summaryrefslogtreecommitdiff
path: root/modules/pam_timestamp
diff options
context:
space:
mode:
authorSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 17:53:41 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 18:17:08 -0800
commit212b52cf29c06cc209bc8ac0540dbab1acdf1464 (patch)
tree58da0bf39f5c4122e4a1b4da20fdeea52b97a671 /modules/pam_timestamp
parent9c52e721044e7501c3d4567b36d222dc7326224a (diff)
parent56c8282d128fb484ffc77dff73abf42229b291d3 (diff)
New upstream version 1.1.0
Diffstat (limited to 'modules/pam_timestamp')
-rw-r--r--modules/pam_timestamp/Makefile.am47
-rw-r--r--modules/pam_timestamp/Makefile.in806
-rw-r--r--modules/pam_timestamp/README49
-rw-r--r--modules/pam_timestamp/README.xml46
-rwxr-xr-xmodules/pam_timestamp/hmacfile130
-rw-r--r--modules/pam_timestamp/hmacfile.c159
-rw-r--r--modules/pam_timestamp/hmacsha1.c293
-rw-r--r--modules/pam_timestamp/hmacsha1.h15
-rw-r--r--modules/pam_timestamp/pam_timestamp.8277
-rw-r--r--modules/pam_timestamp/pam_timestamp.8.xml189
-rw-r--r--modules/pam_timestamp/pam_timestamp.c831
-rw-r--r--modules/pam_timestamp/pam_timestamp_check.8289
-rw-r--r--modules/pam_timestamp/pam_timestamp_check.8.xml208
-rw-r--r--modules/pam_timestamp/pam_timestamp_check.c42
-rw-r--r--modules/pam_timestamp/sha1.c254
-rw-r--r--modules/pam_timestamp/sha1.h60
-rwxr-xr-xmodules/pam_timestamp/tst-pam_timestamp2
17 files changed, 3697 insertions, 0 deletions
diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am
new file mode 100644
index 00000000..37cbabf9
--- /dev/null
+++ b/modules/pam_timestamp/Makefile.am
@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2005, 2008 Red Hat, Inc.
+#
+
+CLEANFILES = *~
+
+XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml
+man_MANS = pam_timestamp.8 pam_timestamp_check.8
+TESTS = tst-pam_timestamp hmacfile
+
+EXTRA_DIST = $(man_MANS) $(XMLS) $(TESTS)
+
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
+noinst_HEADERS = hmacsha1.h sha1.h
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+
+pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS)
+pam_timestamp_la_LIBADD = -L$(top_builddir)/libpam -lpam
+if HAVE_VERSIONING
+ pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
+securelib_LTLIBRARIES = pam_timestamp.la
+sbin_PROGRAMS = pam_timestamp_check
+
+pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c
+pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+
+pam_timestamp_check_SOURCES = pam_timestamp_check.c
+pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+pam_timestamp_check_LDADD = -L$(top_builddir)/libpam -lpam
+pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
+
+hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+hmacfile_LDADD = -L$(top_builddir)/libpam -lpam
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_timestamp.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
+noinst_PROGRAMS = hmacfile
diff --git a/modules/pam_timestamp/Makefile.in b/modules/pam_timestamp/Makefile.in
new file mode 100644
index 00000000..221a34d5
--- /dev/null
+++ b/modules/pam_timestamp/Makefile.in
@@ -0,0 +1,806 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2005, 2008 Red Hat, Inc.
+#
+
+
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = tst-pam_timestamp hmacfile$(EXEEXT)
+@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
+sbin_PROGRAMS = pam_timestamp_check$(EXEEXT)
+noinst_PROGRAMS = hmacfile$(EXEEXT)
+subdir = modules/pam_timestamp
+DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+ $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+ $(top_srcdir)/m4/japhar_grep_cflags.m4 \
+ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+ $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+ $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+ $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
+ $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \
+ "$(DESTDIR)$(man8dir)"
+securelibLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(securelib_LTLIBRARIES)
+pam_timestamp_la_DEPENDENCIES =
+am_pam_timestamp_la_OBJECTS = pam_timestamp_la-pam_timestamp.lo \
+ pam_timestamp_la-hmacsha1.lo pam_timestamp_la-sha1.lo
+pam_timestamp_la_OBJECTS = $(am_pam_timestamp_la_OBJECTS)
+pam_timestamp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(pam_timestamp_la_CFLAGS) \
+ $(CFLAGS) $(pam_timestamp_la_LDFLAGS) $(LDFLAGS) -o $@
+sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(noinst_PROGRAMS) $(sbin_PROGRAMS)
+am_hmacfile_OBJECTS = hmacfile.$(OBJEXT) hmacsha1.$(OBJEXT) \
+ sha1.$(OBJEXT)
+hmacfile_OBJECTS = $(am_hmacfile_OBJECTS)
+hmacfile_DEPENDENCIES =
+am_pam_timestamp_check_OBJECTS = \
+ pam_timestamp_check-pam_timestamp_check.$(OBJEXT)
+pam_timestamp_check_OBJECTS = $(am_pam_timestamp_check_OBJECTS)
+pam_timestamp_check_DEPENDENCIES =
+pam_timestamp_check_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(pam_timestamp_check_CFLAGS) $(CFLAGS) \
+ $(pam_timestamp_check_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(pam_timestamp_la_SOURCES) $(hmacfile_SOURCES) \
+ $(pam_timestamp_check_SOURCES)
+DIST_SOURCES = $(pam_timestamp_la_SOURCES) $(hmacfile_SOURCES) \
+ $(pam_timestamp_check_SOURCES)
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(man_MANS)
+DATA = $(noinst_DATA)
+HEADERS = $(noinst_HEADERS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FO2PDF = @FO2PDF@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = *~
+XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml
+man_MANS = pam_timestamp.8 pam_timestamp_check.8
+EXTRA_DIST = $(man_MANS) $(XMLS) $(TESTS)
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+noinst_HEADERS = hmacsha1.h sha1.h
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module \
+ $(AM_LDFLAGS) $(am__append_1)
+pam_timestamp_la_LIBADD = -L$(top_builddir)/libpam -lpam
+securelib_LTLIBRARIES = pam_timestamp.la
+pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c
+pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+pam_timestamp_check_SOURCES = pam_timestamp_check.c
+pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+pam_timestamp_check_LDADD = -L$(top_builddir)/libpam -lpam
+pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
+hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+hmacfile_LDADD = -L$(top_builddir)/libpam -lpam
+@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)"
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-securelibLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \
+ done
+
+clean-securelibLTLIBRARIES:
+ -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES)
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+pam_timestamp.la: $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_DEPENDENCIES)
+ $(pam_timestamp_la_LINK) -rpath $(securelibdir) $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_LIBADD) $(LIBS)
+
+clean-noinstPROGRAMS:
+ @list='$(noinst_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
+ @list='$(sbin_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-sbinPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(sbin_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
+ rm -f "$(DESTDIR)$(sbindir)/$$f"; \
+ done
+
+clean-sbinPROGRAMS:
+ @list='$(sbin_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+hmacfile$(EXEEXT): $(hmacfile_OBJECTS) $(hmacfile_DEPENDENCIES)
+ @rm -f hmacfile$(EXEEXT)
+ $(LINK) $(hmacfile_OBJECTS) $(hmacfile_LDADD) $(LIBS)
+pam_timestamp_check$(EXEEXT): $(pam_timestamp_check_OBJECTS) $(pam_timestamp_check_DEPENDENCIES)
+ @rm -f pam_timestamp_check$(EXEEXT)
+ $(pam_timestamp_check_LINK) $(pam_timestamp_check_OBJECTS) $(pam_timestamp_check_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacfile.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacsha1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-sha1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+pam_timestamp_la-pam_timestamp.lo: pam_timestamp.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-pam_timestamp.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-pam_timestamp.Tpo -c -o pam_timestamp_la-pam_timestamp.lo `test -f 'pam_timestamp.c' || echo '$(srcdir)/'`pam_timestamp.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_la-pam_timestamp.Tpo $(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pam_timestamp.c' object='pam_timestamp_la-pam_timestamp.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-pam_timestamp.lo `test -f 'pam_timestamp.c' || echo '$(srcdir)/'`pam_timestamp.c
+
+pam_timestamp_la-hmacsha1.lo: hmacsha1.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-hmacsha1.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo -c -o pam_timestamp_la-hmacsha1.lo `test -f 'hmacsha1.c' || echo '$(srcdir)/'`hmacsha1.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo $(DEPDIR)/pam_timestamp_la-hmacsha1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hmacsha1.c' object='pam_timestamp_la-hmacsha1.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-hmacsha1.lo `test -f 'hmacsha1.c' || echo '$(srcdir)/'`hmacsha1.c
+
+pam_timestamp_la-sha1.lo: sha1.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-sha1.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-sha1.Tpo -c -o pam_timestamp_la-sha1.lo `test -f 'sha1.c' || echo '$(srcdir)/'`sha1.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_la-sha1.Tpo $(DEPDIR)/pam_timestamp_la-sha1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sha1.c' object='pam_timestamp_la-sha1.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-sha1.lo `test -f 'sha1.c' || echo '$(srcdir)/'`sha1.c
+
+pam_timestamp_check-pam_timestamp_check.o: pam_timestamp_check.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -MT pam_timestamp_check-pam_timestamp_check.o -MD -MP -MF $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo -c -o pam_timestamp_check-pam_timestamp_check.o `test -f 'pam_timestamp_check.c' || echo '$(srcdir)/'`pam_timestamp_check.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pam_timestamp_check.c' object='pam_timestamp_check-pam_timestamp_check.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -c -o pam_timestamp_check-pam_timestamp_check.o `test -f 'pam_timestamp_check.c' || echo '$(srcdir)/'`pam_timestamp_check.c
+
+pam_timestamp_check-pam_timestamp_check.obj: pam_timestamp_check.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -MT pam_timestamp_check-pam_timestamp_check.obj -MD -MP -MF $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo -c -o pam_timestamp_check-pam_timestamp_check.obj `if test -f 'pam_timestamp_check.c'; then $(CYGPATH_W) 'pam_timestamp_check.c'; else $(CYGPATH_W) '$(srcdir)/pam_timestamp_check.c'; fi`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pam_timestamp_check.c' object='pam_timestamp_check-pam_timestamp_check.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -c -o pam_timestamp_check-pam_timestamp_check.obj `if test -f 'pam_timestamp_check.c'; then $(CYGPATH_W) 'pam_timestamp_check.c'; else $(CYGPATH_W) '$(srcdir)/pam_timestamp_check.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $$i; then file=$$i; \
+ else file=$(srcdir)/$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ echo "XPASS: $$tst"; \
+ ;; \
+ *) \
+ echo "PASS: $$tst"; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ echo "XFAIL: $$tst"; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ echo "FAIL: $$tst"; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ echo "SKIP: $$tst"; \
+ fi; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ echo "$$dashes"; \
+ echo "$$banner"; \
+ test -z "$$skipped" || echo "$$skipped"; \
+ test -z "$$report" || echo "$$report"; \
+ echo "$$dashes"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS)
+installdirs:
+ for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+ clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man install-securelibLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-sbinPROGRAMS
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man: install-man8
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man uninstall-sbinPROGRAMS \
+ uninstall-securelibLTLIBRARIES
+
+uninstall-man: uninstall-man8
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
+ clean-generic clean-libtool clean-noinstPROGRAMS \
+ clean-sbinPROGRAMS clean-securelibLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-man8 install-pdf install-pdf-am install-ps \
+ install-ps-am install-sbinPROGRAMS \
+ install-securelibLTLIBRARIES install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-man uninstall-man8 \
+ uninstall-sbinPROGRAMS uninstall-securelibLTLIBRARIES
+
+@ENABLE_REGENERATE_MAN_TRUE@README: pam_timestamp.8.xml
+@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/modules/pam_timestamp/README b/modules/pam_timestamp/README
new file mode 100644
index 00000000..17b96437
--- /dev/null
+++ b/modules/pam_timestamp/README
@@ -0,0 +1,49 @@
+pam_timestamp — Authenticate using cached successful authentication attempts
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+In a nutshell, pam_timestamp caches successful authentication attempts, and
+allows you to use a recent successful attempt as the basis for authentication.
