Back out recent changes

svn path=/head/; revision=89567

etc/pam.d/ftpd

@@ -9,7 +9,7 @@ auth		required	pam_nologin.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn
 #auth           sufficient      pam_ssh.so      no_warn try_first_pass
-auth [default=ignore success=done cred_err=die]	pam_opie.so	no_warn
+#auth		sufficient	pam_opie.so	no_warn
 auth		required	pam_unix.so	no_warn	try_first_pass
 
 # account

etc/pam.d/login

@@ -9,7 +9,7 @@ auth		required	pam_nologin.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass
 #auth		required	pam_ssh.so	no_warn try_first_pass
-auth [default=ignore success=done cred_err=die]	pam_opie.so	no_warn
+#auth 		sufficient	pam_opie.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass
 
 # account

etc/pam.d/su

@@ -10,7 +10,7 @@ auth		requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
 #auth		required	pam_ssh.so	no_warn try_first_pass
-auth [default=ignore success=done cred_err=die]	pam_opie.so	no_warn
+#auth 		sufficient	pam_opie.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass nullok
 #auth		sufficient	pam_rootok.so	no_warn
 ##auth		sufficient	pam_kerberosIV.so	no_warn

lib/libpam/modules/pam_opie/pam_opie.c

@@ -66,12 +66,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	struct opie opie;
 	struct options options;
 	struct passwd *pwd;
-	int retval, i, pwok;
+	int retval, i;
 	char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
 	char challenge[OPIE_CHALLENGE_MAX];
 	char prompt[OPIE_CHALLENGE_MAX+22];
 	char resp[OPIE_SECRET_MAX];
-	const char *user, *response, *rhost;
+	const char *user;
+	const char *response;
 
 	pam_std_option(&options, other_options, argc, argv);
 
@@ -88,16 +89,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 
 	user = NULL;
 	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
-		if ((pwd = getpwnam(getlogin())) == NULL)
-			PAM_RETURN(PAM_AUTH_ERR);
+		pwd = getpwnam(getlogin());
 		user = pwd->pw_name;
 	}
 	else {
 		retval = pam_get_user(pamh, (const char **)&user, NULL);
 		if (retval != PAM_SUCCESS)
 			PAM_RETURN(retval);
-		if ((pwd = getpwnam(user)) == NULL)
-			PAM_RETURN(PAM_AUTH_ERR);
 	}
 
 	PAM_LOG("Got user: %s", user);
@@ -108,14 +106,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	 */
 	opiedisableaeh();
 
-	if (opiechallenge(&opie, (char *)user, challenge) == 0) {
-		rhost = NULL;
-		(void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
-		pwok = (rhost != NULL) && (*rhost != '\0') &&
-		       opieaccessfile((char *)rhost) &&
-		       opiealways(pwd->pw_dir);
-	} else
-		PAM_RETURN(PAM_AUTH_ERR);
+	opiechallenge(&opie, (char *)user, challenge);
 	for (i = 0; i < 2; i++) {
 		snprintf(prompt, sizeof prompt, promptstr[i], challenge);
 		retval = pam_get_pass(pamh, &response, prompt, &options);
@@ -134,7 +125,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	}
 
 	/* We have to copy the response, because opieverify mucks with it. */
-	strlcpy(resp, response, sizeof resp);
+	snprintf(resp, sizeof resp, "%s", response);
 
 	/*
 	 * Opieverify is supposed to return -1 only if an error occurs.
@@ -142,10 +133,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	 * it expects.  Thus we can't log an error and can only check for
 	 * success or lack thereof.
 	 */
-	if (opieverify(&opie, resp) != 0)
-		retval = pwok ? PAM_AUTH_ERR : PAM_CRED_ERR;
-	else
-		retval = PAM_SUCCESS;
+	retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
 	PAM_RETURN(retval);
 }
 

lib/libpam/modules/pam_unix/pam_unix.c

@@ -152,8 +152,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 
 		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
 		    PAM_SUCCESS : PAM_AUTH_ERR;
-		if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)
-			retval = PAM_AUTH_ERR;
 	}
 	else {
 
@@ -504,14 +502,15 @@ local_passwd(const char *user, const char *pass)
 		syslog(LOG_ERR, "cannot set password cipher");
 	login_close(lc);
 	/* Salt suitable for anything */
+	srandomdev();
 	gettimeofday(&tv, 0);
-	to64(&salt[0], arc4random(), 3);
+	to64(&salt[0], random(), 3);
 	to64(&salt[3], tv.tv_usec, 3);
 	to64(&salt[6], tv.tv_sec, 2);
-	to64(&salt[8], arc4random(), 5);
-	to64(&salt[13], arc4random(), 5);
-	to64(&salt[17], arc4random(), 5);
-	to64(&salt[22], arc4random(), 5);
+	to64(&salt[8], random(), 5);
+	to64(&salt[13], random(), 5);
+	to64(&salt[17], random(), 5);
+	to64(&salt[22], random(), 5);
 	salt[27] = '\0';
 
 	pwd->pw_passwd = crypt(pass, salt);
@@ -597,14 +596,15 @@ yp_passwd(const char *user, const char *pass)
 		syslog(LOG_ERR, "cannot set password cipher");
 	login_close(lc);
 	/* Salt suitable for anything */
+	srandomdev();
 	gettimeofday(&tv, 0);
-	to64(&salt[0], arc4random(), 3);
+	to64(&salt[0], random(), 3);
 	to64(&salt[3], tv.tv_usec, 3);
 	to64(&salt[6], tv.tv_sec, 2);
-	to64(&salt[8], arc4random(), 5);
-	to64(&salt[13], arc4random(), 5);
-	to64(&salt[17], arc4random(), 5);
-	to64(&salt[22], arc4random(), 5);
+	to64(&salt[8], random(), 5);
+	to64(&salt[13], random(), 5);
+	to64(&salt[17], random(), 5);
+	to64(&salt[22], random(), 5);
 	salt[27] = '\0';
 
 	if (suser_override)