Update security/PAM to 0.77. Changes from version 0.75 include:

* Numerous bug fixes for most of the PAM modules, including several
  string length checks and fixes (update recommended!).

* fix for legacy behavior of pam_setcred and pam_close_session in
  the case that pam_authenticate and pam_open_session hadn't been
  called

* pam_unix:
	- don't zero out password strings during password changing function
* pam_wheel:
	- feature: can use the module to provide wheel access to non-root
	  accounts.
* pam_limits:
	- added '%' domain for maxlogins limiting, now '*' and @group
	  have the old meaning (every) and '%' the new one (all)
	- handle negative priority limits (which can apply to the
	  superuser too).
* pam_userdb:
	- require that all of typed password matches that in database
* pam_access:
	- added the 'fieldsep=' argument, made a PAM_RHOST of ""
	  equivalent to NULL

Incidentally, cups-1.1.18 will once again do PAM authentication using
pam_unix.so if built against PAM-0.77.

29 files changed, 875 insertions, 747 deletions

diff --git a/security/PAM/Makefile b/security/PAM/Makefile
index 0e1ceb41828..199e4b0389a 100644
--- a/security/PAM/Makefile
+++ b/security/PAM/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.11 2002/08/25 18:39:48 jlam Exp $
+# $NetBSD: Makefile,v 1.12 2002/12/23 21:23:56 jlam Exp $
 #
 
 DISTNAME=	Linux-${PKGNAME}
-PKGNAME=	PAM-0.75
+PKGNAME=	PAM-0.77
 CATEGORIES=	security
 MASTER_SITES=	http://www.kernel.org/pub/linux/libs/pam/pre/library/ \
 		ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/
@@ -13,20 +13,29 @@ COMMENT=	Pluggable Authentication Modules
 
 USE_BUILDLINK2=		yes
 USE_GMAKE=		yes
+USE_DB185=		yes
 
 GNU_CONFIGURE=		yes
+CONFIGURE_ARGS+=	--enable-docdir=${PREFIX}/share/doc/PAM
 CONFIGURE_ARGS+=	--enable-includedir=${PREFIX}/include
+CONFIGURE_ARGS+=	--enable-mandir=${PREFIX}/man
 CONFIGURE_ARGS+=	--enable-sconfigdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=	--enable-static-libpam
+CONFIGURE_ENV+=		ac_cv_prog_HAVE_SGML2TXT=no
+CONFIGURE_ENV+=		ac_cv_prog_HAVE_SGML2HTML=no
+CONFIGURE_ENV+=		ac_cv_prog_HAVE_SGML2LATEX=no
+CONFIGURE_ENV+=		ac_cv_prog_HAVE_SGML2PS=no
+CONFIGURE_ENV+=		ac_cv_prog_HAVE_PS2PDF=no
 
-CFLAGS+=		-DHAVE_UTMP_H=1
-CFLAGS+=		-fPIC
+.include "../../mk/bsd.prefs.mk"
+
+.if !empty(OPSYS:M*BSD)
+CFLAGS+=		-DUSE_GETLOGIN=1
+.endif
 MAKE_FLAGS+=		OS_CFLAGS="${CFLAGS}"
 
 PKG_SYSCONFSUBDIR?=	pam
 EGDIR=			${PREFIX}/share/examples/${PKGBASE}
-DOCDIR=			${PREFIX}/share/doc/${PKGBASE}
-HTMLDIR=		${PREFIX}/share/doc/html/${PKGBASE}
 
 CFILES=			access.conf pam_env.conf group.conf time.conf
 CONF_FILES=		${EGDIR}/pam.conf ${PKG_SYSCONFBASE}/pam.conf
@@ -34,12 +43,6 @@ CONF_FILES=		${EGDIR}/pam.conf ${PKG_SYSCONFBASE}/pam.conf
 CONF_FILES+=		${EGDIR}/${FILE} ${PKG_SYSCONFDIR}/${FILE}
 .endfor
 
-post-extract:
-	cd ${WRKSRC}/doc;						\
-	if [ -f ${DISTNAME}-docs.tar.gz ]; then				\
-		${GZCAT} ${DISTNAME}-docs.tar.gz | ${GTAR} -xf -;	\
-	fi
-
 post-install:
 	${INSTALL_DATA_DIR} ${EGDIR}
 	${INSTALL_DATA} ${WRKSRC}/conf/pam.conf ${EGDIR}
@@ -49,14 +52,8 @@ post-install:
 	${INSTALL_DATA} ${WRKSRC}/modules/pam_group/group.conf ${EGDIR}
 	${INSTALL_DATA} ${WRKSRC}/modules/pam_time/time.conf ${EGDIR}
 	${INSTALL_DATA_DIR} ${DOCDIR}
-	cd ${WRKSRC}/doc; for file in modules/*.sgml; do		\
-		${INSTALL_DATA} $${file} ${DOCDIR};			\
-	done
-	${INSTALL_DATA_DIR} ${HTMLDIR}
-	cd ${WRKSRC}/doc; for file in html/*.html; do			\
-		${INSTALL_DATA} $${file} ${HTMLDIR};			\
-	done
 
+.include "../../databases/db/buildlink2.mk"
 .include "../../security/libcrack/buildlink2.mk"
 .include "../../mk/bsd.pkg.install.mk"
 .include "../../mk/bsd.pkg.mk"
diff --git a/security/PAM/PLIST b/security/PAM/PLIST
index 932787e26db..8dbde7a8ca5 100644
--- a/security/PAM/PLIST
+++ b/security/PAM/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.3 2002/01/29 21:08:48 jlam Exp $
+@comment $NetBSD: PLIST,v 1.4 2002/12/23 21:23:57 jlam Exp $
 include/security/_pam_aconf.h
 include/security/_pam_compat.h
 include/security/_pam_macros.h
@@ -11,20 +11,22 @@ include/security/pam_modules.h
 lib/libpam.a
 lib/libpam.so
 lib/libpam.so.0
-lib/libpam.so.0.75
+lib/libpam.so.0.77
 lib/libpam_misc.a
 lib/libpam_misc.so
 lib/libpam_misc.so.0
-lib/libpam_misc.so.0.75
+lib/libpam_misc.so.0.77
 lib/libpamc.a
 lib/libpamc.so
 lib/libpamc.so.0
-lib/libpamc.so.0.75
+lib/libpamc.so.0.77
 lib/security/pam_access.so
 lib/security/pam_cracklib.so
+lib/security/pam_debug.so
 lib/security/pam_deny.so
 lib/security/pam_env.so
 lib/security/pam_filter.so
+lib/security/pam_filter/upperLOWER
 lib/security/pam_ftp.so
 lib/security/pam_group.so
 lib/security/pam_issue.so
@@ -55,94 +57,23 @@ man/man3/pam_chauthtok.3
 man/man3/pam_close_session.3
 man/man3/pam_end.3
 man/man3/pam_fail_delay.3
+man/man3/pam_get_item.3
 man/man3/pam_open_session.3
+man/man3/pam_set_item.3
 man/man3/pam_setcred.3
 man/man3/pam_start.3
 man/man3/pam_strerror.3
 man/man8/pam.8
 man/man8/pam.conf.8
 man/man8/pam.d.8
-sbin/pam_filter/upperLOWER
+sbin/pam_tally
 sbin/unix_chkpwd
-share/doc/${PKGBASE}/pam_access.sgml
-share/doc/${PKGBASE}/pam_chroot.sgml
-share/doc/${PKGBASE}/pam_cracklib.sgml
-share/doc/${PKGBASE}/pam_deny.sgml
-share/doc/${PKGBASE}/pam_env.sgml
-share/doc/${PKGBASE}/pam_filter.sgml
-share/doc/${PKGBASE}/pam_ftp.sgml
-share/doc/${PKGBASE}/pam_group.sgml
-share/doc/${PKGBASE}/pam_issue.sgml
-share/doc/${PKGBASE}/pam_krb4.sgml
-share/doc/${PKGBASE}/pam_lastlog.sgml
-share/doc/${PKGBASE}/pam_limits.sgml
-share/doc/${PKGBASE}/pam_listfile.sgml
-share/doc/${PKGBASE}/pam_mail.sgml
-share/doc/${PKGBASE}/pam_mkhomedir.sgml
-share/doc/${PKGBASE}/pam_motd.sgml
-share/doc/${PKGBASE}/pam_nologin.sgml
-share/doc/${PKGBASE}/pam_permit.sgml
-share/doc/${PKGBASE}/pam_pwdb.sgml
-share/doc/${PKGBASE}/pam_radius.sgml
-share/doc/${PKGBASE}/pam_rhosts.sgml
-share/doc/${PKGBASE}/pam_rootok.sgml
-share/doc/${PKGBASE}/pam_securetty.sgml
-share/doc/${PKGBASE}/pam_tally.sgml
-share/doc/${PKGBASE}/pam_time.sgml
-share/doc/${PKGBASE}/pam_unix.sgml
-share/doc/${PKGBASE}/pam_userdb.sgml
-share/doc/${PKGBASE}/pam_warn.sgml
-share/doc/${PKGBASE}/pam_wheel.sgml
-share/doc/html/${PKGBASE}/index.html
-share/doc/html/${PKGBASE}/pam-1.html
-share/doc/html/${PKGBASE}/pam-10.html
-share/doc/html/${PKGBASE}/pam-11.html
-share/doc/html/${PKGBASE}/pam-12.html
-share/doc/html/${PKGBASE}/pam-2.html
-share/doc/html/${PKGBASE}/pam-3.html
-share/doc/html/${PKGBASE}/pam-4.html
-share/doc/html/${PKGBASE}/pam-5.html
-share/doc/html/${PKGBASE}/pam-6.html
-share/doc/html/${PKGBASE}/pam-7.html
-share/doc/html/${PKGBASE}/pam-8.html
-share/doc/html/${PKGBASE}/pam-9.html
-share/doc/html/${PKGBASE}/pam.html
-share/doc/html/${PKGBASE}/pam_appl-1.html
-share/doc/html/${PKGBASE}/pam_appl-10.html
-share/doc/html/${PKGBASE}/pam_appl-11.html
-share/doc/html/${PKGBASE}/pam_appl-12.html
-share/doc/html/${PKGBASE}/pam_appl-13.html
-share/doc/html/${PKGBASE}/pam_appl-14.html
-share/doc/html/${PKGBASE}/pam_appl-2.html
-share/doc/html/${PKGBASE}/pam_appl-3.html
-share/doc/html/${PKGBASE}/pam_appl-4.html
-share/doc/html/${PKGBASE}/pam_appl-5.html
-share/doc/html/${PKGBASE}/pam_appl-6.html
-share/doc/html/${PKGBASE}/pam_appl-7.html
-share/doc/html/${PKGBASE}/pam_appl-8.html
-share/doc/html/${PKGBASE}/pam_appl-9.html
-share/doc/html/${PKGBASE}/pam_appl.html
-share/doc/html/${PKGBASE}/pam_modules-1.html
-share/doc/html/${PKGBASE}/pam_modules-10.html
-share/doc/html/${PKGBASE}/pam_modules-11.html
-share/doc/html/${PKGBASE}/pam_modules-12.html
-share/doc/html/${PKGBASE}/pam_modules-2.html
-share/doc/html/${PKGBASE}/pam_modules-3.html
-share/doc/html/${PKGBASE}/pam_modules-4.html
-share/doc/html/${PKGBASE}/pam_modules-5.html
-share/doc/html/${PKGBASE}/pam_modules-6.html
-share/doc/html/${PKGBASE}/pam_modules-7.html
-share/doc/html/${PKGBASE}/pam_modules-8.html
-share/doc/html/${PKGBASE}/pam_modules-9.html
-share/doc/html/${PKGBASE}/pam_modules.html
 share/examples/${PKGBASE}/access.conf
 share/examples/${PKGBASE}/group.conf
 share/examples/${PKGBASE}/pam.conf
 share/examples/${PKGBASE}/pam_env.conf
 share/examples/${PKGBASE}/time.conf
 @dirrm share/examples/${PKGBASE}
-@dirrm share/doc/html/${PKGBASE}
-@dirrm share/doc/${PKGBASE}
-@dirrm sbin/pam_filter
+@dirrm lib/security/pam_filter
 @dirrm lib/security
 @dirrm include/security
diff --git a/security/PAM/distinfo b/security/PAM/distinfo
index 0d9601e2c70..3d05cf91a79 100644
--- a/security/PAM/distinfo
+++ b/security/PAM/distinfo
@@ -1,23 +1,23 @@
-$NetBSD: distinfo,v 1.4 2002/01/29 17:10:10 jlam Exp $
+$NetBSD: distinfo,v 1.5 2002/12/23 21:23:57 jlam Exp $
 