+This is similar mechanism which is used in sudo.
+
+When an application opens a session using pam_timestamp, a timestamp file is
+created in the timestampdir directory for the user. When an application
+attempts to authenticate the user, a pam_timestamp will treat a sufficiently
+recent timestamp file as grounds for succeeding.
+
+OPTIONS
+
+timestamp_timeout=number
+
+ How long should pam_timestamp treat timestamp as valid after their last
+ modification date (in seconds). Default is 300 seconds.
+
+verbose
+
+ Attempt to inform the user when access is granted.
+
+debug
+
+ Turns on debugging messages sent to syslog(3).
+
+NOTES
+
+Users can get confused when they are not always asked for passwords when
+running a given program. Some users reflexively begin typing information before
+noticing that it is not being asked for.
+
+EXAMPLES
+
+auth sufficient pam_timestamp.so verbose
+auth required pam_unix.so
+
+session required pam_unix.so
+session optional pam_timestamp.so
+
+
+AUTHOR
+
+pam_tally was written by Nalin Dahyabhai.
+
diff --git a/modules/pam_timestamp/README.xml b/modules/pam_timestamp/README.xml
new file mode 100644
index 00000000..5b72deb1
--- /dev/null
+++ b/modules/pam_timestamp/README.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_timestamp.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_timestamp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_timestamp-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-notes"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-author"]/*)'/>
+ </section>
+
+</article>
diff --git a/modules/pam_timestamp/hmacfile b/modules/pam_timestamp/hmacfile
new file mode 100755
index 00000000..89e2a4b6
--- /dev/null
+++ b/modules/pam_timestamp/hmacfile
@@ -0,0 +1,130 @@
+#! /bin/sh
+
+# hmacfile - temporary wrapper script for .libs/hmacfile
+# Generated by ltmain.sh (GNU libtool) 2.2.6
+#
+# The hmacfile program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='/bin/sed -e 1s/^X//'
+sed_quote_subst='s/\([`"$\\]\)/\\\1/g'
+
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
+fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+relink_command=""
+
+# This environment variable determines our operation mode.
+if test "$libtool_install_magic" = "%%%MAGIC variable%%%"; then
+ # install mode needs the following variables:
+ generated_by_libtool_version='2.2.6'
+ notinst_deplibs=' /data/cvs/Linux-PAM/libpam/libpam.la'
+else
+ # When we are sourced in execute mode, $file and $ECHO are already set.
+ if test "$libtool_execute_magic" != "%%%MAGIC variable%%%"; then
+ ECHO="echo"
+ file="$0"
+ # Make sure echo works.
+ if test "X$1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+ elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then
+ # Yippee, $ECHO works!
+ :
+ else
+ # Restart under the correct shell, and then maybe $ECHO will work.
+ exec /bin/sh "$0" --no-reexec ${1+"$@"}
+ fi
+ fi
+
+ # Find the directory that this script lives in.
+ thisdir=`$ECHO "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ test "x$thisdir" = "x$file" && thisdir=.
+
+ # Follow symbolic links until we get to the real thisdir.
+ file=`ls -ld "$file" | /bin/sed -n 's/.*-> //p'`
+ while test -n "$file"; do
+ destdir=`$ECHO "X$file" | $Xsed -e 's%/[^/]*$%%'`
+
+ # If there was a directory component, then change thisdir.
+ if test "x$destdir" != "x$file"; then
+ case "$destdir" in
+ [\\/]* | [A-Za-z]:[\\/]*) thisdir="$destdir" ;;
+ *) thisdir="$thisdir/$destdir" ;;
+ esac
+ fi
+
+ file=`$ECHO "X$file" | $Xsed -e 's%^.*/%%'`
+ file=`ls -ld "$thisdir/$file" | /bin/sed -n 's/.*-> //p'`
+ done
+
+
+ # Usually 'no', except on cygwin/mingw when embedded into
+ # the cwrapper.
+ WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=no
+ if test "$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR" = "yes"; then
+ # special case for '.'
+ if test "$thisdir" = "."; then
+ thisdir=`pwd`
+ fi
+ # remove .libs from thisdir
+ case "$thisdir" in
+ *[\\/].libs ) thisdir=`$ECHO "X$thisdir" | $Xsed -e 's%[\\/][^\\/]*$%%'` ;;
+ .libs ) thisdir=. ;;
+ esac
+ fi
+
+ # Try to get the absolute directory name.
+ absdir=`cd "$thisdir" && pwd`
+ test -n "$absdir" && thisdir="$absdir"
+
+ program='hmacfile'
+ progdir="$thisdir/.libs"
+
+
+ if test -f "$progdir/$program"; then
+ # Add our own library path to LD_LIBRARY_PATH
+ LD_LIBRARY_PATH="/data/cvs/Linux-PAM/libpam/.libs:$LD_LIBRARY_PATH"
+
+ # Some systems cannot cope with colon-terminated LD_LIBRARY_PATH
+ # The second colon is a workaround for a bug in BeOS R4 sed
+ LD_LIBRARY_PATH=`$ECHO "X$LD_LIBRARY_PATH" | $Xsed -e 's/::*$//'`
+
+ export LD_LIBRARY_PATH
+
+ if test "$libtool_execute_magic" != "%%%MAGIC variable%%%"; then
+ # Run the actual program with our arguments.
+
+ exec "$progdir/$program" ${1+"$@"}
+
+ $ECHO "$0: cannot exec $program $*" 1>&2
+ exit 1
+ fi
+ else
+ # The program doesn't exist.
+ $ECHO "$0: error: \`$progdir/$program' does not exist" 1>&2
+ $ECHO "This script is just a wrapper for $program." 1>&2
+ echo "See the libtool documentation for more information." 1>&2
+ exit 1
+ fi
+fi
diff --git a/modules/pam_timestamp/hmacfile.c b/modules/pam_timestamp/hmacfile.c
new file mode 100644
index 00000000..d2da5ff1
--- /dev/null
+++ b/modules/pam_timestamp/hmacfile.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2003,2004 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "hmacsha1.h"
+
+static void
+testvectors(void)
+{
+ void *hmac;
+ size_t hmac_len;
+ size_t i, j;
+ char hex[3];
+ struct vector {
+ const char *key;
+ int key_len;
+ const char *data;
+ int data_len;
+ const char *hmac;
+ } vectors[] = {
+ {
+ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20,
+ "Hi There", 8,
+ "b617318655057264e28bc0b6fb378c8ef146be00",
+ },
+
+#ifdef HMAC_ALLOW_SHORT_KEYS
+ {
+ "Jefe", 4,
+ "what do ya want for nothing?", 28,
+ "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79",
+ },
+#endif
+
+ {
+ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20,
+ "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 50,
+ "125d7342b9ac11cd91a39af48aa17b4f63f175d3",
+ },
+
+ {
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 25,
+ "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
+ 50,
+ "4c9007f4026250c6bc8414f9bf50c86c2d7235da",
+ },
+
+ {
+ "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20,
+ "Test With Truncation", 20,
+ "4c1a03424b55e07fe7f27be1d58bb9324a9a5a04",
+ },
+
+ {
+ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+ 80,
+ "Test Using Larger Than Block-Size Key - Hash Key First", 54,
+ "aa4ae5e15272d00e95705637ce8a3b55ed402112",
+ },
+
+ {
+ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+ 80,
+ "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data", 73,
+ "e8e99d0f45237d786d6bbaa7965c7808bbff1a91",
+ },
+ };
+ for (i = 0; i < sizeof(vectors) / sizeof(vectors[0]); i++) {
+ hmac = NULL;
+ hmac_len = 0;
+ hmac_sha1_generate(&hmac, &hmac_len,
+ vectors[i].key, vectors[i].key_len,
+ vectors[i].data, vectors[i].data_len);
+ if (hmac != NULL) {
+ unsigned char *hmacc = hmac;
+ for (j = 0; j < hmac_len; j++) {
+ snprintf(hex, sizeof(hex), "%02x",
+ hmacc[j] & 0xff);
+ if (strncasecmp(hex,
+ vectors[i].hmac + 2 * j,
+ 2) != 0) {
+ printf("Incorrect result for vector %lu\n", i + 1);
+ exit(1);
+
+ }
+ }
+ free(hmac);
+ } else {
+ printf("Error in vector %lu.\n", i + 1);
+ exit(1);
+ }
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ void *hmac;
+ size_t maclen;
+ const char *keyfile;
+ int i;
+ size_t j;
+
+ testvectors();
+
+ keyfile = argv[1];
+ for (i = 2; i < argc; i++) {
+ hmac_sha1_generate_file(NULL, &hmac, &maclen, keyfile, -1, -1,
+ argv[i], strlen(argv[i]));
+ if (hmac != NULL) {
+ unsigned char *hmacc = hmac;
+ for (j = 0; j < maclen; j++) {
+ printf("%02x", hmacc[j] & 0xff);
+ }
+ printf(" %s\n", argv[i]);
+ free(hmac);
+ }
+ }
+ return 0;
+}
diff --git a/modules/pam_timestamp/hmacsha1.c b/modules/pam_timestamp/hmacsha1.c
new file mode 100644
index 00000000..5b3774ff
--- /dev/null
+++ b/modules/pam_timestamp/hmacsha1.c
@@ -0,0 +1,293 @@
+/* An implementation of HMAC using SHA-1.
