Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Build libpam modules in parallel.

MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division

style.Makefile(5) police
(I've tried to keep to the spirit of the original formatting)

Reviewed by: des

Switch to OpenPAM. Bump library version. Modules are now versioned, so
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.

Sponsored by: DARPA, NAI Labs

Connect the pam_lastlog(8) and pam_login_access(8) modules to the build.

Sponsored by: DARPA, NAI Labs

Add a new module, pam_opieaccess(8), which is responsible for checking
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.

Sponsored by: DARPA, NAI Labs
Reviewed by: ache, markm

Add a pam_self authentication module that succeeds if and only if the local
and remote user names are the same.

Sponsored by: DARPA, NAI Labs

Don't try to make pam_ssh module if NO_OPENSSH is set.

(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module
from ports.

Big module cleanup.

Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.

Build new modules.

Put a commented-out dependancy on libpam for the (shared) modules.
I can't bring this in just yet, as the dependancy (modules->libpam)
is reversed for the static case (libpam->modules).

Bring in a few useful PAM modules.

pam_krb5 is a Kerberos 5 (Heimdal) authentication module.

pam_nologin checks for /etc/nologin and does the "usual stuff"
if it is found, otherwise it silently succeeds.

pam_rootok silently succeeds if the user is root, otherwise
it fails.

pam_wheel silently succeeds if the user is a member of group
"wheel" (or another nominated group), and fails
otherwise.

There is an issue with kerberosIV and kerberos5 - if both are
being built, then static linking fails with duplicate symbols.
This will take a bit of work to sort out in the kerberii.

I've been meaning to take pam_ssh out of the base system for a while now.
Finally do it.

Connect pam_opie to the build.

Buildworld fixes for NO_OPENSSH and NO_OPENSSL

Approved by: jkh

Don't try to build k5 PAM; it ain't ready yet.

Argh, I can't win today. Spell ${.CURDIR} correctly.

Don't build pam_ssh if the crypto code is missing.

Found by: sos

Use libcrypto instead of libdes.

Also - OpenSSH blesses us with a module for PAM.

Don't include Kerberos if NOCRYPT is defined, because it isn't build
if NOCRYPT is defined. Likewise, don't include DES if NOSECURE is
defined.

Revive the pam_deny and pam_permit modules from Linux-PAM. They are
simple enough to be trusted.

Add account management functionality to the pam_unix module.

These changes should make it possible to use PAM in some ports.

Submitted by: Max Khon <fjoe@iclub.nsu.ru>

This commit was generated by cvs2svn to compensate for changes in r41227,
which included commits to RCS files with non-trunk default branches.

Build structure for contribified Linux-PAM, plus some home-grown
modules for FreeBSD's standard authentication methods. Although
the Linux-PAM modules are present in the contrib tree, we don't
use any of them.

The main library "libpam" is composed of sources taken from three
places. First are the standard Linux-PAM libpam sources from the
contrib tree. Second are the Linux-PAM "libpam_misc" sources, also
from the contrib tree. In Linux these form a separate library.
But as Mike Smith pointed out to me, that seems pointless, so I
have combined them into the libpam library. Third are some additional
sources from the "src/lib/libpam" tree with some common functions
that make it easier to write modules. Those I wrote myself.

This work has been donated to FreeBSD by Juniper Networks, Inc.