libraries.  In addition, the module maintains the
+<tt>/var/log/lastlog</tt> file.
+
+<p>
+The behavior of this module can be modified with one of the following
+flags:
+
+<p>
+<itemize>
+<item><tt/debug/
+- write more information to <tt/syslog(3)/.
+
+<item><tt/nodate/
+- neglect to give the date of the last login when displaying
+information about the last login on the system.
+
+<item><tt/noterm/ 
+- neglect to diplay the terminal name on which the last login was
+attempt.
+
+<item><tt/nohost/
+- neglect to indicate from which host the last login was attempted.
+
+<item><tt/silent/
+- neglect to inform the user about any previous login: just update
+the <tt>/var/log/lastlog</tt> file.
+
+<item><tt/never/
+- if the <tt>/var/log/lastlog</tt> file does not contain any old entries
+for the user, indicate that the user has never previously logged in
+with a ``welcome..." message.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+This module can be used to indicate that the user has new mail when
+they <em/login/ to the system. Here is a sample entry for your
+<tt>/etc/pam.d/XXX</tt> file:
+<tscreen>
+<verb>
+#
+# When were we last here?
+#
+session	 optional	pam_lastlog.so
+</verb>
+</tscreen>
+
+<p>
+Note, some applications may perform this function themselves. In such
+cases, this module is not necessary.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_limits.sgml b/Linux-PAM/doc/modules/pam_limits.sgml
new file mode 100644
index 00000000..65ce6d82
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_limits.sgml
@@ -0,0 +1,247 @@
+<!--
+   $Id: pam_limits.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+   from information compiled by Cristian Gafton (author of module)
+-->
+
+<sect1>The resource limits module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_limits/
+
+<tag><bf>Authors:</bf></tag>
+Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
+Thanks are also due to Elliot Lee &lt;sopwith@redhat.com&gt;
+for his comments on improving this module.
+
+<tag><bf>Maintainer:</bf></tag>
+Cristian Gafton - 1996/11/20
+
+<tag><bf>Management groups provided:</bf></tag>
+session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+requires an <tt>/etc/security/limits.conf</tt> file and kernel support
+for resource limits. Also uses the library, <tt/libpwdb/.
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets
+limits on the system resources that can be obtained in a
+user-session. Its actions are dictated more explicitly through the
+configuration file discussed below.
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt>conf=/path/to/file.conf</tt>; <tt>change_uid</tt>;
+<tt>utmp_early</tt>
+
+<tag><bf>Description:</bf></tag>
+
+Through the contents of the configuration file,
+<tt>/etc/security/limits.conf</tt>, resource limits are placed on
+users' sessions. Users of <tt/uid=0/ are not affected by this
+restriction.
+
+<p>
+The behavior of this module can be modified with the following
+arguments:
+<itemize>
+
+<item><tt/debug/ -
+verbose logging to <tt/syslog(3)/.
+
+<item><tt>conf=/path/to/file.conf</tt> -
+indicate an alternative <em/limits/ configuration file to the default.
+
+<item><tt/change_uid/ - 
+change real uid to the user for who the limits are set up.  Use this
+option if you have problems like login not forking a shell for user
+who has no processes. Be warned that something else may break when
+you do this.
+
+<item><tt/utmp_early/ - 
+some broken applications actually allocate a utmp entry for the user
+before the user is admitted to the system. If some of the services you
+are configuring PAM for do this, you can selectively use this module
+argument to compensate for this behavior and at the same time maintain
+system-wide consistency with a single limits.conf file.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+In order to use this module the system administrator must first create
+a <em/root-only-readable/ file (default is
+<tt>/etc/security/limits.conf</tt>).  This file describes the resource
+limits the superuser wishes to impose on users and groups. No limits
+are imposed on <tt/uid=0/ accounts.
+
+<p>
+Each line of the configuration file describes a limit for a user in
+the form:
+<tscreen>
+<verb>
+<domain>	<type>	<item>		<value>
+</verb>
+</tscreen>
+
+<p>
+The fields listed above should be filled as follows...<newline>
+<tt>&lt;domain&gt;</tt> can be:
+<itemize>
+<item> a username
+<item> a groupname, with <tt>@group</tt> syntax
+<item> the wild-card <tt/*/, for default entry
+<item> the wild-card <tt/%/, for maxlogins limit only,
+can also be used with <tt>%group</tt> syntax
+</itemize>
+
+<p>
+<tt>&lt;type&gt;</tt> can have the three values:
+<itemize>
+
+<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits
+are set by the superuser and enforced by the Linux Kernel. The user
+cannot raise his requirement of system resources above such values.
+
+<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits
+are ones that the user can move up or down within the permitted range
+by any pre-exisiting <em/hard/ limits. The values specified with this
+token can be thought of as <em/default/ values, for normal system
+usage.
+
+<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits
+together.
+
+</itemize>
+
+<p>
+<tt>&lt;item&gt;</tt> can be one of the following:
+<itemize>
+<item><tt/core/ - limits the core file size (KB)
+<item><tt/data/ - max data size (KB)
+<item><tt/fsize/ - maximum filesize (KB)
+<item><tt/memlock/ - max locked-in-memory address space (KB)
+<item><tt/nofile/ - max number of open files
+<item><tt/rss/ - max resident set size (KB)
+<item><tt/stack/ - max stack size (KB)
+<item><tt/cpu/ - max CPU time (MIN)
+<item><tt/nproc/ - max number of processes
+<item><tt/as/ - address space limit
+<item><tt/maxlogins/ - max number of logins for this user
+<item><tt/maxsyslogins/ - max number of logins on system
+<item><tt/priority/ - the priority to run user process with (negative
+values boost process priority)
+<item><tt/locks/ - max locked files (Linux 2.4 and higher)
+</itemize>
+
+<p>
+Note, if you specify a type of ``-'' but neglect to supply the
+<tt/item/ and <tt/value/ fields then the module will never enforce any
+limits on the corresponding user/group-members etc. . Note, the first
+entry of the form which applies to the authenticating user will
+override all other entries in the limits configuration file. In such
+cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/.
+
+<p>
+In general, individual limits have priority over group limits, so if
+you impose no limits for <tt/admin/ group, but one of the members in
+this group have a limits line, the user will have its limits set
+according to this line.
+
+<p>
+Also, please note that all limit settings are set <em/per login/.
+They are not global, nor are they permanent; existing only for the
+duration of the session.
+
+<p>
+In the <em/limits/ configuration file, the ``<tt/#/'' character
+introduces a comment - after which the rest of the line is ignored.
+
+<p>
+The <tt/pam_limits/ module does its best to report configuration
+problems found in its configuration file via <tt/syslog(3)/.
+
+<p>
+The following is an example configuration file:
+<tscreen>
+<verb>
+# EXAMPLE /etc/security/limits.conf file:
+# =======================================
+# <domain>	<type>	<item>		<value>
+*               soft    core            0
+*               hard    rss             10000
+@student        hard    nproc           20
+@faculty        soft    nproc           20
+@faculty        hard    nproc           50
+ftp             hard    nproc           0
+@student        -       maxlogins       4
+</verb>
+</tscreen>
+Note, the use of <tt/soft/ and <tt/hard/ limits for the same resource
+(see <tt/@faculty/) -- this establishes the <em/default/ and permitted
+<em/extreme/ level of resources that the user can obtain in a given
+service-session.
+
+<p>
+Note, that wild-cards <tt/*/ and <tt/%/ have the following meaning when
+used for maxlogins limit
+<itemize>
+<item> <tt/*/ every user
+<item> <tt/%/ all users, or entire group when <tt>%group</tt> is specified 
+</itemize>
+See the following examples:
+<tscreen>
+<verb>
+# EXAMPLE /etc/security/limits.conf file:
+# <domain>	<type>	<item>		<value>
+*               -       maxlogins       2
+@faculty        -       maxlogins       4
+%               -       maxlogins       30
+%student        -       maxlogins       10
+</verb>
+</tscreen>
+Explanation: every user can login 2 times, members of the <tt/faculty/
+group can login 4 times, there can be only 30 logins, only 10 from
+<tt/students/ group.
+
+<p>
+For the services that need resources limits (login for example) put
+the following line in <tt>/etc/pam.conf</tt> as the last line for that
+service (usually after the pam_unix session line:
+<tscreen>
+<verb>
+#
+# Resource limits imposed on login sessions via pam_limits
+#
+login   session    required     pam_limits.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_listfile.sgml b/Linux-PAM/doc/modules/pam_listfile.sgml
new file mode 100644
index 00000000..f39d8bc6
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_listfile.sgml
@@ -0,0 +1,138 @@
+<!--
+   $Id: pam_listfile.sgml,v 1.1.1.1 2001/04/29 04:16:56 hartmans Exp $
+   
+   This file was written by Michael K. Johnson <johnsonm@redhat.com>
+-->
+
+<sect1>The list-file module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_listfile/
+
+<tag><bf>Author:</bf></tag>
+Elliot Lee <tt>&lt;sopwith@cuc.edu&gt;</tt>
+
+<tag><bf>Maintainer:</bf></tag>
+Red Hat Software:<newline>
+Michael K. Johnson &lt;johnsonm@redhat.com&gt;  1996/11/18<newline>
+(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+clean
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+The list-file module provides a way to deny or allow services based on
+an arbitrary file.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tt>onerr=succeed|fail</tt>;
+<tt>sense=allow|deny</tt>;
+<tt>file=</tt><it>filename</it>;
+<tt>item=user|tty|rhost|ruser|group|shell</tt>
+<tt>apply=user|@group</tt>
+
+<tag><bf>Description:</bf></tag>
+
+The module gets the item of the type specified -- <tt>user</tt> specifies
+the username, <tt>PAM_USER</tt>; tty specifies the name of the terminal
+over which the request has been made, <tt>PAM_TTY</tt>; rhost specifies
+the name of the remote host (if any) from which the request was made,
+<tt>PAM_RHOST</tt>; and ruser specifies the name of the remote user
+(if available) who made the request, <tt>PAM_RUSER</tt> -- and looks for
+an instance of that item in the file <it>filename</it>.  <it>filename</it>
+contains one line per item listed.  If the item is found, then if
+<tt>sense=allow</tt>, <tt>PAM_SUCCESS</tt> is returned, causing the
+authorization request to succeed; else if <tt>sense=deny</tt>,
+<tt>PAM_AUTH_ERR</tt> is returned, causing the authorization
+request to fail.
+
+<p>
+If an error is encountered (for instance, if <it>filename</it>
+does not exist, or a poorly-constructed argument is encountered),
+then if <tt>onerr=succeed</tt>, <tt>PAM_SUCCESS</tt> is returned,
+otherwise if <tt>onerr=fail</tt>, <tt>PAM_AUTH_ERR</tt> or
+<tt>PAM_SERVICE_ERR</tt> (as appropriate) will be returned.
+
+<p>
+An additional argument, <tt>apply=</tt>, can be used to restrict the
+application of the above to a specific user
+(<tt>apply=</tt><em>username</em>) or a given group
+(<tt>apply=@</tt><em>groupname</em>).  This added restriction is only
+meaningful when used with the <tt/tty/, <tt/rhost/ and <tt/shell/
+<em/items/.
+
+<p>
+Besides this last one, all arguments should be specified; do not count
+on any default behavior, as it is subject to change.
+
+<p>
+No credentials are awarded by this module.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+Classic ``ftpusers'' authentication can be implemented with this entry
+in <tt>/etc/pam.conf</tt>:
+<tscreen>
+<verb>
+#
+# deny ftp-access to users listed in the /etc/ftpusers file
+#
+ftp	auth	 required	pam_listfile.so \
+	onerr=succeed item=user sense=deny file=/etc/ftpusers
+</verb>
+</tscreen>
+Note, users listed in <tt>/etc/ftpusers</tt> file are
+(counterintuitively) <bf/not/ allowed access to the ftp service.
+
+<p>
+To allow login access only for certain users, you can use a
+<tt/pam.conf/ entry like this:
+<tscreen>
+<verb>
+#
+# permit login to users listed in /etc/loginusers
+#
+login	auth	 required	pam_listfile.so \
+	onerr=fail item=user sense=allow file=/etc/loginusers
+</verb>
+</tscreen>
+
+<p>
+For this example to work, all users who are allowed to use the login
+service should be listed in the file <tt>/etc/loginusers</tt>.  Unless
+you are explicitly trying to lock out root, make sure that when you do
+this, you leave a way for root to log in, either by listing root in
+<tt>/etc/loginusers</tt>, or by listing a user who is able to <em/su/
+to the root account.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_mail.sgml b/Linux-PAM/doc/modules/pam_mail.sgml
new file mode 100644
index 00000000..397df29e
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_mail.sgml
@@ -0,0 +1,142 @@
+<!--
+   $Id: pam_mail.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The mail module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_mail/
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author
+
+<tag><bf>Management groups provided:</bf></tag>
+Authentication (credential)
+Session (open)
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+Default mail directory <tt>/var/spool/mail/</tt>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module looks at the user's mail directory and indicates
+whether the user has any mail in it.
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt/dir=/<em/directory-name/; <tt/nopen/; <tt/close/;
+<tt/noenv/; <tt/empty/; <tt/hash=/<em/hashcount/; <tt/standard/;
+<tt/quiet/;
+
+<tag><bf>Description:</bf></tag>
+
+This module provides the ``you have new mail'' service to the user. It
+can be plugged into any application that has credential hooks. It gives a
+single message indicating the <em/newness/ of any mail it finds in the
+user's mail folder. This module also sets the <bf/Linux-PAM/
+environment variable, <tt/MAIL/, to the user's mail directory.
+
+<p>
+The behavior of this module can be modified with one of the following
+flags:
+
+<p>
+<itemize>
+<item><tt/debug/
+- write more information to <tt/syslog(3)/.
+
+<item><tt/dir=/<em/pathname/
+- look for the users' mail in an alternative directory given by
+<em/pathname/.  The default location for mail is
+<tt>/var/spool/mail</tt>. Note, if the supplied <em/pathname/ is
+prefixed by a `<tt/&tilde;/', the directory is interpreted as
+indicating a file in the user's home directory.
+
+<item><tt/nopen/
+- instruct the module to <em/not/ print any mail information when the
+user's credentials are acquired. This flag is useful to get the <tt/MAIL/
+environment variable set, but to not display any information about it.
+
+<item><tt/close/
+- instruct the module to indicate if the user has any mail at the as
+the user's credentials are revoked.
+
+<item><tt/noenv/
+- do not set the <tt/MAIL/ environment variable.
+
+<item><tt/empty/
+- indicate that the user's mail directory is empty if this is found to
+be the case.
+
+<item><tt/hash=/<em/hashcount/
+- mail directory hash depth.  For example, a <em/hashcount/ of 2 would
+make the mailfile be <tt>/var/spool/mail/u/s/user</tt>.
+
+<item><tt/standard/
+- old style "You have..." format which doesn't show the mail spool being used.
+  this also implies "empty"
+
+<item><tt/quiet/
+- only report when there is new mail.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+This module can be used to indicate that the user has new mail when
+they <em/login/ to the system. Here is a sample entry for your
+<tt>/etc/pam.conf</tt> file:
+<tscreen>
+<verb>
+#
+# do we have any mail?
+#
+login	session	 optional	pam_mail.so
+</verb>
+</tscreen>
+
+<p>
+Note, if the mail spool file (be it <tt>/var/spool/mail/$USER</tt> or
+a pathname given with the <tt>dir=</tt> parameter) is a directory then
+<tt>pam_mail</tt> assumes it is in the <it>Qmail Maildir</it> format.
+
+<p>
+Note, some applications may perform this function themselves. In such
+cases, this module is not necessary.
+
+</descrip>
+
+<sect2>Authentication component
+
+<p>
+Then authentication companent works the same as the session component,
+except that everything is done during the <tt>pam_setcred()</tt> phase.
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_mkhomedir.sgml b/Linux-PAM/doc/modules/pam_mkhomedir.sgml
new file mode 100644
index 00000000..075e16f9
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_mkhomedir.sgml
@@ -0,0 +1,83 @@
+<!--
+
+Ben Collins <bcollins@debian.org>
+
+-->
+
+<sect1>Create home directories on initial login
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_mkhomedir/
+
+<tag><bf>Author:</bf></tag>
+Jason Gunthorpe &lt;jgg@ualberta.ca&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Ben Collins &lt;bcollins@debian.org&gt;
+
+<tag><bf>Management groups provided:</bf></tag>
+Session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+Creates home directories on the fly for authenticated users.
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt/skel=skeleton-dir/; <tt/umask=octal-umask/;
+
+<tag><bf>Description:</bf></tag>
+This module is useful for distributed systems where the user account is
+managed in a central database (such as NIS, NIS+, or LDAP) and accessed
+through miltiple systems. It frees the administrator from having to create
+a default home directory on each of the systems by creating it upon the
+first succesfully authenticated login of that user. The skeleton directory
+(usually /etc/skel/) is used to copy default files and also set's a umask
+for the creation.
+
+<p>
+The behavior of this module can be modified with one of the following
+flags:
+
+<p>
+<itemize>
+
+<item><tt/skel/
+- The skeleton directory for default files to copy to the new home directory.
+
+<item><tt/umask/
+- An octal for of the same format as you would pass to the shells umask command.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_motd.sgml b/Linux-PAM/doc/modules/pam_motd.sgml
new file mode 100644
index 00000000..8ddc6392
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_motd.sgml
@@ -0,0 +1,77 @@
+<!--
+
+Ben Collins <bcollins@debian.org>
+
+-->
+
+<sect1>Output the motd file
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_motd/
+
+<tag><bf>Author:</bf></tag>
+Ben Collins &lt;bcollins@debian.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author
+
+<tag><bf>Management groups provided:</bf></tag>
+Session (open)
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module outputs the motd file (<em>/etc/motd</em> by default) upon
+successful login.
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt/motd=motd-file-name/;
+
+<tag><bf>Description:</bf></tag>
+This module allows you to have arbitrary motd's (message of the day)
+output after a succesful login. By default this file is <em>/etc/motd</em>,
+but is configurable to any file.
+
+<p>
+The behavior of this module can be modified with one of the following
+flags:
+
+<p>
+<itemize>
+
+<item><tt/motd/
+- the file to output if not using the default.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+login  session  pam_motd.so  motd=/etc/motd
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_nologin.sgml b/Linux-PAM/doc/modules/pam_nologin.sgml
new file mode 100644
index 00000000..e2463570
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_nologin.sgml
@@ -0,0 +1,81 @@
+<!--
+   $Id: pam_nologin.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+   
+   This file was written by Michael K. Johnson <johnsonm@redhat.com>
+-->
+
+<sect1>The no-login module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_nologin/
+
+<tag><bf>Author:</bf></tag>
+Written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
+
+<tag><bf>Maintainer:</bf></tag>
+
+<tag><bf>Management groups provided:</bf></tag>
+account; authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+Provides standard Unix <em/nologin/ authentication.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+successok, file=&lt;<em/filename/&gt;
+
+<tag><bf>Description:</bf></tag>
+
+Provides standard Unix <em/nologin/ authentication.  If the file
+<tt>/etc/nologin</tt> exists, only root is allowed to log in; other
+users are turned away with an error message (and the module returns
+<tt/PAM_AUTH_ERR/ or <tt/PAM_USER_UNKNOWN/).  All users (root or
+otherwise) are shown the contents of <tt>/etc/nologin</tt>.
+
+<p>
+If the file <tt>/etc/nologin</tt> does not exist, this module defaults
+to returning <tt/PAM_IGNORE/, but the <tt/successok/ module argument
+causes it to return <tt/PAM_SUCCESS/ in this case.
+
+<p>
+The administrator can override the default nologin file with the
+<tt/file=/<em/pathname/ module argument.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+In order to make this module effective, all login methods should be
+secured by it.  It should be used as a <tt>required</tt> method listed
+before any <tt>sufficient</tt> methods in order to get standard Unix
+nologin semantics. Note, the use of <tt/successok/ module argument
+causes the module to return <tt/PAM_SUCCESS/ and as such would break
+such a configuration - failing <tt/sufficient/ modules would lead to a
+successful login because the nologin module <em/succeeded/.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_permit.sgml b/Linux-PAM/doc/modules/pam_permit.sgml
new file mode 100644
index 00000000..969e6b84
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_permit.sgml
@@ -0,0 +1,83 @@
+<!--
+   $Id: pam_permit.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The promiscuous module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+pam_permit
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan, &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Linux-PAM maintainer.