-SHA1 (Linux-PAM-0.75.tar.gz) = 5151e9f91e69c199988d1397a90d07b0c459896b
-Size (Linux-PAM-0.75.tar.gz) = 874549 bytes
-SHA1 (patch-aa) = 6d10ac69ffead0d4d78adb58081920d68922034a
-SHA1 (patch-ac) = a1816f6d42fdd168c6e689a976cc4d27f72c3d32
-SHA1 (patch-aj) = cd8f889540d8d8794c7ea7d1e252d984509a9ad0
-SHA1 (patch-al) = 3a49be8ca4dcf47e2ba78107455d59c6cfa34889
-SHA1 (patch-an) = fdb8337a06abdfaf020639dec95df68b2a59496a
-SHA1 (patch-ao) = c1fcc3ae3a8d9239dd06a5cf30f5bb52743770de
-SHA1 (patch-ap) = 150bb938c25150a3913520401ec29b6797ede7e8
-SHA1 (patch-ar) = 1f904ee50c7710bd599ee4bed60a8eb5aa90986a
-SHA1 (patch-au) = f339c50f765f8f86a00a6403e276719b035d7745
-SHA1 (patch-av) = d6b89d9d6c434c48fe54e556d150c7ff9ac7288c
-SHA1 (patch-aw) = b4ee852cc4c13b668b5a613668f91c3a6a95b450
-SHA1 (patch-az) = b0caa87c0aeb131c941eeb6a994042ea7742afa4
-SHA1 (patch-ba) = c4dbd3af959222c990f3cd23af2861ec7f3b0701
-SHA1 (patch-bb) = 68e2149c0f1f8186199bfc3690feeb0e3394036c
-SHA1 (patch-bc) = bcb321fa850b17ff7a7dc179c029ab33811cfe56
-SHA1 (patch-bd) = c42a7c8cc3a06648d07e0d1fa5a369e9a8224a75
-SHA1 (patch-be) = 80a993a93e1d786bc3c297227c128de084eba746
-SHA1 (patch-bf) = a5846710b69f36a02b585727abd7ecb22ecc9c81
-SHA1 (patch-bg) = 7f78998a103c344682c8f1d889162a4e219145c1
+SHA1 (Linux-PAM-0.77.tar.gz) = 58dff29aec3c0b6a9e9b53af6fb643056ce0f304
+Size (Linux-PAM-0.77.tar.gz) = 442569 bytes
+SHA1 (patch-aa) = 99f4889c24ff71a9e40e0e913d6071b78a326877
+SHA1 (patch-ab) = c0257ace9538c4cf623a476e602eac30d42301d6
+SHA1 (patch-ac) = 9153b5aa54c68dc07deb6325a9ea03dbc28e1624
+SHA1 (patch-ad) = b3713e7150ecfa5dce47680b03c455317f1596de
+SHA1 (patch-ae) = 7e42fcd8f1d3f621e6a3ff8ea46093a221eb2c6a
+SHA1 (patch-af) = 966d42796a99d38dfa9bbdefb3daf7c48122fc88
+SHA1 (patch-ag) = f7673f80592466e1cdeb22645a620aaa3602903d
+SHA1 (patch-ah) = 30e13e82faa3b8978e28725b7c8cd8577aab8beb
+SHA1 (patch-ai) = 950c9e949c72eaf904452d8afefc0f994101e5a8
+SHA1 (patch-aj) = d47bc58c3dc810497290d6ec4a3646380b5fa4d7
+SHA1 (patch-ak) = 491aa837ee756269d57d642aeba999d1f8cc8187
+SHA1 (patch-al) = 29c9ca136655d49d739d3c4dc664af9f0b1a5fa8
+SHA1 (patch-am) = 9cf69342d0c6665ff6d9eebec35d6c3898854c8a
+SHA1 (patch-an) = 46e85fc6db95eda99ed664e7d4282a49d95437c4
+SHA1 (patch-ao) = da8c42c2afa2c66fee4e8f453970d1a4b3a0f285
+SHA1 (patch-ap) = 0a923b67a909dde6f72129b0c853088f9d48bd91
+SHA1 (patch-aq) = 91587c5b9c6587221708247decb0e82f665ae2bf
+SHA1 (patch-ar) = b7428fcc1f561892510acce57fc91e0dafb044fc
+SHA1 (patch-as) = e4fdfef53c097985c2aa8ff8225fed1caa812c10
diff --git a/security/PAM/patches/patch-aa b/security/PAM/patches/patch-aa
index d5ae2bb418f..dba0b5acc73 100644
--- a/security/PAM/patches/patch-aa
+++ b/security/PAM/patches/patch-aa
@@ -1,29 +1,21 @@
-$NetBSD: patch-aa,v 1.3 2002/01/29 17:10:10 jlam Exp $
+$NetBSD: patch-aa,v 1.4 2002/12/23 21:23:58 jlam Exp $
 
---- Makefile.orig	Sat Jan 20 17:29:47 2001
-+++ Makefile
-@@ -58,20 +58,20 @@
- install: _pam_aconf.h prep
- 	$(MKDIR) $(FAKEROOT)$(INCLUDED)
- 	$(INSTALL) -m 444 security/_pam_aconf.h $(FAKEROOT)$(INCLUDED)
--	for x in $(THINGSTOMAKE) ; do make -C $$x install ; done
-+	for x in $(THINGSTOMAKE) ; do $(MAKE) -C $$x install ; done
+--- _pam_aconf.h.in.orig	Sun Nov 25 22:04:46 2001
++++ _pam_aconf.h.in
+@@ -28,6 +28,16 @@
+ # include <features.h>
+ #endif /* HAVE_FEATURES_H */
  
- remove:
- 	rm -f $(FAKEROOT)$(INCLUDED)/_pam_aconf.h
--	for x in $(THINGSTOMAKE) ; do make -C $$x remove ; done
-+	for x in $(THINGSTOMAKE) ; do $(MAKE) -C $$x remove ; done
++/* we have <utmp.h> */
++#undef HAVE_UTMP_H
++
++/* we have <termios.h> */
++#undef HAVE_TERMIOS_H
++
++/* we have Linux shadow passwords */
++#undef HAVE_SHADOW_H
++#undef HAVE_GETSPNAM
++
+ /* we have libcrack available */
+ #undef HAVE_LIBCRACK
  