+ *
+ * Copyright (c) 2003 Red Hat, Inc.
+ * Written by Nalin Dahyabhai <nalin@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* See RFC 2104 for descriptions. */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <security/pam_ext.h>
+#include "hmacsha1.h"
+#include "sha1.h"
+
+#define MINIMUM_KEY_SIZE SHA1_OUTPUT_SIZE
+#define MAXIMUM_KEY_SIZE SHA1_BLOCK_SIZE
+
+static void
+hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size,
+ uid_t owner, gid_t group)
+{
+ int randfd, keyfd, i;
+ size_t count;
+ char *key;
+
+ /* Open the destination file. */
+ keyfd = open(filename,
+ O_WRONLY | O_CREAT | O_EXCL | O_TRUNC,
+ S_IRUSR | S_IWUSR);
+ if (keyfd == -1) {
+ pam_syslog(pamh, LOG_ERR, "Cannot create %s: %m", filename);
+ return;
+ }
+
+
+ if (fchown(keyfd, owner, group) == -1) {
+ pam_syslog(pamh, LOG_ERR, "Cannot chown %s: %m", filename);
+ return;
+ }
+
+ /* Open the random device to get key data. */
+ randfd = open("/dev/urandom", O_RDONLY);
+ if (randfd == -1) {
+ pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m");
+ close(keyfd);
+ return;
+ }
+
+ /* Read random data for use as the key. */
+ key = malloc(key_size);
+ count = 0;
+ if (!key) {
+ close(keyfd);
+ close(randfd);
+ return;
+ }
+ while (count < key_size) {
+ i = read(randfd, key + count, key_size - count);
+ if ((i == 0) || (i == -1)) {
+ break;
+ }
+ count += i;
+ }
+
+ close(randfd);
+
+ /* If we didn't get enough, stop here. */
+ if (count < key_size) {
+ pam_syslog(pamh, LOG_ERR, "Short read on random device");
+ memset(key, 0, key_size);
+ free(key);
+ close(keyfd);
+ return;
+ }
+
+ /* Now write the key. */
+ count = 0;
+ while (count < key_size) {
+ i = write(keyfd, key + count, key_size - count);
+ if ((i == 0) || (i == -1)) {
+ break;
+ }
+ count += i;
+ }
+ memset(key, 0, key_size);
+ free(key);
+ close(keyfd);
+}
+
+static void
+hmac_key_read(pam_handle_t *pamh, const char *filename, size_t default_key_size,
+ uid_t owner, gid_t group,
+ void **key, size_t *key_size)
+{
+ char *tmp;
+ int keyfd, i, count;
+ struct stat st;
+
+ tmp = NULL;
+ *key = NULL;
+ *key_size = 0;
+
+ /* Try to open the key file. */
+ keyfd = open(filename, O_RDONLY);
+ if (keyfd == -1) {
+ /* No such thing? Create it. */
+ if (errno == ENOENT) {
+ hmac_key_create(pamh, filename, default_key_size,
+ owner, group);
+ keyfd = open(filename, O_RDONLY);
+ } else {
+ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", filename);
+ }
+ if (keyfd == -1)
+ return;
+ }
+
+ /* If we failed to open the file, we're done. */
+ if (fstat(keyfd, &st) == -1) {
+ close(keyfd);
+ return;
+ }
+
+ /* Read the contents of the file. */
+ tmp = malloc(st.st_size);
+ if (!tmp) {
+ close(keyfd);
+ return;
+ }
+
+ count = 0;
+ while (count < st.st_size) {
+ i = read(keyfd, tmp + count, st.st_size - count);
+ if ((i == 0) || (i == -1)) {
+ break;
+ }
+ count += i;
+ }
+ close(keyfd);
+
+ /* Require that we got the expected amount of data. */
+ if (count < st.st_size) {
+ memset(tmp, 0, st.st_size);
+ free(tmp);
+ return;
+ }
+
+ /* Pass the key back. */
+ *key = tmp;
+ *key_size = st.st_size;
+}
+
+static void
+xor_block(unsigned char *p, unsigned char byte, size_t length)
+{
+ size_t i;
+ for (i = 0; i < length; i++) {
+ p[i] = p[i] ^ byte;
+ }
+}
+
+void
+hmac_sha1_generate(void **mac, size_t *mac_length,
+ const void *raw_key, size_t raw_key_size,
+ const void *text, size_t text_length)
+{
+ unsigned char key[MAXIMUM_KEY_SIZE], tmp_key[MAXIMUM_KEY_SIZE];
+ size_t maximum_key_size = SHA1_BLOCK_SIZE,
+ minimum_key_size = SHA1_OUTPUT_SIZE;
+ const unsigned char ipad = 0x36, opad = 0x5c;
+ struct sha1_context sha1;
+ unsigned char inner[SHA1_OUTPUT_SIZE], outer[SHA1_OUTPUT_SIZE];
+
+ *mac = NULL;
+ *mac_length = 0;
+
+#ifndef HMAC_ALLOW_SHORT_KEYS
+ /* If the key is too short, don't bother. */
+ if (raw_key_size < minimum_key_size) {
+ return;
+ }
+#endif
+
+ /* If the key is too long, "compress" it, else copy it and pad it
+ * out with zero bytes. */
+ memset(key, 0, sizeof(key));
+ if (raw_key_size > maximum_key_size) {
+ sha1_init(&sha1);
+ sha1_update(&sha1, raw_key, raw_key_size);
+ sha1_output(&sha1, key);
+ } else {
+ memmove(key, raw_key, raw_key_size);
+ }
+
+ /* Generate the inner sum. */
+ memcpy(tmp_key, key, sizeof(tmp_key));
+ xor_block(tmp_key, ipad, sizeof(tmp_key));
+
+ sha1_init(&sha1);
+ sha1_update(&sha1, tmp_key, sizeof(tmp_key));
+ sha1_update(&sha1, text, text_length);
+ sha1_output(&sha1, inner);
+
+ /* Generate the outer sum. */
+ memcpy(tmp_key, key, sizeof(tmp_key));
+ xor_block(tmp_key, opad, sizeof(tmp_key));
+
+ sha1_init(&sha1);
+ sha1_update(&sha1, tmp_key, sizeof(tmp_key));
+ sha1_update(&sha1, inner, sizeof(inner));
+ sha1_output(&sha1, outer);
+
+ /* We don't need any of the keys any more. */
+ memset(key, 0, sizeof(key));
+ memset(tmp_key, 0, sizeof(tmp_key));
+
+ /* Allocate space to store the output. */
+ *mac_length = sizeof(outer);
+ *mac = malloc(*mac_length);
+ if (*mac == NULL) {
+ *mac_length = 0;
+ return;
+ }
+
+ memcpy(*mac, outer, *mac_length);
+}
+
+void
+hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length,
+ const char *keyfile, uid_t owner, gid_t group,
+ const void *text, size_t text_length)
+{
+ void *key;
+ size_t key_length;
+
+ hmac_key_read(pamh, keyfile,
+ MAXIMUM_KEY_SIZE, owner, group,
+ &key, &key_length);
+ if (key == NULL) {
+ *mac = NULL;
+ *mac_length = 0;
+ return;
+ }
+ hmac_sha1_generate(mac, mac_length,
+ key, key_length,
+ text, text_length);
+ memset(key, 0, key_length);
+ free(key);
+}
+
+size_t
+hmac_sha1_size(void)
+{
+ return SHA1_OUTPUT_SIZE;
+}
diff --git a/modules/pam_timestamp/hmacsha1.h b/modules/pam_timestamp/hmacsha1.h
new file mode 100644
index 00000000..200d1d06
--- /dev/null
+++ b/modules/pam_timestamp/hmacsha1.h
@@ -0,0 +1,15 @@
+#ifndef pam_timestamp_hmacfile_h
+#define pam_timestamp_hmacfile_h
+
+#include <sys/types.h>
+#include <security/pam_modules.h>
+
+size_t hmac_sha1_size(void);
+void hmac_sha1_generate(void **mac, size_t *mac_length,
+ const void *key, size_t key_length,
+ const void *text, size_t text_length);
+void hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length,
+ const char *keyfile, uid_t owner, gid_t group,
+ const void *text, size_t text_length);
+
+#endif
diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8
new file mode 100644
index 00000000..7560ca74
--- /dev/null
+++ b/modules/pam_timestamp/pam_timestamp.8
@@ -0,0 +1,277 @@
+.\" Title: pam_timestamp
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+.\" Date: 06/16/2009
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_TIMESTAMP" "8" "06/16/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * (re)Define some macros
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" toupper - uppercase a string (locale-aware)
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de toupper
+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+\\$*
+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH-xref - format a cross-reference to an SH section
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de SH-xref
+.ie n \{\
+.\}
+.toupper \\$*
+.el \{\
+\\$*
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH - level-one heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SH
+.\" put an extra blank line of space above the head in non-TTY output
+.if t \{\
+.sp 1
+.\}
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[an-margin]u
+.ti 0
+.HTML-TAG ".NH \\n[an-level]"
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+\." make the size of the head bigger
+.ps +3
+.ft B
+.ne (2v + 1u)
+.ie n \{\
+.\" if n (TTY output), use uppercase
+.toupper \\$*
+.\}
+.el \{\
+.nr an-break-flag 0
+.\" if not n (not TTY), use normal case (not uppercase)
+\\$1
+.in \\n[an-margin]u
+.ti 0
+.\" if not n (not TTY), put a border/line under subheading
+.sp -.6
+\l'\n(.lu'
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SS - level-two heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SS
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[IN]u
+.ti \\n[SN]u
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.ps \\n[PS-SS]u
+\." make the size of the head bigger
+.ps +2
+.ft B
+.ne (2v + 1u)
+.if \\n[.$] \&\\$*
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BB/BE - put background/screen (filled box) around block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BB
+.if t \{\
+.sp -.5
+.br
+.in +2n
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EB
+.if t \{\
+.if "\\$2"adjust-for-leading-newline" \{\
+.sp -1
+.\}
+.br
+.di
+.in
+.ll
+.gcolor
+.nr BW \\n(.lu-\\n(.i
+.nr BH \\n(dn+.5v
+.ne \\n(BHu+.5v
+.ie "\\$2"adjust-for-leading-newline" \{\
+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.el \{\
+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.in 0
+.sp -.5v
+.nf
+.BX
+.in
+.sp .5v
+.fi
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BM/EM - put colored marker in margin next to block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BM
+.if t \{\
+.br
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EM
+.if t \{\
+.br
+.di
+.ll
+.gcolor
+.nr BH \\n(dn
+.ne \\n(BHu
+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+.in 0
+.nf
+.BX
+.in
+.fi
+.\}
+..