+
+<tag><bf>Management groups provided:</bf></tag>
+account; authentication; password; session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+VERY LOW. Use with extreme caution.
+
+<tag><bf>Clean code base:</bf></tag>
+Clean.
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module is very dangerous. It should be used with extreme
+caution. Its action is always to permit access. It does nothing else.
+
+<sect2>Account+Authentication+Password+Session components
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+No matter what management group, the action of this module is to
+simply return <tt/PAM_SUCCESS/ -- operation successful.
+
+<p>
+In the case of authentication, the user's name will be acquired. Many
+applications become confused if this name is unknown.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+It is seldom a good idea to use this module. However, it does have
+some legitimate uses.  For example, if the system-administrator wishes
+to turn off the account management on a workstation, and at the same
+time continue to allow logins, then she might use the following
+configuration file entry for login:
+<tscreen>
+<verb>
+#
+# add this line to your other login entries to disable account
+# management, but continue to permit users to log in...
+#
+login	account	 required	pam_permit.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_pwdb.sgml b/Linux-PAM/doc/modules/pam_pwdb.sgml
new file mode 100644
index 00000000..df0cb329
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_pwdb.sgml
@@ -0,0 +1,249 @@
+<!--
+   $Id: pam_pwdb.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The Password-Database module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+pam_pwdb
+
+<tag><bf>Author:</bf></tag>
+Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
+and Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Red Hat.
+
+<tag><bf>Management groups provided:</bf></tag>
+account; authentication; password; session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+Requires properly configured <tt/libpwdb/
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module is a pluggable replacement for the <tt/pam_unix_../
+modules. It uses the generic interface of the <em/Password Database/
+library <tt>libpwdb</tt>.
+
+<sect2>Account component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/
+
+<tag><bf>Description:</bf></tag>
+
+The <tt/debug/ argument makes the accounting functions of this module
+<tt/syslog(3)/ more information on its actions. (Remaining arguments
+supported by the other functions of this module are silently ignored,
+but others are logged as errors through <tt/syslog(3)/).
+
+Based on the following <tt/pwdb_element/s:
+<tt/expire/;
+<tt/last_change/;
+<tt/max_change/;
+<tt/defer_change/;
+<tt/warn_change/,
+this module performs the task of establishing the status of the user's
+account and password. In the case of the latter, it may offer advice
+to the user on changing their password or, through the
+<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until
+they have established a new password. The entries listed above are
+documented in the <em/Password Database Library Guide/ (see pointer
+above). Should the user's record not contain one or more of these
+entries, the corresponding <em/shadow/ check is not performed.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+In its accounting mode, this module can be inserted as follows:
+<tscreen>
+<verb>
+#
+# Ensure users account and password are still active
+#
+login	account	 required	pam_pwdb.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/;
+<tt/use_first_pass/;
+<tt/try_first_pass/;
+<tt/nullok/;
+<tt/nodelay/;
+<tt/likeauth/
+
+<tag><bf>Description:</bf></tag>
+
+The <tt/debug/ argument makes the authentication functions of this
+module <tt/syslog(3)/ more information on its actions.
+
+<p>
+The default action of this module is to not permit the user access to
+a service if their <em/official/ password is blank. The <tt/nullok/
+argument overrides this default.
+
+<p>
+When given the argument <tt/try_first_pass/, before prompting the user
+for their password, the module first tries the previous stacked
+<tt/auth/-module's password in case that satisfies this module as
+well. The argument <tt/use_first_pass/ forces the module to use such a
+recalled password and will never prompt the user - if no password is
+available or the password is not appropriate, the user will be denied
+access.
+
+<p>
+The argument, <tt>nodelay</tt>, can be used to discourage the
+authentication component from requesting a delay should the
+authentication as a whole fail.  The default action is for the module
+to request a delay-on-failure of the order of one second.
+
+<p>
+Remaining arguments, supported by the other functions of this module,
+are silently ignored. Other arguments are logged as errors through
+<tt/syslog(3)/.
+
+<p>
+A helper binary, <tt>pwdb_chkpwd</tt>, is provided to check the user's
+password when it is stored in a read protected database.  This binary
+is very simple and will only check the password of the user invoking
+it.  It is called transparently on behalf of the user by the
+authenticating component of this module.  In this way it is possible
+for applications like <em>xlock</em> to work without being setuid-root.
+
+<p>
+The <tt>likeauth</tt> argument makes the module return the same value
+when called as a credential setting module and an authentication
+module.  This will help libpam take a sane path through the auth
+component of your configuration file.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+The correct functionality of this module is dictated by having an
+appropriate <tt>/etc/pwdb.conf</tt> file, the user
+databases specified there dictate the source of the authenticated
+user's record.
+
+</descrip>
+
+<sect2>Password component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt/nullok/; <tt/not_set_pass/; <tt/use_authtok/;
+<tt/try_first_pass/; <tt/use_first_pass/; <tt/md5/; <tt/bigcrypt/;
+<tt/shadow/; <tt/radius/; <tt/unix/
+
+<tag><bf>Description:</bf></tag>
+
+This part of the <tt/pam_pwdb/ module performs the task of updating
+the user's password.  Thanks to the flexibility of <tt/libpwdb/ this
+module is able to move the user's password from one database to
+another, perhaps securing the user's database entry in a dynamic
+manner (<em/this is very ALPHA code at the moment!/) - this is the
+purpose of the <tt/shadow/, <tt/radius/ and <tt/unix/ arguments.
+
+<p>
+In the case of conventional unix databases (which store the password
+encrypted) the <tt/md5/ argument is used to do the encryption with the
+MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call.
+As an alternative to this, the <tt/bigcrypt/ argument can be used to
+encrypt more than the first 8 characters of a password with DEC's
+(Digital Equipment Cooperation) `C2' extension to the standard UNIX
+<tt/crypt()/ algorithm.
+
+<p>
+The <tt/nullok/ module is used to permit the changing of a password
+<em/from/ an empty one. Without this argument, empty passwords are
+treated as account-locking ones.
+
+<p>
+The argument <tt/use_first_pass/ is used to lock the choice of old and
+new passwords to that dictated by the previously stacked <tt/password/
+module.  The <tt/try_first_pass/ argument is used to avoid the user
+having to re-enter an old password when <tt/pam_pwdb/ follows a module
+that possibly shared the user's old password - if this old password is
+not correct the user will be prompted for the correct one.  The
+argument <tt/use_authtok/ is used to <em/force/ this module to set the
+new password to the one provided by the previously stacked
+<tt/password/ module (this is used in an example of the stacking of
+the <em/Cracklib/ module documented above).
+
+<p>
+The <tt/not_set_pass/ argument is used to inform the module that it is
+not to pay attention to/make available the old or new passwords from/to
+other (stacked) password modules.
+
+<p>
+The <tt/debug/ argument makes the password functions of this module
+<tt/syslog(3)/ more information on its actions. Other arguments may be
+logged as erroneous to <tt/syslog(3)/.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+An example of the stacking of this module with respect to the
+pluggable password checking module, <tt/pam_cracklib/, is given in
+that modules section above.
+</descrip>
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+No arguments are recognized by this module component. Its action is
+simply to log the username and the service-type to
+<tt/syslog(3)/. Messages are logged at the beginning and end of the
+user's session.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+The use of the session modules is straightforward:
+<tscreen>
+<verb>
+#
+# pwdb - unix like session opening and closing
+#
+login	session	 required	pam_pwdb.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_radius.sgml b/Linux-PAM/doc/modules/pam_radius.sgml
new file mode 100644
index 00000000..b452bebd
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_radius.sgml
@@ -0,0 +1,117 @@
+<!--
+   $Id: pam_radius.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $
+   
+   This file was written by Cristian Gafton <gafton@redhat.com>
+-->
+
+<sect1>The RADIUS session module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_radius/
+
+<tag><bf>Author:</bf></tag>
+Cristian Gafton &lt;gafton@redhat.com&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+session
+
+<tag><bf>Cryptographically sensitive:</bf></tag> 
+This module does not deal with passwords
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+gcc reports 1 warning when compiling <tt>/usr/include/rpc/clnt.h</tt>.
+Hey, is not my fault !
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+yes; this is a network module (independent of application).
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module is intended to provide the session service for users
+authenticated with a RADIUS server.  At the present stage, the only
+option supported is the use of the RADIUS server as an accounting
+server.
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tt/debug/ - verbose logging to <tt/syslog(3)/.
+
+<tag><bf>Description:</bf></tag>
+
+This module is intended to provide the session service for users
+authenticated with a RADIUS server. At the present stage, the only
+option supported is the use of the RADIUS server as an <em/accounting/
+server.  
+
+<p>
+(There are few things which needs to be cleared out first in
+the PAM project until one will be able to use this module and expect
+it to magically start pppd in response to a RADIUS server command to
+use PPP for this user, or to initiate a telnet connection to another
+host, or to hang and call back the user using parameters provided in
+the RADIUS server response. Most of these things are better suited for
+the radius login application. I hope to make available Real Soon (tm)
+patches for the login apps to make it work this way.)
+
+<p>
+When opening a session, this module sends an ``Accounting-Start''
+message to the RADIUS server, which will log/update/whatever a
+database for this user. On close, an ``Accounting-Stop'' message is
+sent to the RADIUS server.
+
+<p>
+This module has no other prerequisites for making it work.  One can
+install a RADIUS server just for fun and use it as a centralized
+accounting server and forget about wtmp/last/sac etc. .
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+For the services that need this module (<em/login/ for example) put
+the following line in <tt>/etc/pam.conf</tt> as the last line for that
+service (usually after the pam_unix session line):
+<tscreen>
+<verb>
+login	session	 required	pam_radius.so
+</verb>
+</tscreen>
+Replace <tt/login/ for each service you are using this module.
+
+<p>
+This module make extensive use of the API provided in libpwdb
+0.54preB or later. By default, it will read the radius server
+configuration (hostname and secret) from <tt>/etc/raddb/server</tt>.
+This is a default compiled into libpwdb, and curently there is no way to
+modify this default without recompiling libpwdb. I am working on
+extending the radius support from libpwdb to provide a possibility
+to make this runtime-configurable.
+
+Also please note that libpwdb will require also the RADIUS
+dictionary to be present (<tt>/etc/raddb/dictionary</tt>).
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
+
diff --git a/Linux-PAM/doc/modules/pam_rhosts.sgml b/Linux-PAM/doc/modules/pam_rhosts.sgml
new file mode 100644
index 00000000..4b9d1a89
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_rhosts.sgml
@@ -0,0 +1,164 @@
+<!--
+   $Id: pam_rhosts.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The rhosts module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_rhosts_auth/
+
+<tag><bf>Author:</bf></tag>
+Al Longyear &lt;longyear@netcom.com&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+Clean.
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+Standard <tt/inet_addr()/, <tt/gethostbyname()/ function calls.
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module performs the standard network authentication for services,
+as used by traditional implementations of <em/rlogin/ and <em/rsh/
+etc.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/no_hosts_equiv/; <tt/no_rhosts/; <tt/debug/; <tt/no_warn/;
+<tt/privategroup/; <tt/promiscuous/; <tt/suppress/
+
+<tag><bf>Description:</bf></tag>
+
+The authentication mechanism of this module is based on the contents
+of two files; <tt>/etc/hosts.equiv</tt> (or <tt/_PATH_HEQUIV/ in
+<tt>#include &lt;netdb.h&gt;</tt>) and <tt>~/.rhosts</tt>.  Firstly,
+hosts listed in the former file are treated as equivalent to the
+localhost. Secondly, entries in the user's own copy of the latter file
+is used to map "<tt/remote-host remote-user/" pairs to that user's
+account on the current host. Access is granted to the user if their
+host is present in <tt>/etc/hosts.equiv</tt> and their remote account
+is identical to their local one, or if their remote account has an
+entry in their personal configuration file.
+
+<p>
+Some restrictions are applied to the attributes of the user's personal
+configuration file: it must be a regular file (as defined by
+<tt/S_ISREG(x)/ of POSIX.1); it must be owned by the <em/superuser/ or
+the user; it must not be writable by any user besides its owner.
+
+<p>
+The module authenticates a remote user (internally specified by the
+item <tt/PAM_RUSER/) connecting from the remote host (internally
+specified by the item <tt/PAM_RHOST/).  Accordingly, for applications
+to be compatible this authentication module they must set these items
+prior to calling <tt/pam_authenticate()/.  The module is not capable
+of independently probing the network connection for such information.
+
+<p>
+In the case of <tt/root/-access, the <tt>/etc/host.equiv</tt> file is
+<em/ignored/ unless the <tt>hosts_equiv_rootok</tt> option
+should be used.  Instead, the superuser must have a correctly configured
+personal configuration file.
+
+<p>
+The behavior of the module is modified by flags:
+<itemize>
+<item>
+<tt/debug/ -
+log more information to <tt/syslog(3)/. (XXX - actually, this module
+does not do any logging currently, please volunteer to fix this!)
+
+<item>
+<tt/no_warn/ -
+do not give verbal warnings to the user about failures etc. (XXX -
+this module currently does not issue any warnings, please volunteer to
+fix this!)
+
+<item>
+<tt/no_hosts_equiv/ -
+ignore the contents of the <tt>/etc/hosts.equiv</tt> file.
+
+<item>
+<tt/hosts_equiv_rootok/ -
+allow the use of <tt>/etc/hosts.equiv</tt> for superuser.  Without this
+option <tt>/etc/hosts.equiv</tt> is not consulted for the superuser account.
+This option has no effect if the <tt>no_hosts_equiv</tt> option is used.
+
+<item>
+<tt/no_rhosts/ -
+ignore the contents of all user's personal configuration file
+<tt>~/.rhosts</tt>.
+
+<item>
+<tt/privategroup/ -
+normally, the <tt>~/.rhosts</tt> file must not be writable by anyone
+other than its owner.  This option overlooks group write access in the
+case that the group owner of this file has the same name as the
+user being authenticated.  To lessen the security problems associated
+with this option, the module also checks that the user is the only
+member of their private group.
+
+<item>
+<tt/promiscuous/ -
+A host entry of `+' will lead to all hosts being granted
+access. Without this option, '+' entries will be ignored. Note, that
+the <tt/debug/ option will syslog a warning in this latter case.
+
+<item>
+<tt/suppress/ -
+This will prevent the module from <tt/syslog(3)/ing a warning message
+when this authentication fails.  This option is mostly for keeping
+logs free of meaningless errors, in particular when the module is used
+with the <tt/sufficient/ control flag.
+
+</itemize>
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+To allow users to login from trusted remote machines, you should try
+adding the following line to your <tt>/etc/pam.conf</tt> file
+<em/before/ the line that would otherwise prompt the user for a
+password:
+<tscreen>
+<verb>
+#
+# No passwords required for users from hosts listed above.
+#
+login  auth  sufficient  pam_rhosts_auth.so no_rhosts
+</verb>
+</tscreen>
+Note, in this example, the system administrator has turned off all
+<em/personal/ <em/rhosts/ configuration files. Also note, that this module
+can be used to <em/only/ allow remote login from hosts specified in
+the <tt>/etc/host.equiv</tt> file, by replacing <tt/sufficient/ in the
+above example with <tt/required/.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_rootok.sgml b/Linux-PAM/doc/modules/pam_rootok.sgml
new file mode 100644
index 00000000..e882f4d5
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_rootok.sgml
@@ -0,0 +1,85 @@
+<!--
+   $Id: pam_rootok.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>The root access module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+pam_rootok
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+<bf>Linux-PAM</bf> maintainer
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+Clean.
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module is for use in situations where the superuser wishes
+to gain access to a service without having to enter a password.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/
+
+<tag><bf>Description:</bf></tag>
+
+This module authenticates the user if their <tt/uid/ is <tt/0/.
+Applications that are created <em/setuid/-root generally retain the
+<tt/uid/ of the user but run with the authority of an enhanced
+<em/effective-/<tt/uid/. It is the real <tt/uid/ that is checked.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+In the case of the <tt/su/ application the historical usage is to
+permit the superuser to adopt the identity of a lesser user without
+the use of a password. To obtain this behavior under <tt/Linux-PAM/
+the following pair of lines are needed for the corresponding entry in
+the configuration file:
+<tscreen>
+<verb>
+#
+# su authentication. Root is granted access by default.
+#
+su	auth	 sufficient	pam_rootok.so
+su	auth	 required	pam_unix_auth.so
+</verb>
+</tscreen>
+
+<p>
+Note. For programs that are run by the superuser (or started when the
+system boots) this module should not be used to authenticate users.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_securetty.sgml b/Linux-PAM/doc/modules/pam_securetty.sgml
new file mode 100644
index 00000000..f500b8b2
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_securetty.sgml
@@ -0,0 +1,72 @@
+<!--
+   $Id: pam_securetty.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $
+   
+   This file was written by Michael K. Johnson <johnsonm@redhat.com>
+-->
+
+<sect1>The securetty module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_securetty/
+
+<tag><bf>Author[s]:</bf></tag>
+Elliot Lee &lt;sopwith@cuc.edu&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Red Hat Software:<newline>
+<em/currently/ Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
+(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+<tt>/etc/securetty</tt> file
+
+<tag><bf>Network aware:</bf></tag>
+
+Requires the application to fill in the <tt>PAM_TTY</tt> item
+correctly in order to act meaningfully.
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+Provides standard Unix securetty checking.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+Provides standard Unix securetty checking, which causes authentication
+for root to fail unless <tt>PAM_TTY</tt> is set to a string listed in
+the <tt>/etc/securetty</tt> file.  For all other users, it succeeds.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+For canonical usage, should be listed as a <tt>required</tt>
+authentication method before any <tt>sufficient</tt> authentication
+methods.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_tally.sgml b/Linux-PAM/doc/modules/pam_tally.sgml
new file mode 100644
index 00000000..a2d03435
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_tally.sgml
@@ -0,0 +1,191 @@
+<!--
+
+   $Id: pam_tally.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $
+   
+   This template file was written by Andrew G. Morgan <morgan@kernel.org>
+   adapted from text provided by Tim Baverstock.
+-->
+
+<sect1>The login counter (tallying) module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+pam_tally
+
+<tag><bf>Author[s]:</bf></tag>
+Tim Baverstock
+
+<tag><bf>Maintainer:</bf></tag>
+
+<tag><bf>Management groups provided:</bf></tag>
+auth; account
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+A faillog file (default location /var/log/faillog)
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module maintains a count of attempted accesses, can reset count
+on success, can deny access if too many attempts fail.
+
+<p>
+pam_tally comes in two parts: <tt>pam_tally.so</tt> and
+<tt>pam_tally</tt>. The former is the PAM module and the latter, a
+stand-alone program. <tt>pam_tally</tt> is an (optional) application
+which can be used to interrogate and manipulate the counter file. It
+can display users' counts, set individual counts, or clear all
+counts. Setting artificially high counts may be useful for blocking
+users without changing their passwords. For example, one might find it
+useful to clear all counts every midnight from a cron job.
+
+<p>
+The counts file is organized as a binary-word array, indexed by
+uid. You can probably make sense of it with <tt>od</tt>, if you don't
+want to use the supplied appliction.
+
+<p>
+Note, there are some outstanding issues with this module:
+<tt>pam_tally</tt> is very dependant on <tt>getpw*()</tt> - a database
+of usernames would be much more flexible; the `keep a count of current
+logins' bit has been <tt>#ifdef</tt>'d out and you can only reset the
+counter on successful authentication, for now.
+
+<sect3>Generic options accepted by both components
+<p>
+<itemize>
+<item> <tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>):
+   if something weird happens, such as unable to open the file, how
+   should the module react?
+<item> <tt>file=</tt><em>/where/to/keep/counts</em>:
+   specify the file location for the counts.
+   The default location is <tt>/var/log/faillog</tt>.
+</itemize>
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>);
+<tt>file=</tt>/where/to/keep/counts;
+<tt>no_magic_root</tt>
+
+<tag><bf>Description:</bf></tag>
+
+<p>
+The authentication component of this module increments the attempted
+login counter.