- release:
--	@if [ ! -f Make.Rules ]; then echo make Make.Rules first ; exit 1; fi
-+	@if [ ! -f Make.Rules ]; then echo $(MAKE) Make.Rules first ; exit 1; fi
- 	@if [ ! -L ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) ]; then \
- 	   echo generating ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) link ; \
- 	   ln -sf $(DISTNAME) ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) ; \
- 	   echo to ../$(DISTNAME) . ; fi
- 	@diff ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/Make.Rules Make.Rules
--	make distclean
-+	$(MAKE) distclean
- 	cd .. ; tar zvfc $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL).tar.gz \
- 		--exclude CVS --exclude .cvsignore --exclude '.#*' \
- 		$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/*
diff --git a/security/PAM/patches/patch-ab b/security/PAM/patches/patch-ab
new file mode 100644
index 00000000000..c622a83c854
--- /dev/null
+++ b/security/PAM/patches/patch-ab
@@ -0,0 +1,55 @@
+$NetBSD: patch-ab,v 1.3 2002/12/23 21:23:58 jlam Exp $
+
+--- configure.in.orig	Tue Jul  9 02:17:13 2002
++++ configure.in
+@@ -199,7 +199,7 @@ AC_CHECK_LIB(crack, FascistCheck, HAVE_L
+ 	HAVE_LIBCRACK=no)
+ AC_SUBST(HAVE_LIBCRACK)
+ 
+-AC_CHECK_LIB(crypt, fcrypt, HAVE_LIBCRYPT=yes ; AC_DEFINE(HAVE_LIBCRYPT),
++AC_CHECK_LIB(crypt, crypt, HAVE_LIBCRYPT=yes ; AC_DEFINE(HAVE_LIBCRYPT),
+ 	HAVE_LIBCRYPT=no)
+ AC_SUBST(HAVE_LIBCRYPT)
+ AC_CHECK_LIB(util, logwtmp, HAVE_LIBUTIL=yes ; AC_DEFINE(HAVE_LIBUTIL),
+@@ -240,6 +240,13 @@ AC_CHECK_HEADERS(fcntl.h limits.h malloc
+ dnl Linux wants features.h in some of the source files.
+ AC_CHECK_HEADERS(features.h)
+ 
++dnl For module/pam_filter
++AC_CHECK_HEADERS(termios.h)
++
++dnl For module/pam_unix
++AC_CHECK_HEADERS(shadow.h)
++AC_CHECK_FUNCS(getspnam)
++
+ dnl For module/pam_cracklib
+ AC_CHECK_HEADERS(crypt.h)
+ 
+@@ -257,7 +264,7 @@ dnl being found.
+ 
+ dnl Look for cracklib dictionary
+ AC_MSG_CHECKING(path to cracklib dictionary)
+-DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \
++DICT_DIR_CANDIDATES="${prefix}/libdata /usr/lib /usr/share/dict /usr/share/lib \
+   /usr/local/lib /usr/local/share/lib"
+ DICT_FILE_CANDIDATES="pw_dict cracklib_dict"
+ CRACKLIB_DICTPATH=""
+@@ -305,6 +312,18 @@ if test "$GCC" = yes; then
+ 	case $OS in
+ 	linux)
+ 		OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic"
++		LD_D="gcc -shared -Xlinker -x"
++		WARNINGS="$GCC_WARNINGS"
++		PIC="-fPIC"
++		DYNTYPE=so
++		LD=ld				
++		LD_L="$LD -x -shared"
++		RANLIB=ranlib
++		STRIP=strip
++		CC_STATIC="-Xlinker -export-dynamic"
++		;;
++	netbsd)
++		OS_CFLAGS=""
+ 		LD_D="gcc -shared -Xlinker -x"
+ 		WARNINGS="$GCC_WARNINGS"
+ 		PIC="-fPIC"
diff --git a/security/PAM/patches/patch-ac b/security/PAM/patches/patch-ac
index f90b376e9cc..ec194130fc6 100644
--- a/security/PAM/patches/patch-ac
+++ b/security/PAM/patches/patch-ac
@@ -1,13 +1,222 @@
-$NetBSD: patch-ac,v 1.2 2002/01/29 17:10:10 jlam Exp $
+$NetBSD: patch-ac,v 1.3 2002/12/23 21:23:58 jlam Exp $
 
---- modules/pam_access/Makefile.orig	Mon Jan 28 17:28:23 2002
-+++ modules/pam_access/Makefile
-@@ -14,8 +14,4 @@
- DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\"
- CFLAGS += $(DEFS)
- 
--MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)"
--MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE)
--MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age
--
- include ../Simple.Rules
+--- configure.orig	Tue Jul  9 02:17:13 2002
++++ configure
+@@ -1507,9 +1507,9 @@ fi
+ 
+ 
+ 
+-echo $ac_n "checking for fcrypt in -lcrypt""... $ac_c" 1>&6
+-echo "configure:1512: checking for fcrypt in -lcrypt" >&5
+-ac_lib_var=`echo crypt'_'fcrypt | sed 'y%./+-%__p_%'`
++echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6
++echo "configure:1512: checking for crypt in -lcrypt" >&5
++ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1521,10 +1521,10 @@ cat > conftest.$ac_ext <<EOF
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+     builtin and then its argument prototype would still apply.  */
+-char fcrypt();
++char crypt();
+ 
+ int main() {
+-fcrypt()
++crypt()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:1531: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+@@ -2312,7 +2312,7 @@ fi
+ done
+ 
+ 
+-for ac_hdr in crypt.h
++for ac_hdr in termios.h
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+@@ -2353,7 +2353,7 @@ fi
+ done
+ 
+ 
+-for ac_hdr in ndbm.h db.h
++for ac_hdr in shadow.h
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+@@ -2393,6 +2393,143 @@ else
+ fi
+ done
+ 
++for ac_func in getspnam
++do
++echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
++echo "configure:2400: checking for $ac_func" >&5
++if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
++  echo $ac_n "(cached) $ac_c" 1>&6
++else
++  cat > conftest.$ac_ext <<EOF
++#line 2405 "configure"
++#include "confdefs.h"
++/* System header to define __stub macros and hopefully few prototypes,
++    which can conflict with char $ac_func(); below.  */
++#include <assert.h>
++/* Override any gcc2 internal prototype to avoid an error.  */
++/* We use char because int might match the return type of a gcc2
++    builtin and then its argument prototype would still apply.  */
++char $ac_func();
++
++int main() {
++
++/* The GNU C library defines this for functions which it implements
++    to always fail with ENOSYS.  Some functions are actually named
++    something starting with __ and the normal name is an alias.  */
++#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
++choke me
++#else
++$ac_func();
++#endif
++
++; return 0; }
++EOF
++if { (eval echo configure:2428: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++  rm -rf conftest*
++  eval "ac_cv_func_$ac_func=yes"
++else
++  echo "configure: failed program was:" >&5
++  cat conftest.$ac_ext >&5
++  rm -rf conftest*
++  eval "ac_cv_func_$ac_func=no"
++fi
++rm -f conftest*
++fi
++
++if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
++  echo "$ac_t""yes" 1>&6
++    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
++  cat >> confdefs.h <<EOF
++#define $ac_tr_func 1
++EOF
++ 
++else
++  echo "$ac_t""no" 1>&6
++fi
++done
++
++
++for ac_hdr in crypt.h
++do
++ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
++echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
++echo "configure:2457: checking for $ac_hdr" >&5
++if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
++  echo $ac_n "(cached) $ac_c" 1>&6
++else
++  cat > conftest.$ac_ext <<EOF
++#line 2462 "configure"
++#include "confdefs.h"
++#include <$ac_hdr>
++EOF
++ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
++{ (eval echo configure:2467: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
++if test -z "$ac_err"; then
++  rm -rf conftest*
++  eval "ac_cv_header_$ac_safe=yes"
++else
++  echo "$ac_err" >&5
++  echo "configure: failed program was:" >&5
++  cat conftest.$ac_ext >&5
++  rm -rf conftest*
++  eval "ac_cv_header_$ac_safe=no"
++fi
++rm -f conftest*
++fi
++if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
++  echo "$ac_t""yes" 1>&6
++    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
++  cat >> confdefs.h <<EOF
++#define $ac_tr_hdr 1
++EOF
++ 
++else
++  echo "$ac_t""no" 1>&6
++fi
++done
++
++
++for ac_hdr in ndbm.h db.h
++do
++ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
++echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
++echo "configure:2498: checking for $ac_hdr" >&5
++if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
++  echo $ac_n "(cached) $ac_c" 1>&6
++else
++  cat > conftest.$ac_ext <<EOF
++#line 2503 "configure"
++#include "confdefs.h"
++#include <$ac_hdr>
++EOF
++ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
++{ (eval echo configure:2508: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
++if test -z "$ac_err"; then
++  rm -rf conftest*
++  eval "ac_cv_header_$ac_safe=yes"
++else
++  echo "$ac_err" >&5
++  echo "configure: failed program was:" >&5
++  cat conftest.$ac_ext >&5
++  rm -rf conftest*
++  eval "ac_cv_header_$ac_safe=no"
++fi
++rm -f conftest*
++fi
++if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
++  echo "$ac_t""yes" 1>&6
++    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
++  cat >> confdefs.h <<EOF
++#define $ac_tr_hdr 1
++EOF
++ 
++else
++  echo "$ac_t""no" 1>&6
++fi
++done
++
+ HAVE_NDBM_H=$ac_cv_header_ndbm_h
+ 
+ 
+@@ -2439,8 +2576,8 @@ done
+ 
+ 
+ echo $ac_n "checking path to cracklib dictionary""... $ac_c" 1>&6
+-echo "configure:2443: checking path to cracklib dictionary" >&5
+-DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \
++echo "configure:2580: checking path to cracklib dictionary" >&5
++DICT_DIR_CANDIDATES="${prefix}/libdata /usr/lib /usr/share/dict /usr/share/lib \
+   /usr/local/lib /usr/local/share/lib"
+ DICT_FILE_CANDIDATES="pw_dict cracklib_dict"
+ CRACKLIB_DICTPATH=""
+@@ -2475,6 +2612,18 @@ if test "$GCC" = yes; then
+ 	case $OS in
+ 	linux)
+ 		OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic"
++		LD_D="gcc -shared -Xlinker -x"
++		WARNINGS="$GCC_WARNINGS"
++		PIC="-fPIC"
++		DYNTYPE=so
++		LD=ld				
++		LD_L="$LD -x -shared"
++		RANLIB=ranlib
++		STRIP=strip
++		CC_STATIC="-Xlinker -export-dynamic"
++		;;
++	netbsd)
++		OS_CFLAGS=""
+ 		LD_D="gcc -shared -Xlinker -x"
+ 		WARNINGS="$GCC_WARNINGS"
+ 		PIC="-fPIC"
diff --git a/security/PAM/patches/patch-be b/security/PAM/patches/patch-ad
index f177b68cd37..5e8986285d9 100644
--- a/security/PAM/patches/patch-be
+++ b/security/PAM/patches/patch-ad
@@ -1,8 +1,8 @@
-$NetBSD: patch-be,v 1.1 2002/01/29 17:10:12 jlam Exp $
+$NetBSD: patch-ad,v 1.3 2002/12/23 21:23:58 jlam Exp $
 
---- libpam/Makefile.orig	Mon Jan 28 19:00:46 2002
+--- libpam/Makefile.orig	Sun Dec  9 16:44:58 2001
 +++ libpam/Makefile
-@@ -125,8 +125,9 @@
+@@ -125,8 +125,9 @@ ifeq ($(DYNAMIC_LIBPAM),yes)
  	$(INSTALL) -m $(SHLIBMODE) $(LIBPAM) $(FAKEROOT)$(libdir)/$(LIBPAMFULL)
  	$(LDCONFIG)
    ifneq ($(DYNTYPE),"sl")
diff --git a/security/PAM/patches/patch-bf b/security/PAM/patches/patch-ae
index ada9b4f5a2f..f21c9a72d03 100644
--- a/security/PAM/patches/patch-bf
+++ b/security/PAM/patches/patch-ae
@@ -1,8 +1,8 @@
-$NetBSD: patch-bf,v 1.1 2002/01/29 17:10:12 jlam Exp $
+$NetBSD: patch-ae,v 1.3 2002/12/23 21:23:58 jlam Exp $
 
