Ubuntu
pam package

Merge ~vorlon/ubuntu/+source/pam:merge into ubuntu/+source/pam:debian/sid

Git
lp:~vorlon/ubuntu/+source/pam
merge
Merge into debian/sid

Proposed by Steve Langasek on 2018-03-17

Status:

Approved

Approved by:

Nish Aravamudan on 2018-04-04

Approved revision:

56be0589c4360b577fcaaca8245090271a5427ea

Proposed branch:

~vorlon/ubuntu/+source/pam:merge

Merge into:

ubuntu/+source/pam:debian/sid

Diff against target:

9799 lines (+9138/-0) (has conflicts)

25 files modified

debian/changelog (+2079/-0)
debian/control (+15/-0)
debian/libpam-modules-bin.install (+5/-0)
debian/libpam-modules.manpages (+4/-0)
debian/libpam-modules.postinst (+15/-0)
debian/libpam0g.postinst (+48/-0)
debian/local/common-session (+8/-0)
debian/local/common-session-noninteractive (+8/-0)
debian/local/pam-auth-update (+18/-0)
debian/local/pam-auth-update.8 (+3/-0)
debian/patches-applied/cve-2015-3238.patch (+6/-0)
debian/patches-applied/extrausers.patch (+6567/-0)
debian/patches-applied/pam_motd-legal-notice (+86/-0)
debian/patches-applied/pam_umask_usergroups_from_login.defs.patch (+127/-0)
debian/patches-applied/series (+11/-0)
debian/patches-applied/ubuntu-rlimit_nice_correction (+17/-0)
debian/patches-applied/update-motd-manpage-ref (+28/-0)
debian/po/eu.po (+6/-0)
debian/po/fi.po (+3/-0)
debian/po/ro.po (+3/-0)
debian/po/tr.po (+3/-0)
debian/po/vi.po (+3/-0)
debian/po/zh_CN.po (+3/-0)
debian/rules (+5/-0)
debian/update-motd.5 (+67/-0)

Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/libpam-modules-bin.install
Conflict in debian/libpam-modules.manpages
Conflict in debian/libpam-modules.postinst
Conflict in debian/libpam0g.postinst
Conflict in debian/local/common-session
Conflict in debian/local/common-session-noninteractive
Conflict in debian/local/pam-auth-update
Conflict in debian/local/pam-auth-update.8
Conflict in debian/patches-applied/cve-2015-3238.patch
Conflict in debian/patches-applied/series
Conflict in debian/po/eu.po
Conflict in debian/po/fi.po
Conflict in debian/po/ro.po
Conflict in debian/po/tr.po
Conflict in debian/po/vi.po
Conflict in debian/po/zh_CN.po
Conflict in debian/rules

Related bugs:

Bug #1558114: package libpam-modules 1.1.8-3.1ubuntu3.1 failed to install/upgrade: trying to overwrite shared '/usr/share/man/man8/pam_unix.8.gz', which is different from other instances of package libpam-modules:i386	Critical	Fix Released
Bug #1571864: update-motd.5 manpage references /var/run/motd	Undecided	Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
git-ubuntu developers		2018-03-17	Pending
Review via email: mp+341556@code.launchpad.net

Description of the change

Resubmit of the now-abandoned <https://code.launchpad.net/~vorlon/ubuntu/+source/pam/+git/pam/+merge/332890> against the now reimported repository, with a fixed-up "logical" tag.

Revision history for this message

Nish Aravamudan (nacc) wrote on 2018-04-04:

Because this was already uploaded, we are essentially 'too late' to integrate the rich history directly. I have upload-tagged the source commit and pushed it to the importer repository, though.

In a future merge, the upload tag can be used as the starting point (presuming no further bionic changes), or it can even be used as the starting point of the next bugfix, and then it would get integrated, as long as the upload tag is pushed before the dput.