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "Name"
+pam_timestamp \- Authenticate using cached successful authentication attempts
+.SH "Synopsis"
+.fam C
+.HP \w'\fBpam_timestamp\&.so\fR\ 'u
+\fBpam_timestamp\&.so\fR [timestamp_timeout=\fInumber\fR] [verbose] [debug]
+.fam
+.SH "DESCRIPTION"
+.PP
+In a nutshell,
+\fIpam_timestamp\fR
+caches successful authentication attempts, and allows you to use a recent successful attempt as the basis for authentication\&. This is similar mechanism which is used in
+\fBsudo\fR\&.
+.PP
+When an application opens a session using
+\fIpam_timestamp\fR, a timestamp file is created in the
+\fItimestampdir\fR
+directory for the user\&. When an application attempts to authenticate the user, a
+\fIpam_timestamp\fR
+will treat a sufficiently recent timestamp file as grounds for succeeding\&.
+.SH "OPTIONS"
+.PP
+\fBtimestamp_timeout=\fR\fB\fInumber\fR\fR
+.RS 4
+How long should pam_timestamp treat timestamp as valid after their last modification date (in seconds)\&. Default is 300 seconds\&.
+.RE
+.PP
+\fBverbose\fR
+.RS 4
+Attempt to inform the user when access is granted\&.
+.RE
+.PP
+\fBdebug\fR
+.RS 4
+Turns on debugging messages sent to
+\fBsyslog\fR(3)\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+The
+\fBauth\fR
+and
+\fBsession\fR
+module types are provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_AUTH_ERR
+.RS 4
+The module was not able to retrieve the user name or no valid timestamp file was found\&.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+Everything was successful\&.
+.RE
+.PP
+PAM_SESSION_ERR
+.RS 4
+Timestamp file could not be created or updated\&.
+.RE
+.SH "NOTES"
+.PP
+Users can get confused when they are not always asked for passwords when running a given program\&. Some users reflexively begin typing information before noticing that it is not being asked for\&.
+.SH "EXAMPLES"
+.sp
+.if n \{\
+.RS 4
+.\}
+.fam C
+.ps -1
+.nf
+.if t \{\
+.sp -1
+.\}
+.BB lightgray adjust-for-leading-newline
+.sp -1
+
+auth sufficient pam_timestamp\&.so verbose
+auth required pam_unix\&.so
+
+session required pam_unix\&.so
+session optional pam_timestamp\&.so
+
+.EB lightgray adjust-for-leading-newline
+.if t \{\
+.sp 1
+.\}
+.fi
+.fam
+.ps +1
+.if n \{\
+.RE
+.\}
+.SH "FILES"
+.PP
+\FC/var/run/sudo/\&.\&.\&.\F[]
+.RS 4
+timestamp files and directories
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBpam_timestamp_check\fR(8),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_tally was written by Nalin Dahyabhai\&.
diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml
new file mode 100644
index 00000000..adb87a79
--- /dev/null
+++ b/modules/pam_timestamp/pam_timestamp.8.xml
@@ -0,0 +1,189 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_timestamp">
+
+ <refmeta>
+ <refentrytitle>pam_timestamp</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_timestamp-name">
+ <refname>pam_timestamp</refname>
+ <refpurpose>Authenticate using cached successful authentication attempts</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_timestamp-cmdsynopsis">
+ <command>pam_timestamp.so</command>
+ <arg choice="opt">
+ timestamp_timeout=<replaceable>number</replaceable>
+ </arg>
+ <arg choice="opt">
+ verbose
+ </arg>
+ <arg choice="opt">
+ debug
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_timestamp-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ In a nutshell, <emphasis>pam_timestamp</emphasis> caches successful
+authentication attempts, and allows you to use a recent successful attempt as
+the basis for authentication. This is similar mechanism which is used in
+<command>sudo</command>.
+ </para>
+ <para>
+ When an application opens a session using <emphasis>pam_timestamp</emphasis>,
+a timestamp file is created in the <emphasis>timestampdir</emphasis> directory
+for the user. When an application attempts to authenticate the user, a
+<emphasis>pam_timestamp</emphasis> will treat a sufficiently recent timestamp
+file as grounds for succeeding.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_timestamp-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>timestamp_timeout=<replaceable>number</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ How long should pam_timestamp treat timestamp as valid after their
+ last modification date (in seconds). Default is 300 seconds.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>verbose</option>
+ </term>
+ <listitem>
+ <para>
+ Attempt to inform the user when access is granted.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Turns on debugging messages sent to <citerefentry>
+ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_timestamp-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ The <option>auth</option> and <option>session</option>
+ module types are provided.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ The module was not able to retrieve the user name or
+ no valid timestamp file was found.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ Everything was successful.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SESSION_ERR</term>
+ <listitem>
+ <para>
+ Timestamp file could not be created or updated.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-notes'>
+ <title>NOTES</title>
+ <para>
+ Users can get confused when they are not always asked for passwords when
+running a given program. Some users reflexively begin typing information before
+noticing that it is not being asked for.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-examples'>
+ <title>EXAMPLES</title>
+ <programlisting>
+auth sufficient pam_timestamp.so verbose
+auth required pam_unix.so
+
+session required pam_unix.so
+session optional pam_timestamp.so
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="pam_timestamp-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/var/run/sudo/...</filename></term>
+ <listitem>
+ <para>timestamp files and directories</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_timestamp_check</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_tally was written by Nalin Dahyabhai.
+ </para>
+ </refsect1>
+
+</refentry>
+
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
new file mode 100644
index 00000000..7e6c4b0b
--- /dev/null
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -0,0 +1,831 @@
+/******************************************************************************
+ * A module for Linux-PAM that will cache authentication results, inspired by
+ * (and implemented with an eye toward being mixable with) sudo.
+ *
+ * Copyright (c) 2002 Red Hat, Inc.