+
+<p>
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+<p>
+The module argument <tt>no_magic_root</tt> is used to indicate that if
+the module is invoked by a user with uid=0, then the counter is
+incremented. The sys-admin should use this for daemon-launched
+services, like <tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>. For user
+launched services, like <tt>su</tt>, this argument should be omitted.
+
+<p>
+By way of more explanation, when a process already running as root
+tries to access some service, the access is <em>magic</em>, and
+bypasses <tt>pam_tally</tt>'s checks: this is handy for <tt>su</tt>ing
+from root into an account otherwise blocked. However, for services
+like <tt>telnet</tt> or <tt>login</tt>, which always effectively run
+from the root account, root (ie everyone) shouldn't be granted this
+magic status, and the flag `no_magic_root' should be set in this
+situation, as noted in the summary above.
+
+</descrip>
+
+<sect2>Account component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>);
+<tt>file=</tt>/where/to/keep/counts;
+<tt>deny=</tt><em>n</em>;
+<tt>no_magic_root</tt>;
+<tt>even_deny_root_account</tt>;
+<tt>reset</tt>;
+<tt>no_reset</tt>;
+<tt>per_user</tt>;
+<tt>no_lock_time</tt>
+
+<tag><bf>Description:</bf></tag>
+
+<p>
+The account component can deny access and/or reset the attempts
+counter. It also checks to make sure that the counts file is a plain
+file and not world writable.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+<p>
+The <tt>deny=</tt><em>n</em> option is used to deny access if tally
+for this user exceeds <em>n</em>. The presence of
+<tt>deny=</tt><em>n</em> changes the default for
+<tt>reset</tt>/<tt>no_reset</tt> to <tt>reset</tt>, unless the user
+trying to gain access is root and the <tt>no_magic_root</tt> option
+has NOT been specified.
+
+<p>
+The <tt>no_magic_root</tt> option ensures that access attempts by root
+DON'T ignore deny.  Use this for daemon-based stuff, like
+<tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>.
+
+<p>
+The <tt>even_deny_root_account</tt> option is used to ensure that the
+root account can become unavailable. <bf>Note</bf> that magic root
+trying to gain root bypasses this, but normal users can be locked out.
+
+<p>
+The <tt>reset</tt> option instructs the module to reset count to 0 on
+successful entry, even for magic root. The <tt>no_reset</tt> option is
+used to instruct the module to not reset the count on successful
+entry.  This is the default unless <tt>deny</tt> exists and the user
+attempting access is NOT magic root.
+
+<p>
+If <tt>/var/log/faillog</tt> contains a non-zero <tt>.fail_max</tt>
+field for this user then the <tt>per_user</tt> module argument will
+ensure that the module uses this value and not the global
+<tt>deny=</tt><em>n</em> parameter.
+
+<p>
+The <tt>no_lock_time</tt> option is for ensuring that the module does
+not use the <tt>.fail_locktime</tt> field in /var/log/faillog for this
+user.
+
+<p>
+Normally, failed attempts to access root will <bf>NOT</bf> cause the
+root account to become blocked, to prevent denial-of-service: if your
+users aren't given shell accounts and root may only login via
+<tt>su</tt> or at the machine console (not
+<tt>telnet</tt>/<tt>rsh</tt>, etc), this is safe. If you really want
+root to be blocked for some given service, use
+<tt>even_deny_root_account</tt>.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_time.sgml b/Linux-PAM/doc/modules/pam_time.sgml
new file mode 100644
index 00000000..785f76c2
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_time.sgml
@@ -0,0 +1,166 @@
+<!--
+   $Id: pam_time.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>Time control
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_time/
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan <tt>&lt;morgan@kernel.org&gt;</tt>
+
+<tag><bf>Maintainer:</bf></tag>
+Author
+
+<tag><bf>Management groups provided:</bf></tag>
+account
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+Requires a configuration file <tt>/etc/security/time.conf</tt>
+
+<tag><bf>Network aware:</bf></tag>
+Through the <tt/PAM_TTY/ item only
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+Running a well regulated system occasionally involves restricting
+access to certain services in a selective manner.  This module offers
+some time control for access to services offered by a system.  Its
+actions are determined with a configuration file.  This module can be
+configured to deny access to (individual) users based on their name,
+the time of day, the day of week, the service they are applying for
+and their terminal from which they are making their request.
+
+<sect2>Account component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This module bases its actions on the rules listed in its configuration
+file: <tt>/etc/security/time.conf</tt>.  Each rule has the following
+form,
+<tscreen>
+<em/services/<tt/;/<em/ttys/<tt/;/<em/users/<tt/;/<em/times/
+</tscreen>
+In words, each rule occupies a line, terminated with a newline or the
+beginning of a comment; a `<tt/#/'.  It contains four fields separated
+with semicolons, `<tt/;/'. The fields are as follows:
+
+<p>
+<itemize>
+<item><em/services/ -
+a logic list of service names that are affected by this rule.
+
+<item><em/ttys/ -
+a logic list of terminal names indicating those terminals covered by
+the rule.
+
+<item><em/user/ -
+a logic list of usernames to which this rule applies
+
+<p>
+By a logic list we mean a sequence of tokens (associated with the
+appropriate <tt/PAM_/ item), containing no more than one wildcard
+character; `<tt/*/', and optionally prefixed with a negation operator;
+`<tt/!/'. Such a sequence is concatenated with one of two logical
+operators: <tt/&amp;/ (logical AND) and <tt/|/ (logical OR).  Two
+examples are: <tt>!morgan&amp;!root</tt>, indicating that this rule
+does not apply to the user <tt>morgan</tt> nor to <tt>root</tt>; and
+<tt>tty*&amp;!ttyp*</tt>, which indicates that the rule applies only
+to console terminals but not pseudoterminals.
+
+<item><em/times/ - a logic list of times at which this rule
+applies. The format of each element is a day/time-range. The days are
+specified by a sequence of two character entries.  For example,
+<tt/MoTuSa/, indicates Monday Tuesday and Saturday.  Note that
+repeated days are <em/unset/; <tt/MoTuMo/ indicates Tuesday, and
+<tt/MoWk/ means all weekdays bar Monday.  The two character
+combinations accepted are,
+<tscreen>
+<verb>
+Mo Tu We Th Fr Sa Su Wk Wd Al
+</verb>
+</tscreen>
+The last two of these being <em/weekend/ days and <em/all 7 days/ of
+the week respectively.
+
+<p>
+The time range part is a pair of 24-hour times, <em/HHMM/, separated
+by a hyphen -- indicating the start and finish time for the rule.  If
+the finsish time is smaller than the start time, it is assumed to
+apply on the following day. For an example, <tt/Mo1800-0300/ indicates
+that the permitted times are Monday night from 6pm to 3am the
+following morning.
+
+</itemize>
+
+<p>
+Note, that the given time restriction is only applied when the first
+three fields are satisfied by a user's application for service.
+
+<p>
+For convenience and readability a rule can be extended beyond a single
+line with a `<tt>&bsol;</tt><em/newline/'.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+The use of this module is initiated with an entry in the
+<bf/Linux-PAM/ configuration file of the following type:
+<tscreen>
+<verb>
+#
+# apply pam_time accounting to login requests
+#
+login	account	 required	pam_time.so
+</verb>
+</tscreen>
+where, here we are applying the module to the <em/login/ application.
+
+<p>
+Some examples of rules that can be placed in the
+<tt>/etc/security/time.conf</tt> configuration file are the following:
+<descrip>
+
+<tag><tt>login ; tty* &amp; !ttyp* ; !root ; !Al0000-2400</tt></tag>
+all users except for <tt/root/ are denied access to console-login at
+all times.
+
+<tag><tt>games ; * ; !waster ; Wd0000-2400 | Wk1800-0800</tt></tag>
+games (configured to use Linux-PAM) are only to be accessed out of
+working hours.  This rule does not apply to the user <tt/waster/.
+
+</descrip>
+
+<p>
+Note, currently there is no daemon enforcing the end of a session.
+This needs to be remedied.
+
+<p>
+Poorly formatted rules are logged as errors using <tt/syslog(3)/.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_unix.sgml b/Linux-PAM/doc/modules/pam_unix.sgml
new file mode 100644
index 00000000..286cd3f8
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_unix.sgml
@@ -0,0 +1,288 @@
+<!--
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+
+   Converted from the pam_pwdb.sgml file for pam_unix by Ben Collins <bcollins@debian.org>
+-->
+
+<sect1>The Unix Password module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+pam_unix
+
+<tag><bf>Author:</bf></tag>
+
+<tag><bf>Maintainer:</bf></tag>
+
+<tag><bf>Management groups provided:</bf></tag>
+account; authentication; password; session
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This is the standard Unix authentication module. It uses standard calls
+from the system's libraries to retrieve and set account information as
+well as authentication. Usually this is obtained from the /etc/passwd
+and the /etc/shadow file as well if shadow is enabled.
+
+<sect2>Account component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/; <tt/audit/
+
+<tag><bf>Description:</bf></tag>
+
+The <tt/debug/ argument makes the accounting functions of this module
+<tt/syslog(3)/ more information on its actions. (Remaining arguments
+supported by the other functions of this module are silently ignored,
+but others are logged as errors through <tt/syslog(3)/). The <tt/audit/
+argument causes even more logging.
+
+Based on the following <tt/shadow/ elements:
+<tt/expire/;
+<tt/last_change/;
+<tt/max_change/;
+<tt/min_change/;
+<tt/warn_change/,
+this module performs the task of establishing the status of the user's
+account and password. In the case of the latter, it may offer advice
+to the user on changing their password or, through the
+<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until
+they have established a new password. The entries listed above are
+documented in the <em/GNU Libc/ info documents. Should the user's record
+not contain one or more of these entries, the corresponding <em/shadow/
+check is not performed.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+In its accounting mode, this module can be inserted as follows:
+<tscreen>
+<verb>
+#
+# Ensure users account and password are still active
+#
+login	account	 required	pam_unix.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/;
+<tt/audit/;
+<tt/use_first_pass/;
+<tt/try_first_pass/;
+<tt/nullok/;
+<tt/nodelay/
+
+<tag><bf>Description:</bf></tag>
+
+The <tt/debug/ argument makes the authentication functions of this
+module <tt/syslog(3)/ more information on its actions. The <tt/audit/
+causes even more information to be logged.
+
+<p>
+The default action of this module is to not permit the user access to
+a service if their <em/official/ password is blank. The <tt/nullok/
+argument overrides this default.
+
+<p>
+When given the argument <tt/try_first_pass/, before prompting the user
+for their password, the module first tries the previous stacked
+<tt/auth/-module's password in case that satisfies this module as
+well. The argument <tt/use_first_pass/ forces the module to use such a
+recalled password and will never prompt the user - if no password is
+available or the password is not appropriate, the user will be denied
+access.
+
+<p>
+The argument, <tt>nodelay</tt>, can be used to discourage the
+authentication component from requesting a delay should the
+authentication as a whole fail.  The default action is for the module
+to request a delay-on-failure of the order of one second.
+
+<p>
+Remaining arguments, supported by the other functions of this module,
+are silently ignored. Other arguments are logged as errors through
+<tt/syslog(3)/.
+
+<p>
+A helper binary, <tt>unix_chkpwd</tt>, is provided to check the user's
+password when it is stored in a read protected database.  This binary
+is very simple and will only check the password of the user invoking
+it.  It is called transparently on behalf of the user by the
+authenticating component of this module.  In this way it is possible
+for applications like <em>xlock</em> to work without being setuid-root.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+The correct functionality of this module is dictated by having an
+appropriate <tt>/etc/nsswitch.conf</tt> file, the user
+databases specified there dictate the source of the authenticated
+user's record.
+<p>
+In its authentication mode, this module can be inserted as follows:
+<tscreen>
+<verb>
+#
+# Authenticate the user
+#
+login   auth  required       pam_unix.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<sect2>Password component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/;
+<tt/audit/;
+<tt/nullok/;
+<tt/not_set_pass/;
+<tt/use_authtok/;
+<tt/try_first_pass/;
+<tt/use_first_pass/;
+<tt/md5/;
+<tt/bigcrypt/;
+<tt/shadow/;
+<tt/nis/;
+<tt/remember/
+
+<tag><bf>Description:</bf></tag>
+
+This part of the <tt/pam_unix/ module performs the task of updating
+the user's password.
+
+<p>
+In the case of conventional unix databases (which store the password
+encrypted) the <tt/md5/ argument is used to do the encryption with the
+MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call.
+As an alternative to this, the <tt/bigcrypt/ argument can be used to
+encrypt more than the first 8 characters of a password with DEC's
+(Digital Equipment Cooperation) `C2' extension to the standard UNIX
+<tt/crypt()/ algorithm.
+
+<p>
+The <tt/nullok/ argument is used to permit the changing of a password
+<em/from/ an empty one. Without this argument, empty passwords are
+treated as account-locking ones.
+
+<p>
+The argument <tt/use_first_pass/ is used to lock the choice of old and
+new passwords to that dictated by the previously stacked <tt/password/
+module.  The <tt/try_first_pass/ argument is used to avoid the user
+having to re-enter an old password when <tt/pam_unix/ follows a module
+that possibly shared the user's old password - if this old password is
+not correct the user will be prompted for the correct one.  The
+argument <tt/use_authtok/ is used to <em/force/ this module to set the
+new password to the one provided by the previously stacked
+<tt/password/ module (this is used in an example of the stacking of
+the <em/Cracklib/ module documented above).
+
+<p>
+The <tt/not_set_pass/ argument is used to inform the module that it is
+not to pay attention to/make available the old or new passwords from/to
+other (stacked) password modules.
+
+<p>
+The <tt/debug/ argument makes the password functions of this module
+<tt/syslog(3)/ more information on its actions. Other arguments may be
+logged as erroneous to <tt/syslog(3)/. The <tt/audit/ argument causes
+even more information to be logged.
+
+<p>
+With the <tt/nis/ argument, <tt/pam_unix/ will attempt to use NIS RPC
+for setting new passwords.
+
+<p>
+The <tt/remember/ argument takes one value. This is the number of most
+recent passwords to save for each user. These are saved in
+<tt>/etc/security/opasswd</tt> in order to force password change history
+and keep the user from alternating between the same password too frequently.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+Standard usage:
+<tscreen>
+<verb>
+#
+# Change the users password
+#
+passwd   password   required   pam_unix.so
+</verb>
+</tscreen>
+
+<p>
+An example of the stacking of this module with respect to the
+pluggable password checking module, <tt/pam_cracklib/:
+<tscreen>
+<verb>
+#
+# Change the users password
+#
+passwd   password   required   pam_cracklib.so retry=3 minlen=6 difok=3
+passwd   password   required   pam_unix.so use_authtok nullok md5
+</verb>
+</tscreen>
+
+</descrip>
+
+<sect2>Session component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+No arguments are recognized by this module component. Its action is
+simply to log the username and the service-type to
+<tt/syslog(3)/. Messages are logged at the beginning and end of the
+user's session.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+The use of the session modules is straightforward:
+<tscreen>
+<verb>
+#
+# session opening and closing
+#
+login	session	 required	pam_unix.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_userdb.sgml b/Linux-PAM/doc/modules/pam_userdb.sgml
new file mode 100644
index 00000000..bdbf80b8
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_userdb.sgml
@@ -0,0 +1,112 @@
+<!--
+   This file was written by Cristian Gafton <gafton@redhat.com>
+-->
+
+<sect1>The userdb module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_userdb/
+
+<tag><bf>Author:</bf></tag>
+Cristian Gafton &lt;gafton@redhat.com&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+Requires Berkeley DB.
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+Look up users in a .db database and verify their password against
+what is contained in that database.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/;
+<tt/icase/;
+<tt/dump/;
+<tt/db=XXXX/;
+
+<tag><bf>Description:</bf></tag>
+
+This module is used to verify a username/password pair against values stored in
+a Berkeley DB database. The database is indexed by the username, and the data 
+fields corresponding to the username keys are the passwords, in unencrypted form,
+so caution must be exercised over the access rights to the DB database itself..
+
+The module will read the password from the user using the conversation mechanism. If
+you are using this module on top of another authetication module (like <tt/pam_pwdb/;)
+then you should tell that module to read the entered password from the PAM_AUTHTOK field, which is set by this module.
+
+<p>
+The action of the module may be modified from this default by one or
+more of the following flags in the <tt>/etc/pam.d/&lt;service&gt;</tt> file.
+<itemize>
+<item>
+<tt/debug/ -
+Supply more debugging information to <tt/syslog(3)/.
+
+<item>
+<tt/icase/ -
+Perform the password comparisons case insensitive.
+
+<item>
+<tt/dump/ -
+dump all the entries in the database to the log (eek,
+don't do this by default!)
+
+<item>
+<tt/db=XXXX/ - 
+use the database found on pathname XXXX. Note that Berkeley DB usually adds the 
+needed filename extension for you, so you should use something like <tt>/etc/foodata</tt>
+instead of <tt>/etc/foodata.db</tt>.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+This is a normal ftp configuration file (usually placed as <tt>/etc/pam.d/ftp</tt> 
+on most systems) that will accept for login users whose username/password pairs are 
+provided in the <tt>/tmp/dbtest.db</tt> file:
+
+<tscreen>
+<verb>
+#%PAM-1.0
+auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth       sufficient   pam_userdb.so icase db=/tmp/dbtest
+auth       required     pam_pwdb.so shadow nullok try_first_pass
+auth       required     pam_shells.so
+account    required     pam_pwdb.so
+session    required     pam_pwdb.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_warn.sgml b/Linux-PAM/doc/modules/pam_warn.sgml
new file mode 100644
index 00000000..caedf873
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_warn.sgml
@@ -0,0 +1,67 @@
+<!--
+   $Id: pam_warn.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+-->
+
+<sect1>Warning logger module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_warn/
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@kernel.org&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication; password
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+
+<tag><bf>Network aware:</bf></tag>
+logs information about the remote user and host (if pam-items are known)
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module is principally for logging information about a
+proposed authentication or application to update a password.
+
+<sect2>Authentication+Password component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+Log the service, terminal, user, remote user and remote host to
+<tt/syslog(3)/. The items are not probed for, but instead obtained
+from the standard pam-items.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+an example is provided in the configuration file section <ref
+id="configuration" name="above">.
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/modules/pam_wheel.sgml b/Linux-PAM/doc/modules/pam_wheel.sgml
new file mode 100644
index 00000000..cc064120
--- /dev/null
+++ b/Linux-PAM/doc/modules/pam_wheel.sgml
@@ -0,0 +1,125 @@
+<!--
+   $Id: pam_wheel.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $
+   
+   This file was written by Andrew G. Morgan <morgan@kernel.org>
+	from notes provided by Cristian Gafton.
+-->
+
+<sect1>The wheel module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_wheel/
+
+<tag><bf>Author:</bf></tag>
+Cristian Gafton &lt;gafton@redhat.com&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+	
+<tag><bf>Security rating:</bf></tag>
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+Requires libpwdb.
+
+<tag><bf>Network aware:</bf></tag>
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+Only permit root access to members of the wheel (<tt/gid=0/) group.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+<tt/debug/;
+<tt/use_uid/;
+<tt/trust/;
+<tt/deny/;
+<tt/group=XXXX/
+
+<tag><bf>Description:</bf></tag>
+
+This module is used to enforce the so-called <em/wheel/ group. By
+default, it permits root access to the system if the applicant user is
+a member of the <tt/wheel/ group (first, the module checks for the
+existence of a '<tt/wheel/' group. Otherwise the module defines the
+group with group-id <tt/0/ to be the <em/wheel/ group).
+
+<p>
+The action of the module may be modified from this default by one or
+more of the following flags in the <tt>/etc/pam.conf</tt> file.
+<itemize>
+<item>
+<tt/debug/ -
+Supply more debugging information to <tt/syslog(3)/.
+
+<item>
+<tt/use_uid/ -
+This option modifies the behavior of the module by using the current
+<tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user.
+This option is useful for being able to jump from one account to
+another, for example with 'su'.
+
+<item>
+<tt/trust/ -
+This option instructs the module to return <tt/PAM_SUCCESS/ should it
+find the user applying for root privilege is a member of the wheel
+group. The default action is to return <tt/PAM_IGNORE/ in this
+situation. By using the <tt/trust/ option it is possible to arrange
+for <tt/wheel/-group members to become root without typing a
+password. <bf/USE WITH CARE/.