Unmerged commits

56be058... by Steve Langasek on 2017-10-27: Fix service restart handling to integrate with systemd instead of upstart.
d83e877... by Steve Langasek on 2017-10-27: Fix references to /var/run in update-motd.5. LP: #1571864
e416d7e... by Steve Langasek on 2017-10-27: document bugs fixed upstream
e8b0ebb... by Steve Langasek on 2017-10-27: fix up VCS fields
b6efc2b... by Steve Langasek on 2017-10-27: update-maintainer
5c284b3... by Steve Langasek on 2017-10-27: reconstruct-changelog
5754c62... by Steve Langasek on 2017-10-27: merge-changelogs
763552a... by Steve Langasek on 2017-10-27:   * debian/patches-applied/cve-2015-3238.patch: removed manpage changes
    so they don't get regenerated during build and cause a multiarch
    installation issue. (LP: #1558114)
ef05976... by Steve Langasek on 2017-10-27: - don't notify about xdm restarts during a release-upgrade
b2595de... by Steve Langasek on 2017-10-27: po file cleanups

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Steve Langasek

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index ff9229d..89101d7 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,4 @@
++<<<<<<< debian/changelog
  pam (1.1.8-3.7) unstable; urgency=medium
    * Non-maintainer upload.
@@ -7,6 +8,61 @@ pam (1.1.8-3.7) unstable; urgency=medium
      enabling non-default configs without prompting the admin. (LP: #1192719)
   -- Timo Aaltonen <tjaalton@debian.org>  Fri, 02 Feb 2018 16:57:43 +0200
++=======
++pam (1.1.8-3.6ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable.
++    - Fixes unescaped brace in pam_getenv regex.  LP: #1538284.
++    - Fixes pam_namespace defaults for compatibility with dash.  LP: #1081323.
++  * Remaining changes:
++    - debian/control: have libpam-modules recommend update-motd package
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix's explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
++      that is basically just a copy of pam_unix but looks at
++      /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
++    - debian/libpam-modules-bin.install: install the helper binaries for
++      pam_extrausers to /sbin
++    - debian/rules: Make pam_extrausers_chkpwd sguid shadow
++    - pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
++      by default.
++    - don't notify about xdm restarts during a release-upgrade
++    - debian/patches-applied/cve-2015-3238.patch: removed manpage changes
++      so they don't get regenerated during build and cause a multiarch
++      installation issue.
++  * Dropped changes, included in Debian:
++    - Build-depend on libfl-dev.
++    - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
++      soft nofile limit read from pid 1 to FD_SETSIZE.
++  * Fix references to /var/run in update-motd.5.  LP: #1571864
++  * Fix service restart handling to integrate with systemd instead of
++    upstart.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 26 Oct 2017 23:23:18 -0700
++>>>>>>> debian/changelog
  pam (1.1.8-3.6) unstable; urgency=medium
@@ -75,6 +131,77 @@ pam (1.1.8-3.3) unstable; urgency=low
   -- Laurent Bigonville <bigon@debian.org>  Wed, 18 May 2016 02:04:29 +0200
++<<<<<<< debian/changelog
++=======
++pam (1.1.8-3.2ubuntu3) artful; urgency=medium
++
++  * No-change rebuild to pick up -fPIE compiler default in static
++    libraries
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 21 Apr 2017 20:53:23 +0000
++
++pam (1.1.8-3.2ubuntu2) xenial; urgency=medium
++
++  * debian/patches-applied/cve-2015-3238.patch: removed manpage changes
++    so they don't get regenerated during build and cause a multiarch
++    installation issue. (LP: #1558114)
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 16 Mar 2016 13:34:02 -0400
++
++pam (1.1.8-3.2ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix's explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++    - Add /usr/local/games to PATH.
++    - Adjust debian/patches-applied/update-motd to write to
++      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
++      to use this file and no longer links /etc/motd to /var/run/motd.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      include patch to autogenerated manpage file
++    - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
++      Update patch with follow-up changes to loginuid.c
++    - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
++      that is basically just a copy of pam_unix but looks at
++      /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
++    - debian/libpam-modules-bin.install: install the helper binaries for
++      pam_extrausers to /sbin
++    - debian/rules: Make pam_extrausers_chkpwd sguid shadow
++    - debian/patches-applied/extrausers.patch: Ship pre-generated man page
++    - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
