11 files changed, 776 insertions, 5 deletions

diff --git a/usr/src/lib/libsasl/Makefile b/usr/src/lib/libsasl/Makefile
index a394d3afbf..c0e42d0b70 100644
--- a/usr/src/lib/libsasl/Makefile
+++ b/usr/src/lib/libsasl/Makefile
@@ -22,8 +22,7 @@
 #
 # Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
-#
-# ident	"%Z%%M%	%I%	%E% SMI"
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
 #
 
 include	../Makefile.lib
@@ -49,6 +48,7 @@ MSGFILES=	lib/canonusr.c lib/checkpw.c lib/client.c lib/common.c \
 			$(SRC)/lib/sasl_plugins/cram/cram.c \
 			$(SRC)/lib/sasl_plugins/digestmd5/digestmd5.c \
 			$(SRC)/lib/sasl_plugins/gssapi/gssapi.c \
+			$(SRC)/lib/sasl_plugins/login/login.c \
 			$(SRC)/lib/sasl_plugins/plain/plain.c
 
 .KEEP_STATE:
diff --git a/usr/src/lib/sasl_plugins/Makefile b/usr/src/lib/sasl_plugins/Makefile
index e32bd6d7e1..d014d39264 100644
--- a/usr/src/lib/sasl_plugins/Makefile
+++ b/usr/src/lib/sasl_plugins/Makefile
@@ -21,8 +21,7 @@
 #
 # Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
-#
-# ident	"%Z%%M%	%I%	%E% SMI"
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
 #
 
 # Note, to build SASL msg file go to $SRC/lib/libsasl and make _msg
@@ -30,7 +29,7 @@
 
 include	../Makefile.lib
 
-SUBDIRS =	cram digestmd5 gssapi plain
+SUBDIRS =	cram digestmd5 gssapi plain login
 
 all :=		TARGET= all
 clean :=	TARGET= clean
diff --git a/usr/src/lib/sasl_plugins/login/Makefile b/usr/src/lib/sasl_plugins/login/Makefile
new file mode 100644
index 0000000000..d78e1975f0
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/Makefile
@@ -0,0 +1,26 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
+#
+
+include		../Makefile.subdirs
diff --git a/usr/src/lib/sasl_plugins/login/Makefile.com b/usr/src/lib/sasl_plugins/login/Makefile.com
new file mode 100644
index 0000000000..cbab8177d0
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/Makefile.com
@@ -0,0 +1,32 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
+#
+
+LIBRARY= login.a
+VERS= .1
+
+PLUG_OBJS=	login.o		login_init.o
+
+# include common definitions
+include ../../Makefile.com
diff --git a/usr/src/lib/sasl_plugins/login/amd64/Makefile b/usr/src/lib/sasl_plugins/login/amd64/Makefile
new file mode 100644
index 0000000000..ef7545263e
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/amd64/Makefile
@@ -0,0 +1,29 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
+#
+
+include ../Makefile.com
+include ../../../Makefile.lib.64
+
+install: all $(ROOTLIBS64)
diff --git a/usr/src/lib/sasl_plugins/login/i386/Makefile b/usr/src/lib/sasl_plugins/login/i386/Makefile
new file mode 100644
index 0000000000..edbceba8be
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/i386/Makefile
@@ -0,0 +1,28 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
+#
+
+include ../Makefile.com
+
+install: all $(ROOTLIBS)
diff --git a/usr/src/lib/sasl_plugins/login/login.c b/usr/src/lib/sasl_plugins/login/login.c
new file mode 100644
index 0000000000..64ba6ca83f
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/login.c
@@ -0,0 +1,554 @@
+/*
+ * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
+ */
+
+/* LOGIN is a PLAIN-like authenticator, but for older deployments. */
+
+/* Login SASL plugin
+ * Rob Siemborski (SASLv2 Conversion)
+ * contributed by Rainer Schoepf <schoepf@uni-mainz.de>
+ * based on PLAIN, by Tim Martin <tmartin@andrew.cmu.edu>
+ * $Id: login.c,v 1.25 2003/02/13 19:56:04 rjs3 Exp $
+ */
+/* 
+ * Copyright (c) 1998-2003 Carnegie Mellon University.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. The name "Carnegie Mellon University" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For permission or any other legal
+ *    details, please contact  
+ *      Office of Technology Transfer
+ *      Carnegie Mellon University
+ *      5000 Forbes Avenue
+ *      Pittsburgh, PA  15213-3890
+ *      (412) 268-4387, fax: (412) 268-7395
+ *      tech-transfer@andrew.cmu.edu
+ *
+ * 4. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by Computing Services
+ *     at Carnegie Mellon University (http://www.cmu.edu/computing/)."