+
+<item>
+<tt/deny/ - 
+This is used to reverse the logic of the module's behavior.
+If the user is trying to get <tt/uid=0/ access and is a member of the wheel
+group, deny access (for the wheel group, this is perhaps nonsense!):
+it is intended for use in conjunction with the <tt/group=/ argument...
+
+<item>
+<tt/group=XXXX/ -
+Instead of checking the <tt/gid=0/ group, use the user's <tt/XXXX/
+group membership for the authentication. Here, <tt/XXXX/ is the name
+of the group and <bf/not/ its numeric identifier.
+
+</itemize>
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+To restrict access to superuser status to the members of the
+<tt/wheel/ group, use the following entries in your configuration
+file:
+<tscreen>
+<verb>
+#
+# root gains access by default (rootok), only wheel members can 
+# become root (wheel) but Unix authenticate non-root applicants.
+#
+su	auth	 sufficient	pam_rootok.so
+su	auth	 required	pam_wheel.so
+su	auth	 required	pam_unix_auth.so
+</verb>
+</tscreen>
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->
diff --git a/Linux-PAM/doc/pam_appl.sgml b/Linux-PAM/doc/pam_appl.sgml
new file mode 100644
index 00000000..f6d35b4e
--- /dev/null
+++ b/Linux-PAM/doc/pam_appl.sgml
@@ -0,0 +1,1782 @@
+<!doctype linuxdoc system>
+
+<!--
+
+ $Id: pam_appl.sgml,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $
+
+    Copyright (C) Andrew G. Morgan 1996-2001.  All rights reserved.
+
+Redistribution and use in source (sgml) and binary (derived) forms,
+with or without modification, are permitted provided that the
+following conditions are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, and the entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote
+   products derived from this software without specific prior
+   written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions.  (This clause is
+necessary due to a potential bad interaction between the GNU GPL and
+the restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+
+ -->
+
+<article>
+
+<title>The Linux-PAM Application Developers' Guide
+<author>Andrew G. Morgan, <tt>morgan@kernel.org</tt>
+<date>DRAFT v0.76 2001/12/08
+<abstract>
+This manual documents what an application developer needs to know
+about the <bf>Linux-PAM</bf> library. It describes how an application
+might use the <bf>Linux-PAM</bf> library to authenticate users. In
+addition it contains a description of the funtions to be found in
+<tt/libpam_misc/ library, that can be used in general applications.
+Finally, it contains some comments on PAM related security issues for
+the application developer.
+</abstract>
+
+<toc>
+
+<sect>Introduction
+
+<sect1>Synopsis
+
+<p>
+For general applications that wish to use the services provided by
+<bf/Linux-PAM/ the following is a summary of the relevant linking
+information:
+<tscreen>
+<verb>
+#include <security/pam_appl.h>
+
+cc -o application .... -lpam -ldl
+</verb>
+</tscreen>
+
+<p>
+In addition to <tt/libpam/, there is a library of miscellaneous
+functions that make the job of writing <em/PAM-aware/ applications
+easier (this library is not covered in the DCE-RFC for PAM and is
+specific to the Linux-PAM distribution):
+<tscreen>
+<verb>
+...
+#include <security/pam_misc.h>
+
+cc -o application .... -lpam -lpam_misc -ldl
+</verb>
+</tscreen>
+
+<sect1> Description
+
+<p>
+<bf>Linux-PAM</bf> (Pluggable Authentication Modules for Linux) is a
+library that enables the local system administrator to choose how
+individual applications authenticate users.  For an overview of the
+<bf>Linux-PAM</bf> library see the <bf/Linux-PAM/ System
+Administrators' Guide.
+
+<p>
+It is the purpose of the <bf>Linux-PAM</bf> project to liberate the
+development of privilege granting software from the development of
+secure and appropriate authentication schemes.  This is accomplished
+by providing a documented library of functions that an application may
+use for all forms of user authentication management. This library
+dynamically loads locally configured authentication modules that
+actually perform the authentication tasks.
+
+<p>
+From the perspective of an application developer the information
+contained in the local configuration of the PAM library should not be
+important.  Indeed it is intended that an application treat the
+functions documented here as a ``black box'' that will deal with all
+aspects of user authentication. ``All aspects'' includes user
+verification, account management, session initialization/termination
+and also the resetting of passwords (<em/authentication tokens/).
+
+<sect>Overview
+
+<p>
+Most service-giving applications are restricted.  In other words,
+their service is not available to all and every prospective client.
+Instead, the applying client must jump through a number of hoops to
+convince the serving application that they are authorized to obtain
+service.
+
+The process of <em/authenticating/ a client is what PAM is designed to
+manage.  In addition to authentication, PAM provides account
+management, credential management, session management and
+authentication-token (password changing) management services.  It is
+important to realize when writing a PAM based application that these
+services are provided in a manner that is <bf>transparent</bf> to
+the application.  That is to say, when the application is written, no
+assumptions can be made about <em>how</em> the client will be
+authenticated.
+
+<p>
+The process of authentication is performed by the PAM library via a
+call to <tt>pam_authenticate()</tt>.  The return value of this
+function will indicate whether a named client (the <em>user</em>) has
+been authenticated.  If the PAM library needs to prompt the user for
+any information, such as their <em>name</em> or a <em>password</em>
+then it will do so.  If the PAM library is configured to authenticate
+the user using some silent protocol, it will do this too.  (This
+latter case might be via some hardware interface for example.)
+
+<p>
+It is important to note that the application must leave all decisions
+about when to prompt the user at the discretion of the PAM library.
+
+<p>
+The PAM library, however, must work equally well for different styles
+of application.  Some applications, like the familiar <tt>login</tt>
+and <tt>passwd</tt> are terminal based applications, exchanges of
+information with the client in these cases is as plain text messages.
+Graphically based applications, however, have a more sophisticated
+interface.  They generally interact with the user via specially
+constructed dialogue boxes.  Additionally, network based services
+require that text messages exchanged with the client are specially
+formatted for automated processing: one such example is <tt>ftpd</tt>
+which prefixes each exchanged message with a numeric identifier.
+
+<p>
+The presentation of simple requests to a client is thus something very
+dependent on the protocol that the serving application will use.  In
+spite of the fact that PAM demands that it drives the whole
+authentication process, it is not possible to leave such protocol
+subtleties up to the PAM library.  To overcome this potential problem,
+the application provides the PAM library with a <em>conversation</em>
+function.  This function is called from <bf>within</bf> the PAM
+library and enables the PAM to directly interact with the client.  The
+sorts of things that this conversation function must be able to do are
+prompt the user with text and/or obtain textual input from the user
+for processing by the PAM library.  The details of this function are
+provided in a later section.
+
+<p>
+For example, the conversation function may be called by the PAM library
+with a request to prompt the user for a password.  Its job is to
+reformat the prompt request into a form that the client will
+understand.  In the case of <tt>ftpd</tt>, this might involve prefixing
+the string with the number <tt>331</tt> and sending the request over
+the network to a connected client.  The conversation function will
+then obtain any reply and, after extracting the typed password, will
+return this string of text to the PAM library.  Similar concerns need
+to be addressed in the case of an X-based graphical server.
+
+<p>
+There are a number of issues that need to be addressed when one is
+porting an existing application to become PAM compliant.  A section
+below has been devoted to this: Porting legacy applications.
+
+<p>
+Besides authentication, PAM provides other forms of management.
+Session management is provided with calls to
+<tt>pam_open_session()</tt> and <tt>pam_close_session()</tt>.  What
+these functions actually do is up to the local administrator.  But
+typically, they could be used to log entry and exit from the system or
+for mounting and unmounting the user's home directory.  If an
+application provides continuous service for a period of time, it
+should probably call these functions, first open after the user is
+authenticated and then close when the service is terminated.
+
+<p>
+Account management is another area that an application developer
+should include with a call to <tt/pam_acct_mgmt()/.  This call will
+perform checks on the good health of the user's account (has it
+expired etc.). One of the things this function may check is whether
+the user's authentication token has expired - in such a case the
+application may choose to attempt to update it with a call to
+<tt/pam_chauthtok()/, although some applications are not suited to
+this task (<em>ftp</em> for example) and in this case the application
+should deny access to the user.
+
+<p>
+PAM is also capable of setting and deleting the users credentials with
+the call <tt>pam_setcred()</tt>.  This function should always be
+called after the user is authenticated and before service is offered
+to the user.  By convention, this should be the last call to the PAM
+library before the PAM session is opened.  What exactly a credential
+is, is not well defined.  However, some examples are given in the
+glossary below.
+
+<sect>The public interface to <bf>Linux-PAM</bf>
+ 
+<p>
+Firstly, the relevant include file for the <bf>Linux-PAM</bf> library
+is <tt>&lt;security/pam_appl.h&gt;</tt>. It contains the definitions
+for a number of functions. After listing these functions, we collect
+some guiding remarks for programmers.
+
+<sect1>What can be expected by the application
+
+<p>
+Below we document those functions in the <bf/Linux-PAM/ library that
+may be called from an application.
+
+<sect2>Initialization of Linux-PAM
+<label id="pam-start-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_start(const char *service_name, const char *user,
+		     const struct pam_conv *pam_conversation,
+		     pam_handle_t **pamh);
+</verb>
+</tscreen>
+
+<p>
+This is the first of the <bf>Linux-PAM</bf> functions that must be
+called by an application. It initializes the interface and reads the
+system configuration file, <tt>/etc/pam.conf</tt> (see the
+<bf/Linux-PAM/ System Administrators' Guide).  Following a successful
+return (<tt/PAM_SUCCESS/) the contents of <tt/*pamh/ is a handle that
+provides continuity for successive calls to the <bf/Linux-PAM/
+library.  The arguments expected by <tt/pam_start/ are as follows: the
+<tt/service_name/ of the program, the <tt/user/name of the individual
+to be authenticated, a pointer to an application-supplied
+<tt/pam_conv/ structure and a pointer to a <tt/pam_handle_t/
+<em/pointer/.
+
+<p>
+The <tt>pam_conv</tt> structure is discussed more fully in the section
+<ref id="the-conversation-function" name="below">.  The
+<tt>pam_handle_t</tt> is a <em>blind</em> structure and the
+application should not attempt to probe it directly for information.
+Instead the <bf>Linux-PAM</bf> library provides the functions
+<tt>pam_set_item</tt> and <tt>pam_get_item</tt>.  These functions are
+documented below.
+
+<sect2>Termination of the library
+<label id="pam-end-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_end(pam_handle_t *pamh, int pam_status);
+</verb>
+</tscreen>
+
+<p>
+This function is the last function an application should call in the
+<bf>Linux-PAM</bf> library.  Upon return the handle <tt/pamh/ is no
+longer valid and all memory associated with it will be invalid (likely
+to cause a segmentation fault if accessed).
+
+<p>
+Under normal conditions the argument <tt/pam_status/ has the value
+PAM_SUCCESS, but in the event of an unsuccessful application for
+service the appropriate <bf/Linux-PAM/ error-return value should be
+used here. Note, <tt/pam_end()/ unconditionally shuts down the
+authentication stack associated with the <tt/pamh/ handle. The value
+taken by <tt/pam_status/ is used as an argument to the module specific
+callback functions, <tt/cleanup()/ (see the <bf/Linux-PAM/ <htmlurl
+url="pam_modules.html" name="Module Developers' Guide">). In this way,
+the module can be given notification of the pass/fail nature of the
+tear-down process, and perform any last minute tasks that are
+appropriate to the module before it is unlinked.
+
+<sect2>Setting PAM items
+<label id="pam-set-item-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_set_item(pam_handle_t *pamh, int item_type,
+			const void *item);
+</verb>
+</tscreen>
+
+<p>This function is used to (re)set the value of one of the following
+<bf/item_type/s:
+
+<p><descrip>
+<tag><tt/PAM_SERVICE/</tag>
+
+     	The service name (which identifies that PAM stack that
+     	<tt/libpam/ will use to authenticate the program).
+
+<tag><tt/PAM_USER/</tag>
+
+	The username of the entity under who's identity service will
+	be given. That is, following authentication, <tt/PAM_USER/
+	identifies the local entity that gets to use the
+	service. Note, this value can be mapped from something (eg.,
+	"<tt/anonymous/") to something else (eg. "<tt/guest119/") by
+	any module in the PAM stack. As such an application should
+	consult the value of <tt/PAM_USER/ after each call to a
+	<tt/pam_*()/ function.
+
+<tag><tt/PAM_USER_PROMPT/</tag>
+
+	The string used when prompting for a user's name. The default
+        value for this string is ``Please enter username: ''.
+
+<tag><tt/PAM_TTY/</tag>
+
+	The terminal name: prefixed by <tt>/dev/</tt> if it is a
+        device file; for graphical, X-based, applications the value
+        for this item should be the <tt/&dollar;DISPLAY/ variable.
+
+<tag><tt/PAM_RUSER/</tag>
+
+        The requesting entity: user's username for a locally
+	requesting user or a remote requesting user - generally an
+	application or module will attempt to supply the value that is
+	most strongly authenticated (a local account before a remote
+	one. The level of trust in this value is embodied in the
+	actual authentication stack associated with the application,
+	so it is ultimately at the discretion of the system
+	administrator. It should generally match the current
+	<tt/PAM_RHOST/ value. That is, "<tt/PAM_RUSER@PAM_RHOST/"
+	should always identify the requesting user. In some cases,
+	<tt/PAM_RUSER/ may be NULL. In such situations, it is unclear
+	who the requesting entity is.
+
+<tag><tt/PAM_RHOST/</tag>
+
+	The requesting hostname (the hostname of the machine from
+	which the <tt/PAM_RUSER/ entity is requesting service). That
+	is "<tt/PAM_RUSER@PAM_RHOST/" does identify the requesting
+	user.  "<tt/luser@localhost/" or "<tt/evil@evilcom.com/" are
+	valid "<tt/PAM_RUSER@PAM_RHOST/" examples. In some
+	applications, <tt/PAM_RHOST/ may be NULL. In such situations,
+	it is unclear where the authentication request is originating
+	from.
+
+<tag><tt/PAM_CONV/</tag>
+
+	The conversation structure (see section <ref
+        id="the-conversation-function" name="below">).
+
+<tag><tt/PAM_FAIL_DELAY/</tag> A function pointer to redirect
+        centrally managed failure delays (see section <ref
+        id="the-failure-delay-function" name="below">).
+
+</descrip>
+
+<p>
+For all <tt/item_type/s, other than <tt/PAM_CONV/ and
+<tt/PAM_FAIL_DELAY/, <tt/item/ is a pointer to a <tt>&lt;NUL&gt;</tt>
+terminated character string.  In the case of <tt/PAM_CONV/, <tt/item/
+points to an initialized <tt/pam_conv/ structure (see section <ref
+id="the-conversation-function" name="below">). In the case of
+<tt/PAM_FAIL_DELAY/, <tt/item/ is a function pointer: <tt/void
+(*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)/ (see
+section <ref id="the-failure-delay-function" name="below">).
+
+<p>
+A successful call to this function returns <tt/PAM_SUCCESS/.  However,
+the application should expect at least one the following errors:
+
+<p>
+<descrip>
+<tag><tt/PAM_SYSTEM_ERR/</tag>
+        The <tt/pam_handle_t/ passed as a first argument to this
+        function was invalid.
+<tag><tt/PAM_PERM_DENIED/</tag>
+	An attempt was made to replace the conversation structure with
+        a <tt/NULL/ value.
+<tag><tt/PAM_BUF_ERR/</tag>
+	The function ran out of memory making a copy of the item.
+<tag><tt/PAM_BAD_ITEM/</tag>
+	The application attempted to set an undefined or inaccessible
+	item.
+</descrip>
+
+<sect2>Getting PAM items
+<label id="pam-get-item-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_get_item(const pam_handle_t *pamh, int item_type,
+			const void **item);
+</verb>
+</tscreen>
+
+<p>
+This function is used to obtain the value of the indicated
+<tt/item_type/.  Upon successful return, <tt/*item/ contains a pointer
+to the value of the corresponding item.  Note, this is a pointer to
+the <em/actual/ data and should <em/not/ be <tt/free()/'ed or
+over-written!
+
+<p>
+A successful call is signaled by a return value of <tt/PAM_SUCCESS/.
+However, the application should expect one of the following errors:
+
+<p>
+<descrip>
+<tag><tt/PAM_SYSTEM_ERR/</tag>
+        The <tt/pam_handle_t/ passed as a first argument to this
+        function was invalid.
+<tag><tt/PAM_PERM_DENIED/</tag>
+	The value of <tt/item/ was <tt/NULL/.
+<tag><tt/PAM_BAD_ITEM/</tag>
+	The application attempted to set an undefined or inaccessible
+	item.
+</descrip>
+
+<p>
+Note, in the case of an error, the contents of <tt/item/ is not
+modified - that is, it retains its pre-call value. One should take
+care to initialize this value prior to calling
+<tt/pam_get_item()/. Since, if its value - despite the
+<tt/pam_get_item()/ function failing - is to be used the consequences
+are undefined.
+
+<sect2>Understanding errors
+<label id="pam-strerror-section">
+
+<p>
+<tscreen>
+<verb>
+extern const char *pam_strerror(pam_handle_t *pamh, int errnum);
+</verb>
+</tscreen>
+
+<p>
+This function returns some text describing the <bf>Linux-PAM</bf>
+error associated with the argument <tt/errnum/.  If the error is not
+recognized ``<tt/Unknown Linux-PAM error/'' is returned.
+
+<sect2>Planning for delays
+<label id="the-failure-delay-function">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_fail_delay(pam_handle_t *pamh, unsigned int micro_sec);
+</verb>
+</tscreen>
+
+<p>
+This function is offered by <bf/Linux-PAM/ to facilitate time delays
+following a failed call to <tt/pam_authenticate()/ and before control
+is returned to the application. When using this function the
+application programmer should check if it is available with,
+<tscreen>
+<verb>
+#ifdef PAM_FAIL_DELAY
+    ....
+#endif /* PAM_FAIL_DELAY */
+</verb>
+</tscreen>
+
+
+<p>
+Generally, an application requests that a user is authenticated by
+<bf/Linux-PAM/ through a call to <tt/pam_authenticate()/ or
+<tt/pam_chauthtok()/.  These functions call each of the <em/stacked/
+authentication modules listed in the relevant <bf/Linux-PAM/
+configuration file.  As directed by this file, one of more of the
+modules may fail causing the <tt/pam_...()/ call to return an error.
+It is desirable for there to also be a pause before the application
+continues. The principal reason for such a delay is security: a delay
+acts to discourage <em/brute force/ dictionary attacks primarily, but
+also helps hinder <em/timed/ (covert channel) attacks.
+
+<p>
+The <tt/pam_fail_delay()/ function provides the mechanism by which an
+application or module can suggest a minimum delay (of <tt/micro_sec/
+<em/micro-seconds/). <bf/Linux-PAM/ keeps a record of the longest time
+requested with this function. Should <tt/pam_authenticate()/ fail,
+the failing return to the application is delayed by an amount of time
+randomly distributed (by up to 25%) about this longest value.
+
+<p>
+Independent of success, the delay time is reset to its zero default
+value when <bf/Linux-PAM/ returns control to the application.
+
+<p>
+For applications written with a single thread that are event driven in
+nature, <tt/libpam/ generating this delay may be undesirable. Instead,
+the application may want to register the delay in some other way. For
+example, in a single threaded server that serves multiple
+authentication requests from a single event loop, the application
+might want to simply mark a given connection as blocked until an
+application timer expires. For this reason, <bf/Linux-PAM/ supplies
+the <tt/PAM_FAIL_DELAY/ item. It can be queried and set with
+<tt/pam_get_item()/ and <tt/pam_set_item()/ respectively. The value
+used to set it should be a function pointer of the following
+prototype:
+
+<tscreen>
+<verb>
+void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
+</verb>
+</tscreen>
+
+The arguments being the <tt/retval/ return code of the module stack,
+the <tt/usec_delay/ micro-second delay that libpam is requesting and
+the <tt/appdata_ptr/ that the application has associated with the
+current <tt/pamh/ (<tt/pam_handle_t/). This last value was set by the
+application when it called <tt/pam_start/ or explicitly with
+<tt/pam_set_item(... , PAM_CONV, ...)/. Note, if <tt/PAM_FAIL_DELAY/
+is unset (or set to <tt/NULL/), then <tt/libpam/ will perform any
+delay.