+ * Written by Nalin Dahyabhai <nalin@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_SESSION
+
+#include "config.h"
+
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <utmp.h>
+#include <syslog.h>
+#include "hmacsha1.h"
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+#include <security/pam_ext.h>
+#include <security/pam_modutil.h>
+
+/* The default timeout we use is 5 minutes, which matches the sudo default
+ * for the timestamp_timeout parameter. */
+#define DEFAULT_TIMESTAMP_TIMEOUT (5 * 60)
+#define MODULE "pam_timestamp"
+#define TIMESTAMPDIR "/var/run/sudo"
+#define TIMESTAMPKEY TIMESTAMPDIR "/_pam_timestamp_key"
+
+/* Various buffers we use need to be at least as large as either PATH_MAX or
+ * LINE_MAX, so choose the larger of the two. */
+#if (LINE_MAX > PATH_MAX)
+#define BUFLEN LINE_MAX
+#else
+#define BUFLEN PATH_MAX
+#endif
+
+/* Return PAM_SUCCESS if the given directory looks "safe". */
+static int
+check_dir_perms(pam_handle_t *pamh, const char *tdir)
+{
+ char scratch[BUFLEN];
+ struct stat st;
+ int i;
+ /* Check that the directory is "safe". */
+ if ((tdir == NULL) || (strlen(tdir) == 0)) {
+ return PAM_AUTH_ERR;
+ }
+ /* Iterate over the path, checking intermediate directories. */
+ memset(scratch, 0, sizeof(scratch));
+ for (i = 0; (tdir[i] != '\0') && (i < (int)sizeof(scratch)); i++) {
+ scratch[i] = tdir[i];
+ if ((scratch[i] == '/') || (tdir[i + 1] == '\0')) {
+ /* We now have the name of a directory in the path, so
+ * we need to check it. */
+ if ((lstat(scratch, &st) == -1) && (errno != ENOENT)) {
+ pam_syslog(pamh, LOG_ERR,
+ "unable to read `%s': %m",
+ scratch);
+ return PAM_AUTH_ERR;
+ }
+ if (!S_ISDIR(st.st_mode)) {
+ pam_syslog(pamh, LOG_ERR,
+ "`%s' is not a directory",
+ scratch);
+ return PAM_AUTH_ERR;
+ }
+ if (S_ISLNK(st.st_mode)) {
+ pam_syslog(pamh, LOG_ERR,
+ "`%s' is a symbolic link",
+ scratch);
+ return PAM_AUTH_ERR;
+ }
+ if (st.st_uid != 0) {
+ pam_syslog(pamh, LOG_ERR,
+ "`%s' owner UID != 0",
+ scratch);
+ return PAM_AUTH_ERR;
+ }
+ if (st.st_gid != 0) {
+ pam_syslog(pamh, LOG_ERR,
+ "`%s' owner GID != 0",
+ scratch);
+ return PAM_AUTH_ERR;
+ }
+ if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
+ pam_syslog(pamh, LOG_ERR,
+ "`%s' permissions are lax",
+ scratch);
+ return PAM_AUTH_ERR;
+ }
+ }
+ }
+ return PAM_SUCCESS;
+}
+
+/* Validate a tty pathname as actually belonging to a tty, and return its base
+ * name if it's valid. */
+static const char *
+check_tty(const char *tty)
+{
+ /* Check that we're not being set up to take a fall. */
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ return NULL;
+ }
+ /* Pull out the meaningful part of the tty's name. */
+ if (strchr(tty, '/') != NULL) {
+ if (strncmp(tty, "/dev/", 5) != 0) {
+ /* Make sure the device node is actually in /dev/,
+ * noted by Michal Zalewski. */
+ return NULL;
+ }
+ tty = strrchr(tty, '/') + 1;
+ }
+ /* Make sure the tty wasn't actually a directory (no basename). */
+ if (strlen(tty) == 0) {
+ return NULL;
+ }
+ return tty;
+}
+
+/* Determine the right path name for a given user's timestamp. */
+static int
+format_timestamp_name(char *path, size_t len,
+ const char *timestamp_dir,
+ const char *tty,
+ const char *ruser,
+ const char *user)
+{
+ if (strcmp(ruser, user) == 0) {
+ return snprintf(path, len, "%s/%s/%s", timestamp_dir,
+ ruser, tty);
+ } else {
+ return snprintf(path, len, "%s/%s/%s:%s", timestamp_dir,
+ ruser, tty, user);
+ }
+}
+
+/* Check if a given timestamp date, when compared to a current time, fits
+ * within the given interval. */
+static int
+timestamp_good(time_t then, time_t now, time_t interval)
+{
+ if (((now >= then) && ((now - then) < interval)) ||
+ ((now < then) && ((then - now) < (2 * interval)))) {
+ return PAM_SUCCESS;
+ }
+ return PAM_AUTH_ERR;
+}
+
+static int
+check_login_time(const char *ruser, time_t timestamp)
+{
+ struct utmp utbuf, *ut;
+ time_t oldest_login = 0;
+
+ setutent();
+ while(!getutent_r(&utbuf, &ut)) {
+ if (ut->ut_type != USER_PROCESS) {
+ continue;
+ }
+ if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user) != 0)) {
+ continue;
+ }
+ if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) {
+ oldest_login = ut->ut_tv.tv_sec;
+ }
+ }
+ endutent();
+ if(oldest_login == 0 || timestamp < oldest_login) {
+ return PAM_AUTH_ERR;
+ }
+ return PAM_SUCCESS;
+}
+
+#ifndef PAM_TIMESTAMP_MAIN
+static int
+get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+{
+ const void *ruser;
+ struct passwd *pwd;
+
+ if (ruserbuf == NULL || ruserbuflen < 1)
+ return -2;
+ /* Get the name of the source user. */
+ if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS) {
+ ruser = NULL;
+ }
+ if ((ruser == NULL) || (strlen(ruser) == 0)) {
+ /* Barring that, use the current RUID. */
+ pwd = pam_modutil_getpwuid(pamh, getuid());
+ if (pwd != NULL) {
+ ruser = pwd->pw_name;
+ }
+ }
+ if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ *ruserbuf = '\0';
+ return -1;
+ }
+ strcpy(ruserbuf, ruser);
+ return 0;
+}
+
+/* Get the path to the timestamp to use. */
+static int
+get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv,
+ char *path, size_t len)
+{
+ const char *user, *tty;
+ const void *void_tty;
+ const char *tdir = TIMESTAMPDIR;
+ char ruser[BUFLEN];
+ int i, debug = 0;
+
+ /* Parse arguments. */
+ for (i = 0; i < argc; i++) {
+ if (strcmp(argv[i], "debug") == 0) {
+ debug = 1;
+ }
+ }
+ for (i = 0; i < argc; i++) {
+ if (strncmp(argv[i], "timestampdir=", 13) == 0) {
+ tdir = argv[i] + 13;
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "storing timestamps in `%s'",
+ tdir);
+ }
+ }
+ }
+ i = check_dir_perms(pamh, tdir);
+ if (i != PAM_SUCCESS) {
+ return i;
+ }
+ /* Get the name of the target user. */
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
+ user = NULL;
+ }
+ if ((user == NULL) || (strlen(user) == 0)) {
+ return PAM_AUTH_ERR;
+ }
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG, "becoming user `%s'", user);
+ }
+ /* Get the name of the source user. */
+ if (get_ruser(pamh, ruser, sizeof(ruser)) || strlen(ruser) == 0) {
+ return PAM_AUTH_ERR;
+ }
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG, "currently user `%s'", ruser);
+ }
+ /* Get the name of the terminal. */
+ if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS) {
+ tty = NULL;
+ } else {
+ tty = void_tty;
+ }
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ tty = ttyname(STDIN_FILENO);
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ tty = ttyname(STDOUT_FILENO);
+ }
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ tty = ttyname(STDERR_FILENO);
+ }
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ /* Match sudo's behavior for this case. */
+ tty = "unknown";
+ }
+ }
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG, "tty is `%s'", tty);
+ }
+ /* Snip off all but the last part of the tty name. */
+ tty = check_tty(tty);
+ if (tty == NULL) {
+ return PAM_AUTH_ERR;
+ }
+ /* Generate the name of the file used to cache auth results. These
+ * paths should jive with sudo's per-tty naming scheme. */
+ if (format_timestamp_name(path, len, tdir, tty, ruser, user) >= (int)len) {
+ return PAM_AUTH_ERR;
+ }
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG, "using timestamp file `%s'", path);
+ }
+ return PAM_SUCCESS;
+}
+
+/* Tell the user that access has been granted. */
+static void
+verbose_success(pam_handle_t *pamh, long diff)
+{
+ pam_info(pamh, _("Access granted (last access was %ld seconds ago)."), diff);
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ struct stat st;
+ time_t interval = DEFAULT_TIMESTAMP_TIMEOUT;
+ int i, fd, debug = 0, verbose = 0;
+ char path[BUFLEN], *p, *message, *message_end;
+ long tmp;
+ const void *void_service;
+ const char *service;
+ time_t now, then;
+
+ /* Parse arguments. */
+ for (i = 0; i < argc; i++) {
+ if (strcmp(argv[i], "debug") == 0) {
+ debug = 1;
+ }
+ }
+ for (i = 0; i < argc; i++) {
+ if (strncmp(argv[i], "timestamp_timeout=", 18) == 0) {
+ tmp = strtol(argv[i] + 18, &p, 0);
+ if ((p != NULL) && (*p == '\0')) {
+ interval = tmp;
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "setting timeout to %ld"
+ " seconds", (long)interval);
+ }
+ }
+ } else
+ if (strcmp(argv[i], "verbose") == 0) {
+ verbose = 1;
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "becoming more verbose");
+ }
+ }
+ }
+
+ if (flags & PAM_SILENT) {
+ verbose = 0;
+ }
+
+ /* Get the name of the timestamp file. */
+ if (get_timestamp_name(pamh, argc, argv,
+ path, sizeof(path)) != PAM_SUCCESS) {
+ return PAM_AUTH_ERR;
+ }
+
+ /* Get the name of the service. */
+ if (pam_get_item(pamh, PAM_SERVICE, &void_service) != PAM_SUCCESS) {
+ service = NULL;
+ } else {
+ service = void_service;
+ }
+ if ((service == NULL) || (strlen(service) == 0)) {
+ service = "(unknown)";
+ }
+
+ /* Open the timestamp file. */
+ fd = open(path, O_RDONLY | O_NOFOLLOW);
+ if (fd == -1) {
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "cannot open timestamp `%s': %m",
+ path);
+ }
+ return PAM_AUTH_ERR;
+ }
+
+ if (fstat(fd, &st) == 0) {
+ int count;
+ void *mac;
+ size_t maclen;
+ char ruser[BUFLEN];
+
+ /* Check that the file is owned by the superuser. */
+ if ((st.st_uid != 0) || (st.st_gid != 0)) {
+ pam_syslog(pamh, LOG_ERR, "timestamp file `%s' is "
+ "not owned by root", path);
+ close(fd);
+ return PAM_AUTH_ERR;
+ }
+