++      soft nofile limit read from pid 1 to FD_SETSIZE.
++    - debian/control: have libpam-modules recommend update-motd package
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 16 Mar 2016 09:50:51 -0400
++
++>>>>>>> debian/changelog
  pam (1.1.8-3.2) unstable; urgency=medium
    * Non-maintainer upload.
@@ -83,6 +210,79 @@ pam (1.1.8-3.2) unstable; urgency=medium
   -- Tianon Gravi <tianon@debian.org>  Wed, 06 Jan 2016 15:53:31 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.1.8-3.1ubuntu3) vivid; urgency=medium
++
++  * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
++    soft nofile limit read from pid 1 to FD_SETSIZE.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Wed, 22 Apr 2015 08:55:24 +0000
++
++pam (1.1.8-3.1ubuntu2) vivid; urgency=medium
++
++  * debian/control:
++    - have libpam-modules recommend update-motd package
++      + while libpam-modules provides pam_motd, which does dynamically
++        generate the motd from /etc/update-motd.d on login, hundreds of
++        users have asked in the past few years how they might "force"
++        a MOTD update;  this is provided by /usr/sbin/update-motd
++        in the tiny update-motd package (already in main); recommend
++        this package
++
++ -- Dustin Kirkland <kirkland@ubuntu.com>  Tue, 11 Nov 2014 12:49:14 -0600
++
++pam (1.1.8-3.1ubuntu1) vivid; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix's explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++    - Add /usr/local/games to PATH.
++    - Adjust debian/patches-applied/update-motd to write to
++      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
++      to use this file and no longer links /etc/motd to /var/run/motd.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      include patch to autogenerated manpage file
++    - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
++      Update patch with follow-up changes to loginuid.c
++    - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
++      that is basically just a copy of pam_unix but looks at
++      /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
++    - debian/libpam-modules-bin.install: install the helper binaries for
++      pam_extrausers to /sbin
++    - debian/rules: Make pam_extrausers_chkpwd sguid shadow
++    - debian/patches-applied/extrausers.patch: Ship pre-generated man page
++
++ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 27 Oct 2014 09:57:52 +0100
++
++>>>>>>> debian/changelog
  pam (1.1.8-3.1) unstable; urgency=high
    * Non-maintainer upload by the Security Team.
@@ -93,6 +293,81 @@ pam (1.1.8-3.1) unstable; urgency=high
   -- Michael Gilbert <mgilbert@debian.org>  Sat, 09 Aug 2014 09:50:42 +0000
++<<<<<<< debian/changelog
++=======
++pam (1.1.8-3ubuntu4) utopic; urgency=medium
++
++  * No-change rebuild to get debug symbols on all architectures.
++
++ -- Brian Murray <brian@ubuntu.com>  Tue, 21 Oct 2014 12:32:23 -0700
++
++pam (1.1.8-3ubuntu3) utopic; urgency=medium
++
++  * debian/patches-applied/extrausers.patch:
++    - Ship pre-generated man page
++
++ -- Michael Terry <mterry@ubuntu.com>  Tue, 22 Jul 2014 14:13:31 -0400
++
++pam (1.1.8-3ubuntu2) utopic; urgency=medium
++
++  * debian/patches-applied/extrausers.patch: Add a pam_extrausers module
++    that is basically just a copy of pam_unix but looks at
++    /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
++  * debian/libpam-modules-bin.install: install the helper binaries for
++    pam_extrausers to /sbin
++  * debian/rules: Make pam_extrausers_chkpwd sguid shadow
++
++ -- Michael Terry <mterry@ubuntu.com>  Fri, 18 Jul 2014 14:52:08 -0400
++
++pam (1.1.8-3ubuntu1) utopic; urgency=medium
++
++  [ Stéphane Graber ]
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix's explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++    - Add /usr/local/games to PATH.
++    - Adjust debian/patches-applied/update-motd to write to
++      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
++      to use this file and no longer links /etc/motd to /var/run/motd.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      include patch to autogenerated manpage file
++    - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
++      Update patch with follow-up changes to loginuid.c
++
++  [ Timo Aaltonen ]
++  * pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
++    by default. (LP: #557013)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 02 May 2014 14:59:10 -0400
++
++>>>>>>> debian/changelog
  pam (1.1.8-3) unstable; urgency=low
    * debian/rules: On hurd, link libpam explicitly with -lpthread since glibc
@@ -109,6 +384,57 @@ pam (1.1.8-2) unstable; urgency=medium
   -- Steve Langasek <vorlon@debian.org>  Thu, 13 Feb 2014 15:02:00 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.1.8-1ubuntu2) trusty; urgency=medium