---- libpam_misc/Makefile.orig	Mon Jan 28 19:00:46 2002
+--- libpam_misc/Makefile.orig	Thu Jun 27 00:04:54 2002
 +++ libpam_misc/Makefile
-@@ -85,7 +85,7 @@
+@@ -86,7 +86,7 @@ ifeq ($(DYNAMIC_LIBPAM),yes)
  	$(INSTALL) -m $(SHLIBMODE) $(LIBNAMED) $(FAKEROOT)$(libdir)/$(LIBNAMEDFULL)
  	$(LDCONFIG)
    ifneq ($(DYNTYPE),"sl")
diff --git a/security/PAM/patches/patch-bg b/security/PAM/patches/patch-af
index d0300df7d44..2a61cae0783 100644
--- a/security/PAM/patches/patch-bg
+++ b/security/PAM/patches/patch-af
@@ -1,8 +1,8 @@
-$NetBSD: patch-bg,v 1.1 2002/01/29 17:10:13 jlam Exp $
+$NetBSD: patch-af,v 1.3 2002/12/23 21:23:58 jlam Exp $
 
---- libpamc/Makefile.orig	Mon Jan 28 19:00:46 2002
+--- libpamc/Makefile.orig	Sat Feb 10 02:17:53 2001
 +++ libpamc/Makefile
-@@ -85,7 +85,7 @@
+@@ -85,7 +85,7 @@ ifeq ($(DYNAMIC_LIBPAM),yes)
  	$(INSTALL) -m $(SHLIBMODE) $(LIBNAMED) $(FAKEROOT)$(libdir)/$(LIBNAMEDFULL)
  	$(LDCONFIG)
    ifneq ($(DYNTYPE),"sl")
diff --git a/security/PAM/patches/patch-ag b/security/PAM/patches/patch-ag
new file mode 100644
index 00000000000..4de2339b78f
--- /dev/null
+++ b/security/PAM/patches/patch-ag
@@ -0,0 +1,19 @@
+$NetBSD: patch-ag,v 1.3 2002/12/23 21:23:58 jlam Exp $
+
+--- modules/Makefile.orig	Sun Dec  9 17:15:11 2001
++++ modules/Makefile
+@@ -12,7 +12,7 @@ MODDIRS=$(shell /bin/ls -d pam_*)
+ 
+ all:	
+ 	@echo building the static modutil library
+-	make -C pammodutil all
++	$(MAKE) -C pammodutil all
+ 	@echo modules sources available are:
+ 	@ls -d $(MODDIRS) 2>/dev/null ; echo :--------
+ 	@echo
+@@ -55,4 +55,4 @@ clean: lclean
+ 			$(MAKE) -C $$i clean ; \
+ 		} fi ; \
+ 	done
+-	make -C pammodutil clean
++	$(MAKE) -C pammodutil clean
diff --git a/security/PAM/patches/patch-ah b/security/PAM/patches/patch-ah
new file mode 100644
index 00000000000..de584276bd5
--- /dev/null
+++ b/security/PAM/patches/patch-ah
@@ -0,0 +1,22 @@
+$NetBSD: patch-ah,v 1.4 2002/12/23 21:23:59 jlam Exp $
+
+--- modules/Simple.Rules.orig	Sun Dec  9 17:15:11 2001
++++ modules/Simple.Rules
+@@ -59,7 +59,7 @@ endif
+ 
+ ifdef DYNAMIC
+ $(LIBSHARED):	$(LIBOBJD)
+-	$(LD_D) -o $@ $(LIBOBJD) $(MODULE_SIMPLE_EXTRALIBS) $(NEED_LINK_LIB_C) $(LINK_PAMMODUTILS)
++	$(LD_D) $(LDFLAGS) -o $@ $(LIBOBJD) $(MODULE_SIMPLE_EXTRALIBS) $(NEED_LINK_LIB_C) $(LINK_PAMMODUTILS)
+ 
+ endif
+ 
+@@ -69,7 +69,7 @@ endif
+ 
+ ifdef STATIC
+ $(LIBSTATIC): $(LIBOBJS)
+-	$(LD) -r -o $@ $(LIBOBJS) $(MODULE_SIMPLE_EXTRALIBS) $(LINK_PAMMODUTILS)
++	$(LD) $(LDFLAGS) -r -o $@ $(LIBOBJS) $(MODULE_SIMPLE_EXTRALIBS) $(LINK_PAMMODUTILS)
+ endif
+ 
+ install: all
diff --git a/security/PAM/patches/patch-av b/security/PAM/patches/patch-ai
index 89d19f1c359..bef7f8d3fcf 100644
--- a/security/PAM/patches/patch-av
+++ b/security/PAM/patches/patch-ai
@@ -1,8 +1,8 @@
-$NetBSD: patch-av,v 1.2 2002/01/29 17:10:12 jlam Exp $
+$NetBSD: patch-ai,v 1.3 2002/12/23 21:23:59 jlam Exp $
 
---- modules/pam_env/Makefile.orig	Mon Jan 28 17:28:23 2002
-+++ modules/pam_env/Makefile
-@@ -15,8 +15,4 @@
+--- modules/pam_access/Makefile.orig	Sun Nov 19 18:54:03 2000
++++ modules/pam_access/Makefile
+@@ -14,8 +14,4 @@ INSTALLED_CONFILE=$(SCONFIGD)/access.con
  DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\"
  CFLAGS += $(DEFS)
  
diff --git a/security/PAM/patches/patch-aj b/security/PAM/patches/patch-aj
index 573b2c75b66..083a122e1fa 100644
--- a/security/PAM/patches/patch-aj
+++ b/security/PAM/patches/patch-aj
@@ -1,86 +1,13 @@
-$NetBSD: patch-aj,v 1.2 2002/01/29 17:10:11 jlam Exp $
+$NetBSD: patch-aj,v 1.3 2002/12/23 21:23:59 jlam Exp $
 
---- modules/pam_filter/pam_filter.c.orig	Sun Nov 19 18:54:03 2000
-+++ modules/pam_filter/pam_filter.c
-@@ -21,7 +21,7 @@
- #include <sys/stat.h>
- #include <sys/socket.h>
- #include <sys/ioctl.h>
--#include <termio.h>
-+#include <termios.h>
- 
- #include <signal.h>
- 
-@@ -278,7 +278,7 @@
- {
-     int status=-1;
-     char terminal[TERMINAL_LEN];
--    struct termio stored_mode;           /* initial terminal mode settings */
-+    struct termios stored_mode;           /* initial terminal mode settings */
-     int fd[2], child=0, child2=0, aterminal;
- 
-     if (filtername == NULL || *filtername != '/') {
-@@ -305,28 +305,32 @@
- 	/* set terminal into raw mode.. remember old mode so that we can
- 	   revert to it after the child has quit. */
- 
--	/* this is termio terminal handling... */
-+	/* this is termios terminal handling... */
- 
--	if (ioctl(STDIN_FILENO, TCGETA, (char *) &stored_mode ) < 0) {
-+	if (tcgetattr(STDIN_FILENO, &stored_mode ) < 0) {
- 	    /* in trouble, so close down */
- 	    close(fd[0]);
- 	    _pam_log(LOG_CRIT, "couldn't copy terminal mode");
- 	    return PAM_ABORT;
- 	} else {
--	    struct termio t_mode = stored_mode;
-+	    struct termios t_mode = stored_mode;
- 
- 	    t_mode.c_iflag = 0;            /* no input control */
- 	    t_mode.c_oflag &= ~OPOST;      /* no ouput post processing */
- 
- 	    /* no signals, canonical input, echoing, upper/lower output */
-+#ifdef XCASE
- 	    t_mode.c_lflag &= ~(ISIG|ICANON|ECHO|XCASE);
-+#else
-+	    t_mode.c_lflag &= ~(ISIG|ICANON|ECHO);
-+#endif
- 	    t_mode.c_cflag &= ~(CSIZE|PARENB);  /* no parity */
- 	    t_mode.c_cflag |= CS8;              /* 8 bit chars */
- 
- 	    t_mode.c_cc[VMIN] = 1; /* number of chars to satisfy a read */
- 	    t_mode.c_cc[VTIME] = 0;          /* 0/10th second for chars */
- 
--	    if (ioctl(STDIN_FILENO, TCSETA, (char *) &t_mode) < 0) {
-+	    if (tcsetattr(STDIN_FILENO, TCSANOW, &t_mode) < 0) {
- 		close(fd[0]);
- 		_pam_log(LOG_WARNING, "couldn't put terminal in RAW mode");
- 		return PAM_ABORT;
-@@ -356,7 +360,7 @@
- 
- 	_pam_log(LOG_WARNING,"first fork failed");
- 	if (aterminal) {
--	    (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
-+	    (void) tcsetattr(STDIN_FILENO, TCSANOW, &stored_mode);
- 	}
- 
- 	return PAM_AUTH_ERR;
-@@ -398,7 +402,7 @@
- 	    /* initialize the child's terminal to be the way the
- 	       parent's was before we set it into RAW mode */
- 
--	    if (ioctl(fd[1], TCSETA, (char *) &stored_mode) < 0) {
-+	    if (tcsetattr(fd[1], TCSANOW, &stored_mode) < 0) {
- 		_pam_log(LOG_WARNING,"cannot set slave terminal mode; %s"
- 			 ,terminal);
- 		close(fd[1]);
-@@ -572,7 +576,7 @@
- 
-     if (aterminal) {
- 	/* reset to initial terminal mode */
--	(void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
-+	(void) tcsetattr(STDIN_FILENO, TCSANOW, &stored_mode);
-     }
- 
-     if (ctrl & FILTER_DEBUG) {
+--- modules/pam_env/Makefile.orig	Sun Nov 19 18:54:03 2000
++++ modules/pam_env/Makefile
+@@ -15,8 +15,4 @@ INSTALLED_CONFILE=$(SCONFIGD)/pam_env.co
+ DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\"
+ CFLAGS += $(DEFS)
+ 
+-MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)"
+-MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE)
+-MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age
+-
+ include ../Simple.Rules
diff --git a/security/PAM/patches/patch-ak b/security/PAM/patches/patch-ak
new file mode 100644
index 00000000000..3c2b40bb254
--- /dev/null
+++ b/security/PAM/patches/patch-ak
@@ -0,0 +1,90 @@
+$NetBSD: patch-ak,v 1.3 2002/12/23 21:23:59 jlam Exp $
+
+--- modules/pam_filter/pam_filter.c.orig	Sun Nov 11 02:43:54 2001
++++ modules/pam_filter/pam_filter.c
+@@ -21,7 +21,17 @@
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+ #include <sys/ioctl.h>
++#ifdef HAVE_TERMIOS_H
++#include <termios.h>
++#define STRUCT_TERMIO		struct termios
++#define TCGETATTR(fd, p_termio)	tcgetattr(fd, p_termio)
++#define TCSETATTR(fd, p_termio)	tcsetattr(fd, TCSANOW, p_termio)
++#else
+ #include <termio.h>
++#define STRUCT_TERMIO		struct termio
++#define TCGETATTR(fd, p_termio)	ioctl(fd, TCGETA, (char *) p_termio)
++#define TCSETATTR(fd, p_termio)	ioctl(fd, TCSETA, (char *) p_termio)
++#endif
+ 
+ #include <signal.h>
+ 
+@@ -278,7 +288,7 @@ static int set_filter(pam_handle_t *pamh
+ {
+     int status=-1;
+     char terminal[TERMINAL_LEN];
+-    struct termio stored_mode;           /* initial terminal mode settings */
++    STRUCT_TERMIO stored_mode;           /* initial terminal mode settings */
+     int fd[2], child=0, child2=0, aterminal;
+ 
+     if (filtername == NULL || *filtername != '/') {
+@@ -307,17 +317,20 @@ static int set_filter(pam_handle_t *pamh
+ 
+ 	/* this is termio terminal handling... */
+ 
+-	if (ioctl(STDIN_FILENO, TCGETA, (char *) &stored_mode ) < 0) {
++	if (TCGETATTR(STDIN_FILENO, &stored_mode ) < 0) {
+ 	    /* in trouble, so close down */
+ 	    close(fd[0]);
+ 	    _pam_log(LOG_CRIT, "couldn't copy terminal mode");
+ 	    return PAM_ABORT;
+ 	} else {
+-	    struct termio t_mode = stored_mode;
++	    STRUCT_TERMIO t_mode = stored_mode;
+ 
+ 	    t_mode.c_iflag = 0;            /* no input control */
+ 	    t_mode.c_oflag &= ~OPOST;      /* no ouput post processing */
+ 
++#ifndef XCASE
++#define XCASE 0
++#endif
+ 	    /* no signals, canonical input, echoing, upper/lower output */
+ 	    t_mode.c_lflag &= ~(ISIG|ICANON|ECHO|XCASE);
+ 	    t_mode.c_cflag &= ~(CSIZE|PARENB);  /* no parity */
+@@ -326,7 +339,7 @@ static int set_filter(pam_handle_t *pamh
+ 	    t_mode.c_cc[VMIN] = 1; /* number of chars to satisfy a read */
+ 	    t_mode.c_cc[VTIME] = 0;          /* 0/10th second for chars */
+ 
+-	    if (ioctl(STDIN_FILENO, TCSETA, (char *) &t_mode) < 0) {
++	    if (TCSETATTR(STDIN_FILENO, &t_mode) < 0) {
+ 		close(fd[0]);
+ 		_pam_log(LOG_WARNING, "couldn't put terminal in RAW mode");
+ 		return PAM_ABORT;
+@@ -356,7 +369,7 @@ static int set_filter(pam_handle_t *pamh
+ 
+ 	_pam_log(LOG_WARNING,"first fork failed");
+ 	if (aterminal) {
+-	    (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
++	    (void) TCSETATTR(STDIN_FILENO, &stored_mode);
+ 	}
+ 
+ 	return PAM_AUTH_ERR;
+@@ -398,7 +411,7 @@ static int set_filter(pam_handle_t *pamh
+ 	    /* initialize the child's terminal to be the way the
+ 	       parent's was before we set it into RAW mode */
+ 
+-	    if (ioctl(fd[1], TCSETA, (char *) &stored_mode) < 0) {
++	    if (TCSETATTR(fd[1], &stored_mode) < 0) {
+ 		_pam_log(LOG_WARNING,"cannot set slave terminal mode; %s"
+ 			 ,terminal);
+ 		close(fd[1]);
+@@ -572,7 +585,7 @@ static int set_filter(pam_handle_t *pamh
+ 
+     if (aterminal) {
+ 	/* reset to initial terminal mode */
+-	(void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
++	(void) TCSETATTR(STDIN_FILENO, &stored_mode);
+     }
+ 
+     if (ctrl & FILTER_DEBUG) {
diff --git a/security/PAM/patches/patch-al b/security/PAM/patches/patch-al
index ab79d039881..917f0ba6c47 100644
--- a/security/PAM/patches/patch-al
+++ b/security/PAM/patches/patch-al
@@ -1,37 +1,13 @@
-$NetBSD: patch-al,v 1.2 2002/01/29 17:10:11 jlam Exp $
+$NetBSD: patch-al,v 1.3 2002/12/23 21:23:59 jlam Exp $
 