+ /* Check that the file is a normal file. */
+ if (!(S_ISREG(st.st_mode))) {
+ pam_syslog(pamh, LOG_ERR, "timestamp file `%s' is "
+ "not a regular file", path);
+ close(fd);
+ return PAM_AUTH_ERR;
+ }
+
+ /* Check that the file is the expected size. */
+ if (st.st_size == 0) {
+ /* Invalid, but may have been created by sudo. */
+ close(fd);
+ return PAM_AUTH_ERR;
+ }
+ if (st.st_size !=
+ (off_t)(strlen(path) + 1 + sizeof(then) + hmac_sha1_size())) {
+ pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' "
+ "appears to be corrupted", path);
+ close(fd);
+ return PAM_AUTH_ERR;
+ }
+
+ /* Read the file contents. */
+ message = malloc(st.st_size);
+ count = 0;
+ if (!message) {
+ close(fd);
+ return PAM_BUF_ERR;
+ }
+ while (count < st.st_size) {
+ i = read(fd, message + count, st.st_size - count);
+ if ((i == 0) || (i == -1)) {
+ break;
+ }
+ count += i;
+ }
+ if (count < st.st_size) {
+ pam_syslog(pamh, LOG_NOTICE, "error reading timestamp "
+ "file `%s': %m", path);
+ close(fd);
+ free(message);
+ return PAM_AUTH_ERR;
+ }
+ message_end = message + strlen(path) + 1 + sizeof(then);
+
+ /* Regenerate the MAC. */
+ hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, 0, 0,
+ message, message_end - message);
+ if ((mac == NULL) ||
+ (memcmp(path, message, strlen(path)) != 0) ||
+ (memcmp(mac, message_end, maclen) != 0)) {
+ pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is "
+ "corrupted", path);
+ close(fd);
+ free(message);
+ return PAM_AUTH_ERR;
+ }
+ free(mac);
+ memmove(&then, message + strlen(path) + 1, sizeof(then));
+ free(message);
+
+ /* Check oldest login against timestamp */
+ if (get_ruser(pamh, ruser, sizeof(ruser)))
+ {
+ close(fd);
+ return PAM_AUTH_ERR;
+ }
+ if (check_login_time(ruser, then) != PAM_SUCCESS)
+ {
+ pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is "
+ "older than oldest login, disallowing "
+ "access to %s for user %s",
+ path, service, ruser);
+ close(fd);
+ return PAM_AUTH_ERR;
+ }
+
+ /* Compare the dates. */
+ now = time(NULL);
+ if (timestamp_good(then, now, interval) == PAM_SUCCESS) {
+ close(fd);
+ pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is "
+ "only %ld seconds old, allowing access to %s "
+ "for user %s", path, (long) (now - st.st_mtime),
+ service, ruser);
+ if (verbose) {
+ verbose_success(pamh, now - st.st_mtime);
+ }
+ return PAM_SUCCESS;
+ } else {
+ close(fd);
+ pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' has "
+ "unacceptable age (%ld seconds), disallowing "
+ "access to %s for user %s",
+ path, (long) (now - st.st_mtime),
+ service, ruser);
+ return PAM_AUTH_ERR;
+ }
+ }
+ close(fd);
+
+ /* Fail by default. */
+ return PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv)
+{
+ char path[BUFLEN], subdir[BUFLEN], *text, *p;
+ void *mac;
+ size_t maclen;
+ time_t now;
+ int fd, i, debug = 0;
+
+ /* Parse arguments. */
+ for (i = 0; i < argc; i++) {
+ if (strcmp(argv[i], "debug") == 0) {
+ debug = 1;
+ }
+ }
+
+ /* Get the name of the timestamp file. */
+ if (get_timestamp_name(pamh, argc, argv,
+ path, sizeof(path)) != PAM_SUCCESS) {
+ return PAM_SESSION_ERR;
+ }
+
+ /* Create the directory for the timestamp file if it doesn't already
+ * exist. */
+ for (i = 1; path[i] != '\0'; i++) {
+ if (path[i] == '/') {
+ /* Attempt to create the directory. */
+ strncpy(subdir, path, i);
+ subdir[i] = '\0';
+ if (mkdir(subdir, 0700) == 0) {
+ /* Attempt to set the owner to the superuser. */
+ if (lchown(subdir, 0, 0) != 0) {
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "error setting permissions on `%s': %m",
+ subdir);
+ }
+ return PAM_SESSION_ERR;
+ }
+ } else {
+ if (errno != EEXIST) {
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "error creating directory `%s': %m",
+ subdir);
+ }
+ return PAM_SESSION_ERR;
+ }
+ }
+ }
+ }
+
+ /* Generate the message. */
+ text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size());
+ if (text == NULL) {
+ pam_syslog(pamh, LOG_ERR, "unable to allocate memory: %m");
+ return PAM_SESSION_ERR;
+ }
+ p = text;
+
+ strcpy(text, path);
+ p += strlen(path) + 1;
+
+ now = time(NULL);
+ memmove(p, &now, sizeof(now));
+ p += sizeof(now);
+
+ /* Generate the MAC and append it to the plaintext. */
+ hmac_sha1_generate_file(pamh, &mac, &maclen,
+ TIMESTAMPKEY,
+ 0, 0,
+ text, p - text);
+ if (mac == NULL) {
+ pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m");
+ free(text);
+ return PAM_SESSION_ERR;
+ }
+ memmove(p, mac, maclen);
+ p += maclen;
+ free(mac);
+
+ /* Open the file. */
+ fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+ if (fd == -1) {
+ pam_syslog(pamh, LOG_ERR, "unable to open `%s': %m", path);
+ free(text);
+ return PAM_SESSION_ERR;
+ }
+
+ /* Attempt to set the owner to the superuser. */
+ if (fchown(fd, 0, 0) != 0) {
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "error setting ownership of `%s': %m",
+ path);
+ }
+ return PAM_SESSION_ERR;
+ }
+
+
+ /* Write the timestamp to the file. */
+ if (write(fd, text, p - text) != p - text) {
+ pam_syslog(pamh, LOG_ERR, "unable to write to `%s': %m", path);
+ close(fd);
+ free(text);
+ return PAM_SESSION_ERR;
+ }
+
+ /* Close the file and return successfully. */
+ close(fd);
+ free(text);
+ pam_syslog(pamh, LOG_DEBUG, "updated timestamp file `%s'", path);
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
+
+#ifdef PAM_STATIC
+/* static module data */
+
+struct pam_module _pam_timestamp_modstruct = {
+ "pam_timestamp",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ NULL,
+ pam_sm_open_session,
+ pam_sm_close_session,
+ NULL
+};
+#endif
+
+
+#else /* PAM_TIMESTAMP_MAIN */
+
+#define USAGE "Usage: %s [[-k] | [-d]] [target user]\n"
+#define CHECK_INTERVAL 7
+
+int
+main(int argc, char **argv)
+{
+ int i, pretval = -1, retval = 0, dflag = 0, kflag = 0;
+ const char *target_user = NULL, *user = NULL, *tty = NULL;
+ struct passwd *pwd;
+ struct timeval tv;
+ fd_set write_fds;
+ char path[BUFLEN];
+ struct stat st;
+
+ /* Check that there's nothing funny going on with stdio. */
+ if ((fstat(STDIN_FILENO, &st) == -1) ||
+ (fstat(STDOUT_FILENO, &st) == -1) ||
+ (fstat(STDERR_FILENO, &st) == -1)) {
+ /* Appropriate the "no controlling tty" error code. */
+ return 3;
+ }
+
+ /* Parse arguments. */
+ while ((i = getopt(argc, argv, "dk")) != -1) {
+ switch (i) {
+ case 'd':
+ dflag++;
+ break;
+ case 'k':
+ kflag++;
+ break;
+ default:
+ fprintf(stderr, USAGE, argv[0]);
+ return 1;
+ break;
+ }
+ }
+
+ /* Bail if both -k and -d are given together. */
+ if ((kflag + dflag) > 1) {
+ fprintf(stderr, USAGE, argv[0]);
+ return 1;
+ }
+
+ /* Check that we're setuid. */
+ if (geteuid() != 0) {
+ fprintf(stderr, "%s must be setuid root\n",
+ argv[0]);
+ retval = 2;
+ }
+
+ /* Check that we have a controlling tty. */
+ tty = ttyname(STDIN_FILENO);
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ tty = ttyname(STDOUT_FILENO);
+ }
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ tty = ttyname(STDERR_FILENO);
+ }
+ if ((tty == NULL) || (strlen(tty) == 0)) {
+ tty = "unknown";
+ }
+
+ /* Get the name of the invoking (requesting) user. */
+ pwd = getpwuid(getuid());
+ if (pwd == NULL) {
+ retval = 4;
+ }
+
+ /* Get the name of the target user. */
+ user = strdup(pwd->pw_name);
+ if (user == NULL) {
+ retval = 4;
+ } else {
+ target_user = (optind < argc) ? argv[optind] : user;
+ if ((strchr(target_user, '.') != NULL) ||
+ (strchr(target_user, '/') != NULL) ||
+ (strchr(target_user, '%') != NULL)) {
+ fprintf(stderr, "unknown user: %s\n",
+ target_user);
+ retval = 4;
+ }
+ }
+
+ /* Sanity check the tty to make sure we should be checking
+ * for timestamps which pertain to it. */
+ if (retval == 0) {
+ tty = check_tty(tty);
+ if (tty == NULL) {
+ fprintf(stderr, "invalid tty\n");
+ retval = 6;
+ }
+ }
+
+ do {
+ /* Sanity check the timestamp directory itself. */
+ if (retval == 0) {
+ if (check_dir_perms(NULL, TIMESTAMPDIR) != PAM_SUCCESS) {
+ retval = 5;
+ }
+ }
+
+ if (retval == 0) {
+ /* Generate the name of the timestamp file. */
+ format_timestamp_name(path, sizeof(path), TIMESTAMPDIR,
+ tty, user, target_user);
+ }
+
+ if (retval == 0) {
+ if (kflag) {
+ /* Remove the timestamp. */
+ if (lstat(path, &st) != -1) {
+ retval = unlink(path);
+ }
+ } else {
+ /* Check the timestamp. */
+ if (lstat(path, &st) != -1) {
+ /* Check oldest login against timestamp */
+ if (check_login_time(user, st.st_mtime) != PAM_SUCCESS) {
+ retval = 7;
+ } else if (!timestamp_good(st.st_mtime, time(NULL),
+ DEFAULT_TIMESTAMP_TIMEOUT) == PAM_SUCCESS) {
+ retval = 7;
+ }
+ } else {
+ retval = 7;
+ }
+ }
+ }
+
+ if (dflag > 0) {
+ struct timeval now;
+ /* Send the would-be-returned value to our parent. */
+ signal(SIGPIPE, SIG_DFL);
+ fprintf(stdout, "%d\n", retval);
+ fflush(stdout);
+ /* Wait. */
+ gettimeofday(&now, NULL);
+ tv.tv_sec = CHECK_INTERVAL;
+ /* round the sleep time to get woken up on a whole second */
+ tv.tv_usec = 1000000 - now.tv_usec;
+ if (now.tv_usec < 500000)
+ tv.tv_sec--;
+ FD_ZERO(&write_fds);
+ FD_SET(STDOUT_FILENO, &write_fds);
+ select(STDOUT_FILENO + 1,
+ NULL, NULL, &write_fds,
+ &tv);
+ pretval = retval;
+ retval = 0;
+ }
+ } while (dflag > 0);
+
+ return retval;
+}
+
+#endif
diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8
new file mode 100644
index 00000000..4c4a5d96
--- /dev/null
+++ b/modules/pam_timestamp/pam_timestamp_check.8
@@ -0,0 +1,289 @@