+
+<sect2>Authenticating the user
+
+<p>
+<tscreen>
+<verb>
+extern int pam_authenticate(pam_handle_t *pamh, int flags);
+</verb>
+</tscreen>
+
+<p>
+This function serves as an interface to the authentication mechanisms
+of the loaded modules.  The single <em/optional/ flag, which may be
+logically OR'd with <tt/PAM_SILENT/, takes the following value,
+
+<p><descrip>
+
+<tag><tt/PAM_DISALLOW_NULL_AUTHTOK/</tag>
+	Instruct the authentication modules to return
+<tt/PAM_AUTH_ERR/ if the user does not have a registered
+authorization token---it is set to <tt/NULL/ in the system database.
+</descrip>
+
+<p>
+The value returned by this function is one of the following:
+
+<p><descrip>
+
+<tag><tt/PAM_AUTH_ERR/</tag>
+	The user was not authenticated
+<tag><tt/PAM_CRED_INSUFFICIENT/</tag>
+	For some reason the application does not have sufficient
+credentials to authenticate the user.
+<tag><tt/PAM_AUTHINFO_UNAVAIL/</tag>
+	The modules were not able to access the authentication
+information. This might be due to a network or hardware failure etc.
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The supplied username is not known to the authentication
+service
+<tag><tt/PAM_MAXTRIES/</tag>
+	One or more of the authentication modules has reached its
+limit of tries authenticating the user. Do not try again.
+
+</descrip>
+
+<p>
+If one or more of the authentication modules fails to load, for
+whatever reason, this function will return <tt/PAM_ABORT/.
+
+<sect2>Setting user credentials
+<label id="pam-setcred-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_setcred(pam_handle_t *pamh, int flags);
+</verb>
+</tscreen>
+
+<p>
+This function is used to set the module-specific credentials of the
+user.  It is usually called after the user has been authenticated,
+after the account management function has been called but before a
+session has been opened for the user.
+
+<p>
+A credential is something that the user possesses.  It is some
+property, such as a <em>Kerberos</em> ticket, or a supplementary group
+membership that make up the uniqueness of a given user.  On a Linux
+(or UN*X system) the user's <tt>UID</tt> and <tt>GID</tt>'s are
+credentials too.  However, it has been decided that these properties
+(along with the default supplementary groups of which the user is a
+member) are credentials that should be set directly by the application
+and not by PAM.
+
+<p>
+This function simply calls the <tt/pam_sm_setcred/ functions of each
+of the loaded modules.  Valid <tt/flags/, any one of which, may be
+logically OR'd with <tt/PAM_SILENT/, are:
+
+<p><descrip>
+<tag><tt/PAM_ESTABLISH_CRED/</tag>
+	Set the credentials for the authentication service,
+<tag><tt/PAM_DELETE_CRED/</tag>
+	Delete the credentials associated with the authentication service,
+<tag><tt/PAM_REINITIALIZE_CRED/</tag>
+	Reinitialize the user credentials, and
+<tag><tt/PAM_REFRESH_CRED/</tag>
+	Extend the lifetime of the user credentials.
+</descrip>
+
+<p>
+A successful return is signalled with <tt/PAM_SUCCESS/. Errors that
+are especially relevant to this function are the following:
+
+<p><descrip>
+<tag><tt/PAM_CRED_UNAVAIL/</tag>
+	A module cannot retrieve the user's credentials.
+<tag><tt/PAM_CRED_EXPIRED/</tag>
+	The user's credentials have expired.
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The user is not known to an authentication module.
+<tag><tt/PAM_CRED_ERR/</tag>
+	A module was unable to set the credentials of the user.
+</descrip>
+
+<sect2>Account management
+
+<p>
+<tscreen>
+<verb>
+extern int pam_acct_mgmt(pam_handle_t *pamh, int flags);
+</verb>
+</tscreen>
+
+<p>
+This function is typically called after the user has been
+authenticated.  It establishes whether the user's account is healthy.
+That is to say, whether the user's account is still active and whether
+the user is permitted to gain access to the system at this time.
+Valid flags, any one of which, may be logically OR'd with
+<tt/PAM_SILENT/, and are the same as those applicable to the
+<tt/flags/ argument of <tt/pam_authenticate/.
+
+<p>
+This function simply calls the corresponding functions of each of the
+loaded modules, as instructed by the configuration file,
+<tt>/etc/pam.conf</tt>.
+
+<p>
+The normal response from this function is <tt/PAM_SUCCESS/, however,
+specific failures are indicated by the following error returns:
+
+<descrip>
+<tag><tt/PAM_AUTHTOKEN_REQD/</tag>
+The user <bf/is/ valid but their authentication token has
+<em/expired/.  The correct response to this return-value is to require
+that the user satisfies the <tt/pam_chauthtok()/ function before
+obtaining service.  It may not be possible for some applications to do
+this.  In such cases, the user should be denied access until such time
+as they can update their password.
+
+<tag><tt/PAM_ACCT_EXPIRED/</tag>
+	The user is no longer permitted to access the system.
+<tag><tt/PAM_AUTH_ERR/</tag>
+	There was an authentication error.
+
+<tag><tt/PAM_PERM_DENIED/</tag>
+	The user is not permitted to gain access at this time.
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The user is not known to a module's account management
+component.
+
+</descrip>
+
+<sect2>Updating authentication tokens
+<label id="pam-chauthtok-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_chauthtok(pam_handle_t *pamh, const int flags);
+</verb>
+</tscreen>
+
+<p>
+This function is used to change the authentication token for a given
+user (as indicated by the state associated with the handle,
+<tt/pamh/). The following is a valid but optional flag which may be
+logically OR'd with <tt/PAM_SILENT/,
+
+<descrip>
+<tag><tt/PAM_CHANGE_EXPIRED_AUTHTOK/</tag>
+	This argument indicates to the modules that the users
+authentication token (password) should only be changed if it has
+expired.
+</descrip>
+
+<p>
+Note, if this argument is not passed, the application requires that
+<em/all/ authentication tokens are to be changed.
+
+<p>
+<tt/PAM_SUCCESS/ is the only successful return value, valid
+error-returns are:
+
+<descrip>
+<tag><tt/PAM_AUTHTOK_ERR/</tag>
+	A module was unable to obtain the new authentication token.
+	
+<tag><tt/PAM_AUTHTOK_RECOVERY_ERR/</tag>
+	A module was unable to obtain the old authentication token.
+
+<tag><tt/PAM_AUTHTOK_LOCK_BUSY/</tag>
+	One or more of the modules was unable to change the
+authentication token since it is currently locked.
+	
+<tag><tt/PAM_AUTHTOK_DISABLE_AGING/</tag>
+	Authentication token aging has been disabled for at least one
+of the modules.
+
+<tag><tt/PAM_PERM_DENIED/</tag>
+	Permission denied.
+
+<tag><tt/PAM_TRY_AGAIN/</tag>
+	Not all of the modules were in a position to update the
+authentication token(s). In such a case none of the user's
+authentication tokens are updated.
+
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The user is not known to the authentication token changing
+service.
+
+</descrip>
+
+<sect2>Session initialization
+<label id="pam-open-session-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_open_session(pam_handle_t *pamh, int flags);
+</verb>
+</tscreen>
+
+<p>
+This function is used to indicate that an authenticated session has
+begun.  It is used to inform the modules that the user is currently in
+a session.  It should be possible for the <bf>Linux-PAM</bf> library
+to open a session and close the same session (see section <ref
+id="pam-close-session-section" name="below">) from different
+applications.
+
+<p>
+Currently, this function simply calls each of the corresponding
+functions of the loaded modules. The only valid flag is
+<tt/PAM_SILENT/ and this is, of course, <em/optional/.
+
+<p>
+If any of the <em/required/ loaded modules are unable to open a
+session for the user, this function will return <tt/PAM_SESSION_ERR/.
+
+<sect2>Terminating sessions
+<label id="pam-close-session-section">
+
+<p>
+<tscreen>
+<verb>
+extern int pam_close_session(pam_handle_t *pamh, int flags);
+</verb>
+</tscreen>
+
+<p>
+This function is used to indicate that an authenticated session has
+ended. It is used to inform the modules that the user is exiting a
+session. It should be possible for the <bf>Linux-PAM</bf> library to
+open a session and close the same session from different applications.
+
+<p>
+This function simply calls each of the corresponding functions of the
+loaded modules in the same order that they were invoked with
+<tt/pam_open_session()/.  The only valid flag is <tt/PAM_SILENT/ and
+this is, of course, <em/optional/.
+
+<p>
+If any of the <em/required/ loaded modules are unable to close a
+session for the user, this function will return <tt/PAM_SESSION_ERR/.
+
+<sect2>Setting PAM environment variables
+<label id="pam-putenv-section">
+
+<p>
+The <tt/libpam/ library associates with each PAM-handle (<tt/pamh/), a
+set of <it/PAM environment variables/. These variables are intended to
+hold the session environment variables that the user will inherit when
+the session is granted and the authenticated user obtains access to
+the requested service. For example, when <tt/login/ has finally given
+the user a shell, the environment (as viewed with the command
+<tt/env/) will be what <tt/libpam/ was maintaining as the PAM
+environment for that service application. Note, these variables are not
+the environment variables of the <tt/login/ application. This is
+principally for two reasons: <tt/login/ may want to have an
+environment that cannot be seen or manipulated by a user; and
+<tt/login/ (or whatever the serving application is) may be maintaining
+a number of parallel sessions, via different <tt/pamh/ values, at the
+same time and a single environment may not be appropriately shared
+between each of these. The PAM environment may contain variables
+seeded by the applicant user's client program, for example, and as
+such it is not appropriate for one applicant to interfere with the
+environment of another applicant.
+
+<p>
+<tscreen>
+<verb>
+extern int pam_putenv(pam_handle_t *pamh, const char *name_value);
+</verb>
+</tscreen>
+
+<p>
+This function attempts to (re)set a <bf/Linux-PAM/ environment
+variable. The <tt/name_value/ argument is a single <tt/NUL/ terminated
+string of one of the following forms:
+<descrip>
+<tag>``<tt/NAME=value of variable/''</tag>
+
+In this case the environment variable of the given <tt/NAME/ is set to
+the indicated value: ``<tt/value of variable/''.  If this variable is
+already known, it is overwritten. Otherwise it is added to the
+<bf/Linux-PAM/ environment.
+
+<tag>``<tt/NAME=/''</tag>
+
+This function sets the variable to an empty value. It is listed
+separately to indicate that this is the correct way to achieve such a
+setting.
+
+<tag>``<tt/NAME/''</tag>
+
+Without an `<tt/=/' the <tt/pam_putenv()/ function will delete the
+corresponding variable from the <bf/Linux-PAM/ environment.
+
+</descrip>
+
+<p>
+Success is indicated with a return value of <tt/PAM_SUCCESS/. Failure
+is indicated by one of the following returns:
+
+<descrip>
+<tag><tt/PAM_PERM_DENIED/</tag>
+	name given is a <tt/NULL/ pointer
+
+<tag><tt/PAM_BAD_ITEM/</tag>
+	variable requested (for deletion) is not currently set
+
+<tag><tt/PAM_ABORT/</tag>
+	the <bf/Linux-PAM/ handle, <tt/pamh/, is corrupt
+
+<tag><tt/PAM_BUF_ERR/</tag>
+	failed to allocate memory when attempting update
+
+</descrip>
+
+<sect2>Getting a PAM environment variable
+<label id="pam-getenv-section">
+
+<p>
+<tscreen>
+<verb>
+extern const char *pam_getenv(pam_handle_t *pamh, const char *name);
+</verb>
+</tscreen>
+
+<p>
+Obtain the value of the indicated <bf/Linux-PAM/ environment
+variable. On error, internal failure or the unavailability of the
+given variable (unspecified), this function simply returns <tt/NULL/.
+
+<sect2>Getting the PAM environment
+<label id="pam-getenvlist-section">
+
+<p>
+<tscreen>
+<verb>
+extern const char * const *pam_getenvlist(pam_handle_t *pamh);
+</verb>
+</tscreen>
+
+<p>
+The PAM environment variables (see section <ref
+id="pam-putenv-section" name="above">) are a complete set of enviroment
+variables that are associated with a PAM-handle (<tt/pamh/). They
+represent the contents of the <it/regular/ environment variables of
+the authenticated user when service is granted.
+
+<p>
+Th function, <tt>pam_getenvlist()</tt> returns a pointer to a complete,
+<tt/malloc()/'d, copy of the PAM environment.  It is a pointer to a
+duplicated list of environment variables.  It should be noted that
+this memory will never be <tt/free()'d/ by <tt/libpam/.  Once obtained
+by a call to <tt/pam_getenvlist()/, <bf>it is the responsibility of
+the calling application</bf> to <tt/free()/ this memory.
+
+<p>
+The format of the memory is a <tt/malloc()/'d array of <tt/char */
+pointers, the last element of which is set to <tt/NULL/. Each of the
+non-<tt/NULL/ entries in this array point to a <tt/NUL/ terminated and
+<tt/malloc()/'d <tt/char/ string of the form:
+<tt/"/<it/name/<tt/=/<it/value/<tt/"/.
+
+<p>
+It is by design, and not a coincidence, that the format and contents
+of the returned array matches that required for the third argument of
+the <tt/execle(3)/ function call.
+
+<sect1>What is expected of an application
+
+<sect2>The conversation function
+<label id="the-conversation-function">
+
+<p>
+An application must provide a ``conversation function''. It is used
+for direct communication between a loaded module and the application
+and will typically provide a means for the module to prompt the user
+for a password etc. . The structure, <tt/pam_conv/, is defined by
+including <tt>&lt;security/pam_appl.h&gt</tt>; to be,
+
+<p>
+<tscreen>
+<verb>
+struct pam_conv {
+    int (*conv)(int num_msg,
+        const struct pam_message **msg,
+        struct pam_response **resp,
+        void *appdata_ptr);
+    void *appdata_ptr;
+};
+</verb>
+</tscreen>
+
+<p>
+It is initialized by the application before it is passed to the
+library.  The <em/contents/ of this structure are attached to the
+<tt/*pamh/ handle.  The point of this argument is to provide a
+mechanism for any loaded module to interact directly with the
+application program. This is why it is called a <em/conversation/
+structure.
+
+<p>
+When a module calls the referenced <tt/conv()/ function, the argument
+<tt/*appdata_ptr/ is set to the second element of this structure.
+
+<p>
+The other arguments of a call to <tt/conv()/ concern the information
+exchanged by module and application. That is to say, <tt/num_msg/
+holds the length of the array of pointers, <tt/msg/. After a
+successful return, the pointer <tt/*resp/ points to an array of
+<tt/pam_response/ structures, holding the application supplied text.
+Note, <tt/*resp/ is an <tt/struct pam_response/ array and <em/not/ an
+array of pointers.
+
+<p>
+The message (from the module to the application) passing structure is
+defined by <tt>&lt;security/pam_appl.h&gt;</tt> as:
+
+<p>
+<tscreen>
+<verb>
+struct pam_message {
+    int msg_style;
+    const char *msg;
+};
+</verb>
+</tscreen>
+
+<p>
+Valid choices for <tt/msg_style/ are:
+
+<p><descrip>
+<tag><tt/PAM_PROMPT_ECHO_OFF/</tag>
+	Obtain a string without echoing any text
+<tag><tt/PAM_PROMPT_ECHO_ON/</tag>
+	Obtain a string whilst echoing text
+<tag><tt/PAM_ERROR_MSG/</tag>
+	Display an error
+<tag><tt/PAM_TEXT_INFO/</tag>
+	Display some text.
+</descrip>
+
+<p>
+The point of having an array of messages is that it becomes possible
+to pass a number of things to the application in a single call from
+the module. It can also be convenient for the application that related
+things come at once: a windows based application can then present a
+single form with many messages/prompts on at once.
+
+<p>
+In passing, it is worth noting that there is a descrepency between the
+way Linux-PAM handles the <tt/const struct pam_message **msg/
+conversation function argument from the way that Solaris' PAM (and
+derivitives, known to include HP/UX, <em/are there others?/)
+does. Linux-PAM interprets the <tt/msg/ argument as entirely
+equivalent to the following prototype <tt/const struct pam_message
+*msg[]/ (which, in spirit, is consistent with the commonly used
+prototypes for <tt/argv/ argument to the familiar <tt/main()/
+function: <tt/char **argv/; and <tt/char *argv[]/). Said another way
+Linux-PAM interprets the <tt/msg/ argument as a pointer to an array of
+<tt/num_meg/ read only 'struct pam_message' <em/pointers/.  Solaris'
+PAM implementation interprets this argument as a pointer to a pointer
+to an array of <tt/num_meg/ <tt/pam_message/ structures.  Fortunately,
+perhaps, for most module/application developers when <tt/num_msg/ has
+a value of one these two definitions are entirely
+equivalent. Unfortunately, casually raising this number to two has led
+to unanticipated compatibility problems.
+
+<p>
+For what its worth the two known module writer work-arounds for trying
+to maintain source level compatibility with both PAM implementations
+are:
+<itemize>
+<item> never call the conversation function with <tt/num_msg/ greater
+than one.
+<item> set up <tt/msg/ as doubly referenced so both types of
+conversation function can find the messages. That is, make
+<p><tscreen>
+<verb>
+msg[n] = & (( *msg )[n])
+</verb>
+</tscreen>
+</itemize>
+<p>
+The response (from the application to the module) passing structure is
+defined by including <tt>&lt;security/pam_appl.h&gt;</tt> as:
+
+<p><tscreen><verb>
+struct pam_response {
+    char *resp;
+    int resp_retcode;
+};
+</verb></tscreen>
+
+<p>
+Currently, there are no definitions for <tt/resp_retcode/ values; the
+normal value is <tt/0/.
+
+<p>
+Prior to the 0.59 release of Linux-PAM, the length of the returned
+<tt/pam_response/ array was equal to the number of <em/prompts/ (types
+<tt/PAM_PROMPT_ECHO_OFF/ and <tt/PAM_PROMPT_ECHO_ON/) in the
+<tt/pam_message/ array with which the conversation function was
+called.  This meant that it was not always necessary for the module to
+<tt/free(3)/ the responses if the conversation function was only used
+to display some text.
+
+<p>
+Post Linux-PAM-0.59.  The number of responses is always equal to the
+<tt/num_msg/ conversation function argument.  This is slightly easier
+to program but does require that the response array is <tt/free(3)/'d
+after every call to the conversation function.  The index of the
+responses corresponds directly to the prompt index in the
+<tt/pam_message/ array.
+
+<p>
+The maximum length of the <tt/pam_msg.msg/ and <tt/pam_response.resp/
+character strings is <tt/PAM_MAX_MSG_SIZE/.  (This is not enforced by
+Linux-PAM.)
+
+<p>
+<tt/PAM_SUCCESS/ is the expected return value of this
+function.  However, should an error occur the application should not
+set <tt/*resp/ but simply return <tt/PAM_CONV_ERR/.
+
+<p>
+Note, if an application wishes to use two conversation functions, it
+should activate the second with a call to <tt/pam_set_item()/.
+
+<p>
+<bf>Notes:</bf> New item types are being added to the conversation
+protocol.  Currently Linux-PAM supports: <tt>PAM_BINARY_PROMPT</tt>
+and <tt>PAM_BINARY_MSG</tt>.  These two are intended for server-client
+hidden information exchange and may be used as an interface for
+maching-machine authentication.
+
+<sect1>Programming notes
+
+<p>
+Note, all of the authentication service function calls accept the
+token <tt/PAM_SILENT/, which instructs the modules to not send
+messages to the application. This token can be logically OR'd with any
+one of the permitted tokens specific to the individual function calls.
+<tt/PAM_SILENT/ does not override the prompting of the user for
+passwords etc., it only stops informative messages from being
+generated.
