authorJerry Jelinek <jerry.jelinek@joyent.com>2016-01-26 12:53:57 +0000
committerJerry Jelinek <jerry.jelinek@joyent.com>2016-01-26 12:53:57 +0000
commitfb4e3c3f5a33935d1616690bd37c838ff7c7cbdc (patch)
treec6356b5027b73f1d006bde55e989b8086cc5bda0
parentf9534ac90ddb8fd2ab27923d7ec4d48c58807f96 (diff)
parent2de0a7d66c00b4cb047dc93352fe8b77707d2838 (diff)
[illumos-gate merge]
commit 2de0a7d66c00b4cb047dc93352fe8b77707d2838
-rw-r--r--usr/src/cmd/bnu/in.uucpd.c4
-rw-r--r--usr/src/cmd/cmd-inet/usr.bin/finger.c11
-rw-r--r--usr/src/cmd/cmd-inet/usr.bin/pppd/auth.c17
-rw-r--r--usr/src/cmd/login/login.c109
-rw-r--r--usr/src/head/lastlog.h19
-rw-r--r--usr/src/lib/pam_modules/unix_account/unix_acct.c50
-rw-r--r--usr/src/lib/pam_modules/unix_session/unix_session.c264
-rw-r--r--usr/src/man/man1/finger.19
-rw-r--r--usr/src/man/man1/login.114
-rw-r--r--usr/src/man/man1m/in.fingerd.1m9
-rw-r--r--usr/src/man/man1m/in.uucpd.1m24
-rw-r--r--usr/src/man/man4/shadow.49
-rw-r--r--usr/src/man/man4/sshd_config.sunssh.43
-rw-r--r--usr/src/man/man5/pam_unix_session.513
14 files changed, 282 insertions, 273 deletions
diff --git a/usr/src/cmd/bnu/in.uucpd.c b/usr/src/cmd/bnu/in.uucpd.c
index 968c752614..bc0b372f3e 100644
--- a/usr/src/cmd/bnu/in.uucpd.c
+++ b/usr/src/cmd/bnu/in.uucpd.c
@@ -23,6 +23,8 @@
* Use is subject to license terms.
*/
+#pragma ident "%Z%%M% %I% %E% SMI"
+
/*
* 4.2BSD, 2.9BSD, or ATTSVR4 TCP/IP server for uucico
* uucico's TCP channel causes this server to be run at the remote end.
@@ -48,6 +50,7 @@
#ifdef ATTSVR4
#include <shadow.h>
#endif
+#include <lastlog.h>
#include <security/pam_appl.h>
@@ -62,6 +65,7 @@ pam_handle_t *pamh;
--- You may not have both BSD4_2 and BSD2_9 defined for this to work
#endif /* check for stupidity */
+char lastlog[] = "/var/adm/lastlog";
struct passwd nouser = {
"", "nope", (uid_t)-1, (gid_t)-1, "", "", "", "", "" };
#ifdef ATTSVR4
diff --git a/usr/src/cmd/cmd-inet/usr.bin/finger.c b/usr/src/cmd/cmd-inet/usr.bin/finger.c
index ba595ef1d4..cdc94a7be6 100644
--- a/usr/src/cmd/cmd-inet/usr.bin/finger.c
+++ b/usr/src/cmd/cmd-inet/usr.bin/finger.c
@@ -128,6 +128,7 @@ struct person { /* one for each person fingered */
struct person *link; /* link to next person */
};
+char LASTLOG[] = "/var/adm/lastlog"; /* last login info */
char PLAN[] = "/.plan"; /* what plan file is */
char PROJ[] = "/.project"; /* what project file */
@@ -732,9 +733,8 @@ decode(struct person *pers)
void
fwopen(void)
{
- if ((lf = fopen(_PATH_LASTLOG, "r")) == NULL)
- (void) fprintf(stderr, "finger: %s open error\n",
- _PATH_LASTLOG);
+ if ((lf = fopen(LASTLOG, "r")) == NULL)
+ (void) fprintf(stderr, "finger: %s open error\n", LASTLOG);
}
void
@@ -759,15 +759,14 @@ findwhen(struct person *pers)
} else {
if (ferror(lf))
(void) fprintf(stderr,
- "finger: %s read error\n",
- _PATH_LASTLOG);
+ "finger: %s read error\n", LASTLOG);
pers->tty[0] = 0;
pers->host[0] = 0;
pers->loginat = 0L;
}
} else {
(void) fprintf(stderr, "finger: %s fseeko error\n",
- _PATH_LASTLOG);
+ LASTLOG);
}
} else {
pers->tty[0] = 0;
diff --git a/usr/src/cmd/cmd-inet/usr.bin/pppd/auth.c b/usr/src/cmd/cmd-inet/usr.bin/pppd/auth.c
index c6bc01c40b..9bf6587bde 100644
--- a/usr/src/cmd/cmd-inet/usr.bin/pppd/auth.c
+++ b/usr/src/cmd/cmd-inet/usr.bin/pppd/auth.c
@@ -35,6 +35,7 @@
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+#pragma ident "%Z%%M% %I% %E% SMI"
#define RCSID "$Id: auth.c,v 1.65 2000/04/15 01:27:10 masputra Exp $"
/* Pull in crypt() definition. */
@@ -1370,6 +1371,22 @@ plogin(user, passwd, msg)
tty += 5;
logwtmp(tty, user, remote_name); /* Add wtmp login entry */
+#ifdef _PATH_LASTLOG
+ if (!use_pam && pw != (struct passwd *)NULL) {
+ struct lastlog ll;
+ int fd;
+
+ if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
+ (void)lseek(fd, (off_t)(pw->pw_uid * sizeof(ll)), SEEK_SET);
+ BZERO((void *)&ll, sizeof(ll));
+ (void)time(&ll.ll_time);
+ (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
+ (void)write(fd, (char *)&ll, sizeof(ll));
+ (void)close(fd);
+ }
+ }
+#endif /* _PATH_LASTLOG */
+
info("user %s logged in", user);
logged_in = 1;
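Review bot: The lastlog update added to plogin() ignores the results of lseek() and write(), and it multiplies `pw->pw_uid * sizeof(ll)` before the cast to `off_t`, so on a 32-bit build a large uid can wrap and the record would be written into a different user's slot. Widening first and checking the seek avoids that: `off_t off = (off_t)pw->pw_uid * (off_t)sizeof(ll);` followed by `if (lseek(fd, off, SEEK_SET) == off && write(fd, &ll, sizeof(ll)) != sizeof(ll)) warn(...)`. `time(&ll.ll_time)` passes a `time32_t *` where a `time_t *` is expected when `_LP64` is defined (per the lastlog.h change in this commit); filling a local `time_t` and assigning it is safer. The block is guarded by `_PATH_LASTLOG`, which this commit removes from lastlog.h, so unless another header defines it the code is compiled out and non-PAM pppd logins leave no lastlog record. plogin() starts and ends outside the hunk.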
diff --git a/usr/src/cmd/login/login.c b/usr/src/cmd/login/login.c
index f664405296..af665fec75 100644
--- a/usr/src/cmd/login/login.c
+++ b/usr/src/cmd/login/login.c
@@ -69,6 +69,7 @@
#include <deflt.h>
#include <grp.h>
#include <fcntl.h>
+#include <lastlog.h>
#include <termio.h>
#include <utmpx.h>
#include <stdlib.h>
@@ -158,6 +159,7 @@ static int retry = MAXTRYS;
#define SHELL "/usr/bin/sh"
#define SHELL2 "/sbin/sh"
#define SUBLOGIN "<!sublogin>"
+#define LASTLOG "/var/adm/lastlog"
#define PROG_NAME "login"
#define HUSHLOGIN ".hushlogin"
@@ -272,6 +274,8 @@ static struct passwd nouser = { "", "no:password", (uid_t)-1 };
*/
static char *log_entry[LOGTRYS];
static int writelog = 0;
+static int lastlogok = 0;
+static struct lastlog ll;
static int dosyslog = 0;
static int flogin = MAXTRYS; /* flag for SYSLOG_FAILED_LOGINS */
@@ -353,11 +357,14 @@ static void process_rlogin(void);
static void login_authenticate();
static void setup_credentials(void);
static void adjust_nice(void);
-static void update_utmpx_entry(int, boolean_t);
+static void update_utmpx_entry(int);
static void establish_user_environment(char **);
+static void print_banner(void);
+static void display_last_login_time(void);
static void exec_the_shell(void);
static int process_chroot_logins(void);
static void chdir_to_dir_user(void);
+static void check_log(void);
static void validate_account(void);
static void doremoteterm(char *);
static int get_options(int, char **);
@@ -388,7 +395,6 @@ main(int argc, char *argv[], char **renvp)
{
int sublogin;
int pam_rc;
- boolean_t silent = B_FALSE;
login_pid = getpid();
@@ -577,15 +583,13 @@ main(int argc, char *argv[], char **renvp)
setup_credentials(); /* Set user credentials - exits on failure */
- if (chdir(pwd->pw_dir) == 0)
- silent = (access(HUSHLOGIN, F_OK) == 0);
/*
* NOTE: telnetd and rlogind rely upon this updating of utmpx
* to indicate that the authentication completed successfully,
* pam_open_session was called and therefore they are required to
* call pam_close_session.
*/
- update_utmpx_entry(sublogin, silent);
+ update_utmpx_entry(sublogin);
/* set the real (and effective) UID */
if (setuid(pwd->pw_uid) == -1) {
@@ -618,6 +622,16 @@ main(int argc, char *argv[], char **renvp)
(void) signal(SIGINT, SIG_DFL);
/*
+ * Display some useful information to the new user like the banner
+ * and last login time if not a quiet login.
+ */
+
+ if (access(HUSHLOGIN, F_OK) != 0) {
+ print_banner();
+ display_last_login_time();
+ }
+
+ /*
* Set SIGXCPU and SIGXFSZ to default disposition.
* Shells inherit signal disposition from parent.
* And the shells should have default dispositions
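Review bot: `access(HUSHLOGIN, F_OK)` uses a relative path, so the quiet-login decision depends on the working directory already being the user's home when this line runs, and the `chdir(pwd->pw_dir)` that used to precede the check is removed earlier in this commit. The chdir that makes this valid is not visible in the hunk; I would add a comment such as `/* relies on the earlier chdir to pw_dir; otherwise .hushlogin is looked up in the wrong directory */`, or build the path from `pwd->pw_dir`.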
@@ -1632,6 +1646,8 @@ validate_account(void)
(void) alarm(0); /* give user time to come up with password */
+ check_log();
+
if (Passreqflag)
flag = PAM_DISALLOW_NULL_AUTHTOK;
else
@@ -1682,6 +1698,29 @@ validate_account(void)
}
/*
+ * Check_log - This is really a hack because PAM checks the log, but login
+ * wants to know if the log is okay and PAM doesn't have
+ * a module independent way of handing this info back.
+ */
+
+static void
+check_log(void)
+{
+ int fdl;
+ long long offset;
+
+ offset = (long long) pwd->pw_uid * (long long) sizeof (struct lastlog);
+
+ if ((fdl = open(LASTLOG, O_RDWR|O_CREAT, 0444)) >= 0) {
+ if (llseek(fdl, offset, SEEK_SET) == offset &&
+ read(fdl, (char *)&ll, sizeof (ll)) == sizeof (ll) &&
+ ll.ll_time != 0)
+ lastlogok = 1;
+ (void) close(fdl);
+ }
+}
+
+/*
* chdir_to_dir_user - Now chdir after setuid/setgid have happened to
* place us in the user's home directory just in
* case it was protected and the first chdir failed.
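Review bot: check_log() only reads the record, yet it opens the file with `O_RDWR|O_CREAT`, so login asks for write access and may create /var/adm/lastlog just to look at it; `open(LASTLOG, O_RDONLY)` is enough here. The same flags are used in check_for_login_inactivity() in unix_acct.c, which also only reads and, with the `sp_inact > 0` early return removed, now opens the file on every account check. The header comment could also say that `ll` holds bytes straight from the file, so `ll_line` and `ll_host` may lack a terminating NUL and must be printed with a bounded precision.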
@@ -1922,6 +1961,8 @@ get_audit_id(void)
* adjust_nice
* update_utmpx_entry
* establish_user_environment
+ * print_banner
+ * display_last_login_time
* exec_the_shell
*
*/
@@ -1963,7 +2004,7 @@ adjust_nice(void)
*/
static void
-update_utmpx_entry(int sublogin, boolean_t silent)
+update_utmpx_entry(int sublogin)
{
int err;
char *user;
@@ -1973,10 +2014,6 @@ update_utmpx_entry(int sublogin, boolean_t silent)
struct utmpx *u = (struct utmpx *)0;
struct utmpx utmpx;
char *ttyntail;
- int pamflags = 0;
-
- if (silent)
- pamflags |= PAM_SILENT;
/*
* If we're not a sublogin then
@@ -1987,7 +2024,7 @@ update_utmpx_entry(int sublogin, boolean_t silent)
* exist.
*/
- if ((err = pam_open_session(pamh, pamflags)) != PAM_SUCCESS) {
+ if ((err = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
audit_error = ADT_FAIL_PAM + err;
login_exit(1);
}
@@ -2378,6 +2415,56 @@ switch_env:
}
/*
+ * print_banner - Print the banner at start up
+ * Do not turn on DOBANNER ifdef. This is not
+ * relevant to SunOS.
+ */
+
+static void
+print_banner(void)
+{
+#ifdef DOBANNER
+ uname(&un);
+#if i386
+ (void) printf("UNIX System V/386 Release %s\n%s\n"
+ "Copyright (C) 1984, 1986, 1987, 1988 AT&T\n"
+ "Copyright (C) 1987, 1988 Microsoft Corp.\nAll Rights Reserved\n",
+ un.release, un.nodename);
+#elif sun
+ (void) printf("SunOS Release %s Sun Microsystems %s\n%s\n"
+ "Copyright (c) 1984, 1986, 1987, 1988 AT&T\n"
+ "Copyright (c) 1988, 1989, 1990, 1991 Sun Microsystems\n"
+ "All Rights Reserved\n",
+ un.release, un.machine, un.nodename);
+#else
+ (void) printf("UNIX System V Release %s AT&T %s\n%s\n"
+ "Copyright (c) 1984, 1986, 1987, 1988 AT&T\nAll Rights Reserved\n",
+ un.release, un.machine, un.nodename);
+#endif /* i386 */
+#endif /* DOBANNER */
+}
+
+/*
+ * display_last_login_time - Advise the user the time and date
+ * that this login-id was last used.
+ */
+
+static void
+display_last_login_time(void)
+{
+ if (lastlogok) {
+ (void) printf("Last login: %.*s ", 24-5, ctime(&ll.ll_time));
+
+ if (*ll.ll_host != '\0')
+ (void) printf("from %.*s\n", sizeof (ll.ll_host),
+ ll.ll_host);
+ else
+ (void) printf("on %.*s\n", sizeof (ll.ll_line),
+ ll.ll_line);
+ }
+}
+
+/*
* exec_the_shell - invoke the specified shell or start up program
*/
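Review bot: In display_last_login_time() the `*` precision of `%.*s` is given `sizeof (ll.ll_host)` and `sizeof (ll.ll_line)`, which are `size_t` where printf expects an `int`; that is undefined behaviour wherever the two types differ in width, so cast them: `(int)sizeof (ll.ll_host)`, `(int)sizeof (ll.ll_line)`. `ctime(&ll.ll_time)` has a similar mismatch when `_LP64` is defined, because lastlog.h in this commit makes `ll_time` a `time32_t`; copy it into a local `time_t` first and handle a NULL return. The host and line bytes are printed exactly as read from the file, and `ll_host` is filled from the remote host name in unix_session.c, so replacing non-printable bytes before printing would keep a crafted name from sending control sequences to the terminal.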
diff --git a/usr/src/head/lastlog.h b/usr/src/head/lastlog.h
index c32050bc1f..3a4e336c1c 100644
--- a/usr/src/head/lastlog.h
+++ b/usr/src/head/lastlog.h
@@ -34,22 +34,27 @@
#ifndef _LASTLOG_H
#define _LASTLOG_H
-#include <utmpx.h>
+
+#pragma ident "%Z%%M% %I% %E% SMI"
#ifdef __cplusplus
extern "C" {
#endif
-#include <sys/types.h>
+#ifdef _LP64
+#include <sys/types32.h>
+#endif
struct lastlog {
- int64_t ll_time;
- char ll_line[sizeof (((struct utmpx *)0)->ut_line)];
- char ll_host[sizeof (((struct utmpx *)0)->ut_host)];
+#ifdef _LP64
+ time32_t ll_time;
+#else
+ time_t ll_time;
+#endif
+ char ll_line[8];
+ char ll_host[16]; /* same as in utmp */
};
-#define _PATH_LASTLOG "/var/adm/lastlog.v2"
-
#ifdef __cplusplus
}
#endif
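Review bot: `struct lastlog` goes back to `ll_line[8]` and `ll_host[16]` with a 32-bit `ll_time` under `_LP64`, so long host names and most textual IPv6 addresses are truncated in the record, and the timestamp cannot go past 2038. That makes the "last login from" value an unreliable indicator of origin, which is worth stating next to the struct. I would add a comment along the lines of `/* fixed-width on-disk record: ll_line/ll_host are truncated to fit and may lack a terminating NUL; readers must bound every access */`, since the only existing comment, on `ll_host`, just says "same as in utmp".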
diff --git a/usr/src/lib/pam_modules/unix_account/unix_acct.c b/usr/src/lib/pam_modules/unix_account/unix_acct.c
index 2b095118b3..110eff6d9d 100644
--- a/usr/src/lib/pam_modules/unix_account/unix_acct.c
+++ b/usr/src/lib/pam_modules/unix_account/unix_acct.c
@@ -53,6 +53,7 @@
#include <libintl.h>
#include <passwdutil.h>
+#define LASTLOG "/var/adm/lastlog"
#define LOGINADMIN "/etc/default/login"
#define UNIX_AUTH_DATA "SUNW-UNIX-AUTH-DATA"
#define UNIX_AUTHTOK_DATA "SUNW-UNIX-AUTHTOK-DATA"
@@ -88,16 +89,13 @@ check_for_login_inactivity(
struct spwd *shpwd)
{
int fdl;
+ struct lastlog ll;
int retval;
offset_t offset;
- time_t lltime = 0;
- if (!(shpwd->sp_inact > 0))
- return (0);
+ offset = (offset_t)pw_uid * (offset_t)sizeof (struct lastlog);
- if ((fdl = open(_PATH_LASTLOG, O_RDONLY)) >= 0) {
- struct lastlog ll;
- offset = (offset_t)(pw_uid * sizeof (struct lastlog));
+ if ((fdl = open(LASTLOG, O_RDWR|O_CREAT, 0444)) >= 0) {
/*
* Read the last login (ll) time
*/
@@ -112,29 +110,31 @@ check_for_login_inactivity(
retval = read(fdl, (char *)&ll, sizeof (ll));
- if (retval == sizeof (ll))
- lltime = ll.ll_time;
+ /* Check for login inactivity */
- (void) close(fdl);
- }
- /* Check for login inactivity */
- if (lltime) {
- /*
- * account inactive too long.
- * and no update password set
- * and no last pwd change date in shadow file
- * and last pwd change more than inactive time
- * then account inactive too long and no access.
- */
- if ((((lltime / DAY) + shpwd->sp_inact) < DAY_NOW) &&
- (shpwd->sp_lstchg != 0) &&
- (shpwd->sp_lstchg != -1) &&
- ((shpwd->sp_lstchg + shpwd->sp_inact) < DAY_NOW)) {
+ if ((shpwd->sp_inact > 0) && (retval == sizeof (ll)) &&
+ ll.ll_time) {
/*
- * Account inactive for too long
+ * account inactive too long.
+ * and no update password set
+ * and no last pwd change date in shadow file
+ * and last pwd change more than inactive time
+ * then account inactive too long and no access.
*/
- return (1);
+ if (((time_t)((ll.ll_time / DAY) + shpwd->sp_inact)
+ < DAY_NOW) &&
+ (shpwd->sp_lstchg != 0) &&
+ (shpwd->sp_lstchg != -1) &&
+ ((shpwd->sp_lstchg + shpwd->sp_inact) < DAY_NOW)) {
+ /*
+ * Account inactive for too long
+ */
+ (void) close(fdl);
+ return (1);
+ }
}
+
+ (void) close(fdl);
}
return (0);
}
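Review bot: A failed or short read of the lastlog record makes check_for_login_inactivity() fall through to `return (0)`, so the account is treated as active and nothing is logged. End of file is normal for a user who has never logged in, but an I/O error is not, and the two are not told apart; something like `if (retval < 0) syslog(LOG_ERR, "pam_unix_account: lastlog read failed: %m");` before the inactivity test would make the skipped check visible (assuming syslog is available in this module, which the hunk does not show). The llseek() call sits between the two hunks and is not visible here.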
diff --git a/usr/src/lib/pam_modules/unix_session/unix_session.c b/usr/src/lib/pam_modules/unix_session/unix_session.c
index 0c10906e47..e401d534ea 100644
--- a/usr/src/lib/pam_modules/unix_session/unix_session.c
+++ b/usr/src/lib/pam_modules/unix_session/unix_session.c
@@ -22,10 +22,11 @@
/*
* Copyright 2005 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
- * Copyright 2015 Lauri Tirkkonen.
* Copyright 2016 Toomas Soome <tsoome@me.com>
*/
+#pragma ident "%Z%%M% %I% %E% SMI"
+
#include <strings.h>
#include <sys/types.h>
#include <sys/wait.h>
@@ -54,16 +55,7 @@
#include <assert.h>
#include <nss_dbdefs.h>
-#define LASTLOG_LEGACY "/var/adm/lastlog"
-struct lastlog_legacy {
-#ifdef _LP64
- time32_t ll_time;
-#else
- time_t ll_time;
-#endif
- char ll_line[8];
- char ll_host[16];
-};
+#define LASTLOG "/var/adm/lastlog"
/*
* pam_sm_close_session - Terminate a PAM authenticated session
@@ -90,115 +82,6 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
return (PAM_SUCCESS);
}
-static int
-lastlog_seek(int fdl, uid_t uid, boolean_t legacy)
-{
- offset_t offset;
-
- offset = uid;
- if (legacy)
- offset *= sizeof (struct lastlog_legacy);
- else
- offset *= sizeof (struct lastlog);
-
- if (llseek(fdl, offset, SEEK_SET) != offset) {
- syslog(LOG_ERR, "pam_unix_session: %slastlog seek failed for "
- "uid %d: %m", (legacy ? "legacy " : ""), uid);
- return (-1);
- }
- return (0);
-}
-
-static int
-lastlog_read(int fdl, uid_t uid, struct lastlog *out, boolean_t legacy)
-{
- ssize_t nread = 0;
- ssize_t llsize;
- struct lastlog ll;
- struct lastlog_legacy ll_legacy;
- void *llp;
-
- if (legacy) {
- llp = &ll_legacy;
- llsize = sizeof (ll_legacy);
- } else {
- llp = &ll;
- llsize = sizeof (ll);
- }
-
- if (lastlog_seek(fdl, uid, legacy) == -1)
- return (-1);
-
- while (nread < llsize) {
- ssize_t ret;
-reread:
- ret = read(fdl, ((char *)llp) + nread, llsize - nread);
- if (ret < 0) {
- if (errno == EINTR)
- goto reread;
- syslog(LOG_ERR, "pam_unix_session: read %slastlog "
- "failed for uid %d: %m", (legacy ? "legacy " : ""),
- uid);
- return (-1);
- } else if (ret == 0) {
- if (nread == 0) {
- out->ll_time = 0;
- return (-1);
- }
- syslog(LOG_ERR, "pam_unix_session: %slastlog short "
- "read for uid %d", (legacy ? "legacy " : ""), uid);
- return (-1);
- }
- nread += ret;
- }
- if (legacy) {
- out->ll_time = ll_legacy.ll_time;
- ll_legacy.ll_line[sizeof (ll_legacy.ll_line) - 1] = '\0';
- ll_legacy.ll_host[sizeof (ll_legacy.ll_host) - 1] = '\0';
- (void) strlcpy(out->ll_line, ll_legacy.ll_line,
- sizeof (out->ll_line));
- (void) strlcpy(out->ll_host, ll_legacy.ll_host,
- sizeof (out->ll_line));
- } else {
- out->ll_time = ll.ll_time;
- ll.ll_line[sizeof (ll.ll_line) - 1] = '\0';
- ll.ll_host[sizeof (ll.ll_host) - 1] = '\0';
- (void) strlcpy(out->ll_line, ll.ll_line,
- sizeof (out->ll_line));
- (void) strlcpy(out->ll_host, ll.ll_host,
- sizeof (out->ll_host));
- }
- return (0);
-}
-
-static int
-lastlog_write(int fdl, uid_t uid, const struct lastlog *ll)
-{
- ssize_t nwritten = 0;
- if (lastlog_seek(fdl, uid, B_FALSE))
- return (-1);
-
- while (nwritten < sizeof (*ll)) {
- ssize_t ret;
-rewrite:
- ret = write(fdl, ((char *)ll) + nwritten,
- sizeof (*ll) - nwritten);
- if (ret < 0) {
- if (errno == EINTR)
- goto rewrite;
- syslog(LOG_ERR, "pam_unix_session: write lastlog "
- "failed for uid %d: %m", uid);
- return (-1);
- } else if (ret == 0) {
- syslog(LOG_ERR, "pam_unix_session: lastlog short "
- "write for uid %d", uid);
- return (-1);
- }
- nwritten += ret;
- }
- return (0);
-}
-
/*ARGSUSED*/
int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
@@ -207,15 +90,13 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
int error;
char *ttyn, *rhost, *user;
int fdl;
- struct lastlog newll = { 0 };
- struct lastlog legacyll;
- struct lastlog ll;
- struct lastlog *llp = NULL;
+ struct lastlog newll;
struct passwd pwd;
char buffer[NSS_BUFLEN_PASSWD];
int i;
int debug = 0;
- time_t cur_time;
+ offset_t offset;
+ time_t cur_time;
for (i = 0; i < argc; i++) {
if (strcasecmp(argv[i], "debug") == 0)
@@ -250,91 +131,62 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
return (PAM_USER_UNKNOWN);
}
- ll.ll_time = 0;
-reopenll_ro:
- fdl = open(_PATH_LASTLOG, O_RDONLY);
- if (fdl < 0) {
- if (errno == EINTR)
- goto reopenll_ro;
- if (errno != ENOENT)
- syslog(LOG_ERR, "pam_unix_session: unable to open "
- "lastlog for uid %d: %m", pwd.pw_uid);
- } else {
- if (lastlog_read(fdl, pwd.pw_uid, &ll, B_FALSE) == 0)
- llp = &ll;
- (void) close(fdl);
- }
-
- if ((fdl = open(LASTLOG_LEGACY, O_RDONLY)) >= 0) {
- if (lastlog_read(fdl, pwd.pw_uid, &legacyll, B_TRUE) == 0 &&
- legacyll.ll_time > ll.ll_time)
- llp = &legacyll;
- (void) close(fdl);
- }
+ if ((fdl = open(LASTLOG, O_RDWR|O_CREAT|O_DSYNC, 0444)) >= 0) {
+ /*
+ * The value of lastlog is read by the UNIX
+ * account management module
+ */
+ offset = (offset_t)pwd.pw_uid *
+ (offset_t)sizeof (struct lastlog);
+
+ if (llseek(fdl, offset, SEEK_SET) != offset) {
+ syslog(LOG_ERR,
+ "pam_unix_session: Can't update lastlog: uid %d "
+ "too large", pwd.pw_uid);
+ (void) close(fdl);
+ return (PAM_SUCCESS);
+ }
+ /*
+ * use time32_t in case of _LP64
+ * since it's written in lastlog.h
+ */
+ (void) time(&cur_time);
- if (llp != NULL && llp->ll_time != 0 && !(flags & PAM_SILENT)) {
- char timestr[26];
- char msg[PAM_MAX_MSG_SIZE];
- int ret;
- time_t t = llp->ll_time;
- (void) ctime_r(&t, timestr, sizeof (timestr));
- timestr[strcspn(timestr, "\n")] = '\0';
- if (strcmp(llp->ll_host, "") != 0) {
- ret = snprintf(msg, PAM_MAX_MSG_SIZE,
- "Last login: %s from %s", timestr, llp->ll_host);
- } else if (strcmp(llp->ll_line, "") != 0) {
- ret = snprintf(msg, PAM_MAX_MSG_SIZE,
- "Last login: %s on %s", timestr, llp->ll_line);
+ bzero((char *)&newll, sizeof (struct lastlog));
+#ifdef _LP64
+ newll.ll_time = (time32_t)cur_time;
+#else
+ newll.ll_time = cur_time;
+#endif
+ if ((strncmp(ttyn, "/dev/", 5) == 0)) {
+ (void) strlcpy(newll.ll_line,
+ (ttyn + sizeof ("/dev/")-1),
+ sizeof (newll.ll_line));
} else {
- ret = snprintf(msg, PAM_MAX_MSG_SIZE,
- "Last login: %s", timestr);
+ (void) strlcpy(newll.ll_line, ttyn,
+ sizeof (newll.ll_line));
}
- if (!(ret < 0 || ret >= PAM_MAX_MSG_SIZE)) {
- (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &msg,
- NULL);
+ if (rhost != NULL) {
+ (void) strlcpy(newll.ll_host, rhost,
+ sizeof (newll.ll_host));
}
- }
-
-reopenll_rw:
- fdl = open(_PATH_LASTLOG, O_RDWR|O_CREAT|O_DSYNC, 0444);
- if (fdl < 0) {
- if (errno == EINTR)
- goto reopenll_rw;
- syslog(LOG_ERR, "pam_unix_session: unable to open lastlog for "
- "writing for uid %d: %m", pwd.pw_uid);
- return (PAM_SUCCESS);
- }
-
- (void) time(&cur_time);
-
- newll.ll_time = cur_time;
- if ((strncmp(ttyn, "/dev/", 5) == 0)) {
- (void) strlcpy(newll.ll_line,
- (ttyn + sizeof ("/dev/")-1),
- sizeof (newll.ll_line));
- } else {
- (void) strlcpy(newll.ll_line, ttyn,
- sizeof (newll.ll_line));
- }
- if (rhost != NULL) {
- (void) strlcpy(newll.ll_host, rhost,
- sizeof (newll.ll_host));
- }
-
- if (debug) {
- char buf[26];
-
- (void) ctime_r((const time_t *)&cur_time, buf,
- sizeof (buf));
- buf[24] = '\000';
- syslog(LOG_DEBUG, "pam_unix_session: "
- "user = %s, time = %s, tty = %s, host = %s.",
- user, buf, newll.ll_line, newll.ll_host);
- }
- (void) lastlog_write(fdl, pwd.pw_uid, &newll);
- if (close(fdl) < 0) {
- syslog(LOG_ERR, "pam_unix_session: unable to close lastlog for"
- " uid %d: %m", pwd.pw_uid);
+ if (debug) {
+ char buf[26];
+
+ (void) ctime_r((const time_t *)&cur_time, buf,
+ sizeof (buf));
+ buf[24] = '\000';
+ syslog(LOG_DEBUG, "pam_unix_session: "
+ "user = %s, time = %s, tty = %s, host = %s.",
+ user, buf, newll.ll_line, newll.ll_host);
+ }
+ if (write(fdl, (char *)&newll, sizeof (newll))
+ != sizeof (newll))
+ syslog(LOG_ERR, "pam_unix_session: Can't write "
+ "lastlog: uid %d: %m", pwd.pw_uid);
+ if (close(fdl) != 0)
+ syslog(LOG_ERR, "pam_unix_session: Can't close "
+ "lastlog: uid %d: %m", pwd.pw_uid);
}
return (PAM_SUCCESS);
}
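Review bot: When `open(LASTLOG, O_RDWR|O_CREAT|O_DSYNC, 0444)` fails, pam_sm_open_session() now skips the whole block and returns PAM_SUCCESS without a log entry, so a missing or unwritable lastlog silently stops last-login records from being kept. An `else` branch such as `syslog(LOG_ERR, "pam_unix_session: Can't open lastlog: uid %d: %m", pwd.pw_uid);` keeps that visible to whoever monitors syslog. The single `write()` is not retried on EINTR or a short write, which the removed lastlog_write() helper did handle, and the llseek() failure message says "uid too large" whatever the actual errno was; adding `%m` there would help. The function starts outside the hunk.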
diff --git a/usr/src/man/man1/finger.1 b/usr/src/man/man1/finger.1
index b82ed09a1c..44830a0d89 100644
--- a/usr/src/man/man1/finger.1
+++ b/usr/src/man/man1/finger.1
@@ -2,7 +2,7 @@
.\" Copyright 1989 AT&T
.\" Copyright (c) 1980 Regents of the University of California. All rights reserved. The Berkeley software License Agreement specifies the terms and conditions for redistribution.
.\" Copyright (c) 2000, Sun Microsystems, Inc. All Rights Reserved.
-.TH FINGER 1 "Nov 9, 2015"
+.TH FINGER 1 "Nov 6, 2000"
.SH NAME
finger \- display information about local and remote users
.SH SYNOPSIS
@@ -23,6 +23,7 @@ finger \- display information about local and remote users
.fi
.SH DESCRIPTION
+.sp
.LP
By default, the \fBfinger\fR command displays in multi-column format the
following information about each logged-in user:
@@ -134,6 +135,7 @@ allows all characters greater than decimal 126 \fBASCII\fR. \fBPASS=low,high\fR
or \fBPASS=high,low\fR allows both characters less than 32 and greater than 126
to pass through.
.SH OPTIONS
+.sp
.LP
The following options are supported, except that the \fIusername@hostname\fR
form supports only the \fB-l\fR option:
@@ -232,6 +234,7 @@ Suppresses printing the full name in a short format printout.
.RE
.SH FILES
+.sp
.ne 2
.na
\fB\fB$HOME/.plan \fR \fR
@@ -270,7 +273,7 @@ password file
.sp
.ne 2
.na
-\fB\fB/var/adm/lastlog.v2\fR \fR
+\fB\fB/var/adm/lastlog\fR \fR
.ad
.RS 24n
time of last login
@@ -286,6 +289,7 @@ accounting
.RE
.SH SEE ALSO
+.sp
.LP
\fBpasswd\fR(1), \fBwho\fR(1), \fBwhois\fR(1), \fBpasswd\fR(4),
\fBattributes\fR(5)
@@ -295,6 +299,7 @@ Zimmerman, D., \fIThe Finger User Information Protocol\fR, RFC 1288, Center for
Discrete Mathematics and Theoretical Computer Science (DIMACS), Rutgers
University, December 1991.
.SH NOTES
+.sp
.LP
The \fBfinger user information protocol\fR limits the options that may be used
with the remote form of this command.
diff --git a/usr/src/man/man1/login.1 b/usr/src/man/man1/login.1
index 4cac809780..20cc1516e7 100644
--- a/usr/src/man/man1/login.1
+++ b/usr/src/man/man1/login.1
@@ -4,7 +4,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH LOGIN 1 "Nov 9, 2015"
+.TH LOGIN 1 "Jan 7, 2008"
.SH NAME
login \- sign on to the system
.SH SYNOPSIS
@@ -17,6 +17,7 @@ login \- sign on to the system
.fi
.SH DESCRIPTION
+.sp
.LP
The \fBlogin\fR command is used at the beginning of each terminal session to
identify oneself to the system. \fBlogin\fR is invoked by the system when a
@@ -199,6 +200,7 @@ To enable remote logins by root, edit the \fB/etc/default/login\fR file by
inserting a \fB#\fR (pound sign) before the \fBCONSOLE=/dev/console\fR entry.
See FILES.
.SH SECURITY
+.sp
.LP
For accounts in name services which support automatic account locking, the
account can be configured to be automatically locked (see \fBuser_attr\fR(4)
@@ -252,6 +254,7 @@ can be prompted for multiple passwords.
When \fBlogin\fR is invoked through \fBrlogind\fR or \fBtelnetd\fR, the service
name used by \fBPAM\fR is \fBrlogin\fR or \fBtelnet\fR, respectively.
.SH OPTIONS
+.sp
.LP
The following options are supported:
.sp
@@ -348,6 +351,7 @@ line parameter. Normally (non-Kerberos authenticated \fBrlogin\fR), the
.RE
.SH EXIT STATUS
+.sp
.LP
The following exit values are returned:
.sp
@@ -369,6 +373,7 @@ Error.
.RE
.SH FILES
+.sp
.ne 2
.na
\fB\fB$HOME/.cshrc\fR\fR
@@ -516,7 +521,7 @@ User's default command interpreter.
.sp
.ne 2
.na
-\fB\fB/var/adm/lastlog.v2\fR\fR
+\fB\fB/var/adm/lastlog\fR\fR
.ad
.RS 23n
Time of last login.
@@ -729,6 +734,7 @@ before a failed login message is logged, using the \fBsyslog\fR(3C)
.RE
.SH ATTRIBUTES
+.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
@@ -744,6 +750,7 @@ Interface Stability Committed
.TE
.SH SEE ALSO
+.sp
.LP
\fBcsh\fR(1), \fBexit\fR(1), \fBksh\fR(1), \fBksh93\fR(1), \fBmail\fR(1),
\fBmailx\fR(1), \fBnewgrp\fR(1), \fBpasswd\fR(1), \fBrlogin\fR(1),
@@ -761,6 +768,7 @@ Interface Stability Committed
\fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
\fBtermio\fR(7I)
.SH DIAGNOSTICS
+.sp
.ne 2
.na
\fB\fBLogin incorrect\fR\fR
@@ -813,6 +821,7 @@ The machine is in the process of being shut down and logins have been disabled.
.RE
.SH WARNINGS
+.sp
.LP
Users with a \fBUID\fR greater than 76695844 are not subject to password aging,
and the system does not record their last login time.
@@ -822,6 +831,7 @@ If you use the \fBCONSOLE\fR setting to disable root logins, you should arrange
that remote command execution by root is also disabled. See \fBrsh\fR(1),
\fBrcmd\fR(3SOCKET), and \fBhosts.equiv\fR(4) for further details.
.SH NOTES
+.sp
.LP
The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
provided by \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
diff --git a/usr/src/man/man1m/in.fingerd.1m b/usr/src/man/man1m/in.fingerd.1m
index 580530a322..a8dfa6ceac 100644
--- a/usr/src/man/man1m/in.fingerd.1m
+++ b/usr/src/man/man1m/in.fingerd.1m
@@ -4,7 +4,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH IN.FINGERD 1M "Nov 9, 2015"
+.TH IN.FINGERD 1M "Jul 31, 2004"
.SH NAME
in.fingerd, fingerd \- remote user information server
.SH SYNOPSIS
@@ -14,6 +14,7 @@ in.fingerd, fingerd \- remote user information server
.fi
.SH DESCRIPTION
+.sp
.LP
\fBfingerd\fR implements the server side of the Name/Finger protocol, specified
in \fIRFC 742\fR. The Name/Finger protocol provides a remote interface to
@@ -28,6 +29,7 @@ reads a single command line terminated by RETURN-LINEFEED and passes the
arguments to \fBfinger\fR(1), prepended with \fB-s\fR. \fBfingerd\fR closes its
connections as soon as the output is finished.
.SH FILES
+.sp
.ne 2
.na
\fB\fB/var/adm/utmpx\fR\fR
@@ -48,7 +50,7 @@ System password file.
.sp
.ne 2
.na
-\fB\fB/var/adm/lastlog.v2\fR\fR
+\fB\fB/var/adm/lastlog\fR\fR
.ad
.RS 20n
Last login times.
@@ -73,9 +75,11 @@ User's projects.
.RE
.SH USAGE
+.sp
.LP
\fBfingerd\fR and \fBin.fingerd\fR are IPv6-enabled. See \fBip6\fR(7P).
.SH SEE ALSO
+.sp
.LP
\fBfinger\fR(1), \fBsvcs\fR(1), \fBinetadm\fR(1M), \fBinetd\fR(1M),
\fBsvcadm\fR(1M), \fBattributes\fR(5), \fBsmf\fR(5), \fBip6\fR(7P)
@@ -84,6 +88,7 @@ User's projects.
Harrenstien, Ken, \fIRFC 742, NAME/FINGER\fR, Network Information Center, SRI
International, Menlo Park, Calif., December 1977.
.SH NOTES
+.sp
.LP
Connecting directly to the server from a \fBTIP\fR or an equally narrow-minded
TELNET-protocol user program can result in meaningless attempts at option
diff --git a/usr/src/man/man1m/in.uucpd.1m b/usr/src/man/man1m/in.uucpd.1m
index dd49a84c8b..f8fac56b7c 100644
--- a/usr/src/man/man1m/in.uucpd.1m
+++ b/usr/src/man/man1m/in.uucpd.1m
@@ -3,7 +3,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH IN.UUCPD 1M "Nov 9, 2015"
+.TH IN.UUCPD 1M "Aug 12, 2004"
.SH NAME
in.uucpd, uucpd \- UUCP server
.SH SYNOPSIS
@@ -13,6 +13,7 @@ in.uucpd, uucpd \- UUCP server
.fi
.SH DESCRIPTION
+.sp
.LP
\fBin.uucpd\fR is the server for supporting \fBUUCP\fR connections over
networks.
@@ -43,10 +44,12 @@ Otherwise, \fBuucico\fR is run, with the user \fBID\fR, group \fBID\fR, group
set, and home directory for that account, with the environment variables
\fBUSER\fR and \fB LOGNAME\fR set to the specified username, and with a
\fB-u\fR flag specifying the username. Unless the \fB-n\fR flag is specified,
-entries are made in \fB/var/adm/utmpx\fR and \fB/var/adm/wtmpx\fR for the
-username. \fBin.uucpd\fR must be invoked by a user with appropriate privilege
-(usually root) in order to be able to verify that the password is correct.
+entries are made in \fB/var/adm/utmpx\fR, \fB/var/adm/wtmpx\fR, and
+\fB/var/adm/lastlog\fR for the username. \fBin.uucpd\fR must be invoked by a
+user with appropriate privilege (usually root) in order to be able to verify
+that the password is correct.
.SH SECURITY
+.sp
.LP
\fBin.uucpd\fR uses \fBpam\fR(3PAM) for authentication, account management, and
session management. The \fBPAM\fR configuration policy, listed through
@@ -74,6 +77,7 @@ If there are no entries for the \fBuucp\fR service, then the entries for the
"other" service will be used. If multiple authentication modules are listed,
then the peer may be prompted for multiple passwords.
.SH FILES
+.sp
.ne 2
.na
\fB\fB/var/adm/utmpx\fR\fR
@@ -91,7 +95,17 @@ accounting
accounting
.RE
+.sp
+.ne 2
+.na
+\fB\fB/var/adm/lastlog\fR\fR
+.ad
+.RS 20n
+time of last login
+.RE
+
.SH SEE ALSO
+.sp
.LP
\fBsvcs\fR(1), \fBinetadm\fR(1M), \fBinetd\fR(1M), \fBsvcadm\fR(1M),
\fBuucico\fR(1M), \fBpam\fR(3PAM), \fBpam.conf\fR(4), \fBservices\fR(4),
@@ -100,6 +114,7 @@ accounting
\fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5),
\fBsmf\fR(5)
.SH DIAGNOSTICS
+.sp
.LP
All diagnostic messages are returned on the connection, after which the
connection is closed.
@@ -133,6 +148,7 @@ account.
.RE
.SH NOTES
+.sp
.LP
The \fBin.uucpd\fR service is managed by the service management facility,
\fBsmf\fR(5), under the service identifier:
diff --git a/usr/src/man/man4/shadow.4 b/usr/src/man/man4/shadow.4
index 7f8956bd79..e04051a484 100644
--- a/usr/src/man/man4/shadow.4
+++ b/usr/src/man/man4/shadow.4
@@ -3,10 +3,11 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SHADOW 4 "Nov 9, 2015"
+.TH SHADOW 4 "Sep 15, 2005"
.SH NAME
shadow \- shadow password file
.SH DESCRIPTION
+.sp
.LP
\fB/etc/shadow\fR is an access-restricted ASCII system file that stores users'
encrypted passwords and related information. The shadow file can be used in
@@ -149,6 +150,7 @@ includes ``+'' and ``-'' entries if the \fBcompat\fR source is being used (see
Values for the various time-related fields are interpreted as Greenwich Mean
Time.
.SH FILES
+.sp
.ne 2
.na
\fB\fB/etc/shadow\fR\fR
@@ -178,13 +180,14 @@ name-service switch configuration file
.sp
.ne 2
.na
-\fB\fB/var/adm/lastlog.v2\fR\fR
+\fB\fB/var/adm/lastlog\fR\fR
.ad
.RS 22n
time of last login
.RE
.SH ATTRIBUTES
+.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
@@ -200,6 +203,7 @@ Interface Stability Stable
.TE
.SH SEE ALSO
+.sp
.LP
\fBlogin\fR(1), \fBpasswd\fR(1), \fBuseradd\fR(1M), \fBuserdel\fR(1M),
\fBusermod\fR(1M), \fBstrtol\fR(3C), \fBcrypt\fR(3C), \fBcrypt_gensalt\fR(3C),
@@ -207,6 +211,7 @@ Interface Stability Stable
\fBpasswd\fR(4), \fBattributes\fR(5), \fBpam_unix_account\fR(5),
\fBpam_unix_auth\fR(5)
.SH NOTES
+.sp
.LP
If password aging is turned on in any name service the \fIpasswd:\fR line in
the \fB/etc/nsswitch.conf\fR file must have a format specified in the
diff --git a/usr/src/man/man4/sshd_config.sunssh.4 b/usr/src/man/man4/sshd_config.sunssh.4
index 944f90329d..ef134886a2 100644
--- a/usr/src/man/man4/sshd_config.sunssh.4
+++ b/usr/src/man/man4/sshd_config.sunssh.4
@@ -643,8 +643,7 @@ Multiple options of this type are permitted. See also \fBListenAddress\fR.
.sp .6
.RS 4n
Specifies whether \fBsshd\fR should display the date and time when the user
-last logged in. On illumos this is always ignored, because pam_unix_session(5)
-reports the last login time.
+last logged in. The default is \fByes\fR.
.RE
.sp
diff --git a/usr/src/man/man5/pam_unix_session.5 b/usr/src/man/man5/pam_unix_session.5
index c9598ac1f5..91cf5112bd 100644
--- a/usr/src/man/man5/pam_unix_session.5
+++ b/usr/src/man/man5/pam_unix_session.5
@@ -15,15 +15,15 @@ pam_unix_session \- session management PAM module for UNIX
.fi
.SH DESCRIPTION
+.sp
.LP
The \fBpam_unix_session\fR module implements \fBpam_sm_open_session\fR(3PAM)
and \fBpam_sm_close_session\fR(3PAM).
.sp
.LP
-\fBpam_sm_open_session()\fR reads \fB/var/adm/lastlog.v2\fR to report the
-user's last login time via a PAM_TEXT_INFO message as well as updates the file
-with information contained in the \fBPAM_USER\fR, \fBPAM_TTY\fR, and
-\fBPAM_RHOSTS\fR items. \fBpam_unix_account\fR(5) also uses this file to
+\fBpam_sm_open_session()\fR updates the \fB/var/adm/lastlog\fR file with the
+information contained in the \fBPAM_USER\fR, \fBPAM_TTY\fR, and
+\fBPAM_RHOSTS\fR items. \fBpam_unix_account\fR(5) uses this account to
determine the previous time the user logged in.
.sp
.LP
@@ -50,6 +50,7 @@ Turn off last login PAM_TEXT_INFO message.
.RE
.SH ERRORS
+.sp
.LP
Upon successful completion, \fBPAM_SUCCESS\fR is returned. The following error
codes are returned upon error:
@@ -63,6 +64,7 @@ Cannot make or remove the entry for the specified session (PAM_TTY is not
present).
.RE
+.sp
.ne 2
.na
\fB\fBPAM_USER_UNKNOWN\fR\fR
@@ -72,6 +74,7 @@ No account is present for \fIuser\fR.
.RE
.SH ATTRIBUTES
+.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
@@ -89,6 +92,7 @@ MT Level MT-Safe with exceptions
.TE
.SH SEE ALSO
+.sp
.LP
\fBpam\fR(3PAM), \fBpam_authenticate\fR(3PAM), \fBsyslog\fR(3C),
\fBlibpam\fR(3LIB), \fBpam.conf\fR(4), \fBnsswitch.conf\fR(4),
@@ -96,6 +100,7 @@ MT Level MT-Safe with exceptions
\fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
\fBpam_unix_account\fR(5),\fBpam_unix_auth\fR(5),
.SH NOTES
+.sp
.LP
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.