+ *
+ * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
+ * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <sasl.h>
+#include <saslplug.h>
+
+#include "plugin_common.h"
+
+#ifndef _SUN_SDK_
+#ifdef WIN32
+/* This must be after sasl.h */
+# include "saslLOGIN.h"
+#endif /* WIN32 */
+#endif /* !_SUN_SDK_ */
+
+/*****************************  Common Section  *****************************/
+
+#ifndef _SUN_SDK_
+static const char plugin_id[] = "$Id: login.c,v 1.25 2003/02/13 19:56:04 rjs3 Exp $";
+#endif /* !_SUN_SDK_ */
+
+/*****************************  Server Section  *****************************/
+
+typedef struct context {
+    int state;
+
+    char *username;
+    size_t username_len;
+} server_context_t;
+
+static int login_server_mech_new(void *glob_context __attribute__((unused)), 
+				 sasl_server_params_t *sparams,
+				 const char *challenge __attribute__((unused)),
+				 unsigned challen __attribute__((unused)),
+				 void **conn_context)
+{
+    server_context_t *text;
+    
+    /* holds state are in */
+    text = sparams->utils->malloc(sizeof(server_context_t));
+    if (text == NULL) {
+	MEMERROR( sparams->utils );
+	return SASL_NOMEM;
+    }
+    
+    memset(text, 0, sizeof(server_context_t));
+    
+    text->state = 1;
+    
+    *conn_context = text;
+    
+    return SASL_OK;
+}
+
+#define USERNAME_CHALLENGE "Username:"
+#define PASSWORD_CHALLENGE "Password:"
+
+static int login_server_mech_step(void *conn_context,
+				  sasl_server_params_t *params,
+				  const char *clientin,
+				  unsigned clientinlen,
+				  const char **serverout,
+				  unsigned *serveroutlen,
+				  sasl_out_params_t *oparams)
+{
+    server_context_t *text = (server_context_t *) conn_context;
+    
+    *serverout = NULL;
+    *serveroutlen = 0;
+    
+    switch (text->state) {
+
+    case 1:
+	text->state = 2;
+
+	/* Check inlen, (possibly we have already the user name) */
+	/* In this case fall through to state 2 */
+	if (clientinlen == 0) {
+	    /* demand username */
+	    
+	    *serveroutlen = strlen(USERNAME_CHALLENGE);
+	    *serverout = USERNAME_CHALLENGE;
+
+	    return SASL_CONTINUE;
+	}
+	
+	
+    case 2:
+	/* Catch really long usernames */
+	if (clientinlen > 1024) {
+#ifdef _SUN_SDK_
+	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
+		"username too long (>1024 characters)");
+#else
+	    SETERROR(params->utils, "username too long (>1024 characters)");
+#endif	/* _SUN_SDK_ */
+	    return SASL_BADPROT;
+	}
+	
+	/* get username */
+	text->username =
+	    params->utils->malloc(sizeof(sasl_secret_t) + clientinlen + 1);
+	if (!text->username) {
+	    MEMERROR( params->utils );
+	    return SASL_NOMEM;
+	}
+	
+	strncpy(text->username, clientin, clientinlen);
+	text->username_len = clientinlen;
+	text->username[clientinlen] = '\0';
+	
+	/* demand password */
+	*serveroutlen = strlen(PASSWORD_CHALLENGE);
+	*serverout = PASSWORD_CHALLENGE;
+	
+	text->state = 3;
+	
+	return SASL_CONTINUE;
+	
+	
+    case 3: {
+	sasl_secret_t *password;
+	int result;
+	
+	/* Catch really long passwords */
+	if (clientinlen > 1024) {
+#ifdef _SUN_SDK_
+	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