+
+<sect>Security issues of <bf>Linux-PAM</bf>
+
+<p>
+PAM, from the perspective of an application, is a convenient API for
+authenticating users. PAM modules generally have no increased
+privilege over that possessed by the application that is making use of
+it. For this reason, the application must take ultimate responsibility
+for protecting the environment in which PAM operates.
+
+<p>
+A poorly (or maliciously) written application can defeat any
+<bf/Linux-PAM/ module's authentication mechanisms by simply ignoring
+it's return values.  It is the applications task and responsibility to
+grant privileges and access to services.  The <bf/Linux-PAM/ library
+simply assumes the responsibility of <em/authenticating/ the user;
+ascertaining that the user <em/is/ who they say they are.  Care should
+be taken to anticipate all of the documented behavior of the
+<bf/Linux-PAM/ library functions.  A failure to do this will most
+certainly lead to a future security breach.
+
+<sect1>Care about standard library calls
+
+<p>
+In general, writers of authorization-granting applications should
+assume that each module is likely to call any or <em/all/ `libc'
+functions.  For `libc' functions that return pointers to
+static/dynamically allocated structures (ie. the library allocates the
+memory and the user is not expected to `<tt/free()/' it) any module
+call to this function is likely to corrupt a pointer previously
+obtained by the application.  The application programmer should either
+re-call such a `libc' function after a call to the <bf/Linux-PAM/
+library, or copy the structure contents to some safe area of memory
+before passing control to the <bf/Linux-PAM/ library.
+
+<p>
+Two important function classes that fall into this category are
+<tt>getpwnam(3)</tt> and <tt>syslog(3)</tt>.
+
+<sect1>Choice of a service name
+
+<p>
+When picking the <em/service-name/ that corresponds to the first entry
+in the <bf/Linux-PAM/ configuration file, the application programmer
+should <bf/avoid/ the temptation of choosing something related to
+<tt/argv[0]/.  It is a trivial matter for any user to invoke any
+application on a system under a different name and this should not be
+permitted to cause a security breach.
+
+<p>
+In general, this is always the right advice if the program is setuid,
+or otherwise more privileged than the user that invokes it. In some
+cases, avoiding this advice is convenient, but as an author of such an
+application, you should consider well the ways in which your program
+will be installed and used. (Its often the case that programs are not
+intended to be setuid, but end up being installed that way for
+convenience. If your program falls into this category, don't fall into
+the trap of making this mistake.)
+
+<p>
+To invoke some <tt/target/ application by another name, the user may
+symbolically link the target application with the desired name.  To be
+precise all the user need do is,
+<tscreen>
+<verb>
+ln -s /target/application ./preferred_name
+</verb>
+</tscreen>
+and then <em/run/ <tt>./preferred_name</tt>
+
+<p>
+By studying the <bf/Linux-PAM/ configuration file(s), an attacker can
+choose the <tt/preferred_name/ to be that of a service enjoying
+minimal protection; for example a game which uses <bf/Linux-PAM/ to
+restrict access to certain hours of the day.  If the service-name were
+to be linked to the filename under which the service was invoked, it
+is clear that the user is effectively in the position of dictating
+which authentication scheme the service uses.  Needless to say, this
+is not a secure situation.
+
+<p>
+The conclusion is that the application developer should carefully
+define the service-name of an application. The safest thing is to make
+it a single hard-wired name.
+
+<sect1>The conversation function
+
+<p>
+Care should be taken to ensure that the <tt/conv()/ function is
+robust. Such a function is provided in the library <tt/libpam_misc/
+(see <ref id="libpam-misc-section" name="below">).
+
+<sect1>The identity of the user
+
+<p>
+The <bf/Linux-PAM/ modules will need to determine the identity of the
+user who requests a service, and the identity of the user who grants
+the service.  These two users will seldom be the same.  Indeed there
+is generally a third user identity to be considered, the new (assumed)
+identity of the user once the service is granted.
+
+<p>
+The need for keeping tabs on these identities is clearly an issue of
+security.  One convention that is actively used by some modules is
+that the identity of the user requesting a service should be the
+current <tt/uid/ (userid) of the running process; the identity of the
+privilege granting user is the <tt/euid/ (effective userid) of the
+running process; the identity of the user, under whose name the
+service will be executed, is given by the contents of the
+<tt/PAM_USER/ <tt/pam_get_item(3)/. Note, modules can change the
+values of <tt/PAM_USER/ and <tt/PAM_RUSER/ during any of the
+<tt/pam_*()/ library calls. For this reason, the application should
+take care to use the <tt/pam_get_item()/ every time it wishes to
+establish who the authenticated user is (or will currently be).
+
+<p>
+For network-serving databases and other applications that provide
+their own security model (independent of the OS kernel) the above
+scheme is insufficient to identify the requesting user.
+
+<p>
+A more portable solution to storing the identity of the requesting
+user is to use the <tt/PAM_RUSER/ <tt/pam_get_item(3)/. The
+application should supply this value before attempting to authenticate
+the user with <tt/pam_authenticate()/. How well this name can be
+trusted will ultimately be at the discretion of the local
+administrator (who configures PAM for your application) and a selected
+module may attempt to override the value where it can obtain more
+reliable data. If an application is unable to determine the identity
+of the requesting entity/user, it should not call <tt/pam_set_item(3)/
+to set <tt/PAM_RUSER/.
+
+<p>
+In addition to the <tt/PAM_RUSER/ item, the application should supply
+the <tt/PAM_RHOST/ (<em/requesting host/) item. As a general rule, the
+following convention for its value can be assumed: <tt/&lt;unset&gt;/
+= unknown; <tt/localhost/ = invoked directly from the local system;
+<em/other.place.xyz/ = some component of the user's connection
+originates from this remote/requesting host. At present, PAM has no
+established convention for indicating whether the application supports
+a trusted path to communication from this host.
+
+<sect1>Sufficient resources
+
+<p>
+Care should be taken to ensure that the proper execution of an
+application is not compromised by a lack of system resources.  If an
+application is unable to open sufficient files to perform its service,
+it should fail gracefully, or request additional resources.
+Specifically, the quantities manipulated by the <tt/setrlimit(2)/
+family of commands should be taken into consideration.
+
+<p>
+This is also true of conversation prompts. The application should not
+accept prompts of arbitrary length with out checking for resource
+allocation failure and dealing with such extreme conditions gracefully
+and in a mannor that preserves the PAM API. Such tolerance may be
+especially important when attempting to track a malicious adversary.
+
+<sect>A library of miscellaneous helper functions
+<label id="libpam-misc-section">
+
+<p>
+To aid the work of the application developer a library of
+miscellaneous functions is provided.  It is called <tt/libpam_misc/,
+and contains functions for allocating memory (securely), a text based
+conversation function, and routines for enhancing the standard
+PAM-environment variable support.
+
+<sect1>Requirements
+
+<p>
+The functions, structures and macros, made available by this library
+can be defined by including <tt>&lt;security/pam_misc.h&gt;</tt>.  It
+should be noted that this library is specific to <bf/Linux-PAM/ and is
+not referred to in the defining DCE-RFC (see <ref id="bibliography"
+name="the bibliography">) below.
+
+<sect1>Macros supplied
+
+<sect2>Safe duplication of strings
+
+<p>
+<tscreen>
+<verb>
+x_strdup(const char *s)
+</verb>
+</tscreen>
+
+<p>
+This macro is a replacement for the <tt/xstrdup()/ function that was
+present in earlier versions of the library and which clashed horribly
+with a number of applications. It returns a duplicate copy of the
+<tt/NUL/ terminated string, <tt/s/. <tt/NULL/ is returned if there is
+insufficient memory available for the duplicate or if <tt/s/ is
+<tt/NULL/ to begin with.
+
+<sect1>Functions supplied
+
+<sect2>A text based conversation function
+
+<p>
+<tscreen>
+<verb>
+extern int misc_conv(int num_msg, const struct pam_message **msgm,
+		     struct pam_response **response, void *appdata_ptr);
+</verb>
+</tscreen>
+
+<p>
+This is a function that will prompt the user with the appropriate
+comments and obtain the appropriate inputs as directed by
+authentication modules.
+
+<p>
+In addition to simply slotting into the appropriate <tt/struct
+pam_conv/, this function provides some time-out facilities.  The
+function exports five variables that can be used by an application
+programmer to limit the amount of time this conversation function will
+spend waiting for the user to type something.
+
+<p>
+The five variables are as follows:
+<descrip>
+<tag><tt>extern time_t pam_misc_conv_warn_time;</tt></tag>
+
+This variable contains the <em/time/ (as returned by <tt/time()/) that
+the user should be first warned that the clock is ticking. By default
+it has the value <tt/0/, which indicates that no such warning will be
+given. The application may set its value to sometime in the future,
+but this should be done prior to passing control to the <bf/Linux-PAM/
+library.
+
+<tag><tt>extern const char *pam_misc_conv_warn_line;</tt></tag>
+
+Used in conjuction with <tt/pam_misc_conv_warn_time/, this variable is
+a pointer to the string that will be displayed when it becomes time to
+warn the user that the timeout is approaching. Its default value is
+``..&bsol;a.Time is running out...&bsol;n'', but this can be changed
+by the application prior to passing control to <bf/Linux-PAM/.
+
+<tag><tt>extern time_t pam_misc_conv_die_time;</tt></tag>
+
+This variable contains the <em/time/ (as returned by <tt/time()/) that
+the conversation will time out. By default it has the value <tt/0/,
+which indicates that the conversation function will not timeout. The
+application may set its value to sometime in the future, this should
+be done prior to passing control to the <bf/Linux-PAM/ library.
+
+<tag><tt>extern const char *pam_misc_conv_die_line;</tt></tag>
+
+Used in conjuction with <tt/pam_misc_conv_die_time/, this variable is
+a pointer to the string that will be displayed when the conversation
+times out. Its default value is ``..&bsol;a.Sorry, your time is
+up!&bsol;n'', but this can be changed by the application prior to
+passing control to <bf/Linux-PAM/.
+
+<tag><tt>extern int pam_misc_conv_died;</tt></tag>
+
+Following a return from the <bf/Linux-PAM/ libraray, the value of this
+variable indicates whether the conversation has timed out. A value of
+<tt/1/ indicates the time-out occurred.
+
+</descrip>
+
+<p>
+The following two function pointers are available for supporting binary
+prompts in the conversation function. They are optimized for the
+current incarnation of the <tt/libpamc/ library and are subject to
+change.
+<descrip>
+<tag><tt>extern int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t
+*prompt_p);</tt></tag>
+
+This function pointer is initialized to <tt/NULL/ but can be filled
+with a function that provides machine-machine (hidden) message
+exchange.  It is intended for use with hidden authentication protocols
+such as RSA or Diffie-Hellman key exchanges.  (This is still under
+development.)
+
+<tag><tt>extern int (*pam_binary_handler_free)(void *appdata,
+pamc_bp_t *delete_me);</tt></tag>
+
+This function pointer is initialized to <tt/PAM_BP_RENEW(delete_me, 0,
+0)/, but can be redefined as desired by the application.
+
+</descrip>
+
+<sect2>Transcribing an environment to that of Linux-PAM
+<p>
+<tscreen>
+<verb>
+extern int pam_misc_paste_env(pam_handle_t *pamh,
+			      const char * const * user_env);
+</verb>
+</tscreen>
+
+This function takes the supplied list of environment pointers and
+<em/uploads/ its contents to the <bf/Linux-PAM/ environment. Success
+is indicated by <tt/PAM_SUCCESS/.
+
+<sect2>Liberating a locally saved environment
+<p>
+<tscreen>
+<verb>
+extern char **pam_misc_drop_env(char **env);
+</verb>
+</tscreen>
+
+This function is defined to complement the <tt/pam_getenvlist()/
+function.  It liberates the memory associated with <tt/env/,
+<em/overwriting/ with <tt/0/ all memory before <tt/free()/ing it.
+
+<sect2>BSD like Linux-PAM environment variable setting
+<p>
+<tscreen>
+<verb>
+extern int pam_misc_setenv(pam_handle_t *pamh, const char *name,
+			   const char *value, int readonly);
+</verb>
+</tscreen>
+
+This function performs a task equivalent to <tt/pam_putenv()/, its
+syntax is, however, more like the BSD style function; <tt/setenv()/.
+The <tt/name/ and <tt/value/ are concatenated with an ``<tt/=/'' to
+form a <tt/name_value/ and passed to <tt/pam_putenv()/. If, however,
+the <bf/Linux-PAM/ variable is already set, the replacement will only
+be applied if the last argument, <tt/readonly/, is zero.
+
+<sect>Porting legacy applications
+
+<p>
+The following is extracted from an email.  I'll tidy it up later.
+
+<p>
+The point of PAM is that the application is not supposed to have any
+idea how the attached authentication modules will choose to
+authenticate the user.  So all they can do is provide a conversation
+function that will talk directly to the user(client) on the modules'
+behalf.
+
+<p>
+Consider the case that you plug a retinal scanner into the login
+program.  In this situation the user would be prompted: "please look
+into the scanner".  No username or password would be needed - all this
+information could be deduced from the scan and a database lookup.  The
+point is that the retinal scanner is an ideal task for a "module".
+
+<p>
+While it is true that a pop-daemon program is designed with the POP
+protocol in mind and no-one ever considered attaching a retinal
+scanner to it, it is also the case that the "clean" PAM'ification of
+such a daemon would allow for the possibility of a scanner module
+being be attached to it.  The point being that the "standard"
+pop-authentication protocol(s) [which will be needed to satisfy
+inflexible/legacy clients] would be supported by inserting an
+appropriate pam_qpopper module(s).  However, having rewritten popd
+once in this way any new protocols can be implemented in-situ.
+
+<p>
+One simple test of a ported application would be to insert the
+<tt/pam_permit/ module and see if the application demands you type a
+password...  In such a case, <tt/xlock/ would fail to lock the
+terminal - or would at best be a screen-saver, ftp would give password
+free access to all etc..  Neither of these is a very secure thing to
+do, but they do illustrate how much flexibility PAM puts in the hands
+of the local admin.
+
+<p>
+The key issue, in doing things correctly, is identifying what is part
+of the authentication procedure (how many passwords etc..) the
+exchange protocol (prefixes to prompts etc., numbers like 331 in the
+case of ftpd) and what is part of the service that the application
+delivers.  PAM really needs to have total control in the
+authentication "procedure", the conversation function should only
+deal with reformatting user prompts and extracting responses from raw
+input.
+
+<sect>Glossary of PAM related terms
+
+<p>
+The following are a list of terms used within this document.
+
+<p>
+<descrip>
+
+<tag>Authentication token</tag>
+Generally, this is a password.  However, a user can authenticate
+him/herself in a variety of ways.  Updating the user's authentication
+token thus corresponds to <em>refreshing</em> the object they use to
+authenticate themself with the system.  The word password is avoided
+to keep open the possibility that the authentication involves a
+retinal scan or other non-textual mode of challenge/response.
+
+<tag>Credentials</tag>
+Having successfully authenticated the user, PAM is able to establish
+certain characteristics/attributes of the user.  These are termed
+<em>credentials</em>.  Examples of which are group memberships to
+perform privileged tasks with, and <em>tickets</em> in the form of
+environment variables etc. .  Some user-credentials, such as the
+user's UID and GID (plus default group memberships) are not deemed to
+be PAM-credentials.  It is the responsibility of the application to
+grant these directly.
+
+</descrip>
+
+<sect>An example application
+
+<p>
+To get a flavor of the way a <tt/Linux-PAM/ application is written we
+include the following example. It prompts the user for their password
+and indicates whether their account is valid on the standard output,
+its return code also indicates the success (<tt/0/ for success; <tt/1/
+for failure).
+
+<p>
+<tscreen>
+<verb>
+/*
+  This program was contributed by Shane Watts
+  [modifications by AGM]
+
+  You need to add the following (or equivalent) to the /etc/pam.conf file.
+  # check authorization
+  check_user   auth       required     /usr/lib/security/pam_unix_auth.so
+  check_user   account    required     /usr/lib/security/pam_unix_acct.so
+ */
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+    misc_conv,
+    NULL
+};
+
+int main(int argc, char *argv[])
+{
+    pam_handle_t *pamh=NULL;
+    int retval;
+    const char *user="nobody";
+
+    if(argc == 2) {
+	user = argv[1];
+    }
+
+    if(argc > 2) {
+	fprintf(stderr, "Usage: check_user [username]\n");
+	exit(1);
+    }
+
+    retval = pam_start("check_user", user, &ero;conv, &ero;pamh);
+	
+    if (retval == PAM_SUCCESS)
+        retval = pam_authenticate(pamh, 0);    /* is user really user? */
+
+    if (retval == PAM_SUCCESS)
+        retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */
+
+    /* This is where we have been authorized or not. */
+
+    if (retval == PAM_SUCCESS) {
+	fprintf(stdout, "Authenticated\n");
+    } else {
+	fprintf(stdout, "Not Authenticated\n");
+    }
+
+    if (pam_end(pamh,retval) != PAM_SUCCESS) {     /* close Linux-PAM */
+	pamh = NULL;
+	fprintf(stderr, "check_user: failed to release authenticator\n");
+	exit(1);
+    }
+
+    return ( retval == PAM_SUCCESS ? 0:1 );       /* indicate success */
+}
+</verb>
+</tscreen>
+
+<sect>Files
+
+<p><descrip>
+
+<tag><tt>/usr/include/security/pam_appl.h</tt></tag>
+
+header file for <bf/Linux-PAM/ applications interface
+
+<tag><tt>/usr/include/security/pam_misc.h</tt></tag>
+
+header file for useful library functions for making applications
+easier to write
+
+<tag><tt>/usr/lib/libpam.so.*</tt></tag>
+
+the shared library providing applications with access to
+<bf/Linux-PAM/.
+
+<tag><tt>/etc/pam.conf</tt></tag>
+
+the <bf/Linux-PAM/ configuration file.
+
+<tag><tt>/usr/lib/security/pam_*.so</tt></tag>
+
+the primary location for <bf/Linux-PAM/ dynamically loadable object
+files; the modules.
+
+</descrip>
+
+<sect>See also
+<label id="bibliography">
+
+<p><itemize>
+
+<item>The <bf/Linux-PAM/
+<htmlurl url="pam.html" name="System Administrators' Guide">.
+
+<item>The <bf/Linux-PAM/
+<htmlurl url="pam_modules.html" name="Module Writers' Guide">.
+
+<item>The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH
+PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation Request
+For Comments 86.0, October 1995.
+
+</itemize>
+
+<sect>Notes
+
+<p>
+I intend to put development comments here... like ``at the moment
+this isn't actually supported''. At release time what ever is in
+this section will be placed in the Bugs section below! :)
+
+<p>
+<itemize>
+
+<item> <tt/pam_strerror()/ should be internationalized....
+
+<item>
+Note, the <tt/resp_retcode/ of struct <tt/pam_message/, has no
+purpose at the moment. Ideas/suggestions welcome!
+
+<item> more security issues are required....
+
+</itemize>
+
+<sect>Author/acknowledgments
+
+<p>
+This document was written by Andrew G. Morgan
+(morgan@kernel.org) with many contributions from
+<!-- insert credits here -->
+<!--
+ an sgml list of people to credit for their contributions to Linux-PAM
+ $Id: pam_appl.sgml,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $
+  -->
+Chris Adams,
+Peter Allgeyer,
+Tim Baverstock,
+Tim Berger,
+Craig S. Bell,
+Derrick J. Brashear,
+Ben Buxton,
+Seth Chaiklin,
+Oliver Crow,
+Chris Dent,
+Marc Ewing,
+Cristian Gafton,
+Emmanuel Galanos,
+Brad M. Garcia,
+Eric Hester,
+Roger Hu,
+Eric Jacksch,
+Michael K. Johnson,
+David Kinchlea,
+Olaf Kirch,
+Marcin Korzonek,
+Stephen Langasek,
+Nicolai Langfeldt,
+Elliot Lee,
+Luke Kenneth Casson Leighton,
+Al Longyear,
+Ingo Luetkebohle,
+Marek Michalkiewicz,
+Robert Milkowski,
+Aleph One,
+Martin Pool,
+Sean Reifschneider,
+Jan Rekorajski,
+Erik Troan,
+Theodore Ts'o,
+Jeff Uphoff,
+Myles Uyema,
+Savochkin Andrey Vladimirovich,
+Ronald Wahl,
+David Wood,
+John Wilmes,
+Joseph S. D. Yao
+and
+Alex O.  Yuriev.