++
++  * debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
++    Update patch with follow-up changes to loginuid.c
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 31 Jan 2014 22:11:02 +0000
++
++pam (1.1.8-1ubuntu1) trusty; urgency=medium
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix's explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++    - Add /usr/local/games to PATH.
++    - Adjust debian/patches-applied/update-motd to write to
++      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
++      to use this file and no longer links /etc/motd to /var/run/motd.
++  * debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: include
++    patch to autogenerated manpage file
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 16 Jan 2014 02:40:41 +0000
++
++>>>>>>> debian/changelog
  pam (1.1.8-1) unstable; urgency=medium
    * New upstream release.
@@ -142,6 +468,50 @@ pam (1.1.8-1) unstable; urgency=medium
   -- Steve Langasek <vorlon@debian.org>  Thu, 16 Jan 2014 00:38:42 +0000
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-11ubuntu1) trusty; urgency=medium
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix's explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++    - Add /usr/local/games to PATH.
++    - Adjust debian/patches-applied/update-motd to write to
++      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
++      to use this file and no longer links /etc/motd to /var/run/motd.
++  * Dropped changes, merged in Debian:
++    - Disable libaudit for stage1 bootstrap.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 13 Jan 2014 21:41:05 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.3-11) unstable; urgency=low
    [ Wookey ]
@@ -155,6 +525,49 @@ pam (1.1.3-11) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 14 Jan 2014 03:33:31 +0000
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-10ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix's explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++    - Add /usr/local/games to PATH.
++    - Disable libaudit for stage1 bootstrap.
++    - Adjust debian/patches-applied/update-motd to write to
++      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
++      to use this file and no longer links /etc/motd to /var/run/motd.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 20 Oct 2013 18:21:34 -0700
++
++>>>>>>> debian/changelog
  pam (1.1.3-10) unstable; urgency=low
    * Fix pam-auth-update handling of trailing blank lines in the fields of
@@ -176,6 +589,59 @@ pam (1.1.3-9) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 12 Feb 2013 23:06:30 +0000
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-8ubuntu3) saucy; urgency=low
++
++  * Adjust debian/patches-applied/update-motd to write to /run/motd.dynamic,
++    as sysvinit/ssh/login in Debian have been changed to use this file and
++    no longer links /etc/motd to /var/run/motd.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 18 May 2013 00:07:43 -0500
++
++pam (1.1.3-8ubuntu2) raring; urgency=low
++
++  * Disable libaudit for stage1 bootstrap (LP: #1126404)
++
++ -- Wookey <wookey@wookware.org>  Fri, 15 Feb 2013 12:45:27 +0000
++
++pam (1.1.3-8ubuntu1) raring; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix' explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++    - Add /usr/local/games to PATH.  LP: #110287.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 11 Feb 2013 22:08:44 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.3-8) unstable; urgency=low
    * Confirm NMU for bug #611136; thanks to Michael Gilbert.
@@ -212,6 +678,58 @@ pam (1.1.3-7.1) unstable; urgency=low
   -- Michael Gilbert <mgilbert@debian.org>  Sun, 29 Apr 2012 02:23:26 -0400
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-7ubuntu3) quantal; urgency=low
++
++  [ Nathan Williams ]
++  * Add /usr/local/games to PATH.  LP: #110287.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 03 Jul 2012 06:55:25 +0000
++
++pam (1.1.3-7ubuntu2) precise; urgency=low
++
++  * No-change rebuild with gzip 1.4-1ubuntu2 to get multiarch-clean
++    compression of manpages.  LP: #871083.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Feb 2012 17:15:39 -0800
++
++pam (1.1.3-7ubuntu1) precise; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix' explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - Build-depend on libfl-dev in addition to flex, for cross-building
++      support.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 28 Jan 2012 11:36:07 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.3-7) unstable; urgency=low
    * Updated debconf translations:
@@ -239,6 +757,52 @@ pam (1.1.3-7) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sat, 28 Jan 2012 10:57:49 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-6ubuntu1) precise; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/libpam0g.postinst: the init script for 'samba' is now named