+		     "clientinlen is > 1024 characters in LOGIN plugin");
+#else
+	    SETERROR(params->utils,
+		     "clientinlen is > 1024 characters in LOGIN plugin");
+#endif	/* _SUN_SDK_ */
+	    return SASL_BADPROT;
+	}
+	
+	/* get password */
+	password =
+	    params->utils->malloc(sizeof(sasl_secret_t) + clientinlen + 1);
+	if (!password) {
+	    MEMERROR(params->utils);
+	    return SASL_NOMEM;
+	}
+	
+	strncpy((char *)password->data, clientin, clientinlen);
+	password->data[clientinlen] = '\0';
+	password->len = clientinlen;
+
+	/* canonicalize username first, so that password verification is
+	 * done against the canonical id */
+	result = params->canon_user(params->utils->conn, text->username,
+				    text->username_len,
+				    SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+	if (result != SASL_OK) {
+		_plug_free_secret(params->utils, &password);
+		return result;
+	}
+	
+	/* verify_password - return sasl_ok on success */
+	result = params->utils->checkpass(params->utils->conn,
+					oparams->authid, oparams->alen,
+					(char *)password->data, password->len);
+	
+	if (result != SASL_OK) {
+	    _plug_free_secret(params->utils, &password);
+	    return result;
+	}
+	
+	if (params->transition) {
+	    params->transition(params->utils->conn,
+			       (char *)password->data, password->len);
+	}
+	
+	_plug_free_secret(params->utils, &password);
+	
+	*serverout = NULL;
+	*serveroutlen = 0;
+	
+	oparams->doneflag = 1;
+	oparams->mech_ssf = 0;
+	oparams->maxoutbuf = 0;
+	oparams->encode_context = NULL;
+	oparams->encode = NULL;
+	oparams->decode_context = NULL;
+	oparams->decode = NULL;
+	oparams->param_version = 0;
+	
+	return SASL_OK;
+    }
+
+
+    default:
+	params->utils->log(NULL, SASL_LOG_ERR,
+			   "Invalid LOGIN server step %d\n", text->state);
+	return SASL_FAIL;
+    }
+    
+    return SASL_FAIL; /* should never get here */
+}
+
+static void login_server_mech_dispose(void *conn_context,
+				      const sasl_utils_t *utils)
+{
+    server_context_t *text = (server_context_t *) conn_context;
+    
+    if (!text) return;
+    
+    if (text->username) utils->free(text->username);
+    
+    utils->free(text);
+}
+
+static sasl_server_plug_t login_server_plugins[] = 
+{
+    {
+	"LOGIN",			/* mech_name */
+	0,				/* max_ssf */
+	SASL_SEC_NOANONYMOUS,		/* security_flags */
+	0,				/* features */
+	NULL,				/* glob_context */
+	&login_server_mech_new,		/* mech_new */
+	&login_server_mech_step,	/* mech_step */
+	&login_server_mech_dispose,	/* mech_dispose */
+	NULL,				/* mech_free */
+	NULL,				/* setpass */
+	NULL,				/* user_query */
+	NULL,				/* idle */
+	NULL,				/* mech_avail */
+	NULL				/* spare */
+    }
+};
+
+int login_server_plug_init(sasl_utils_t *utils,
+			   int maxversion,
+			   int *out_version,
+			   sasl_server_plug_t **pluglist,
+			   int *plugcount)
+{
+    if (maxversion < SASL_SERVER_PLUG_VERSION) {
+	SETERROR(utils, "LOGIN version mismatch");
+	return SASL_BADVERS;
+    }
+    
+    *out_version = SASL_SERVER_PLUG_VERSION;
+    *pluglist = login_server_plugins;
+    *plugcount = 1;  
+    
+    return SASL_OK;
+}
+
+/*****************************  Client Section  *****************************/
+
+typedef struct client_context {