+.\" Title: pam_timestamp_check
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+.\" Date: 06/16/2009
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_TIMESTAMP_CHECK" "8" "06/16/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * (re)Define some macros
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" toupper - uppercase a string (locale-aware)
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de toupper
+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+\\$*
+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH-xref - format a cross-reference to an SH section
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de SH-xref
+.ie n \{\
+.\}
+.toupper \\$*
+.el \{\
+\\$*
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH - level-one heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SH
+.\" put an extra blank line of space above the head in non-TTY output
+.if t \{\
+.sp 1
+.\}
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[an-margin]u
+.ti 0
+.HTML-TAG ".NH \\n[an-level]"
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+\." make the size of the head bigger
+.ps +3
+.ft B
+.ne (2v + 1u)
+.ie n \{\
+.\" if n (TTY output), use uppercase
+.toupper \\$*
+.\}
+.el \{\
+.nr an-break-flag 0
+.\" if not n (not TTY), use normal case (not uppercase)
+\\$1
+.in \\n[an-margin]u
+.ti 0
+.\" if not n (not TTY), put a border/line under subheading
+.sp -.6
+\l'\n(.lu'
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SS - level-two heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SS
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[IN]u
+.ti \\n[SN]u
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.ps \\n[PS-SS]u
+\." make the size of the head bigger
+.ps +2
+.ft B
+.ne (2v + 1u)
+.if \\n[.$] \&\\$*
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BB/BE - put background/screen (filled box) around block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BB
+.if t \{\
+.sp -.5
+.br
+.in +2n
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EB
+.if t \{\
+.if "\\$2"adjust-for-leading-newline" \{\
+.sp -1
+.\}
+.br
+.di
+.in
+.ll
+.gcolor
+.nr BW \\n(.lu-\\n(.i
+.nr BH \\n(dn+.5v
+.ne \\n(BHu+.5v
+.ie "\\$2"adjust-for-leading-newline" \{\
+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.el \{\
+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.in 0
+.sp -.5v
+.nf
+.BX
+.in
+.sp .5v
+.fi
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BM/EM - put colored marker in margin next to block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BM
+.if t \{\
+.br
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EM
+.if t \{\
+.br
+.di
+.ll
+.gcolor
+.nr BH \\n(dn
+.ne \\n(BHu
+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+.in 0
+.nf
+.BX
+.in
+.fi
+.\}
+..
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "Name"
+pam_timestamp_check \- Check to see if the default timestamp is valid
+.SH "Synopsis"
+.fam C
+.HP \w'\fBpam_timestamp_check\fR\ 'u
+\fBpam_timestamp_check\fR [\-k] [\-d] [\fItarget_user\fR]
+.fam
+.SH "DESCRIPTION"
+.PP
+With no arguments
+\fBpam_timestamp_check\fR
+will check to see if the default timestamp is valid, or optionally remove it\&.
+.SH "OPTIONS"
+.PP
+\fB\-k\fR
+.RS 4
+Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\'s
+\fI\-k\fR
+option\&.
+.RE
+.PP
+\fB\-d\fR
+.RS 4
+Instead of returning validity using an exit status, loop indefinitely, polling regularly and printing the status on standard output\&.
+.RE
+.PP
+\fB\fItarget_user\fR\fR
+.RS 4
+By default
+\fBpam_timestamp_check\fR
+checks or removes timestamps generated by
+\fIpam_timestamp\fR
+when the user authenticates as herself\&. When the user authenticates as a different user, the name of the timestamp file changes to accommodate this\&.
+\fItarget_user\fR
+allows to specify this user name\&.
+.RE
+.SH "RETURN VALUES"
+.PP
+0
+.RS 4
+The timestamp is valid\&.
+.RE
+.PP
+2
+.RS 4
+The binary is not setuid root\&.
+.RE
+.PP
+3
+.RS 4
+Invalid invocation\&.
+.RE
+.PP
+4
+.RS 4
+User is unknown\&.
+.RE
+.PP
+5
+.RS 4
+Permissions error\&.
+.RE
+.PP
+6
+.RS 4
+Invalid controlling tty\&.
+.RE
+.PP
+7
+.RS 4
+Timestamp is not valid\&.
+.RE
+.SH "NOTES"
+.PP
+Users can get confused when they are not always asked for passwords when running a given program\&. Some users reflexively begin typing information before noticing that it is not being asked for\&.
+.SH "EXAMPLES"
+.sp
+.if n \{\
+.RS 4
+.\}
+.fam C
+.ps -1
+.nf
+.if t \{\
+.sp -1
+.\}
+.BB lightgray adjust-for-leading-newline
+.sp -1
+
+auth sufficient pam_timestamp\&.so verbose
+auth required pam_unix\&.so
+
+session required pam_unix\&.so
+session optional pam_timestamp\&.so
+
+.EB lightgray adjust-for-leading-newline
+.if t \{\
+.sp 1
+.\}
+.fi
+.fam
+.ps +1
+.if n \{\
+.RE
+.\}
+.SH "FILES"
+.PP
+\FC/var/run/sudo/\&.\&.\&.\F[]
+.RS 4
+timestamp files and directories
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBpam_timestamp_check\fR(8),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_tally was written by Nalin Dahyabhai\&.
diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml
new file mode 100644
index 00000000..7ec7140e
--- /dev/null
+++ b/modules/pam_timestamp/pam_timestamp_check.8.xml
@@ -0,0 +1,208 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_timestamp_check">
+
+ <refmeta>
+ <refentrytitle>pam_timestamp_check</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_timestamp_check-name">
+ <refname>pam_timestamp_check</refname>
+ <refpurpose>Check to see if the default timestamp is valid</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_timestamp_check-cmdsynopsis">
+ <command>pam_timestamp_check</command>
+ <arg choice="opt">
+ -k
+ </arg>
+ <arg choice="opt">
+ -d
+ </arg>
+ <arg choice="opt">
+ <replaceable>target_user</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_timestamp_check-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ With no arguments <command>pam_timestamp_check</command> will check to
+see if the default timestamp is valid, or optionally remove it.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_timestamp_check-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>-k</option>
+ </term>
+ <listitem>
+ <para>
+ Instead of checking the validity of a timestamp, remove it.
+ This is analogous to sudo's <emphasis>-k</emphasis> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-d</option>
+ </term>
+ <listitem>
+ <para>
+ Instead of returning validity using an exit status,
+ loop indefinitely, polling regularly and printing the status on
+ standard output.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option><replaceable>target_user</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ By default <command>pam_timestamp_check</command> checks or removes
+ timestamps generated by <emphasis>pam_timestamp</emphasis> when
+ the user authenticates as herself. When the user authenticates as a
+ different user, the name of the timestamp file changes to
+ accommodate this. <replaceable>target_user</replaceable> allows
+ to specify this user name.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp_check-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>0</term>
+ <listitem>
+ <para>
+ The timestamp is valid.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>2</term>
+ <listitem>
+ <para>
+ The binary is not setuid root.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>3</term>
+ <listitem>
+ <para>
+ Invalid invocation.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>4</term>
+ <listitem>
+ <para>
+ User is unknown.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>5</term>
+ <listitem>
+ <para>
+ Permissions error.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>6</term>
+ <listitem>
+ <para>
+ Invalid controlling tty.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>7</term>
+ <listitem>
+ <para>
+ Timestamp is not valid.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-notes'>
+ <title>NOTES</title>
+ <para>
+ Users can get confused when they are not always asked for passwords when
+running a given program. Some users reflexively begin typing information before
+noticing that it is not being asked for.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-examples'>
+ <title>EXAMPLES</title>
+ <programlisting>
+auth sufficient pam_timestamp.so verbose
+auth required pam_unix.so
+
+session required pam_unix.so
+session optional pam_timestamp.so
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="pam_timestamp-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/var/run/sudo/...</filename></term>
+ <listitem>
+ <para>timestamp files and directories</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_timestamp_check</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_timestamp-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_tally was written by Nalin Dahyabhai.
+ </para>
+ </refsect1>
+
+</refentry>
+
diff --git a/modules/pam_timestamp/pam_timestamp_check.c b/modules/pam_timestamp/pam_timestamp_check.c
new file mode 100644
index 00000000..52b5a95a
--- /dev/null
+++ b/modules/pam_timestamp/pam_timestamp_check.c
@@ -0,0 +1,42 @@
+/******************************************************************************
+ * A module for Linux-PAM that will cache authentication results, inspired by
+ * (and implemented with an eye toward being mixable with) sudo.