++      'smbd' in Ubuntu, so fix the restart handling.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix' explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++  * Dropped changes, included in Debian:
++    - debian/patches-applied/update-motd: set a sane umask before calling
++      run-parts, and restore the old mask afterwards, so /run/motd gets
++      consistent permissions.
++    - debian/patches-applied/update-motd: new module option for pam_motd,
++      'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
++    - debian/libpam0g.postinst: drop kdm from the list of services to
++      restart.
++  * Build-depend on libfl-dev in addition to flex, for cross-building
++    support.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 07 Nov 2011 21:15:00 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.3-6) unstable; urgency=low
    * debian/patches-applied/hurd_no_setfsuid: we don't want to check all
@@ -266,6 +830,62 @@ pam (1.1.3-6) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 06 Nov 2011 19:43:14 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-5ubuntu2) precise; urgency=low
++
++  * Rebuild with dpkg 1.16.1.1ubuntu2 to restore large file support.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 01 Nov 2011 16:59:55 -0400
++
++pam (1.1.3-5ubuntu1) precise; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/libpam0g.postinst: drop kdm from the list of services to
++      restart.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix' explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++      (Closes: #583958)
++  * Dropped changes, included in Debian:
++    - debian/patches-applied/CVE-2011-3148.patch
++    - debian/patches-applied/CVE-2011-3149.patch
++    - debian/patches-applied/update-motd: updated to use clean environment
++      and absolute paths in modules/pam_motd/pam_motd.c.
++  * debian/libpam0g.postinst: the init script for 'samba' is now named 'smbd'
++    in Ubuntu, so fix the restart handling.
++  * debian/patches-applied/update-motd: set a sane umask before calling
++    run-parts, and restore the old mask afterwards, so /run/motd gets
++    consistent permissions.  LP: #871943.
++  * debian/patches-applied/update-motd: new module option for pam_motd,
++    'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
++    LP: #805423.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 30 Oct 2011 09:45:00 -0600
++
++>>>>>>> debian/changelog
  pam (1.1.3-5) unstable; urgency=low
    [ Kees Cook ]
@@ -320,6 +940,67 @@ pam (1.1.3-3) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sat, 24 Sep 2011 20:08:56 +0000
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low
++
++  * SECURITY UPDATE: possible code execution via incorrect environment file
++    parsing (LP: #874469)
++    - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
++      whitespace when parsing environment file in modules/pam_env/pam_env.c.
++    - CVE-2011-3148
++  * SECURITY UPDATE: denial of service via overflowed environment variable
++    expansion (LP: #874565)
++    - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
++      with PAM_BUF_ERR in modules/pam_env/pam_env.c.
++    - CVE-2011-3149
++  * SECURITY UPDATE: code execution via incorrect environment cleaning
++    - debian/patches-applied/update-motd: updated to use clean environment
++      and absolute paths in modules/pam_motd/pam_motd.c.
++    - CVE-2011-XXXX
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 18 Oct 2011 09:33:47 -0400
++
++pam (1.1.3-2ubuntu1) oneiric; urgency=low
++
++  * Merge with Debian to get bug fix for unknown kernel rlimits. Remaining
++    changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/libpam0g.postinst: drop kdm from the list of services to
++      restart.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
++      default, now that the umask setting is gone from /etc/profile.
++    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
++    - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++      Deprecate pam_unix' explicit "usergroups" option and instead read it
++      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
++      there. This restores compatibility with the pre-PAM behaviour of login.
++      (Closes: #583958)
++  * Dropped changes:
++    - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
++      no need to bump the hard limit for number of file descriptors any more
++      since we read kernel limits directly now.
++
++ -- Kees Cook <kees@ubuntu.com>  Thu, 18 Aug 2011 16:41:18 -0500
++
++>>>>>>> debian/changelog
  pam (1.1.3-2) unstable; urgency=low
    [ Kees Cook ]