+    int state;
+
+#ifdef _INTEGRATED_SOLARIS_
+    void *h;
+#endif /* _INTEGRATED_SOLARIS_ */
+    sasl_secret_t *password;
+    unsigned int free_password; /* set if we need to free password */
+} client_context_t;
+
+static int login_client_mech_new(void *glob_context __attribute__((unused)),
+				 sasl_client_params_t *params,
+				 void **conn_context)
+{
+    client_context_t *text;
+    
+    /* holds state are in */
+    text = params->utils->malloc(sizeof(client_context_t));
+    if (text == NULL) {
+	MEMERROR(params->utils);
+	return SASL_NOMEM;
+    }
+    
+    memset(text, 0, sizeof(client_context_t));
+    
+    text->state = 1;
+    
+    *conn_context = text;
+    
+    return SASL_OK;
+}
+
+static int login_client_mech_step(void *conn_context,
+				  sasl_client_params_t *params,
+				  const char *serverin __attribute__((unused)),
+				  unsigned serverinlen __attribute__((unused)),
+				  sasl_interact_t **prompt_need,
+				  const char **clientout,
+				  unsigned *clientoutlen,
+				  sasl_out_params_t *oparams)
+{
+    client_context_t *text = (client_context_t *) conn_context;
+    
+    *clientout = NULL;
+    *clientoutlen = 0;
+    
+    switch (text->state) {
+
+    case 1: {
+	const char *user;
+	int auth_result = SASL_OK;
+	int pass_result = SASL_OK;
+	int result;
+	
+	/* check if sec layer strong enough */
+	if (params->props.min_ssf > params->external_ssf) {
+#ifdef _INTEGRATED_SOLARIS_
+	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
+		gettext("SSF requested of LOGIN plugin"));
+#else
+	    SETERROR( params->utils, "SSF requested of LOGIN plugin");
+#endif /* _INTEGRATED_SOLARIS_ */
+	    return SASL_TOOWEAK;
+	}
+	
+	/* try to get the userid */
+	/* Note: we want to grab the authname and not the userid, which is
+	 *       who we AUTHORIZE as, and will be the same as the authname
+	 *       for the LOGIN mech.
+	 */
+	if (oparams->user == NULL) {
+	    auth_result = _plug_get_authid(params->utils, &user, prompt_need);
+	    
+	    if ((auth_result != SASL_OK) && (auth_result != SASL_INTERACT))
+		return auth_result;
+	}
+	
+	/* try to get the password */
+	if (text->password == NULL) {
+	    pass_result = _plug_get_password(params->utils, &text->password,
+					     &text->free_password, prompt_need);
+	    
+	    if ((pass_result != SASL_OK) && (pass_result != SASL_INTERACT))
+		return pass_result;
+	}
+	
+	/* free prompts we got */
+	if (prompt_need && *prompt_need) {
+	    params->utils->free(*prompt_need);
+	    *prompt_need = NULL;
+	}
+	
+	/* if there are prompts not filled in */
+	if ((auth_result == SASL_INTERACT) || (pass_result == SASL_INTERACT)) {
+	    /* make the prompt list */
+	    result =
+#ifdef _INTEGRATED_SOLARIS_
+		_plug_make_prompts(params->utils, &text->h, prompt_need,
+		    NULL, NULL,
+		    auth_result == SASL_INTERACT ?
+		    gettext("Please enter your authentication name") : NULL,
+		    NULL,
+		    pass_result == SASL_INTERACT ?
+		    gettext("Please enter your password") : NULL, NULL,
+		    NULL, NULL, NULL,
+		    NULL, NULL, NULL);
+#else
+		_plug_make_prompts(params->utils, prompt_need,
+				   NULL, NULL,
+				   auth_result == SASL_INTERACT ?