---- modules/pam_issue/pam_issue.c.orig	Wed Feb 21 23:49:45 2001
-+++ modules/pam_issue/pam_issue.c
-@@ -21,6 +21,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <sys/types.h>
-+#include <sys/param.h>
- #include <sys/stat.h>
- #include <time.h>
- #include <fcntl.h>
-@@ -215,12 +216,24 @@
- 	      case 'U':
- 		{
- 		    int users = 0;
-+#if (defined(BSD) && BSD >= 199306)
-+		    struct utmp ut;
-+		    FILE *uf;
-+
-+		    if ((uf == fopen(_PATH_UTMP, "r")) != NULL) {
-+			while (fread(&ut, sizeof(ut), 1, uf) > 0)
-+			    if (ut.ut_name[0] != '\0')
-+				++users;
-+			(void) fclose(uf);
-+		}
-+#else
- 		    struct utmp *ut;
- 		    setutent();
- 		    while ((ut = getutent()))
- 			if (ut->ut_type == USER_PROCESS)
- 			users++;
- 		    endutent();
-+#endif
- 		    printf ("%d ", users);
- 		    if (c == 'U')
- 			snprintf (buf, 1024, "%s", (users == 1) ?
+--- modules/pam_group/Makefile.orig	Sun Nov 19 18:54:04 2000
++++ modules/pam_group/Makefile
+@@ -14,8 +14,4 @@ INSTALLED_CONFILE=$(SCONFIGD)/group.conf
+ DEFS=-DDEFAULT_CONF_FILE=\"$(CONFILE)\"
+ CFLAGS += $(DEFS)
+ 
+-MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)"
+-MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE)
+-MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age
+-
+ include ../Simple.Rules
diff --git a/security/PAM/patches/patch-am b/security/PAM/patches/patch-am
new file mode 100644
index 00000000000..2fb8cbf285a
--- /dev/null
+++ b/security/PAM/patches/patch-am
@@ -0,0 +1,37 @@
+$NetBSD: patch-am,v 1.4 2002/12/23 21:23:59 jlam Exp $
+
+--- modules/pam_issue/pam_issue.c.orig	Sun Nov 11 21:23:29 2001
++++ modules/pam_issue/pam_issue.c
+@@ -21,6 +21,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/types.h>
++#include <sys/param.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <string.h>
+@@ -244,12 +245,24 @@ char *do_prompt(FILE *fd)
+ 	      case 'U':
+ 		{
+ 		    int users = 0;
++#if (defined(BSD) && BSD >= 199306)
++		    struct utmp ut;
++		    FILE *uf;
++
++		    if ((uf == fopen(_PATH_UTMP, "r")) != NULL) {
++			while (fread(&ut, sizeof(ut), 1, uf) > 0)
++			    if (ut.ut_name[0] != '\0')
++				++users;
++			    (void) fclose(uf);
++		    }
++#else
+ 		    struct utmp *ut;
+ 		    setutent();
+ 		    while ((ut = getutent()))
+ 			if (ut->ut_type == USER_PROCESS)
+ 			users++;
+ 		    endutent();
++#endif
+ 		    printf ("%d ", users);
+ 		    if (c == 'U')
+ 			snprintf (buf, 1024, "%s", (users == 1) ?
diff --git a/security/PAM/patches/patch-an b/security/PAM/patches/patch-an
index 9720f36dfe0..95110d429cd 100644
--- a/security/PAM/patches/patch-an
+++ b/security/PAM/patches/patch-an
@@ -1,89 +1,12 @@
-$NetBSD: patch-an,v 1.2 2002/01/29 17:10:11 jlam Exp $
+$NetBSD: patch-an,v 1.3 2002/12/23 21:23:59 jlam Exp $
 
---- modules/pam_unix/pam_unix_acct.c.orig	Wed Dec 20 00:15:05 2000
-+++ modules/pam_unix/pam_unix_acct.c
-@@ -41,9 +41,12 @@
- #include <string.h>
+--- modules/pam_mkhomedir/pam_mkhomedir.c.orig	Fri Feb  8 00:20:17 2002
++++ modules/pam_mkhomedir/pam_mkhomedir.c
+@@ -34,6 +34,7 @@
+ #include <sys/stat.h>
+ #include <fcntl.h>
  #include <unistd.h>
- #include <sys/types.h>
-+#include <sys/param.h>
- #include <syslog.h>
++#include <limits.h>
  #include <pwd.h>
-+#ifndef BSD
- #include <shadow.h>
-+#endif
- #include <time.h>		/* for time() */
- 
- #include <security/_pam_macros.h>
-@@ -72,7 +75,7 @@
- 	const char *uname;
- 	int retval, daysleft;
- 	time_t curdays;
--	struct spwd *spent;
-+	struct spwd *spent = NULL;
- 	struct passwd *pwent;
- 	char buf[80];
- 
-@@ -113,6 +116,9 @@
- 					return PAM_CRED_INSUFFICIENT;
- 			}
- 		}
-+#ifdef BSD
-+		spent = NULL;
-+#else
- 		spent = getspnam( uname );
- 		if (save_uid == pwent->pw_uid)
- 			setreuid( save_uid, save_euid );
-@@ -121,16 +127,42 @@
- 			setreuid( save_uid, -1 );
- 			setreuid( -1, save_euid );
- 		}
--
-+#endif
- 	} else if (!strcmp( pwent->pw_passwd, "x" )) {
-+#ifdef BSD
-+		spent = NULL;
-+#else
- 		spent = getspnam(uname);
-+#endif
- 	} else {
-+#if (defined(BSD) && BSD >= 199306)
-+		time_t now = time(NULL);
-+		if (now > pwent->pw_expire) {
-+			_log_err(LOG_NOTICE
-+				 ,"account %s has expired (account expired)"
-+				 ,uname);
-+			_make_remark(pamh, ctrl, PAM_ERROR_MSG,
-+			    	"Your account has expired; please contact your system administrator");
-+			D(("account expired"));
-+			return PAM_ACCT_EXPIRED;
-+		}
-+		else if (now + _PASSWORD_WARNDAYS * 86400 > pwent->pw_expire) {
-+			daysleft = (pwent->pw_expire - now) / 86400;
-+			_log_err(LOG_DEBUG
-+				 ,"password for user %s will expire in %d days"
-+				 ,uname, daysleft);
-+			snprintf(buf, 80, "Warning: your password will expire in %d day%.2s",
-+				 daysleft, daysleft == 1 ? "" : "s");
-+			_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
-+		}
-+#endif
- 		return PAM_SUCCESS;
- 	}
- 
- 	if (!spent)
- 		return PAM_AUTHINFO_UNAVAIL;	/* Couldn't get username from shadow */
- 
-+#ifndef BSD
- 	curdays = time(NULL) / (60 * 60 * 24);
- 	D(("today is %d, last change %d", curdays, spent->sp_lstchg));
- 	if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)
-@@ -183,7 +215,7 @@
- 			 daysleft, daysleft == 1 ? "" : "s");
- 		_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
- 	}
--
-+#endif
- 	D(("all done"));
- 
- 	return PAM_SUCCESS;
+ #include <stdlib.h>
+ #include <stdio.h>
diff --git a/security/PAM/patches/patch-ao b/security/PAM/patches/patch-ao
index 0771ddd3b6e..82cc4027224 100644
--- a/security/PAM/patches/patch-ao
+++ b/security/PAM/patches/patch-ao
@@ -1,100 +1,13 @@
-$NetBSD: patch-ao,v 1.2 2002/01/29 17:10:11 jlam Exp $
+$NetBSD: patch-ao,v 1.3 2002/12/23 21:23:59 jlam Exp $
 