@@ -336,6 +1017,76 @@ pam (1.1.3-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 21 Jun 2011 11:41:12 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.3-1ubuntu3) oneiric; urgency=low
++
++  [ Steve Langasek ]
++  * debian/patches/pam_motd-legal-notice: use pam_modutil_gain/drop_priv
++    common helper functions, instead of hand-rolled uid-setting code.
++
++  [ Martin Pitt ]
++  * debian/local/common-session{,-noninteractive}: Enable pam_umask by
++    default, now that the umask setting is gone from /etc/profile.
++    (LP: #253096, UbuntuSpec:umask-to-0002)
++  * debian/local/pam-auth-update: Add the new md5sum of above files.
++  * Add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
++    Deprecate pam_unix' explicit "usergroups" option and instead read it from
++    /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there.
++    This restores compatibility with the pre-PAM behaviour of login.
++    (Closes: #583958)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 24 Jun 2011 11:07:57 +0200
++
++pam (1.1.3-1ubuntu2) oneiric; urgency=low
++
++  * debian/patches-applied/update-motd-manpage-ref: refresh patch to apply
++    cleanly against new upstream.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 04 Jun 2011 14:20:17 -0700
++
++pam (1.1.3-1ubuntu1) oneiric; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
++      bump the hard limit for number of file descriptors, to keep pace with
++      the changes in the kernel.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/libpam0g.postinst: drop kdm from the list of services to
++      restart.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - New patch, lib_security_multiarch_compat, which lets us reuse the
++      upstream --enable-isadir functionality to support a true path for
++      module lookups; this way we don't have to force a hard transition to
++      multiarch, but can support resolving modules in both the multiarch and
++      non-multiarch directories.
++    - build for multiarch, splitting our executables out of libpam-modules
++      into a new package, libpam-modules-bin, so that modules can be
++      co-installable between architectures.
++  * Dropped changes:
++    - bumping the service restart version in libpam0g.postinst to ensure
++      servers don't fail to find the pam modules in the new paths; the min
++      version requirement upstream is higher than this now.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 04 Jun 2011 14:04:19 -0700
++
++>>>>>>> debian/changelog
  pam (1.1.3-1) unstable; urgency=low
    * New upstream release.
@@ -353,6 +1104,49 @@ pam (1.1.3-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sat, 04 Jun 2011 03:10:50 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.2-3ubuntu1) oneiric; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
++      bump the hard limit for number of file descriptors, to keep pace with
++      the changes in the kernel.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++    - debian/libpam0g.postinst: drop kdm from the list of services to
++      restart.
++    - debian/libpam0g.postinst: check if gdm is actually running before
++      trying to reload it.
++    - New patch, lib_security_multiarch_compat, which lets us reuse the
++      upstream --enable-isadir functionality to support a true path for
++      module lookups; this way we don't have to force a hard transition to
++      multiarch, but can support resolving modules in both the multiarch and
++      non-multiarch directories.
++    - build for multiarch, splitting our executables out of libpam-modules
++      into a new package, libpam-modules-bin, so that modules can be
++      co-installable between architectures.
++    - bumping the service restart version in libpam0g.postinst to ensure
++      servers don't fail to find the pam modules in the new paths.
++  * bump debhelper build-dep for final multiarch support.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 20 May 2011 12:53:24 -0700
++
++>>>>>>> debian/changelog
  pam (1.1.2-3) unstable; urgency=low
    [ Kees Cook ]
@@ -371,6 +1165,95 @@ pam (1.1.2-3) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 01 May 2011 01:49:11 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.2-2ubuntu8) natty; urgency=low
++
++  * Check if gdm is actually running before trying to reload it. (LP: #745532)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 11 Apr 2011 21:57:36 -0400
++
++pam (1.1.2-2ubuntu7) natty; urgency=low
++
++  * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
++    bump the hard limit for number of file descriptors, to keep pace with
++    the changes in the kernel.  Fortunately this shadowing should all go
++    away next cycle when we can start to grab defaults directly from /proc.
++    LP: #663090
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 05 Apr 2011 13:02:02 -0700