+
+<p>
+Thanks are also due to Sun Microsystems, especially to Vipin Samar and
+Charlie Lai for their advice. At an early stage in the development of
+<bf/Linux-PAM/, Sun graciously made the documentation for their
+implementation of PAM available. This act greatly accelerated the
+development of <bf/Linux-PAM/.
+
+<sect>Bugs/omissions
+
+<p>
+This manual is hopelessly unfinished. Only a partial list of people is
+credited for all the good work they have done.
+
+<sect>Copyright information for this document
+
+<p>
+Copyright (c) Andrew G. Morgan 1996-9,2000-1.  All rights reserved.
+<newline>
+Email: <tt>&lt;morgan@kernel.org&gt;</tt>
+
+<p>
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+<p>
+<itemize>
+
+<item>
+1. Redistributions of source code must retain the above copyright
+   notice, and the entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+<item>
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+<item>
+3. The name of the author may not be used to endorse or promote
+   products derived from this software without specific prior
+   written permission.
+
+</itemize>
+
+<p>
+<bf/Alternatively/, this product may be distributed under the terms of
+the GNU General Public License (GPL), in which case the provisions of
+the GNU GPL are required <bf/instead of/ the above restrictions.
+(This clause is necessary due to a potential bad interaction between
+the GNU GPL and the restrictions contained in a BSD-style copyright.)
+
+<p>
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+
+<p>
+<tt>$Id: pam_appl.sgml,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $</tt>
+
+</article>
diff --git a/Linux-PAM/doc/pam_modules.sgml b/Linux-PAM/doc/pam_modules.sgml
new file mode 100644
index 00000000..c67dd448
--- /dev/null
+++ b/Linux-PAM/doc/pam_modules.sgml
@@ -0,0 +1,1505 @@
+<!doctype linuxdoc system>
+
+<!--
+
+ $Id: pam_modules.sgml,v 1.1.1.2 2002/09/15 20:08:25 hartmans Exp $
+
+    Copyright (c) Andrew G. Morgan 1996-2001.  All rights reserved.
+
+	** some sections, in this document, were contributed by other
+	** authors. They carry individual copyrights.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, and the entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote
+   products derived from this software without specific prior
+   written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions.  (This clause is
+necessary due to a potential bad interaction between the GNU GPL and
+the restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+
+ -->
+
+<article>
+
+<title>The Linux-PAM Module Writers' Guide
+<author>Andrew G. Morgan, <tt>morgan@kernel.org</tt>
+<date>DRAFT v0.76 2002/05/09
+<abstract>
+This manual documents what a programmer needs to know in order to
+write a module that conforms to the <bf/Linux-PAM/ standard. It also
+discusses some security issues from the point of view of the module
+programmer.
+</abstract>
+
+<toc>
+
+<sect>Introduction
+
+<sect1> Synopsis
+<p>
+<tscreen>
+<verb>
+#include <security/pam_modules.h>
+
+gcc -fPIC -c pam_module-name.c
+ld -x --shared -o pam_module-name.so pam_module-name.o
+</verb>
+</tscreen>
+
+<sect1> Description
+
+<p>
+<bf/Linux-PAM/ (Pluggable Authentication Modules for Linux) is a
+library that enables the local system administrator to choose how
+individual applications authenticate users.  For an overview of the
+<bf/Linux-PAM/ library see the <bf/Linux-PAM/ System Administrators'
+Guide.
+
+<p>
+A <bf/Linux-PAM/ module is a single executable binary file that can be
+loaded by the <bf/Linux-PAM/ interface library. This PAM library is
+configured locally with a system file, <tt>/etc/pam.conf</tt>, to
+authenticate a user request via the locally available authentication
+modules. The modules themselves will usually be located in the
+directory <tt>/usr/lib/security</tt> and take the form of dynamically
+loadable object files (see dlopen(3)). Alternatively, the modules can
+be statically linked into the <bf/Linux-PAM/ library; this is mostly to
+allow <bf/Linux-PAM/ to be used on platforms without dynamic linking
+available, but the two forms can be used together.  It is the
+<bf/Linux-PAM/ interface that is called by an application and it is
+the responsibility of the library to locate, load and call the
+appropriate functions in a <bf/Linux-PAM/-module.
+
+<p>
+Except for the immediate purpose of interacting with the user
+(entering a password etc..) the module should never call the
+application directly. This exception requires a "conversation
+mechanism" which is documented below.
+
+<sect>What can be expected by the module
+
+<p>
+Here we list the interface that the conventions that all
+<bf/Linux-PAM/ modules must adhere to.
+
+<sect1>Getting and setting <tt/PAM_ITEM/s and <em/data/
+
+<p>
+First, we cover what the module should expect from the <bf/Linux-PAM/
+library and a <bf/Linux-PAM/ <em/aware/ application. Essesntially this
+is the <tt/libpam.*/ library.
+
+<sect2>
+Setting data
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern int pam_set_data(pam_handle_t *pamh,
+                        const char *module_data_name,
+			void *data,
+			void (*cleanup)(pam_handle_t *pamh,
+			                void *data, int error_status) );
+</verb>
+</tscreen>
+
+<p>
+The modules may be dynamically loadable objects. In general such files
+should not contain <tt/static/ variables. This and the subsequent
+function provide a mechanism for a module to associate some data with
+the handle <tt/pamh/. Typically a module will call the
+<tt/pam_set_data()/ function to register some data under a (hopefully)
+unique <tt/module_data_name/. The data is available for use by other
+modules too but <em/not/ by an application.
+
+<p>
+The function <tt/cleanup()/ is associated with the <tt/data/ and, if
+non-<tt/NULL/, it is called when this data is over-written or
+following a call to <tt/pam_end()/ (see the Linux-PAM Application
+Developers' Guide).
+
+<p>
+The <tt/error_status/ argument is used to indicate to the module the
+sort of action it is to take in cleaning this data item. As an
+example, Kerberos creates a ticket file during the authentication
+phase, this file might be associated with a data item. When
+<tt/pam_end()/ is called by the module, the <tt/error_status/
+carries the return value of the <tt/pam_authenticate()/ or other
+<tt/libpam/ function as appropriate. Based on this value the Kerberos
+module may choose to delete the ticket file (<em/authentication
+failure/) or leave it in place.
+
+<p>
+The <tt/error_status/ may have been logically OR'd with either of the
+following two values:
+
+<p>
+<descrip>
+<tag><tt/PAM_DATA_REPLACE/</tag>
+	When a data item is being replaced (through a second call to
+<tt/pam_set_data()/) this mask is used. Otherwise, the call is assumed
+to be from <tt/pam_end()/.
+
+<tag><tt/PAM_DATA_SILENT/</tag>
+	Which indicates that the process would prefer to perform the
+<tt/cleanup()/ quietly. That is, discourages logging/messages to the
+user.
+
+</descrip>
+
+
+<sect2>
+Getting data
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern int pam_get_data(const pam_handle_t *pamh,
+			const char *module_data_name,
+			const void **data);
+</verb>
+</tscreen>
+
+<p>
+This function together with the previous one provides a method of
+associating module-specific data with the handle <tt/pamh/. A
+successful call to <tt/pam_get_data/ will result in <tt/*data/
+pointing to the data associated with the <tt/module_data_name/. Note,
+this data is <em/not/ a copy and should be treated as <em/constant/
+by the module.
+
+<p>
+Note, if there is an entry but it has the value <tt/NULL/, then this
+call returns <tt/PAM_NO_MODULE_DATA/.
+
+<sect2>
+Setting items
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern int pam_set_item(pam_handle_t *pamh,
+                        int item_type,
+			const void *item);
+</verb>
+</tscreen>
+
+<p>
+This function is used to (re)set the value of one of the
+<tt/item_type/s.  The reader is urged to read the entry for this
+function in the <bf/Linux-PAM/ application developers' manual.
+
+<p>
+In addition to the <tt/item/s listed there, the module can set the
+following two <tt/item_type/s:
+
+<p>
+<descrip>
+<tag><tt/PAM_AUTHTOK/</tag>
+
+The authentication token (often a password). This token should be
+ignored by all module functions besides <tt/pam_sm_authenticate()/ and
+<tt/pam_sm_chauthtok()/. In the former function it is used to pass the
+most recent authentication token from one stacked module to
+another. In the latter function the token is used for another
+purpose. It contains the currently active authentication token.
+
+<tag><tt/PAM_OLDAUTHTOK/</tag>
+
+The old authentication token. This token should be ignored by all
+module functions except <tt/pam_sm_chauthtok()/.
+
+</descrip>
+
+<p>
+Both of these items are reset before returning to the application.
+When resetting these items, the <bf/Linux-PAM/ library first writes
+<tt/0/'s to the current tokens and then <tt/free()/'s the associated
+memory.
+
+<p>
+The return values for this function are listed in the 
+<bf>Linux-PAM</bf> Application Developers' Guide.
+
+<sect2>
+Getting items
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern int pam_get_item(const pam_handle_t *pamh,
+			int item_type,
+			const void **item);
+</verb>
+</tscreen>
+
+<p>
+This function is used to obtain the value of the specified
+<tt/item_type/. It is better documented in the <bf/Linux-PAM/
+Application Developers' Guide. However, there are three things worth
+stressing here:
+<itemize>
+
+<item>
+Generally, if the module wishes to obtain the name of the user, it
+should not use this function, but instead perform a call to
+<tt/pam_get_user()/ (see section <ref id="pam-get-user"
+name="below">).
+
+<item>
+The module is additionally privileged to read the authentication
+tokens, <tt/PAM_AUTHTOK/ and <tt/PAM_OLDAUTHTOK/ (see the section
+above on <tt/pam_set_data()/).
+
+<item>
+The module should <em/not/ <tt/free()/ or alter the data pointed to by
+<tt/*item/ after a successful return from <tt/pam_get_item()/. This
+pointer points directly at the data contained within the <tt/*pamh/
+structure.  Should a module require that a change is made to the this
+<tt/ITEM/ it should make the appropriate call to <tt/pam_set_item()/.
+</itemize>
+
+<sect2>The <em/conversation/ mechanism
+
+<p>
+Following the call <tt>pam_get_item(pamh,PAM_CONV,&amp;item)</tt>, the
+pointer <tt/item/ points to a structure containing an a pointer to a
+<em/conversation/-function that provides limited but direct access to
+the application.  The purpose of this function is to allow the module
+to prompt the user for their password and pass other information in a
+manner consistent with the application. For example, an X-windows
+based program might pop up a dialog box to report a login
+failure. Just as the application should not be concerned with the
+method of authentication, so the module should not dictate the manner
+in which input (output) is obtained from (presented to) to the user.
+
+<p>
+<bf>The reader is strongly urged to read the more complete description of
+the <tt/pam_conv/ structure, written from the perspective of the
+application developer, in the <bf/Linux-PAM/ Application Developers'
+Guide.</bf>
+
+<p>
+The return values for this function are listed in the 
+<bf>Linux-PAM</bf> Application Developers' Guide.
+
+<p>
+The <tt/pam_response/ structure returned after a call to the
+<tt/pam_conv/ function must be <tt/free()/'d by the module. Since the
+call to the conversation function originates from the module, it is
+clear that this <tt/pam_response/ structure could be either statically
+or dynamically (using <tt/malloc()/ etc.) allocated within the
+application. Repeated calls to the conversation function would likely
+overwrite static memory, so it is required that for a successful
+return from the conversation function the memory for the response
+structure is dynamically allocated by the application with one of the
+<tt/malloc()/ family of commands and <em/must/ be <tt/free()/'d by the
+module.
+
+<p>
+If the <tt/pam_conv/ mechanism is used to enter authentication tokens,
+the module should either pass the result to the <tt/pam_set_item()/
+library function, or copy it itself. In such a case, once the token
+has been stored (by one of these methods or another one), the memory
+returned by the application should be overwritten with <tt/0/'s, and
+then <tt/free()/'d.
+
+There is a handy macro <tt/_pam_drop_reply()/ to be found in
+<tt>&lt;security/_pam_macros.h&gt;</tt> that can be used to
+conveniently cleanup a <tt/pam_response/ structure. (Note, this
+include file is specific to the Linux-PAM sources, and whilst it will
+work with Sun derived PAM implementations, it is not generally
+distributed by Sun.)
+
+<sect2>Getting the name of a user<label id="pam-get-user">
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern int pam_get_user(pam_handle_t *pamh, 
+                        const char **user,
+			const char *prompt);
+</verb>
+</tscreen>
+
+<p>
+This is a <bf/Linux-PAM/ library function that returns the
+(prospective) name of the user. To determine the username it does the
+following things, in this order:
+<itemize>
+
+<item> checks what <tt/pam_get_item(pamh, PAM_USER, ... );/ would have
+returned. If this is not <tt/NULL/ this is what it returns. Otherwise,
+
+<item> obtains a username from the application via the <tt/pam_conv/
+mechanism, it prompts the user with the first non-<tt/NULL/ string in
+the following list:
+<itemize>
+
+<item> The <tt/prompt/ argument passed to the function
+<item> What is returned by <tt/pam_get_item(pamh,PAM_USER_PROMPT, ... );/
+<item> The default prompt: ``Please enter username: ''
+
+</itemize>
+</itemize>
+
+<p>
+By whatever means the username is obtained, a pointer to it is
+returned as the contents of <tt/*user/. Note, this memory should
+<em/not/ be <tt/free()/'d by the module. Instead, it will be liberated
+on the next call to <tt/pam_get_user()/, or by <tt/pam_end()/ when the
+application ends its interaction with <bf/Linux-PAM/.
+
+<p>
+Also, in addition, it should be noted that this function sets the
+<tt/PAM_USER/ item that is associated with the <tt/pam_[gs]et_item()/
+function.
+
+<p>
+The return value of this function is one of the following:
+<itemize>
+
+<item> <tt/PAM_SUCCESS/ - username obtained.
+
+<item> <tt/PAM_CONV_AGAIN/ - converstation did not complete and the
+caller is required to return control to the application, until such
+time as the application has completed the conversation process. A
+module calling <tt/pam_get_user()/ that obtains this return code,
+should return <tt/PAM_INCOMPLETE/ and be prepared (when invoked the
+next time) to recall <tt/pam_get_user()/ to fill in the user's name,
+and then pick up where it left off as if nothing had happened. This
+procedure is needed to support an event-driven application programming
+model.
+
+<item> <tt/PAM_CONV_ERR/ - the conversation method supplied by the
+application failed to obtain the username.
+
+</itemize>
+
+<sect2>Setting a Linux-PAM environment variable
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern int pam_putenv(pam_handle_t *pamh, const char *name_value);
+</verb>
+</tscreen>
+
+<p>
+<bf/Linux-PAM/ comes equipped with a series of functions for
+maintaining a set of <em/environment/ variables. The environment is
+initialized by the call to <tt/pam_start()/ and is <bf/erased/ with a
+call to <tt/pam_end()/.  This <em/environment/ is associated with the
+<tt/pam_handle_t/ pointer returned by the former call.
+
+<p>
+The default environment is all but empty. It contains a single
+<tt/NULL/ pointer, which is always required to terminate the
+variable-list.  The <tt/pam_putenv()/ function can be used to add a
+new environment variable, replace an existing one, or delete an old
+one.
+
+<p>
+<itemize>
+<item>Adding/replacing a variable<newline>
+
+To add or overwrite a <bf/Linux-PAM/ environment variable the value of
+the argument <tt/name_value/, should be of the following form:
+<tscreen>
+<verb>
+name_value="VARIABLE=VALUE OF VARIABLE"
+</verb>
+</tscreen>
+Here, <tt/VARIABLE/ is the environment variable's name and what
+follows the `<tt/=/' is its (new) value. (Note, that <tt/"VARIABLE="/
+is a valid value for <tt/name_value/, indicating that the variable is
+set to <tt/""/.)
+
+<item> Deleting a variable<newline>
+
+To delete a <bf/Linux-PAM/ environment variable the value of
+the argument <tt/name_value/, should be of the following form:
+<tscreen>
+<verb>
+name_value="VARIABLE"
+</verb>
+</tscreen>
+Here, <tt/VARIABLE/ is the environment variable's name and the absence
+of an `<tt/=/' indicates that the variable should be removed.
+
+</itemize>
+
+<p>
+In all cases <tt/PAM_SUCCESS/ indicates success.
+
+<sect2>Getting a Linux-PAM environment variable
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern const char *pam_getenv(pam_handle_t *pamh, const char *name);
+</verb>
+</tscreen>
+
+<p>
+This function can be used to return the value of the given
+variable. If the returned value is <tt/NULL/, the variable is not
+known.
+
+<sect2>Listing the Linux-PAM environment
+
+<p>
+Synopsis:
+<tscreen>
+<verb>
+extern char * const *pam_getenvlist(pam_handle_t *pamh);
+</verb>
+</tscreen>
+
+<p>
+This function returns a pointer to the entire <bf/Linux-PAM/
+environment array.  At first sight the <em/type/ of the returned data
+may appear a little confusing.  It is basically a <em/read-only/ array
+of character pointers, that lists the <tt/NULL/ terminated list of
+environment variables set so far.
+
+<p>
+Although, this is not a concern for the module programmer, we mention
+here that an application should be careful to copy this entire array
+before executing <tt/pam_end()/ otherwise all the variable information
+will be lost. (There are functions in <tt/libpam_misc/ for this
+purpose: <tt/pam_misc_copy_env()/ and <tt/pam_misc_drop_env()/.)
+
+<sect1>Other functions provided by <tt/libpam/
+
+<sect2>Understanding errors
+
+<p>
+<itemize>
+
+<item>
+<tt>extern const char *pam_strerror(pam_handle_t *pamh, int errnum);</tt>
+
+<p>
+This function returns some text describing the <bf/Linux-PAM/ error
+associated with the argument <tt/errnum/.  If the error is not
+recognized <tt/``Unknown Linux-PAM error''/ is returned.
+
+</itemize>
+
+<sect2>Planning for delays
+
+<p>
+<itemize>
+
+<item>
+<tt>extern int pam_fail_delay(pam_handle_t *pamh, unsigned int
+micro_sec)</tt>
+
+<p>
+This function is offered by <bf/Linux-PAM/ to facilitate time delays
+following a failed call to <tt/pam_authenticate()/ and before control
+is returned to the application. When using this function the module
+programmer should check if it is available with,
+<tscreen>
+<verb>
+#ifdef PAM_FAIL_DELAY
+    ....
+#endif /* PAM_FAIL_DELAY */
+</verb>
+</tscreen>
+
+<p>
+Generally, an application requests that a user is authenticated by
+<bf/Linux-PAM/ through a call to <tt/pam_authenticate()/ or
+<tt/pam_chauthtok()/.  These functions call each of the <em/stacked/
+authentication modules listed in the <bf/Linux-PAM/ configuration
+file.  As directed by this file, one of more of the modules may fail
+causing the <tt/pam_...()/ call to return an error.  It is desirable
+for there to also be a pause before the application continues. The
+principal reason for such a delay is security: a delay acts to
+discourage <em/brute force/ dictionary attacks primarily, but also
+helps hinder <em/timed/ (cf. covert channel) attacks.
+
+<p>
+The <tt/pam_fail_delay()/ function provides the mechanism by which an
+application or module can suggest a minimum delay (of <tt/micro_sec/
+<em/micro-seconds/). <bf/Linux-PAM/ keeps a record of the longest time
+requested with this function. Should <tt/pam_authenticate()/ fail,
+the failing return to the application is delayed by an amount of time
+randomly distributed (by up to 25%) about this longest value.
+
+<p>
+Independent of success, the delay time is reset to its zero default
+value when <bf/Linux-PAM/ returns control to the application.
+
+</itemize>
+
+<sect>What is expected of a module
+
+<p>
+The module must supply a sub-set of the six functions listed
+below. Together they define the function of a <bf/Linux-PAM
+module/. Module developers are strongly urged to read the comments on
+security that follow this list.