---- modules/pam_unix/pam_unix_passwd.c.orig	Sun Feb 11 01:33:53 2001
-+++ modules/pam_unix/pam_unix_passwd.c
-@@ -47,7 +47,10 @@
- #include <sys/types.h>
- #include <pwd.h>
- #include <syslog.h>
-+#include <sys/param.h>
-+#ifndef BSD
- #include <shadow.h>
-+#endif
- #include <time.h>		/* for time() */
- #include <fcntl.h>
- #include <ctype.h>
-@@ -77,7 +80,7 @@
- #include "md5.h"
- #include "support.h"
- 
--#if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1))
-+#if !defined(BSD) && !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1))
- extern int getrpcport(const char *host, unsigned long prognum,
- 		      unsigned long versnum, unsigned int proto);
- #endif				/* GNU libc 2.1 */
-@@ -330,6 +333,9 @@
- 
- static int _update_passwd(const char *forwho, const char *towhat)
- {
-+#ifdef BSD
-+	return PAM_AUTHTOK_ERR;
-+#else
- 	struct passwd *tmpent = NULL;
- 	FILE *pwfile, *opwfile;
- 	int retval = 0;
-@@ -372,10 +378,14 @@
- 		unlink(PW_TMPFILE);
- 
- 	return retval;
-+#endif
- }
- 
- static int _update_shadow(const char *forwho, char *towhat)
- {
-+#ifdef BSD
-+	return PAM_AUTHTOK_ERR;
-+#else
- 	struct spwd *spwdent = NULL, *stmpent = NULL;
- 	FILE *pwfile, *opwfile;
- 	int retval = 0;
-@@ -424,6 +434,7 @@
- 		unlink(SH_TMPFILE);
- 
- 	return retval;
-+#endif
- }
- 
- static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat,
-@@ -531,15 +542,18 @@
- 		return PAM_AUTHINFO_UNAVAIL;	/* We don't need to do the rest... */
- 
- 	if (strcmp(pwd->pw_passwd, "x") == 0) {
-+#ifndef BSD
- 		/* ...and shadow password file entry for this user, if shadowing
- 		   is enabled */
- 		setspent();
- 		spwdent = getspnam(user);
- 		endspent();
-+#endif
- 
- 		if (spwdent == NULL)
- 			return PAM_AUTHINFO_UNAVAIL;
- 	} else {
-+#ifndef BSD
- 		if (strcmp(pwd->pw_passwd,"*NP*") == 0) { /* NIS+ */                 
- 			uid_t save_uid;
- 
-@@ -552,8 +566,15 @@
- 				return PAM_AUTHINFO_UNAVAIL;
- 		} else
- 			spwdent = NULL;
-+#endif
- 	}
- 
-+#ifdef BSD
-+	if (off(UNIX__IAMROOT, ctrl)) {
-+		if (time(NULL) > pwd->pw_expire)
-+			retval = PAM_ACCT_EXPIRED;
-+	}
-+#else
- 	if (spwdent != NULL) {
- 		/* We have the user's information, now let's check if their account
- 		   has expired (60 * 60 * 24 = number of seconds in a day) */
-@@ -579,6 +600,7 @@
- 				retval = PAM_ACCT_EXPIRED;
- 		}
- 	}
-+#endif
- 	return retval;
- }
- 
+--- modules/pam_time/Makefile.orig	Sun Nov 19 18:54:05 2000
++++ modules/pam_time/Makefile
+@@ -14,8 +14,4 @@ INSTALLED_CONFILE=$(SCONFIGD)/time.conf
+ DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\"
+ CFLAGS += $(DEFS)
+ 
+-MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)"
+-MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE)
+-MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age
+-
+ include ../Simple.Rules
diff --git a/security/PAM/patches/patch-ap b/security/PAM/patches/patch-ap
index aa5d3f25ba0..2984b120b4f 100644
--- a/security/PAM/patches/patch-ap
+++ b/security/PAM/patches/patch-ap
@@ -1,74 +1,141 @@
-$NetBSD: patch-ap,v 1.2 2002/01/29 17:10:11 jlam Exp $
+$NetBSD: patch-ap,v 1.3 2002/12/23 21:23:59 jlam Exp $
 
---- modules/pam_unix/support.c.orig	Sun Feb 11 01:33:53 2001
-+++ modules/pam_unix/support.c
-@@ -12,7 +12,10 @@
- #include <string.h>
- #include <malloc.h>
+--- modules/pam_unix/pam_unix_acct.c.orig	Wed Dec 20 00:15:05 2000
++++ modules/pam_unix/pam_unix_acct.c
+@@ -43,7 +43,9 @@
+ #include <sys/types.h>
+ #include <syslog.h>
  #include <pwd.h>
-+#include <sys/param.h>
-+#ifndef BSD
++#ifdef HAVE_SHADOW_H
  #include <shadow.h>
 +#endif
- #include <limits.h>
- #include <utmp.h>
+ #include <time.h>		/* for time() */
  
-@@ -111,6 +114,9 @@
-    */
- char *PAM_getlogin(void)
- {
-+#ifdef BSD
-+	return getlogin();
-+#else
- 	struct utmp *ut, line;
- 	char *curr_tty, *retval;
- 	static char curr_user[sizeof(ut->ut_user) + 4];
-@@ -132,6 +138,7 @@
- 	D(("PAM_getlogin retval: %s", retval));
- 
- 	return retval;
+ #include <security/_pam_macros.h>
+@@ -71,8 +73,10 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ 	unsigned int ctrl;
+ 	const char *uname;
+ 	int retval, daysleft;
+-	time_t curdays;
++	time_t now, curdays;
++#ifdef HAVE_GETSPNAM
+ 	struct spwd *spent;
 +#endif
- }
+ 	struct passwd *pwent;
+ 	char buf[80];
  
- /*
-@@ -330,6 +337,7 @@
- 	pwd = getpwnam(name);	/* Get password file entry... */
+@@ -113,7 +117,9 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ 					return PAM_CRED_INSUFFICIENT;
+ 			}
+ 		}
++#ifdef HAVE_GETSPNAM
+ 		spent = getspnam( uname );
++#endif
+ 		if (save_uid == pwent->pw_uid)
+ 			setreuid( save_uid, save_euid );
+ 		else {
+@@ -123,15 +129,21 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ 		}
  
- 	if (pwd != NULL) {
-+#ifndef BSD
- 		if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
- 		{ /* NIS+ */                 
- 			uid_t save_euid, save_uid;
-@@ -367,6 +375,7 @@
- 		if (spwdent)
- 			salt = x_strdup(spwdent->sp_pwdp);
- 		else
+ 	} else if (!strcmp( pwent->pw_passwd, "x" )) {
++#ifdef HAVE_GETSPNAM
+ 		spent = getspnam(uname);
 +#endif
- 			salt = x_strdup(pwd->pw_passwd);
+ 	} else {
+ 		return PAM_SUCCESS;
  	}
- 	/* Does this user have a password? */
-@@ -481,6 +490,7 @@
- 	pwd = getpwnam(name);	/* Get password file entry... */
  