+				   "Please enter your authentication name" : NULL,
+				   NULL,
+				   pass_result == SASL_INTERACT ?
+				   "Please enter your password" : NULL, NULL,
+				   NULL, NULL, NULL,
+				   NULL, NULL, NULL);
+#endif /* _INTEGRATED_SOLARIS_ */
+	    if (result != SASL_OK) return result;
+	    
+	    return SASL_INTERACT;
+	}
+	
+	if (!text->password) {
+	    PARAMERROR(params->utils);
+	    return SASL_BADPARAM;
+	}
+    
+	result = params->canon_user(params->utils->conn, user, 0,
+				    SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+	if (result != SASL_OK) return result;
+	
+	/* server should have sent request for username - we ignore it */
+	if (!serverin) {
+#ifdef _SUN_SDK_
+	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
+		      "Server didn't issue challenge for USERNAME");
+#else
+	    SETERROR( params->utils,
+		      "Server didn't issue challenge for USERNAME");
+#endif /* _SUN_SDK_ */
+	    return SASL_BADPROT;
+	}
+	
+	if (!clientout) {
+	    PARAMERROR( params->utils );
+	    return SASL_BADPARAM;
+	}
+	
+	if (clientoutlen) *clientoutlen = oparams->alen;
+	*clientout = oparams->authid;
+	
+	text->state = 2;
+	
+	return SASL_CONTINUE;
+    }
+
+    case 2:
+	/* server should have sent request for password - we ignore it */
+	if (!serverin) {
+#ifdef _SUN_SDK_
+	    params->utils->log(params->utils->conn, SASL_LOG_ERR,
+		      "Server didn't issue challenge for PASSWORD");
+#else
+	    SETERROR( params->utils,
+		      "Server didn't issue challenge for PASSWORD");
+#endif /* _SUN_SDK_ */
+	    return SASL_BADPROT;
+	}
+	
+	if (!clientout) {
+	    PARAMERROR(params->utils);
+	    return SASL_BADPARAM;
+	}
+	
+	if (clientoutlen) *clientoutlen = text->password->len;
+	*clientout = (char *)text->password->data;
+	
+	/* set oparams */
+	oparams->doneflag = 1;
+	oparams->mech_ssf = 0;
+	oparams->maxoutbuf = 0;
+	oparams->encode_context = NULL;
+	oparams->encode = NULL;
+	oparams->decode_context = NULL;
+	oparams->decode = NULL;
+	oparams->param_version = 0;
+	
+	return SASL_OK;
+
+    default:
+	params->utils->log(NULL, SASL_LOG_ERR,
+			   "Invalid LOGIN client step %d\n", text->state);
+	return SASL_FAIL;
+    }
+
+    return SASL_FAIL; /* should never get here */
+}
+
+static void login_client_mech_dispose(void *conn_context,
+				      const sasl_utils_t *utils)
+{
+    client_context_t *text = (client_context_t *) conn_context;
+    
+    if (!text) return;
+    
+    /* free sensitive info */
+    if (text->free_password) _plug_free_secret(utils, &(text->password));
+#ifdef _INTEGRATED_SOLARIS_
+    convert_prompt(utils, &text->h, NULL);
+#endif /* _INTEGRATED_SOLARIS_ */
+    
+    utils->free(text);
+}
+
+static sasl_client_plug_t login_client_plugins[] = 
+{
+    {
+	"LOGIN",			/* mech_name */
+	0,				/* max_ssf */
+	SASL_SEC_NOANONYMOUS,		/* security_flags */
+	SASL_FEAT_SERVER_FIRST,		/* features */
+	NULL,				/* required_prompts */
+	NULL,				/* glob_context */
+	&login_client_mech_new,		/* mech_new */
+	&login_client_mech_step,	/* mech_step */
+	&login_client_mech_dispose,	/* mech_dispose */
+	NULL,				/* mech_free */
+	NULL,				/* idle */
+	NULL,				/* spare */
+	NULL				/* spare */