+
+<sect1> Overview
+
+<p>
+The six module functions are grouped into four independent management
+groups. These groups are as follows: <em/authentication/,
+<em/account/, <em/session/ and <em/password/. To be properly defined,
+a module must define all functions within at least one of these
+groups. A single module may contain the necessary functions for
+<em/all/ four groups.
+
+<sect2> Functional independence
+
+<p>
+The independence of the four groups of service a module can offer
+means that the module should allow for the possibility that any one of
+these four services may legitimately be called in any order. Thus, the
+module writer should consider the appropriateness of performing a
+service without the prior success of some other part of the module.
+
+<p>
+As an informative example, consider the possibility that an
+application applies to change a user's authentication token, without
+having first requested that <bf/Linux-PAM/ authenticate the user. In
+some cases this may be deemed appropriate: when <tt/root/ wants to
+change the authentication token of some lesser user. In other cases it
+may not be appropriate: when <tt/joe/ maliciously wants to reset
+<tt/alice/'s password; or when anyone other than the user themself
+wishes to reset their <em/KERBEROS/ authentication token. A policy for
+this action should be defined by any reasonable authentication scheme,
+the module writer should consider this when implementing a given
+module.
+
+<sect2> Minimizing administration problems
+
+<p>
+To avoid system administration problems and the poor construction of a
+<tt>/etc/pam.conf</tt> file, the module developer may define all
+six of the following functions. For those functions that would not be
+called, the module should return <tt/PAM_SERVICE_ERR/ and write an
+appropriate message to the system log. When this action is deemed
+inappropriate, the function would simply return <tt/PAM_IGNORE/.
+
+<sect2> Arguments supplied to the module
+
+<p>
+The <tt/flags/ argument of each of the following functions can be
+logically OR'd with <tt/PAM_SILENT/, which is used to inform the
+module to not pass any <em/text/ (errors or warnings) to the
+application.
+
+<p>
+The <tt/argc/ and <tt/argv/ arguments are taken from the line
+appropriate to this module---that is, with the <em/service_name/
+matching that of the application---in the configuration file (see the
+<bf/Linux-PAM/ System Administrators' Guide). Together these two
+parameters provide the number of arguments and an array of pointers to
+the individual argument tokens. This will be familiar to C programmers
+as the ubiquitous method of passing command arguments to the function
+<tt/main()/. Note, however, that the first argument (<tt/argv[0]/) is
+a true argument and <bf/not/ the name of the module.
+
+<sect1> Authentication management
+
+<p>
+To be correctly initialized, <tt/PAM_SM_AUTH/ must be <tt/#define/'d
+prior to including <tt>&lt;security/pam_modules.h&gt;</tt>. This will
+ensure that the prototypes for static modules are properly declared.
+
+<p>
+<itemize>
+
+<item>
+<tt>PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+int argc, const char **argv);</tt>
+
+<p>
+This function performs the task of authenticating the user. 
+
+<p>
+The <tt/flags/ argument can be a logically OR'd with <tt/PAM_SILENT/
+and optionally take the following value:
+
+<p><descrip>
+<tag><tt/PAM_DISALLOW_NULL_AUTHTOK/</tag>
+	return <tt/PAM_AUTH_ERR/ if the database of authentication
+tokens for this authentication mechanism has a <tt/NULL/ entry for the
+user. Without this flag, such a <tt/NULL/ token will lead to a success
+without the user being prompted.
+</descrip>
+
+<p>
+Besides <tt/PAM_SUCCESS/ return values that can be sent by this
+function are one of the following:
+
+<descrip>
+
+<tag><tt/PAM_AUTH_ERR/</tag>
+	The user was not authenticated
+<tag><tt/PAM_CRED_INSUFFICIENT/</tag>
+	For some reason the application does not have sufficient
+credentials to authenticate the user.
+<tag><tt/PAM_AUTHINFO_UNAVAIL/</tag>
+	The modules were not able to access the authentication
+information. This might be due to a network or hardware failure etc.
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The supplied username is not known to the authentication
+service
+<tag><tt/PAM_MAXTRIES/</tag>
+	One or more of the authentication modules has reached its
+limit of tries authenticating the user. Do not try again.
+
+</descrip>
+
+<item>
+<tt>PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int
+argc, const char **argv);</tt>
+
+<p>
+This function performs the task of altering the credentials of the
+user with respect to the corresponding authorization
+scheme. Generally, an authentication module may have access to more
+information about a user than their authentication token. This
+function is used to make such information available to the
+application. It should only be called <em/after/ the user has been
+authenticated but before a session has been established.
+
+<p>
+Permitted flags, one of which, may be logically OR'd with
+<tt/PAM_SILENT/ are,
+
+<p><descrip>
+<tag><tt/PAM_ESTABLISH_CRED/</tag>
+	Set the credentials for the authentication service,
+<tag><tt/PAM_DELETE_CRED/</tag>
+	Delete the credentials associated with the authentication service,
+<tag><tt/PAM_REINITIALIZE_CRED/</tag>
+	Reinitialize the user credentials, and
+<tag><tt/PAM_REFRESH_CRED/</tag>
+	Extend the lifetime of the user credentials.
+</descrip>
+
+<p>
+Prior to <bf/Linux-PAM-0.75/, and due to a deficiency with the way the
+<tt/auth/ stack was handled in the case of the setcred stack being
+processed, the module was required to attempt to return the same error
+code as <tt/pam_sm_authenticate/ did.  This was necessary to preserve
+the logic followed by libpam as it executes the stack of
+<em/authentication/ modules, when the application called either
+<tt/pam_authenticate()/ or <tt/pam_setcred()/.  Failing to do this,
+led to confusion on the part of the System Administrator.
+
+<p>
+For <bf/Linux-PAM-0.75/ and later, libpam handles the credential stack
+much more sanely. The way the <tt/auth/ stack is navigated in order to
+evaluate the <tt/pam_setcred()/ function call, independent of the
+<tt/pam_sm_setcred()/ return codes, is exactly the same way that it
+was navigated when evaluating the <tt/pam_authenticate()/ library
+call. Typically, if a stack entry was ignored in evaluating
+<tt/pam_authenticate()/, it will be ignored when libpam evaluates the
+<tt/pam_setcred()/ function call. Otherwise, the return codes from
+each module specific <tt/pam_sm_setcred()/ call are treated as
+<tt/required/.
+
+<p>
+Besides <tt/PAM_SUCCESS/, the module may return one of the following
+errors:
+
+<p><descrip>
+<tag><tt/PAM_CRED_UNAVAIL/</tag>
+	This module cannot retrieve the user's credentials.
+<tag><tt/PAM_CRED_EXPIRED/</tag>
+	The user's credentials have expired.
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The user is not known to this authentication module.
+<tag><tt/PAM_CRED_ERR/</tag>
+	This module was unable to set the credentials of the user.
+</descrip>
+
+<p>
+these, non-<tt/PAM_SUCCESS/, return values will typically lead to the
+credential stack <em/failing/. The first such error will dominate in
+the return value of <tt/pam_setcred()/.
+
+</itemize>
+
+<sect1> Account management
+
+<p>
+To be correctly initialized, <tt/PAM_SM_ACCOUNT/ must be
+<tt/#define/'d prior to including <tt>&lt;security/pam_modules.h&gt;</tt>.
+This will ensure that the prototype for a static module is properly
+declared.
+
+<p>
+<itemize>
+
+<item>
+<tt>PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int
+argc, const char **argv);</tt>
+
+<p>
+This function performs the task of establishing whether the user is
+permitted to gain access at this time. It should be understood that
+the user has previously been validated by an authentication
+module. This function checks for other things. Such things might be:
+the time of day or the date, the terminal line, remote
+hostname, etc. .
+
+<p>
+This function may also determine things like the expiration on
+passwords, and respond that the user change it before continuing.
+
+<p>
+Valid flags, which may be logically OR'd with <tt/PAM_SILENT/, are the
+same as those applicable to the <tt/flags/ argument of
+<tt/pam_sm_authenticate/.
+
+<p>
+This function may return one of the following errors,
+
+<descrip>
+
+<tag><tt/PAM_ACCT_EXPIRED/</tag>
+	The user is no longer permitted access to the system.
+<tag><tt/PAM_AUTH_ERR/</tag>
+	There was an authentication error.
+<tag><tt/PAM_AUTHTOKEN_REQD/</tag>
+	The user's authentication token has expired. Before calling
+this function again the application will arrange for a new one to be
+given. This will likely result in a call to <tt/pam_sm_chauthtok()/.
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The user is not known to the module's account management
+component.
+	
+</descrip>
+
+</itemize>
+
+<sect1> Session management
+
+<p>
+To be correctly initialized, <tt/PAM_SM_SESSION/ must be
+<tt/#define/'d prior to including
+<tt>&lt;security/pam_modules.h&gt;</tt>.  This will ensure that the
+prototypes for static modules are properly declared.
+
+<p>
+The following two functions are defined to handle the
+initialization/termination of a session. For example, at the beginning
+of a session the module may wish to log a message with the system
+regarding the user. Similarly, at the end of the session the module
+would inform the system that the user's session has ended.
+
+<p>
+It should be possible for sessions to be opened by one application and
+closed by another. This either requires that the module uses only
+information obtained from <tt/pam_get_item()/, or that information
+regarding the session is stored in some way by the operating system
+(in a file for example).
+
+<p>
+<itemize>
+
+<item>
+<tt>PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int
+argc, const char **argv);</tt>
+
+<p>
+This function is called to commence a session. The only valid, but
+optional, flag is <tt/PAM_SILENT/.
+
+<p>
+As a return value, <tt/PAM_SUCCESS/ signals success and
+<tt/PAM_SESSION_ERR/ failure.
+
+<item>
+<tt>PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int
+argc, const char **argv);</tt>
+
+<p>
+This function is called to terminate a session. The only valid, but
+optional, flag is <tt/PAM_SILENT/.
+
+<p>
+As a return value, <tt/PAM_SUCCESS/ signals success and
+<tt/PAM_SESSION_ERR/ failure.
+
+</itemize>
+
+<sect1> Password management
+
+<p>
+To be correctly initialized, <tt/PAM_SM_PASSWORD/ must be
+<tt/#define/'d prior to including <tt>&lt;security/pam_modules.h&gt;</tt>.
+This will ensure that the prototype for a static module is properly
+declared.
+
+<p>
+<itemize>
+
+<item>
+<tt>PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int
+argc, const char **argv);</tt>
+
+<p>
+This function is used to (re-)set the authentication token of the
+user. A valid flag, which may be logically OR'd with <tt/PAM_SILENT/,
+can be built from the following list,
+
+<descrip>
+<tag><tt/PAM_CHANGE_EXPIRED_AUTHTOK/</tag>
+	This argument indicates to the module that the users
+authentication token (password) should only be changed if it has
+expired. This flag is optional and <em/must/ be combined with one of
+the following two flags. Note, however, the following two options are
+<em/mutually exclusive/.
+
+<tag><tt/PAM_PRELIM_CHECK/</tag>
+	This indicates that the modules are being probed as to their
+ready status for altering the user's authentication token. If the
+module requires access to another system over some network it should
+attempt to verify it can connect to this system on receiving this
+flag. If a module cannot establish it is ready to update the user's
+authentication token it should return <tt/PAM_TRY_AGAIN/, this
+information will be passed back to the application.
+
+<tag><tt/PAM_UPDATE_AUTHTOK/</tag>
+	This informs the module that this is the call it should change
+the authorization tokens. If the flag is logically OR'd with
+<tt/PAM_CHANGE_EXPIRED_AUTHTOK/, the token is only changed if it has
+actually expired.
+
+</descrip>
+
+<p>
+Note, the <bf/Linux-PAM/ library calls this function twice in
+succession. The first time with <tt/PAM_PRELIM_CHECK/ and then, if the
+module does not return <tt/PAM_TRY_AGAIN/, subsequently with
+<tt/PAM_UPDATE_AUTHTOK/. It is only on the second call that the
+authorization token is (possibly) changed.
+
+<p>
+<tt/PAM_SUCCESS/ is the only successful return value, valid
+error-returns are:
+
+<descrip>
+<tag><tt/PAM_AUTHTOK_ERR/</tag>
+	The module was unable to obtain the new authentication token.
+	
+<tag><tt/PAM_AUTHTOK_RECOVERY_ERR/</tag>
+	The module was unable to obtain the old authentication token.
+
+<tag><tt/PAM_AUTHTOK_LOCK_BUSY/</tag>
+	Cannot change the authentication token since it is currently
+locked.
+	
+<tag><tt/PAM_AUTHTOK_DISABLE_AGING/</tag>
+	Authentication token aging has been disabled.
+
+<tag><tt/PAM_PERM_DENIED/</tag>
+	Permission denied.
+
+<tag><tt/PAM_TRY_AGAIN/</tag>
+	Preliminary check was unsuccessful. Signals an immediate return
+to the application is desired.
+
+<tag><tt/PAM_USER_UNKNOWN/</tag>
+	The user is not known to the authentication token changing
+service.
+
+</descrip>
+
+</itemize>
+
+<sect>Generic optional arguments
+
+<p>
+Here we list the generic arguments that all modules can expect to
+be passed. They are not mandatory, and their absence should be
+accepted without comment by the module.
+
+<p>
+<descrip>
+<tag><tt/debug/</tag>
+
+Use the <tt/syslog(3)/ call to log debugging information to the system
+log files.
+
+<tag><tt/no_warn/</tag>
+
+Instruct module to not give warning messages to the application.
+
+<tag><tt/use_first_pass/</tag>
+
+The module should not prompt the user for a password. Instead, it
+should obtain the previously typed password (by a call to
+<tt/pam_get_item()/ for the <tt/PAM_AUTHTOK/ item), and use that. If
+that doesn't work, then the user will not be authenticated. (This
+option is intended for <tt/auth/ and <tt/passwd/ modules only).
+
+<tag><tt/try_first_pass/</tag>
+
+The module should attempt authentication with the previously typed
+password (by a call to <tt/pam_get_item()/ for the <tt/PAM_AUTHTOK/
+item). If that doesn't work, then the user is prompted for a
+password. (This option is intended for <tt/auth/ modules only).
+
+<tag><tt/use_mapped_pass/</tag>
+
+<bf/WARNING:/ coding this functionality may cause the module writer to
+break <em/local/ encryption laws. For example, in the U.S. there are
+restrictions on the export computer code that is capable of strong
+encryption.  It has not been established whether this option is
+affected by this law, but one might reasonably assume that it does
+until told otherwise.  For this reason, this option is not supported
+by any of the modules distributed with <bf/Linux-PAM/.
+
+The intended function of this argument, however, is that the module
+should take the existing authentication token from a previously
+invoked module and use it as a key to retrieve the authentication
+token for this module. For example, the module might create a strong
+hash of the <tt/PAM_AUTHTOK/ item (established by a previously
+executed module). Then, with logical-exclusive-or, use the result as a
+<em/key/ to safely store/retrieve the authentication token for this
+module in/from a local file <em/etc/. .
+
+<tag><tt/expose_account/</tag>
+
+<p>
+In general the leakage of some information about user accounts is not
+a secure policy for modules to adopt. Sometimes information such as
+users names or home directories, or preferred shell, can be used to
+attack a user's account. In some circumstances, however, this sort of
+information is not deemed a threat: displaying a user's full name when
+asking them for a password in a secured environment could also be
+called being 'friendly'. The <tt/expose_account/ argument is a
+standard module argument to encourage a module to be less discrete
+about account information as it is deemed appropriate by the local
+administrator.
+
+</descrip>
+
+<sect>Programming notes
+
+<p>
+Here we collect some pointers for the module writer to bear in mind
+when writing/developing a <bf/Linux-PAM/ compatible module.
+
+<sect1>Security issues for module creation
+
+<sect2>Sufficient resources
+
+<p>
+Care should be taken to ensure that the proper execution of a module
+is not compromised by a lack of system resources.  If a module is
+unable to open sufficient files to perform its task, it should fail
+gracefully, or request additional resources.  Specifically, the
+quantities manipulated by the <tt/setrlimit(2)/ family of commands
+should be taken into consideration.
+
+<sect2>Who's who?
+
+<p>
+Generally, the module may wish to establish the identity of the user
+requesting a service.  This may not be the same as the username
+returned by <tt/pam_get_user()/. Indeed, that is only going to be the
+name of the user under whose identity the service will be given.  This
+is not necessarily the user that requests the service.
+
+<p>
+In other words, user X runs a program that is setuid-Y, it grants the
+user to have the permissions of Z.  A specific example of this sort of
+service request is the <em/su/ program: user <tt/joe/ executes
+<em/su/ to become the user <em/jane/.  In this situation X=<tt/joe/,
+Y=<tt/root/ and Z=<tt/jane/.  Clearly, it is important that the module
+does not confuse these different users and grant an inappropriate
+level of privilege.
+
+<p>
+The following is the convention to be adhered to when juggling
+user-identities.
+
+<p>
+<itemize>
+<item>X, the identity of the user invoking the service request.
+This is the user identifier; returned by the function <tt/getuid(2)/.
+
+<item>Y, the privileged identity of the application used to grant the
+requested service.  This is the <em/effective/ user identifier;
+returned by the function <tt/geteuid(2)/.
+
+<item>Z, the user under whose identity the service will be granted.
+This is the username returned by <tt/pam_get_user(2)/ and also stored
+in the <bf/Linux-PAM/ item, <tt/PAM_USER/.
+
+<item><bf/Linux-PAM/ has a place for an additional user identity that
+a module may care to make use of. This is the <tt/PAM_RUSER/ item.
+Generally, network sensitive modules/applications may wish to set/read
+this item to establish the identity of the user requesting a service
+from a remote location.
+
+</itemize>
+
+<p>
+Note, if a module wishes to modify the identity of either the <tt/uid/
+or <tt/euid/ of the running process, it should take care to restore
+the original values prior to returning control to the <bf/Linux-PAM/
+library.
+
+<sect2>Using the conversation function
+<p>
+Prior to calling the conversation function, the module should reset
+the contents of the pointer that will return the applications
+response.  This is a good idea since the application may fail to fill
+the pointer and the module should be in a position to notice!
+
+<p>
+The module should be prepared for a failure from the conversation. The
+generic error would be <tt/PAM_CONV_ERR/, but anything other than
+<tt/PAM_SUCCESS/ should be treated as indicating failure.
+
+<sect2>Authentication tokens
+
+<p>
+To ensure that the authentication tokens are not left lying around the
+items, <tt/PAM_AUTHTOK/ and <tt/PAM_OLDAUTHTOK/, are not available to
+the application: they are defined in
+<tt>&lt;security/pam_modules.h&gt;</tt>. This is ostensibly for
+security reasons, but a maliciously programmed application will always
+have access to all memory of the process, so it is only superficially
+enforced.  As a general rule the module should overwrite
+authentication tokens as soon as they are no longer needed.
+Especially before <tt/free()/'ing them. The <bf/Linux-PAM/ library is
+required to do this when either of these authentication token items
+are (re)set.
+
+<p>
+Not to dwell too little on this concern; should the module store the
+authentication tokens either as (automatic) function variables or
+using <tt/pam_[gs]et_data()/ the associated memory should be
+over-written explicitly before it is released. In the case of the
+latter storage mechanism, the associated <tt/cleanup()/ function
+should explicitly overwrite the <tt/*data/ before <tt/free()/'ing it:
+for example,
+
+<tscreen>
+<verb>
+/*
+ * An example cleanup() function for releasing memory that was used to
+ * store a password. 
+ */
+
+int cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+    char *xx;
+
+    if ((xx = data)) {
+        while (*xx)
+            *xx++ = '\0';
+        free(data);
+    }
+    return PAM_SUCCESS;
+}
+</verb>
+</tscreen>
+
+<sect1>Use of <tt/syslog(3)/
+
+<p>
+Only rarely should error information be directed to the user. Usually,
+this is to be limited to ``<em/sorry you cannot login now/'' type
+messages. Information concerning errors in the configuration file,
+<tt>/etc/pam.conf</tt>, or due to some system failure encountered by
+the module, should be written to <tt/syslog(3)/ with
+<em/facility-type/ <tt/LOG_AUTHPRIV/.
+
+<p>
+With a few exceptions, the level of logging is, at the discretion of
+the module developer. Here is the recommended usage of different
+logging levels:
+
+<p>
+<itemize>
+
+<item>