authorRaja Andra <Rajagopal.Andra@Sun.COM>2009-12-06 01:39:21 -0800
committerRaja Andra <Rajagopal.Andra@Sun.COM>2009-12-06 01:39:21 -0800
commit36e852a172cba914383d7341c988128b2c667fbd (patch)
tree6cf9fe61b54ffa5f49f74f8b3ee20249279d5efe /usr/src/lib/pam_modules
parent560e0ee2bb5791b5efe2cbdc74d0a76f06dbd84d (diff)
6874309 Remove NIS+ from Solaris
Diffstat (limited to 'usr/src/lib/pam_modules')
-rw-r--r--usr/src/lib/pam_modules/authtok_check/authtok_check.c7
-rw-r--r--usr/src/lib/pam_modules/authtok_store/authtok_store.c114
-rw-r--r--usr/src/lib/pam_modules/dhkeys/dhkeys.c356
-rw-r--r--usr/src/lib/pam_modules/passwd_auth/passwd_auth.c8
-rw-r--r--usr/src/lib/pam_modules/unix_account/unix_acct.c8
-rw-r--r--usr/src/lib/pam_modules/unix_auth/unix_auth.c39
6 files changed, 60 insertions, 472 deletions
diff --git a/usr/src/lib/pam_modules/authtok_check/authtok_check.c b/usr/src/lib/pam_modules/authtok_check/authtok_check.c
index 9b2cacec7b..db07326a94 100644
--- a/usr/src/lib/pam_modules/authtok_check/authtok_check.c
+++ b/usr/src/lib/pam_modules/authtok_check/authtok_check.c
@@ -252,7 +252,7 @@ get_passwd_defaults(pam_handle_t *pamh, char *user, struct pwdefaults *p)
* and which password-crypt-algorithm is to be used (based on the
* old password, or the system default).
*
- * If the user comes from a repository other than FILES/NIS/NIS+,
+ * If the user comes from a repository other than FILES/NIS
* the module-flag "server_policy" means that we don't perform
* any checks on the user, but let the repository decide instead.
*/
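Review bot: The rewritten comment line drops the comma that separated the clause from the one that follows, so it now reads "other than FILES/NIS the module-flag ...". Keep the original punctuation: ` * If the user comes from a repository other than FILES/NIS,`. get_passwd_defaults starts before this hunk.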
@@ -284,8 +284,7 @@ get_passwd_defaults(pam_handle_t *pamh, char *user, struct pwdefaults *p)
char *oldpw = attr[0].data.val_s;
char *repository = attr[1].data.val_s;
if ((strcmp(repository, "files") == 0 ||
- strcmp(repository, "nis") == 0 ||
- strcmp(repository, "nisplus") == 0) ||
+ strcmp(repository, "nis") == 0) ||
p->server_policy == B_FALSE) {
char *salt;
/*
@@ -306,7 +305,7 @@ get_passwd_defaults(pam_handle_t *pamh, char *user, struct pwdefaults *p)
p->server_policy = B_FALSE; /* we perform checks */
} else {
- /* not files, nis or nisplus AND server_policy is set */
+ /* not files or nis AND server_policy is set */
p->maxlength = _PASS_MAX;
}
free(attr[0].data.val_s);
diff --git a/usr/src/lib/pam_modules/authtok_store/authtok_store.c b/usr/src/lib/pam_modules/authtok_store/authtok_store.c
index d599fb695e..d219b81c6d 100644
--- a/usr/src/lib/pam_modules/authtok_store/authtok_store.c
+++ b/usr/src/lib/pam_modules/authtok_store/authtok_store.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -39,8 +39,6 @@
#include <passwdutil.h>
#include <shadow.h>
-#define SUNW_OLDRPCPASS "SUNW-OLD-RPC-PASSWORD"
-
/*PRINTFLIKE3*/
static void
error(int nowarn, pam_handle_t *pamh, char *fmt, ...)
@@ -82,7 +80,7 @@ authtok_is_aged(pam_handle_t *pamh)
unix_authtok_data *status;
if (pam_get_data(pamh, UNIX_AUTHTOK_DATA,
- (const void **)status) != PAM_SUCCESS)
+ (const void **)status) != PAM_SUCCESS)
return (0);
return (status->age_status == PAM_NEW_AUTHTOK_REQD)
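Review bot: The reindented call still passes `(const void **)status` — the pointer's own value, not its address — and the declaration one line up, `unix_authtok_data *status;`, has no initializer, so a successful pam_get_data would store its result through whatever `status` happens to contain. The argument should be `(const void **)&status`, the form the removed SUNW_OLDRPCPASS lookup in a later hunk of this file uses (`(const void **)&oldrpcpw`). authtok_is_aged continues beyond the hunk; if this function is only compiled under the ENABLE_AGING guard that a later hunk shows around its caller, the defect is latent rather than reachable today, but it is still worth fixing while the line is being touched.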
@@ -99,7 +97,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
pwu_repository_t *pwu_rep;
char *user;
char *oldpw;
- char *oldrpcpw = NOPWDRTR;
char *newpw;
char *service;
struct pam_repository *auth_rep;
@@ -132,7 +129,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
#if defined(ENABLE_AGING)
if ((flags & PAM_CHANGE_EXPIRED_AUTHTOK) && !authtok_is_aged(pamh)) {
syslog(LOG_DEBUG, "pam_authtok_store: System password young");
- return (PAM_IGNORE)
+ return (PAM_IGNORE);
}
#endif
@@ -176,8 +173,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
* For now, only the LDAP routine treats this attribute
* differently that ATTR_PASSWD. It will skip the
* crypting of the password before storing it in the LDAP
- * server. NIS, NISPLUS, and FILES will handle
- * ATTR_PASSWD_SERVER_POLICY the same as ATTR_PASSWD.
+ * server. NIS, and FILES will handle ATTR_PASSWD_SERVER_POLICY
+ * the same as ATTR_PASSWD.
*/
if (server_policy)
l.type = ATTR_PASSWD_SERVER_POLICY;
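Review bot: The reflowed comment keeps a serial comma from the three-item list after the list has shrunk to two items, giving "NIS, and FILES". Suggest ` * server. NIS and FILES will handle ATTR_PASSWD_SERVER_POLICY` with the second line left as is. pam_sm_chauthtok begins before this hunk.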
@@ -201,22 +198,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
pwu_rep->scope_len = auth_rep->scope_len;
}
- /*
- * The pam_dhkeys module might have set SUNW_OLDRPCPASS if it
- * discovered that the user's old password doesn't decrypt the
- * user's secure RPC credentials. In that case, the
- * item SUNW_OLDRPCPASS contains the correct password to
- * decrypt these credentials.
- */
-
- res = pam_get_data(pamh, SUNW_OLDRPCPASS, (const void **)&oldrpcpw);
- if (res != PAM_SUCCESS && res != PAM_NO_MODULE_DATA) {
- syslog(LOG_ERR, "pam_authtok_store: error getting OLDRPCPASS");
- return (PAM_SYSTEM_ERR);
- }
-
- res = __set_authtoken_attr(user, oldpw, oldrpcpw, pwu_rep, &l,
- &updated_reps);
+ res = __set_authtoken_attr(user, oldpw, pwu_rep, &l, &updated_reps);
if (pwu_rep != PWU_DEFAULT_REP)
free(pwu_rep);
@@ -233,22 +215,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
"%s: password successfully changed for %s"),
service, user);
}
-
- /*
- * If we have updated NIS+, and we got SUCCESS (not one of
- * the partial failures), this indicates that the credential
- * update went well too... Inform the user
- */
- if (updated_reps & REP_NISPLUS)
- info(nowarn, pamh, dgettext(TEXT_DOMAIN,
- "%s: credential information changed for %s"),
- service, user);
res = PAM_SUCCESS;
break;
case PWU_BUSY:
error(nowarn, pamh, dgettext(TEXT_DOMAIN,
- "%s: Password database busy. Try again later."),
- service);
+ "%s: Password database busy. Try again later."),
+ service);
res = PAM_AUTHTOK_LOCK_BUSY;
break;
case PWU_STAT_FAILED:
@@ -268,8 +240,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
/* Different error if repository was explicitly specified */
if (auth_rep != NULL) {
error(nowarn, pamh, dgettext(TEXT_DOMAIN,
- "%s: System error: no %s password for %s."),
- service, auth_rep->type, user);
+ "%s: System error: no %s password for %s."),
+ service, auth_rep->type, user);
} else {
error(nowarn, pamh, dgettext(TEXT_DOMAIN,
"%s: %s does not exist."), service, user);
@@ -278,7 +250,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
break;
case PWU_NOMEM:
error(nowarn, pamh, dgettext(TEXT_DOMAIN,
- "%s: Internal memory allocation failure."), service);
+ "%s: Internal memory allocation failure."), service);
res = PAM_BUF_ERR;
break;
case PWU_SERVER_ERROR:
@@ -305,58 +277,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
"%s: System error: repository out of range."), service);
res = PAM_SYSTEM_ERR;
break;
- case PWU_RECOVERY_ERR:
- res = PAM_AUTHTOK_RECOVERY_ERR;
- break;
- case PWU_NO_PRIV_CRED_UPDATE:
- /*
- * A privileged process has updated a user's password.
- * In this case, the password will be updated, but the
- * credentials won't. This is not a failure, but we need
- * to inform the user about it, and return PAM_SUCCESS
- */
-
- /* First inform the user about the passsword update */
- info(nowarn, pamh, dgettext(TEXT_DOMAIN,
- "%s: password successfully changed for %s"),
- service, user);
-
- /* and now the bad news */
- (void) sprintf(msg[0], " ");
- (void) snprintf(msg[1], sizeof (msg[1]),
- dgettext(TEXT_DOMAIN,
- "The Secure RPC credential information for %s "
- "will not be changed."), user);
- (void) snprintf(msg[2], sizeof (msg[2]),
- dgettext(TEXT_DOMAIN, "User %s must do the following to "
- "update his/her"), user);
- (void) snprintf(msg[3], sizeof (msg[3]),
- dgettext(TEXT_DOMAIN, "credential information:"));
- (void) snprintf(msg[4], sizeof (msg[4]),
- dgettext(TEXT_DOMAIN, "Use NEW passwd for login and OLD "
- "passwd for keylogin."));
- (void) snprintf(msg[5], sizeof (msg[5]),
- dgettext(TEXT_DOMAIN, "Use \"chkey -p\" to reencrypt the "
- "credentials with the"));
- (void) snprintf(msg[6], sizeof (msg[6]),
- dgettext(TEXT_DOMAIN, "new login passwd."));
- (void) snprintf(msg[7], sizeof (msg[7]),
- dgettext(TEXT_DOMAIN, "The user must keylogin explicitly "
- "after their next login."));
- (void) sprintf(msg[8], " ");
- (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 9, msg, NULL);
- res = PAM_SUCCESS;
- break;
- case PWU_UPDATED_SOME_CREDS:
- info(nowarn, pamh, dgettext(TEXT_DOMAIN,
- "%s: password successfully changed for %s"),
- service, user);
-
- error(nowarn, pamh, dgettext(TEXT_DOMAIN,
- "WARNING: some but not all credentials were reencrypted "
- "for user %s"), user);
- res = PAM_SUCCESS;
- break;
case PWU_PWD_TOO_SHORT:
(void) snprintf(msg[0], sizeof (msg[0]),
dgettext(TEXT_DOMAIN, "%s: Password too short."), service);
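Review bot: With PWU_NO_PRIV_CRED_UPDATE gone, the nine-element `__pam_display_msg(..., 9, msg, NULL)` call was the only visible user of `msg[1]` through `msg[8]`; every remaining case in this switch fills only `msg[0]`. If the `msg` array (declared outside this hunk) was dimensioned for that message, it can presumably be shrunk to a single entry, which would also remove the two unbounded `sprintf(msg[N], " ")` calls' only precedent in the file. Worth confirming against the declaration and any other uses of `msg` before changing it.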
@@ -366,30 +286,30 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
case PWU_PWD_INVALID:
(void) snprintf(msg[0], sizeof (msg[0]),
dgettext(TEXT_DOMAIN, "%s: Invalid password syntax."),
- service);
+ service);
(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, msg, NULL);
res = PAM_AUTHTOK_ERR;
break;
case PWU_PWD_IN_HISTORY:
(void) snprintf(msg[0], sizeof (msg[0]),
dgettext(TEXT_DOMAIN, "%s: Reuse of old passwords not "
- "allowed, the new password is in the history list."),
- service);
+ "allowed, the new password is in the history list."),
+ service);
(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, msg, NULL);
res = PAM_AUTHTOK_ERR;
break;
case PWU_CHANGE_NOT_ALLOWED:
(void) snprintf(msg[0], sizeof (msg[0]),
dgettext(TEXT_DOMAIN, "%s: You may not change "
- "this password."), service);
+ "this password."), service);
(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, msg, NULL);
res = PAM_PERM_DENIED;
break;
case PWU_WITHIN_MIN_AGE:
(void) snprintf(msg[0], sizeof (msg[0]),
dgettext(TEXT_DOMAIN,
- "%s: Password can not be changed yet, "
- "not enough time has passed."), service);
+ "%s: Password can not be changed yet, "
+ "not enough time has passed."), service);
(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, msg, NULL);
res = PAM_PERM_DENIED;
break;
diff --git a/usr/src/lib/pam_modules/dhkeys/dhkeys.c b/usr/src/lib/pam_modules/dhkeys/dhkeys.c
index cea8662066..11b3be3fbf 100644
--- a/usr/src/lib/pam_modules/dhkeys/dhkeys.c
+++ b/usr/src/lib/pam_modules/dhkeys/dhkeys.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -64,12 +64,6 @@
#include "key_call_uid.h"
#include <shadow.h>
-/* to keep track of codepath */
-#define CODEPATH_PAM_SM_AUTHENTICATE 0
-#define CODEPATH_PAM_SM_SETCRED 1
-
-#define SUNW_OLDRPCPASS "SUNW-OLD-RPC-PASSWORD"
-
extern int _nfssys(int, void *);
/*
@@ -175,32 +169,23 @@ get_and_set_seckey(
* stack so we should only return failures or PAM_IGNORE. Returning PAM_SUCCESS
* may short circuit the stack and circumvent later critical checks.
*
- * Because this routine is used for both pam_authenticate *and*
- * pam_setcred, we have to be somewhat careful:
- *
- * - if called from pam_sm_authenticate:
- * 1. if no NIS+, we don't set credentials and return PAM_IGNORE.
- * 2. else, we try to establish credentials;
+ * we are called from pam_sm_setcred:
+ * 1. if we are root (uid == 0), we do nothing and return
+ * PAM_IGNORE.
+ * 2. else, we try to establish credentials.
*
- * - if called from pam_sm_setcred:
- * 1. if we are root (uid == 0), we do nothing and return
- * PAM_IGNORE.
- * 2. else, we try to establish credentials.
+ * We return framework errors as appropriate such as PAM_USER_UNKNOWN,
+ * PAM_BUF_ERR, PAM_PERM_DENIED.
*
- * We return framework errors as appropriate such as PAM_USER_UNKNOWN,
- * PAM_BUF_ERR, PAM_PERM_DENIED.
+ * If we succeed in establishing credentials we return PAM_IGNORE.
*
- * If we succeed in establishing credentials we return PAM_IGNORE.
- *
- * If we fail to establish credentials then we return:
- * - PAM_IGNORE if we are called from pam_sm_authenticate and we
- * don't need credentials;
- * - PAM_SERVICE_ERR (credentials needed) or PAM_SYSTEM_ERR
- * (credentials not needed) if netname could not be created;
- * - PAM_AUTH_ERR (credentials needed) or PAM_IGNORE (credentials
- * not needed) if no credentials were retrieved;
- * - PAM_AUTH_ERR if the password didn't decrypt the cred;
- * - PAM_SYSTEM_ERR if the cred's could not be stored.
+ * If we fail to establish credentials then we return:
+ * - PAM_SERVICE_ERR (credentials needed) or PAM_SYSTEM_ERR
+ * (credentials not needed) if netname could not be created;
+ * - PAM_AUTH_ERR (credentials needed) or PAM_IGNORE (credentials
+ * not needed) if no credentials were retrieved;
+ * - PAM_AUTH_ERR if the password didn't decrypt the cred;
+ * - PAM_SYSTEM_ERR if the cred's could not be stored.
*
* This routine returns the user's netname in "netname".
*
@@ -210,8 +195,7 @@ get_and_set_seckey(
* Therefore, we use a local variable "short_pass" to hold those 8 char's.
*/
static int
-establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
- char *netname)
+establish_key(pam_handle_t *pamh, int flags, int debug, char *netname)
{
char *user;
char *passwd;
@@ -225,24 +209,6 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
char *scratch;
int scratchlen;
- /*
- * Default is that credentials are needed until we explicitly
- * check they are. This means all failure codes are returned
- * until then.
- */
- int need_cred = -1;
- int auth_cred_flags;
- /*
- * no_warn if creds not needed and
- * authenticating
- */
- int auth_path = (codepath == CODEPATH_PAM_SM_AUTHENTICATE);
- char *repository_name = NULL; /* which repository are we using */
- char *repository_pass = NULL; /* user's password from that rep */
- pwu_repository_t *pwu_rep;
- struct pam_repository *auth_rep;
- attrlist attr_pw[2];
-
mechanism_t **mechs;
mechanism_t **mpp;
int get_seckey_cnt = 0;
@@ -274,83 +240,17 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
/*
* We don't set credentials when root logs in.
- * We do, however, need to set the credentials if the NIS+ permissions
- * require so. Thus, we only bail out if we're root and we're
- * called from pam_setcred.
*/
- if (uid == 0 && codepath == CODEPATH_PAM_SM_SETCRED) {
+ if (uid == 0) {
result = PAM_IGNORE;
goto out;
}
- /*
- * Check to see if we REALLY need to set the credentials, i.e.
- * whether not being able to do so is an error or whether we
- * can ignore it.
- * We need to get the password from the repository that we're
- * currently authenticating against. If this is the auth_path
- * and the repository isn't NIS+ we can skip establishing credentials.
- * Otherwise, we will try to establish credentials but it's only
- * critical iff the password is "*NP*" and the repository is NIS+.
- */
- (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep);
- if (auth_rep != NULL) {
- if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
- return (PAM_BUF_ERR);
- pwu_rep->type = auth_rep->type;
- pwu_rep->scope = auth_rep->scope;
- pwu_rep->scope_len = auth_rep->scope_len;
- } else
- pwu_rep = PWU_DEFAULT_REP;
-
- attr_pw[0].type = ATTR_PASSWD; attr_pw[0].next = &attr_pw[1];
- attr_pw[1].type = ATTR_REP_NAME; attr_pw[1].next = NULL;
- result = __get_authtoken_attr(user, pwu_rep, attr_pw);
-
- if (pwu_rep != PWU_DEFAULT_REP)
- free(pwu_rep);
-
- if (result == PWU_NOT_FOUND) {
- if (debug)
- syslog(LOG_DEBUG, "pam_dhkeys: user %s not found",
- user);
- result = PAM_USER_UNKNOWN;
- goto out;
- } else if (result != PWU_SUCCESS) {
- result = PAM_PERM_DENIED;
- goto out;
- }
-
- repository_name = attr_pw[1].data.val_s;
- repository_pass = attr_pw[0].data.val_s;
-
- if (auth_path && (strcmp(repository_name, "nisplus") != 0)) {
- result = PAM_IGNORE;
- goto out;
- }
-
- need_cred = (strcmp(repository_name, "nisplus") == 0 &&
- strcmp(repository_pass, NOPWDRTR) == 0);
- if (auth_path) {
- auth_cred_flags =
- (need_cred ? flags : flags | PAM_SILENT);
- } else {
- auth_cred_flags = flags;
- }
-
- if (uid == 0) /* "root", need to create a host-netname */
- err = host2netname(netname, NULL, NULL);
- else
- err = user2netname(netname, uid, NULL);
+ err = user2netname(netname, uid, NULL);
if (err != 1) {
if (debug)
syslog(LOG_DEBUG, "pam_dhkeys: user2netname failed");
- if (need_cred) {
- syslog(LOG_ALERT, "pam_dhkeys: user %s needs "
- "Secure RPC Credentials to login.", user);
- result = PAM_SERVICE_ERR;
- } else
result = PAM_SYSTEM_ERR;
goto out;
}
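Review bot: In the `if (err != 1)` block the surviving `result = PAM_SYSTEM_ERR;` is a context line, so it presumably keeps the extra indentation it had as the body of the removed `else`; it now sits at the same depth as the `syslog` call under the braceless `if (debug)`, which makes it read as part of that conditional even though it executes unconditionally. Re-indent it to the block level, or brace the `if (debug)` so the structure is unambiguous: `if (debug) { syslog(LOG_DEBUG, "pam_dhkeys: user2netname failed"); }` followed by `result = PAM_SYSTEM_ERR;` at the same depth. The same reasoning applies to the now-unconditional `result = PAM_IGNORE;` in the `get_seckey_cnt == 0` branch of a later hunk, which is an added line and can simply be indented correctly. establish_key begins before this hunk and ends after it.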
@@ -381,7 +281,7 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
if (!get_and_set_seckey(pamh, netname, mp->keylen,
mp->algtype, short_passp, uid, gid,
&get_seckey_cnt, &good_pw_cnt, &set_seckey_cnt,
- auth_cred_flags, debug)) {
+ flags, debug)) {
result = PAM_BUF_ERR;
goto out;
}
@@ -390,7 +290,7 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
/* fall through to AUTH_DES below */
} else {
/*
- * No usable mechs found in NIS+ security cf thus
+ * No usable mechs found in security congifuration file thus
* fallback to AUTH_DES compat.
*/
if (debug)
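Review bot: The new comment text misspells "configuration" as "congifuration". Suggest ` * No usable mechs found in security configuration file thus`. establish_key's body continues outside this hunk.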
@@ -399,13 +299,12 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
}
/*
- * We always perform AUTH_DES for the benefit of non-NIS+
- * services (e.g. NFS) that may depend on the classic des
- * 192bit key being set.
+ * We always perform AUTH_DES for the benefit of services like NFS
+ * that may depend on the classic des 192bit key being set.
*/
if (!get_and_set_seckey(pamh, netname, AUTH_DES_KEYLEN,
AUTH_DES_ALGTYPE, short_passp, uid, gid, &get_seckey_cnt,
- &good_pw_cnt, &set_seckey_cnt, auth_cred_flags, debug)) {
+ &good_pw_cnt, &set_seckey_cnt, flags, debug)) {
result = PAM_BUF_ERR;
goto out;
}
@@ -423,7 +322,7 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
}
if (get_seckey_cnt == 0) { /* No credentials */
- result = need_cred ? PAM_AUTH_ERR : PAM_IGNORE;
+ result = PAM_IGNORE;
goto out;
}
@@ -436,7 +335,7 @@ establish_key(pam_handle_t *pamh, int flags, int codepath, int debug,
result = PAM_SYSTEM_ERR;
goto out;
}
- /* Credentials have been successfully establish, return PAM_IGNORE. */
+ /* Credentials have been successfully established, return PAM_IGNORE */
result = PAM_IGNORE;
out:
/*
@@ -445,13 +344,6 @@ out:
* definitely needed them. Thus always return PAM_IGNORE
* if we are authenticating and credentials were not needed.
*/
- if (auth_path && !need_cred)
- result = PAM_IGNORE;
- if (repository_name)
- free(repository_name);
- if (repository_pass)
- free(repository_pass);
-
free(scratch);
(void) memset(short_pass, '\0', sizeof (short_pass));
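Review bot: The comment immediately above the removed `if (auth_path && !need_cred)` lines still says "Thus always return PAM_IGNORE if we are authenticating and credentials were not needed", describing exactly the override this hunk deletes; the comment's opening lines are outside the hunk, so the whole paragraph at `out:` should be reread and either cut or reduced to a one-liner such as `/* Common cleanup: release the scratch buffer and scrub the truncated password. */`. Leaving it as is would tell the next reader that establish_key still distinguishes an authenticate path, which no longer exists.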
@@ -459,25 +351,11 @@ out:
return (result);
}
+/*ARGSUSED*/
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- int i;
- int debug = 0;
- int result;
- char netname[MAXNETNAMELEN + 1];
-
- for (i = 0; i < argc; i++) {
- if (strcmp(argv[i], "debug") == 0)
- debug = 1;
- else if (strcmp(argv[i], "nowarn") == 0)
- flags |= PAM_SILENT;
- }
-
- result = establish_key(pamh, flags, CODEPATH_PAM_SM_AUTHENTICATE, debug,
- netname);
-
- return (result);
+ return (PAM_IGNORE);
}
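Review bot: pam_sm_authenticate now unconditionally returns PAM_IGNORE, and a later hunk in this file does the same to pam_sm_chauthtok, yet neither stub says why the entry point still exists. A one-line comment above each, for example `/* Credentials are only established from pam_sm_setcred; nothing to do here. */`, would stop a future reader from assuming the function body was lost, and for pam_sm_chauthtok, `/* The old Secure RPC password is no longer needed by the password-update modules. */`. The `/*ARGSUSED*/` lint tag covers the unused parameters, so no code change is needed.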
@@ -647,8 +525,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
syslog(LOG_DEBUG, "pam_dhkeys: removing creds\n");
result = remove_key(pamh, flags, debug);
} else {
- result = establish_key(pamh, flags, CODEPATH_PAM_SM_SETCRED,
- debug, netname);
+ result = establish_key(pamh, flags, debug, netname);
/* Some diagnostics */
if ((flags & PAM_SILENT) == 0) {
if (result == PAM_AUTH_ERR)
@@ -678,182 +555,9 @@ rpc_cleanup(pam_handle_t *pamh, void *data, int pam_status)
}
}
+/*ARGSUSED*/
int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- int i;
- int debug = 0;
- int res;
- pam_repository_t *pam_rep;
- pwu_repository_t *pwu_rep;
- char *oldpw;
- char *user;
- int tries;
- int oldpw_ok;
- char *oldrpcpw;
- char *oldrpcpass;
- char *data;
- /* password truncated at 8 chars, see comment at establish_key() */
- char short_pass[sizeof (des_block)+1], *short_passp;
-
- for (i = 0; i < argc; i++)
- if (strcmp(argv[i], "debug") == 0)
- debug = 1;
-
- if (debug)
- syslog(LOG_DEBUG, "pam_dhkeys: entered pam_sm_chauthtok()");
-
- if ((flags & PAM_PRELIM_CHECK) == 0)
- return (PAM_IGNORE);
-
- /*
- * See if the old secure-rpc password has already been set
- */
- res = pam_get_data(pamh, SUNW_OLDRPCPASS, (const void **)&oldrpcpass);
- if (res == PAM_SUCCESS) {
- if (debug)
- syslog(LOG_DEBUG,
- "pam_dhkeys: OLDRPCPASS already set");
- return (PAM_IGNORE);
- }
-
- (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&pam_rep);
-
- (void) pam_get_item(pamh, PAM_USER, (void **)&user);
-
- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&oldpw);
-
- if (user == NULL || *user == '\0') {
- if (debug)
- syslog(LOG_DEBUG, "pam_dhkeys: user NULL or empty");
- return (PAM_USER_UNKNOWN);
- }
-
- /* oldpw can be NULL (eg. root changing someone's passwd) */
- if (oldpw) {
- (void) strlcpy(short_pass, oldpw, sizeof (short_pass));
- short_passp = short_pass;
- } else
- short_passp = NULL;
-
- /*
- * For NIS+ we need to check whether the old password equals
- * the RPC password. If it doesn't, we won't be able to update
- * the secure RPC credentials later on in the process.
- */
-
- if (pam_rep == NULL)
- pwu_rep = PWU_DEFAULT_REP;
- else {
- if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
- return (PAM_BUF_ERR);
- pwu_rep->type = pam_rep->type;
- pwu_rep->scope = pam_rep->scope;
- pwu_rep->scope_len = pam_rep->scope_len;
- }
-
- switch (__verify_rpc_passwd(user, short_passp, pwu_rep)) {
- case PWU_SUCCESS:
- /* oldpw matches RPC password, or no RPC password needed */
-
- if (pwu_rep != PWU_DEFAULT_REP)
- free(pwu_rep);
-
- if (short_passp) {
- if ((data = strdup(short_pass)) == NULL) {
- (void) memset(short_pass, '\0',
- sizeof (short_pass));
- return (PAM_BUF_ERR);
- }
- } else
- data = NULL;
-
- (void) pam_set_data(pamh, SUNW_OLDRPCPASS, data, rpc_cleanup);
- return (PAM_IGNORE);
-
- case PWU_NOT_FOUND:
- if (pwu_rep != PWU_DEFAULT_REP)
- free(pwu_rep);
- (void) memset(short_pass, '\0', sizeof (short_pass));
- return (PAM_USER_UNKNOWN);
- case PWU_BAD_CREDPASS:
- /* The old password does not decrypt any credentials */
- break;
- case PWU_CRED_ERROR:
- /*
- * Indicates that the user's credentials could not be
- * retrieved or removed. This could occur when a NIS+
- * user is in transition to another account authority.
- */
- if (pwu_rep != PWU_DEFAULT_REP)
- free(pwu_rep);
- (void) memset(short_pass, '\0', sizeof (short_pass));
- return (PAM_AUTHTOK_ERR);
- default:
- if (pwu_rep != PWU_DEFAULT_REP)
- free(pwu_rep);
- (void) memset(short_pass, '\0', sizeof (short_pass));
- return (PAM_SYSTEM_ERR);
- }
-
- /*
- * We got here because the OLDAUTHTOK doesn't match the Secure RPC
- * password. In compliance with the old behavior, we give the
- * user two chances to get the password right. If that succeeds
- * all is well; if it doesn't, we'll return an error.
- */
-
- (void) msg(pamh, dgettext(TEXT_DOMAIN,
- "This password differs from your secure RPC password."));
-
- tries = 0;
- oldpw_ok = 0;
-
- while (oldpw_ok == 0 && ++tries < 3) {
- if (tries > 1)
- (void) msg(pamh, dgettext(TEXT_DOMAIN,
- "This password does not decrypt your "
- "secure RPC password."));
- res = __pam_get_authtok(pamh, PAM_PROMPT, 0,
- dgettext(TEXT_DOMAIN,
- "Please enter your old Secure RPC password: "), &oldpw);
- if (res != PAM_SUCCESS) {
- if (pwu_rep != PWU_DEFAULT_REP)
- free(pwu_rep);
- return (res);
- }
- (void) strlcpy(short_pass, oldpw, sizeof (short_pass));
- (void) memset(oldpw, 0, strlen(oldpw));
- free(oldpw);
- oldpw = NULL;
- if (__verify_rpc_passwd(user, short_pass, pwu_rep) ==
- PWU_SUCCESS)
- oldpw_ok = 1;
- }
-
- if (pwu_rep != PWU_DEFAULT_REP)
- free(pwu_rep);
-
- if (oldpw_ok == 0) {
- (void) memset(short_pass, '\0', sizeof (short_pass));
- return (PAM_AUTHTOK_ERR);
- }
-
- /*
- * Since the PAM framework only provides space for two different
- * password (one old and one current), there is officially no
- * place to put additional passwords (like our old rpc password).
- * We have no choice but to stuff it in a data item, and hope it
- * will be picked up by the password-update routines.
- */
-
- oldrpcpw = strdup(short_pass);
- (void) memset(short_pass, '\0', sizeof (short_pass));
-
- if (oldrpcpw == NULL)
- return (PAM_BUF_ERR);
-
- res = pam_set_data(pamh, SUNW_OLDRPCPASS, oldrpcpw, rpc_cleanup);
-
- return (res);
+ return (PAM_IGNORE);
}
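Review bot: The removed body was the only visible caller of `rpc_cleanup` (whose closing brace is the context at the top of this hunk) and, as far as this hunk shows, of the `msg()` helper used for the "This password differs from your secure RPC password." prompts. If neither has another caller in the parts of the file not shown here, both are now dead code and, if declared `static`, will draw an unused-function warning; they should be deleted in the same change rather than left behind. The memset-based scrubbing of `short_pass` that went with them is also gone, which is fine only because the stub no longer copies the password anywhere.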
diff --git a/usr/src/lib/pam_modules/passwd_auth/passwd_auth.c b/usr/src/lib/pam_modules/passwd_auth/passwd_auth.c
index 4e882a44b8..051f509224 100644
--- a/usr/src/lib/pam_modules/passwd_auth/passwd_auth.c
+++ b/usr/src/lib/pam_modules/passwd_auth/passwd_auth.c
@@ -232,14 +232,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
repository_name = al[7].data.val_s;
/*
- * if repository isn't files|nis|nisplus, and
- * user wants to follow server policy,
- * return PAM_IGNORE
+ * if repository isn't files|nis, and user wants to follow server
+ * policy, return PAM_IGNORE
*/
if (server_policy &&
strcmp(repository_name, "files") != 0 &&
- strcmp(repository_name, "nis") != 0 &&
- strcmp(repository_name, "nisplus") != 0) {
+ strcmp(repository_name, "nis") != 0) {
retval = PAM_IGNORE;
goto out;
}
diff --git a/usr/src/lib/pam_modules/unix_account/unix_acct.c b/usr/src/lib/pam_modules/unix_account/unix_acct.c
index 14b8030921..110eff6d9d 100644
--- a/usr/src/lib/pam_modules/unix_account/unix_acct.c
+++ b/usr/src/lib/pam_modules/unix_account/unix_acct.c
@@ -368,14 +368,12 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
}
/*
- * if repository is not files|nis|nisplus, and
- * user wants server_policy, we don't care
- * about aging and hence return PAM_IGNORE
+ * if repository is not files|nis, and user wants server_policy,
+ * we don't care about aging and hence return PAM_IGNORE
*/
if (server_policy &&
strcmp(repository_name, "files") != 0 &&
- strcmp(repository_name, "nis") != 0 &&
- strcmp(repository_name, "nisplus") != 0) {
+ strcmp(repository_name, "nis") != 0) {
error = PAM_IGNORE;
goto out;
}
diff --git a/usr/src/lib/pam_modules/unix_auth/unix_auth.c b/usr/src/lib/pam_modules/unix_auth/unix_auth.c
index 1fcda7e2b8..c1d2e7d042 100644
--- a/usr/src/lib/pam_modules/unix_auth/unix_auth.c
+++ b/usr/src/lib/pam_modules/unix_auth/unix_auth.c
@@ -132,9 +132,9 @@ display_warning(pam_handle_t *pamh, int failures, char *homedir)
* PAM_AUTHTOK item is indeed the password that belongs to the user
* as stored in PAM_USER.
*
- * This routine will not establish Secure RPC Credentials. If these
- * credentials are needed to obtain the password from the NIS+ service,
- * the pam_dhkeys module should be stacked before us!
+ * This routine will not establish Secure RPC Credentials, the pam_dhkeys
+ * module should be stacked before us if Secure RPC Credentials are needed
+ * to obtain passwords.
*/
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
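Review bot: The rewritten sentence is a comma splice: "will not establish Secure RPC Credentials, the pam_dhkeys module should be stacked before us if ...". Suggest ` * This routine will not establish Secure RPC Credentials; if they are needed` / ` * to obtain passwords, the pam_dhkeys module must be stacked before us.` so the dependency on module ordering reads as the requirement it is.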
@@ -142,7 +142,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
int i;
int debug = 0;
int nowarn = (flags & PAM_SILENT) != 0;
- char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
char *user;
char *passwd;
char *rep_passwd;
@@ -279,39 +278,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
goto out;
}
- /*
- * "rep_passwd" holds the encrypted password.
- * If, however, we detect that the password equals NOPWDRTR,
- * while we've obtained it from NIS+, it
- * means that the permissions on the NIS+ table are too tight
- * for us to get the password without having Secure RPC
- * Credentials. In that case, we log an error stating that
- * the Secure RPC credential Module should be on the PAM stack
- * before the unix_auth module. We also tell the user to go
- * and inform the administrator of this error.
- */
- if (strcmp(repository_name, "nisplus") == 0 &&
- strcmp(rep_passwd, NOPWDRTR) == 0) {
- __pam_log(LOG_AUTH | LOG_ERR,
- "pam_unix_auth: NIS+ permissions require that"
- "the pam_dhkeys module is on the PAM stack before "
- "pam_unix_auth");
- if (nowarn == 0) {
- (void) snprintf(messages[0], sizeof (messages[0]),
- dgettext(TEXT_DOMAIN,
- "NIS+ permissions are too tight. "
- "Please inform your administrator."));
- (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1,
- messages, NULL);
- }
- result = PAM_USER_UNKNOWN;
- goto out;
- }
-
if (server_policy &&
strcmp(repository_name, "files") != 0 &&
- strcmp(repository_name, "nis") != 0 &&
- strcmp(repository_name, "nisplus") != 0) {
+ strcmp(repository_name, "nis") != 0) {
result = PAM_IGNORE;
goto out;
}
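Review bot: Deleting the NOPWDRTR block removes the only diagnostic for a repository that hands back an unretrievable password marker instead of a hash: the removed code logged via `__pam_log` and told the user to contact an administrator, whereas now the comparison against `rep_passwd` simply fails. That is the safe direction (no bypass is introduced; the user is denied), but if any remaining repository can still return NOPWDRTR for a readable account, the failure presumably surfaces as a bare PAM_AUTH_ERR with nothing in the log to distinguish "wrong password" from "password not readable by this module". If that case is considered impossible without NIS+, a short comment near the `server_policy` check recording that assumption would help, e.g. `/* Repositories other than NIS+ never return NOPWDRTR here; a mismatch below is a genuine bad password. */`. pam_sm_authenticate starts before this hunk.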