- 	if (pwd != NULL) {
-+#ifndef BSD	
- 		if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
- 		{ /* NIS+ */                 
- 			uid_t save_euid, save_uid;
-@@ -498,7 +508,7 @@
- 						return PAM_CRED_INSUFFICIENT;
- 				}
- 			}
--	
++#ifdef HAVE_GETSPNAM
+ 	if (!spent)
+ 		return PAM_AUTHINFO_UNAVAIL;	/* Couldn't get username from shadow */
++#endif
+ 
+-	curdays = time(NULL) / (60 * 60 * 24);
++	now = time(NULL);
++	curdays = now / (60 * 60 * 24);
++#ifdef HAVE_GETSPNAM
+ 	D(("today is %d, last change %d", curdays, spent->sp_lstchg));
+ 	if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)
+ 	    && (spent->sp_lstchg != 0)) {
+@@ -143,6 +155,29 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ 		D(("account expired"));
+ 		return PAM_ACCT_EXPIRED;
+ 	}
++#else
++	if ((now > pwent->pw_expire) && (pwent->pw_expire != 0)) {
++		_log_err(LOG_NOTICE, pamh
++			 ,"account %s has expired (account expired)"
++			 ,uname);
++		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
++			    "Your account has expired; please contact your system administrator");
++		D(("account expired"));
++		return PAM_ACCT_EXPIRED;
++	}
++	if ((now + _PASSWORD_WARNDAYS * 60 * 60 * 24 > pwent->pw_expire)
++	    && (pwent->pw_expire != 0)) {
++		daysleft = (pwent->pw_expire - now) / (60 * 60 * 24);
++		_log_err(LOG_DEBUG, pamh
++			 ,"account for user %s will expire in %d days"
++			 ,uname, daysleft);
++		snprintf(buf, 80, "Warning: your account will expire in %d day%.2s",
++			 daysleft, daysleft == 1 ? "" : "s");
++		_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
++	}
++#endif
 +
- 			spwdent = getspnam( name );
- 			if (save_uid == pwd->pw_uid)
- 				setreuid( save_uid, save_euid );
-@@ -517,6 +527,7 @@
- 		if (spwdent)
- 			salt = x_strdup(spwdent->sp_pwdp);
- 		else
++#ifdef HAVE_GETSPNAM
+ 	if ((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact))
+ 	    && (spent->sp_max != -1) && (spent->sp_inact != -1)
+ 	    && (spent->sp_lstchg != 0)) {
+@@ -154,7 +189,9 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ 		D(("account expired 2"));
+ 		return PAM_ACCT_EXPIRED;
+ 	}
 +#endif
- 			salt = x_strdup(pwd->pw_passwd);
+ 	D(("when was the last change"));
++#ifdef HAVE_GETSPNAM
+ 	if (spent->sp_lstchg == 0) {
+ 		_log_err(LOG_NOTICE, pamh
+ 			 ,"expired password for user %s (root enforced)"
+@@ -173,6 +210,19 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ 		D(("need a new password 2"));
+ 		return PAM_NEW_AUTHTOK_REQD;
+ 	}
++#else
++	if (pwent->pw_change == -1) {
++		_log_err(LOG_NOTICE, pamh
++			 ,"expired password for user %s (root enforced)"
++			 ,uname);
++		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
++			    "You are required to change your password immediately (root enforced)");
++		D(("need a new password"));
++		return PAM_NEW_AUTHTOK_REQD;
++	}
++#endif
++
++#ifdef HAVE_GETSPNAM
+ 	if ((curdays > (spent->sp_lstchg + spent->sp_max - spent->sp_warn))
+ 	    && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
+ 		daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;
+@@ -183,6 +233,21 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+ 			 daysleft, daysleft == 1 ? "" : "s");
+ 		_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
  	}
++#else
++#ifndef _PASSWORD_WARNDAYS
++#define _PASSWORD_WARNDAYS 14
++#endif
++	if ((now + _PASSWORD_WARNDAYS * 60 * 60 * 24 > pwent->pw_change)
++	    && (pwent->pw_change != 0) && (pwent->pw_change != -1)) {
++		daysleft = (pwent->pw_change - now) / (60 * 60 * 24);
++		_log_err(LOG_DEBUG, pamh
++			 ,"password for user %s will expire in %d days"
++			 ,uname, daysleft);
++		snprintf(buf, 80, "Warning: your password will expire in %d day%.2s",
++			 daysleft, daysleft == 1 ? "" : "s");
++		_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
++	}
++#endif
+ 
+ 	D(("all done"));
  
diff --git a/security/PAM/patches/patch-aq b/security/PAM/patches/patch-aq
new file mode 100644
index 00000000000..67d202130ae
--- /dev/null
+++ b/security/PAM/patches/patch-aq
@@ -0,0 +1,81 @@
+$NetBSD: patch-aq,v 1.4 2002/12/23 21:23:59 jlam Exp $
+
+--- modules/pam_unix/pam_unix_passwd.c.orig	Tue Jul  9 00:44:18 2002
++++ modules/pam_unix/pam_unix_passwd.c
+@@ -47,7 +47,10 @@
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <syslog.h>
++#include <sys/param.h>
++#ifdef HAVE_SHADOW_H
+ #include <shadow.h>
++#endif
+ #include <time.h>		/* for time() */
+ #include <fcntl.h>
+ #include <ctype.h>
+@@ -77,7 +80,7 @@
+ #include "md5.h"
+ #include "support.h"
+ 
+-#if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1))
++#if !defined(BSD) && !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1))
+ extern int getrpcport(const char *host, unsigned long prognum,
+ 		      unsigned long versnum, unsigned int proto);
+ #endif				/* GNU libc 2.1 */
+@@ -346,6 +349,7 @@ static int save_old_password(const char 
+ static int _update_passwd(pam_handle_t *pamh,
+ 			  const char *forwho, const char *towhat)
+ {
++#ifdef HAVE_SHADOW_H
+     struct passwd *tmpent = NULL;
+     FILE *pwfile, *opwfile;
+     int err = 1;
+@@ -401,10 +405,14 @@ static int _update_passwd(pam_handle_t *
+ 	unlink(PW_TMPFILE);
+ 	return PAM_AUTHTOK_ERR;
+     }
++#else
++    return PAM_AUTHTOK_ERR;
++#endif
+ }
+ 
+ static int _update_shadow(const char *forwho, char *towhat)
+ {
++#ifdef HAVE_GETSPNAM
+     struct spwd *spwdent = NULL, *stmpent = NULL;
+     FILE *pwfile, *opwfile;
+     int err = 1;
+@@ -461,6 +469,9 @@ static int _update_shadow(const char *fo
+ 	unlink(SH_TMPFILE);
+ 	return PAM_AUTHTOK_ERR;
+     }
++#else
++    return PAM_AUTHTOK_ERR;
++#endif
+ }
+ 
+ static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat,
+@@ -569,6 +580,7 @@ static int _unix_verify_shadow(const cha
+ 	if (pwd == NULL)
+ 		return PAM_AUTHINFO_UNAVAIL;	/* We don't need to do the rest... */
+ 
++#ifdef HAVE_GETSPNAM
+ 	if (strcmp(pwd->pw_passwd, "x") == 0) {
+ 		/* ...and shadow password file entry for this user, if shadowing
+ 		   is enabled */
+@@ -619,6 +631,15 @@ static int _unix_verify_shadow(const cha
+ 		}
+ 	}
+ 	return retval;
++#else
++	if (strcmp(pwd->pw_passwd, "x") == 0)
++		return PAM_AUTHINFO_UNAVAIL;
++
++	if (off(UNIX__IAMROOT, ctrl)) {
++		if (time(NULL) > pwd->pw_expire)
++			return PAM_ACCT_EXPIRED;
++	}
++#endif
+ }
+ 
+ static int _pam_unix_approve_pass(pam_handle_t * pamh
diff --git a/security/PAM/patches/patch-ar b/security/PAM/patches/patch-ar
index 5daeda92eb0..a891f0bcf8d 100644
--- a/security/PAM/patches/patch-ar
+++ b/security/PAM/patches/patch-ar
@@ -1,34 +1,79 @@
-$NetBSD: patch-ar,v 1.2 2002/01/29 17:10:11 jlam Exp $
+$NetBSD: patch-ar,v 1.3 2002/12/23 21:24:00 jlam Exp $
 
---- modules/pam_unix/unix_chkpwd.c.orig	Sun Feb 11 01:33:53 2001
-+++ modules/pam_unix/unix_chkpwd.c
-@@ -22,8 +22,11 @@
- #include <syslog.h>
+--- modules/pam_unix/support.c.orig	Mon Sep 23 13:33:22 2002
++++ modules/pam_unix/support.c
+@@ -6,13 +6,17 @@
+ 
+ #define _BSD_SOURCE
+ 
++#include <security/_pam_aconf.h>
++
+ #include <stdlib.h>
  #include <unistd.h>
- #include <sys/types.h>
-+#include <sys/param.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #include <malloc.h>
  #include <pwd.h>
-+#ifndef BSD
++#ifdef HAVE_SHADOW_H
  #include <shadow.h>
 +#endif
- #include <signal.h>
+ #include <limits.h>
+ #include <utmp.h>
+ #include <errno.h>
+@@ -113,6 +117,12 @@ int _make_remark(pam_handle_t * pamh, un
+    */
+ char *PAM_getlogin(void)
+ {
++#ifdef USE_GETLOGIN
++	char *retval = NULL;
++	retval = getlogin();
++	D(("PAM_getlogin retval: %s", retval));
++	return retval;
++#else
+ 	struct utmp *ut, line;
+ 	char *curr_tty, *retval;
+ 	static char curr_user[sizeof(ut->ut_user) + 4];
+@@ -135,6 +145,7 @@ char *PAM_getlogin(void)
+ 	D(("PAM_getlogin retval: %s", retval));
+ 
+ 	return retval;
++#endif
+ }
+ 
+ /*
+@@ -358,6 +369,7 @@ int _unix_blankpasswd(unsigned int ctrl,
+ #endif
  