+ *
+ * Copyright (c) 2002 Red Hat, Inc.
+ * Written by Nalin Dahyabhai <nalin@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#define PAM_TIMESTAMP_MAIN 1
+#include "pam_timestamp.c"
diff --git a/modules/pam_timestamp/sha1.c b/modules/pam_timestamp/sha1.c
new file mode 100644
index 00000000..e6705eb5
--- /dev/null
+++ b/modules/pam_timestamp/sha1.c
@@ -0,0 +1,254 @@
+/* Yet another SHA-1 implementation.
+ *
+ * Copyright (c) 2003 Red Hat, Inc.
+ * Written by Nalin Dahyabhai <nalin@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* See http://www.itl.nist.gov/fipspubs/fip180-1.htm for descriptions. */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <endian.h>
+#include <unistd.h>
+#include "sha1.h"
+
+static unsigned char
+padding[SHA1_BLOCK_SIZE] = {
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static u_int32_t
+F(u_int32_t b, u_int32_t c, u_int32_t d)
+{
+ return (b & c) | ((~b) & d);
+}
+
+static u_int32_t
+G(u_int32_t b, u_int32_t c, u_int32_t d)
+{
+ return b ^ c ^ d;
+}
+
+static u_int32_t
+H(u_int32_t b, u_int32_t c, u_int32_t d)
+{
+ return (b & c) | (b & d) | (c & d);
+}
+
+static u_int32_t
+RL(u_int32_t n, u_int32_t s)
+{
+ return (n << s) | (n >> (32 - s));
+}
+
+static u_int32_t
+sha1_round(u_int32_t (*FUNC)(u_int32_t, u_int32_t, u_int32_t),
+ u_int32_t a, u_int32_t b, u_int32_t c, u_int32_t d, u_int32_t e,
+ u_int32_t i, u_int32_t n)
+{
+ return RL(a, 5) + FUNC(b, c, d) + e + i + n;
+}
+
+void
+sha1_init(struct sha1_context *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->a = 0x67452301;
+ ctx->b = 0xefcdab89;
+ ctx->c = 0x98badcfe;
+ ctx->d = 0x10325476;
+ ctx->e = 0xc3d2e1f0;
+}
+
+static void
+sha1_process(struct sha1_context *ctx, u_int32_t buffer[SHA1_BLOCK_SIZE / 4])
+{
+ u_int32_t a, b, c, d, e, temp;
+ u_int32_t data[80];
+ int i;
+
+ for (i = 0; i < 16; i++) {
+ data[i] = htonl(buffer[i]);
+ }
+ for (i = 16; i < 80; i++) {
+ data[i] = RL(data[i - 3] ^ data[i - 8] ^ data[i - 14] ^ data[i - 16], 1);
+ }
+
+ a = ctx->a;
+ b = ctx->b;
+ c = ctx->c;
+ d = ctx->d;
+ e = ctx->e;
+
+ for (i = 0; i < 20; i++) {
+ temp = sha1_round(F, a, b, c, d, e, data[i], 0x5a827999);
+ e = d; d = c; c = RL(b, 30); b = a; a = temp;
+ }
+ for (i = 20; i < 40; i++) {
+ temp = sha1_round(G, a, b, c, d, e, data[i], 0x6ed9eba1);
+ e = d; d = c; c = RL(b, 30); b = a; a = temp;
+ }
+ for (i = 40; i < 60; i++) {
+ temp = sha1_round(H, a, b, c, d, e, data[i], 0x8f1bbcdc);
+ e = d; d = c; c = RL(b, 30); b = a; a = temp;
+ }
+ for (i = 60; i < 80; i++) {
+ temp = sha1_round(G, a, b, c, d, e, data[i], 0xca62c1d6);
+ e = d; d = c; c = RL(b, 30); b = a; a = temp;
+ }
+
+ ctx->a += a;
+ ctx->b += b;
+ ctx->c += c;
+ ctx->d += d;
+ ctx->e += e;
+
+ memset(buffer, 0, sizeof(buffer[0]) * SHA1_BLOCK_SIZE / 4);
+ memset(data, 0, sizeof(data));
+}
+
+void
+sha1_update(struct sha1_context *ctx, const unsigned char *data, size_t length)
+{
+ size_t i = 0, l = length, c, t;
+ u_int32_t count = 0;
+
+ /* Process any pending + data blocks. */
+ while (l + ctx->pending_count >= SHA1_BLOCK_SIZE) {
+ c = ctx->pending_count;
+ t = SHA1_BLOCK_SIZE - c;
+ memcpy(ctx->pending + c, &data[i], t);
+ sha1_process(ctx, (u_int32_t*) ctx->pending);
+ i += t;
+ l -= t;
+ ctx->pending_count = 0;
+ }
+
+ /* Save what's left of the data block as a pending data block. */
+ c = ctx->pending_count;
+ memcpy(ctx->pending + c, &data[i], l);
+ ctx->pending_count += l;
+
+ /* Update the message length. */
+ ctx->count += length;
+
+ /* Update our internal counts. */
+ if (length != 0) {
+ count = ctx->counts[0];
+ ctx->counts[0] += length;
+ if (count >= ctx->counts[0]) {
+ ctx->counts[1]++;
+ }
+ }
+}
+
+size_t
+sha1_output(struct sha1_context *ctx, unsigned char *out)
+{
+ struct sha1_context ctx2;
+
+ /* Output the sum. */
+ if (out != NULL) {
+ u_int32_t c;
+ memcpy(&ctx2, ctx, sizeof(ctx2));
+
+ /* Pad this block. */
+ c = ctx2.pending_count;
+ memcpy(ctx2.pending + c,
+ padding, SHA1_BLOCK_SIZE - c);
+
+ /* Do we need to process two blocks now? */
+ if (c >= (SHA1_BLOCK_SIZE - (sizeof(u_int32_t) * 2))) {
+ /* Process this block. */
+ sha1_process(&ctx2,
+ (u_int32_t*) ctx2.pending);
+ /* Set up another block. */
+ ctx2.pending_count = 0;
+ memset(ctx2.pending, 0, SHA1_BLOCK_SIZE);
+ ctx2.pending[0] =
+ (c == SHA1_BLOCK_SIZE) ? 0x80 : 0;
+ }
+
+ /* Process the final block. */
+ ctx2.counts[1] <<= 3;
+ if (ctx2.counts[0] >> 29) {
+ ctx2.counts[1] |=
+ (ctx2.counts[0] >> 29);
+ }
+ ctx2.counts[0] <<= 3;
+ ctx2.counts[0] = htonl(ctx2.counts[0]);
+ ctx2.counts[1] = htonl(ctx2.counts[1]);
+ memcpy(ctx2.pending + 56,
+ &ctx2.counts[1], sizeof(u_int32_t));
+ memcpy(ctx2.pending + 60,
+ &ctx2.counts[0], sizeof(u_int32_t));
+ sha1_process(&ctx2, (u_int32_t*) ctx2.pending);
+
+ /* Output the data. */
+ out[ 3] = (ctx2.a >> 0) & 0xff;
+ out[ 2] = (ctx2.a >> 8) & 0xff;
+ out[ 1] = (ctx2.a >> 16) & 0xff;
+ out[ 0] = (ctx2.a >> 24) & 0xff;
+
+ out[ 7] = (ctx2.b >> 0) & 0xff;
+ out[ 6] = (ctx2.b >> 8) & 0xff;
+ out[ 5] = (ctx2.b >> 16) & 0xff;
+ out[ 4] = (ctx2.b >> 24) & 0xff;
+
+ out[11] = (ctx2.c >> 0) & 0xff;
+ out[10] = (ctx2.c >> 8) & 0xff;
+ out[ 9] = (ctx2.c >> 16) & 0xff;
+ out[ 8] = (ctx2.c >> 24) & 0xff;
+
+ out[15] = (ctx2.d >> 0) & 0xff;
+ out[14] = (ctx2.d >> 8) & 0xff;
+ out[13] = (ctx2.d >> 16) & 0xff;
+ out[12] = (ctx2.d >> 24) & 0xff;
+
+ out[19] = (ctx2.e >> 0) & 0xff;
+ out[18] = (ctx2.e >> 8) & 0xff;
+ out[17] = (ctx2.e >> 16) & 0xff;
+ out[16] = (ctx2.e >> 24) & 0xff;
+ }
+
+ return SHA1_OUTPUT_SIZE;
+}
diff --git a/modules/pam_timestamp/sha1.h b/modules/pam_timestamp/sha1.h
new file mode 100644
index 00000000..667b87ca
--- /dev/null
+++ b/modules/pam_timestamp/sha1.h
@@ -0,0 +1,60 @@
+/* Yet another SHA-1 implementation.
+ *
+ * Copyright (c) 2003 Red Hat, Inc.
+ * Written by Nalin Dahyabhai <nalin@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+#ifndef pam_timestamp_sha1_h
+#define pam_timestamp_sha1_h
+
+#include <sys/types.h>
+
+#define SHA1_BLOCK_SIZE 64
+
+struct sha1_context {
+ size_t count;
+ unsigned char pending[SHA1_BLOCK_SIZE];
+ u_int32_t counts[2];
+ size_t pending_count;
+ u_int32_t a, b, c, d, e;
+};
+
+#define SHA1_OUTPUT_SIZE 20
+
+void sha1_init(struct sha1_context *ctx);
+void sha1_update(struct sha1_context *ctx,
+ const unsigned char *data, size_t length);
+size_t sha1_output(struct sha1_context *ctx, unsigned char *out);
+
+#endif
diff --git a/modules/pam_timestamp/tst-pam_timestamp b/modules/pam_timestamp/tst-pam_timestamp
new file mode 100755
index 00000000..1d425b83
--- /dev/null
+++ b/modules/pam_timestamp/tst-pam_timestamp
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_timestamp.so