+    }
+};
+
+int login_client_plug_init(sasl_utils_t *utils,
+			   int maxversion,
+			   int *out_version,
+			   sasl_client_plug_t **pluglist,
+			   int *plugcount)
+{
+    if (maxversion < SASL_CLIENT_PLUG_VERSION) {
+	SETERROR(utils, "Version mismatch in LOGIN");
+	return SASL_BADVERS;
+    }
+    
+    *out_version = SASL_CLIENT_PLUG_VERSION;
+    *pluglist = login_client_plugins;
+    *plugcount = 1;
+    
+    return SASL_OK;
+}
diff --git a/usr/src/lib/sasl_plugins/login/login_init.c b/usr/src/lib/sasl_plugins/login/login_init.c
new file mode 100644
index 0000000000..cad7575294
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/login_init.c
@@ -0,0 +1,43 @@
+
+#include <config.h>
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#ifndef macintosh
+#include <sys/stat.h>
+#endif
+#include <fcntl.h>
+#include <assert.h>
+
+#include <sasl.h>
+#include <saslplug.h>
+#include <saslutil.h>
+
+#include "plugin_common.h"
+
+#ifdef macintosh
+#include <sasl_login_plugin_decl.h>
+#endif
+
+#ifdef WIN32
+BOOL APIENTRY DllMain( HANDLE hModule, 
+                       DWORD  ul_reason_for_call, 
+                       LPVOID lpReserved
+					 )
+{
+    switch (ul_reason_for_call)
+	{
+		case DLL_PROCESS_ATTACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+		case DLL_PROCESS_DETACH:
+			break;
+    }
+    return TRUE;
+}
+#endif
+
+SASL_CLIENT_PLUG_INIT( login )
+SASL_SERVER_PLUG_INIT( login )
+
diff --git a/usr/src/lib/sasl_plugins/login/sparc/Makefile b/usr/src/lib/sasl_plugins/login/sparc/Makefile
new file mode 100644
index 0000000000..edbceba8be
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/sparc/Makefile
@@ -0,0 +1,28 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
+#
+
+include ../Makefile.com
+
+install: all $(ROOTLIBS)
diff --git a/usr/src/lib/sasl_plugins/login/sparcv9/Makefile b/usr/src/lib/sasl_plugins/login/sparcv9/Makefile
new file mode 100644
index 0000000000..314d898f70
--- /dev/null
+++ b/usr/src/lib/sasl_plugins/login/sparcv9/Makefile
@@ -0,0 +1,29 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
+#
+
+include ../Makefile.com
+include $(SRC)/lib/Makefile.lib.64
+
+install: all $(ROOTLIBS64)
diff --git a/usr/src/pkg/manifests/system-library-security-libsasl.mf b/usr/src/pkg/manifests/system-library-security-libsasl.mf
index 227cde611f..5b5a6c7589 100644
--- a/usr/src/pkg/manifests/system-library-security-libsasl.mf
+++ b/usr/src/pkg/manifests/system-library-security-libsasl.mf
@@ -21,6 +21,7 @@
 
 #
 # Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2011 Nexenta Systems, Inc.
 #
 
 set name=pkg.fmri value=pkg:/system/library/security/libsasl@$(PKGVERS)
@@ -40,9 +41,11 @@ file path=usr/lib/$(ARCH64)/libsasl.so.1
 file path=usr/lib/libsasl.so.1
 file path=usr/lib/sasl/$(ARCH64)/crammd5.so.1
 file path=usr/lib/sasl/$(ARCH64)/digestmd5.so.1
+file path=usr/lib/sasl/$(ARCH64)/login.so.1
 file path=usr/lib/sasl/$(ARCH64)/plain.so.1
 file path=usr/lib/sasl/crammd5.so.1
 file path=usr/lib/sasl/digestmd5.so.1
+file path=usr/lib/sasl/login.so.1
 file path=usr/lib/sasl/plain.so.1
 legacy pkg=SUNWlibsasl \
     desc="Simple Authentication and Security Layer (SASL) v2 shared library and plugins" \