- #define MAXPASS		200	/* the maximum length of a password */
-@@ -94,6 +97,9 @@
- 	pwd = getpwnam(name);	/* Get password file entry... */
- 	endpwent();
  	if (pwd != NULL) {
-+#ifdef BSD
++#ifdef HAVE_GETSPNAM
+ 		if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
+ 		{ /* NIS+ */                 
+ 			uid_t save_euid, save_uid;
+@@ -400,6 +412,9 @@ int _unix_blankpasswd(unsigned int ctrl,
+ 			salt = x_strdup(spwdent->sp_pwdp);
+ 		else
+ 			salt = x_strdup(pwd->pw_passwd);
++#else
 +		salt = x_strdup(pwd->pw_passwd);
++#endif
+ 	}
+ 	/* Does this user have a password? */
+ 	if (salt == NULL) {
+@@ -535,6 +550,7 @@ int _unix_verify_password(pam_handle_t *
+ 	pwd = getpwnam(name);	/* Get password file entry... */
+ 
+ 	if (pwd != NULL) {
++#ifdef GETSPNAM
+ 		if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
+ 		{ /* NIS+ */                 
+ 			uid_t save_euid, save_uid;
+@@ -572,6 +588,9 @@ int _unix_verify_password(pam_handle_t *
+ 			salt = x_strdup(spwdent->sp_pwdp);
+ 		else
+ 			salt = x_strdup(pwd->pw_passwd);
 +#else
- 		if (strcmp(pwd->pw_passwd, "x") == 0) {
- 			/*
- 			 * ...and shadow password file entry for this user,
-@@ -120,6 +126,7 @@
- 				salt = x_strdup(pwd->pw_passwd);
- 			}
- 		}
++		salt = x_strdup(pwd->pw_passwd);
 +#endif
  	}
- 	if (pwd == NULL || salt == NULL) {
- 		_log_err(LOG_ALERT, "check pass; user unknown");
+ 
+ 	data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name));
diff --git a/security/PAM/patches/patch-as b/security/PAM/patches/patch-as
new file mode 100644
index 00000000000..2af7b25fe24
--- /dev/null
+++ b/security/PAM/patches/patch-as
@@ -0,0 +1,32 @@
+$NetBSD: patch-as,v 1.3 2002/12/23 21:24:00 jlam Exp $
+
+--- modules/pam_unix/unix_chkpwd.c.orig	Mon Sep 23 13:33:22 2002
++++ modules/pam_unix/unix_chkpwd.c
+@@ -29,7 +29,9 @@
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <pwd.h>
++#ifdef HAVE_SHADOW_H
+ #include <shadow.h>
++#endif
+ #include <signal.h>
+ 
+ #define MAXPASS		200	/* the maximum length of a password */
+@@ -101,6 +103,7 @@ static int _unix_verify_password(const c
+ 	pwd = getpwnam(name);	/* Get password file entry... */
+ 	endpwent();
+ 	if (pwd != NULL) {
++#ifdef HAVE_GETSPNAM
+ 		if (strcmp(pwd->pw_passwd, "x") == 0) {
+ 			/*
+ 			 * ...and shadow password file entry for this user,
+@@ -127,6 +130,9 @@ static int _unix_verify_password(const c
+ 				salt = x_strdup(pwd->pw_passwd);
+ 			}
+ 		}
++#else
++		salt = x_strdup(pwd->pw_passwd);
++#endif
+ 	}
+ 	if (pwd == NULL || salt == NULL) {
+ 		_log_err(LOG_ALERT, "check pass; user unknown");
diff --git a/security/PAM/patches/patch-au b/security/PAM/patches/patch-au
deleted file mode 100644
index 8a2f5fc81e9..00000000000
--- a/security/PAM/patches/patch-au
+++ /dev/null
@@ -1,14 +0,0 @@
-$NetBSD: patch-au,v 1.2 2002/01/29 17:10:12 jlam Exp $
-
---- modules/pam_userdb/Makefile.orig	Sat Feb 17 22:03:31 2001
-+++ modules/pam_userdb/Makefile
-@@ -12,7 +12,9 @@
- 
- ifeq ($(HAVE_NDBM_H),yes)
-  WHICH_DB=ndbm
-+ifeq ($(HAVE_LIBNDBM),yes)
-  MODULE_SIMPLE_EXTRALIBS = -lndbm
-+endif
- else
- ifeq ($(HAVE_LIBDB),yes)
-  WHICH_DB=db
diff --git a/security/PAM/patches/patch-aw b/security/PAM/patches/patch-aw
deleted file mode 100644
index a0686af4373..00000000000
--- a/security/PAM/patches/patch-aw
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-aw,v 1.2 2002/01/29 17:10:12 jlam Exp $
-
---- modules/pam_group/Makefile.orig	Mon Jan 28 17:28:23 2002
-+++ modules/pam_group/Makefile
-@@ -14,8 +14,4 @@
- DEFS=-DDEFAULT_CONF_FILE=\"$(CONFILE)\"
- CFLAGS += $(DEFS)
- 
--MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)"
--MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE)
--MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age
--
- include ../Simple.Rules
diff --git a/security/PAM/patches/patch-az b/security/PAM/patches/patch-az
deleted file mode 100644
index b979b886f0b..00000000000
--- a/security/PAM/patches/patch-az
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-az,v 1.2 2002/01/29 17:10:12 jlam Exp $
-
---- modules/pam_time/Makefile.orig	Mon Jan 28 17:28:23 2002
-+++ modules/pam_time/Makefile
-@@ -14,8 +14,4 @@
- DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\"
- CFLAGS += $(DEFS)
- 
--MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)"
--MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE)
--MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age
--
- include ../Simple.Rules
diff --git a/security/PAM/patches/patch-ba b/security/PAM/patches/patch-ba
deleted file mode 100644
index 31c8fdca516..00000000000
--- a/security/PAM/patches/patch-ba
+++ /dev/null
@@ -1,53 +0,0 @@
-$NetBSD: patch-ba,v 1.1 2002/01/29 17:10:12 jlam Exp $
-
---- configure.in.orig	Sun Mar 18 20:56:36 2001
-+++ configure.in
-@@ -172,7 +172,7 @@
- 	HAVE_LIBCRACK=no)
- AC_SUBST(HAVE_LIBCRACK)
- 
--AC_CHECK_LIB(crypt, fcrypt, HAVE_LIBCRYPT=yes ; AC_DEFINE(HAVE_LIBCRYPT),
-+AC_CHECK_LIB(crypt, crypt, HAVE_LIBCRYPT=yes ; AC_DEFINE(HAVE_LIBCRYPT),
- 	HAVE_LIBCRYPT=no)
- AC_SUBST(HAVE_LIBCRYPT)
- AC_CHECK_LIB(util, logwtmp, HAVE_LIBUTIL=yes ; AC_DEFINE(HAVE_LIBUTIL),
-@@ -220,7 +220,7 @@
- 
- dnl Look for cracklib dictionary
- AC_MSG_CHECKING(path to cracklib dictionary)
--DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \
-+DICT_DIR_CANDIDATES="${prefix}/libdata /usr/lib /usr/share/dict /usr/share/lib \
-   /usr/local/lib /usr/local/share/lib"
- DICT_FILE_CANDIDATES="pw_dict cracklib_dict"
- CRACKLIB_DICTPATH=""
-@@ -264,6 +264,21 @@
- if test "$GCC" = yes; then
- ###
- ### Non-Linux needs attention on per-OS basis
-+    case $OS in
-+    netbsd*)
-+	OS_CFLAGS=""
-+	WARNINGS="$GCC_WARNINGS"
-+	PIC="-fPIC"
-+#can/should we use LD=gcc ???
-+	LD=ld				
-+	LD_D="\$(CC) -shared -Xlinker -x"
-+	LD_L="$LD -x -shared"
-+	RANLIB=ranlib
-+	STRIP=strip
-+	CC_STATIC="-Xlinker -export-dynamic"
-+	;;
-+
-+    *)
- 	OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic"
- 	WARNINGS="$GCC_WARNINGS"
- 	PIC="-fPIC"
-@@ -274,6 +289,8 @@
- 	RANLIB=ranlib
- 	STRIP=strip
- 	CC_STATIC="-Xlinker -export-dynamic"
-+	;;
-+    esac
- else
- ###
- ### Non-gcc needs attention on per-OS basis
diff --git a/security/PAM/patches/patch-bb b/security/PAM/patches/patch-bb
deleted file mode 100644
index 02b96f924c0..00000000000
--- a/security/PAM/patches/patch-bb
+++ /dev/null
@@ -1,69 +0,0 @@
-$NetBSD: patch-bb,v 1.1 2002/01/29 17:10:12 jlam Exp $
-
---- configure.orig	Sun Mar 18 20:56:36 2001
-+++ configure
-@@ -1460,9 +1460,9 @@
- 
- 
- 
--echo $ac_n "checking for fcrypt in -lcrypt""... $ac_c" 1>&6
--echo "configure:1465: checking for fcrypt in -lcrypt" >&5
--ac_lib_var=`echo crypt'_'fcrypt | sed 'y%./+-%__p_%'`
-+echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6
-+echo "configure:1465: checking for crypt in -lcrypt" >&5
-+ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-%__p_%'`
- if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
-   echo $ac_n "(cached) $ac_c" 1>&6
- else
-@@ -1474,10 +1474,10 @@
- /* Override any gcc2 internal prototype to avoid an error.  */
- /* We use char because int might match the return type of a gcc2
-     builtin and then its argument prototype would still apply.  */
--char fcrypt();
-+char crypt();
- 
- int main() {
--fcrypt()
-+crypt()
- ; return 0; }
- EOF
- if { (eval echo configure:1484: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
-@@ -2257,7 +2257,7 @@
- 
- echo $ac_n "checking path to cracklib dictionary""... $ac_c" 1>&6
- echo "configure:2260: checking path to cracklib dictionary" >&5
--DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \
-+DICT_DIR_CANDIDATES="${prefix}/libdata /usr/lib /usr/share/dict /usr/share/lib \
-   /usr/local/lib /usr/local/share/lib"
- DICT_FILE_CANDIDATES="pw_dict cracklib_dict"
- CRACKLIB_DICTPATH=""
-@@ -2288,6 +2288,20 @@
- if test "$GCC" = yes; then
- ###
- ### Non-Linux needs attention on per-OS basis
-+    case $OS in
-+    netbsd*)
-+	OS_CFLAGS=""
-+	WARNINGS="$GCC_WARNINGS"
-+	PIC="-fPIC"
-+	LD=ld
-+	LD_D="\$(CC) -shared -Xlinker -x"
-+	LD_L="$LD -x -shared"
-+	RANLIB=ranlib
-+	STRIP=strip
-+	CC_STATIC="-Xlinker -export-dynamic"
-+	;;
-+
-+    *)
- 	OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic"
- 	WARNINGS="$GCC_WARNINGS"
- 	PIC="-fPIC"
-@@ -2298,6 +2312,8 @@
- 	RANLIB=ranlib
- 	STRIP=strip
- 	CC_STATIC="-Xlinker -export-dynamic"
-+	;;
-+    esac
- else
- ###
- ### Non-gcc needs attention on per-OS basis
diff --git a/security/PAM/patches/patch-bc b/security/PAM/patches/patch-bc
deleted file mode 100644
index 6dd94142df1..00000000000
--- a/security/PAM/patches/patch-bc
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-bc,v 1.1 2002/01/29 17:10:12 jlam Exp $
-
---- modules/Simple.Rules.orig	Wed Feb 21 23:55:41 2001
-+++ modules/Simple.Rules
-@@ -56,7 +56,7 @@
- 
- ifdef DYNAMIC
- $(LIBSHARED):	$(LIBOBJD)
--	$(LD_D) -o $@ $(LIBOBJD) $(MODULE_SIMPLE_EXTRALIBS) $(NEED_LINK_LIB_C)
-+	$(LD_D) -o $@ $(LIBOBJD) $(LDFLAGS) $(MODULE_SIMPLE_EXTRALIBS) $(NEED_LINK_LIB_C)
- 
- endif
- 
diff --git a/security/PAM/patches/patch-bd b/security/PAM/patches/patch-bd
deleted file mode 100644
index 04aeeddf2c2..00000000000
--- a/security/PAM/patches/patch-bd
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-bd,v 1.1 2002/01/29 17:10:12 jlam Exp $
-
---- doc/Makefile.orig	Mon Jan 28 18:45:38 2002
-+++ doc/Makefile
-@@ -5,7 +5,7 @@
- 
- # These two should probably be moved into autoconf...
- DOCDIR=/usr/doc/Linux-PAM
--MANDIR=/usr/man
-+MANDIR=${mandir}
- 
- #######################################################
-