++
++pam (1.1.2-2ubuntu6) natty; urgency=low
++
++  * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
++    keeps libpam loaded persistently at runtime, so it's not necessary to
++    force a kdm restart on ABI bump.  Which is good, since restarting kdm
++    now seems to also log users out of running sessions, which we rather
++    want to avoid.  LP: #744944.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 29 Mar 2011 13:16:26 -0700
++
++pam (1.1.2-2ubuntu5) natty; urgency=low
++
++  * Force a service restart on upgrade to the new libpam0g, to ensure
++    servers don't fail to find the pam modules in the new paths.
++  * libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
++    for the same reason.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 22 Mar 2011 02:19:51 -0700
++
++pam (1.1.2-2ubuntu4) natty; urgency=low
++
++  * Build for multiarch; FFe LP: #733501.
++  * Split our executables out of libpam-modules into a new package,
++    libpam-modules-bin, so that modules can be co-installable between
++    architectures.
++  * New patch, lib_security_multiarch_compat, which lets us reuse the
++    upstream --enable-isadir functionality to support a true path for module
++    lookups; this way we don't have to force a hard transition to multiarch,
++    but can support resolving modules in both the multiarch and
++    non-multiarch directories.
++  * Build-Depend on the multiarchified debhelper.
++  * Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 18 Mar 2011 00:12:26 -0700
++
++pam (1.1.2-2ubuntu3) natty; urgency=low
++
++  * Er, but let's get this patch applying cleanly.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 21 Feb 2011 16:10:11 -0800
++
++pam (1.1.2-2ubuntu2) natty; urgency=low
++
++  * debian/patches/update-motd-manpage-ref: patch the manpage too, not just
++    the xml source.
++
++ -- Steve Langasek <vorlon@debian.org>  Mon, 21 Feb 2011 15:47:27 -0800
++
++pam (1.1.2-2ubuntu1) natty; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 17 Feb 2011 16:15:47 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.2-2) unstable; urgency=low
    * debian/patches-applied/hurd_no_setfsuid: handle some new calls to
@@ -429,6 +1312,35 @@ pam (1.1.1-7) UNRELEASED; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Wed, 17 Nov 2010 16:53:46 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.1.1-6.1ubuntu1) natty; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++  * Dropped changes:
++    - libpam-modules depend on base-files (>= 5.0.0ubuntu6): 5.0.0ubuntu20
++      is in 10.04 LTS and this is an essential package, so no more need for
++      the versioned dependency.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 15 Feb 2011 23:36:47 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.1-6.1) unstable; urgency=low
    * Non-maintainer upload.
@@ -466,6 +1378,41 @@ pam (1.1.1-5) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 05 Sep 2010 12:42:34 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.1-4ubuntu2) maverick-security; urgency=low
++
++  * SECURITY UPDATE: root privilege escalation via symlink following.
++    - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
++    - CVE-2010-0832
++
++ -- Kees Cook <kees@ubuntu.com>  Mon, 25 Oct 2010 06:40:32 -0700
++
++pam (1.1.1-4ubuntu1) maverick; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
++      not present there or in /etc/security/pam_env.conf. (should send to
++      Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent
++      showing it again.
++    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++      for update-motd, with some best practices and notes of explanation.
++    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
++      to update-motd(5)
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 16 Aug 2010 19:12:35 -0700
++
++>>>>>>> debian/changelog
  pam (1.1.1-4) unstable; urgency=low
    * debian/patches/conditional_module,_conditional_man: if we don't have the
@@ -484,6 +1431,43 @@ pam (1.1.1-4) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 15 Aug 2010 21:53:46 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.1-3ubuntu2) maverick; urgency=low
++
++  * Trigger a rebuild, applying changes from 1.1.1-2ubuntu2 which
++    were previously not committed to bzr
++
++ -- Dustin Kirkland <kirkland@ubuntu.com>  Thu, 13 May 2010 10:04:23 +0200
++
++pam (1.1.1-3ubuntu1) maverick; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++  * Dropped changes:
++    - debian/local/common-{auth,account,password}.md5sums: include the
++      Ubuntu-specific intrepid,jaunty md5sums for use during the
++      common-session-noninteractive upgrade - upgrades to maverick are
++      only supported from lucid, so this delta can be dropped.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: 'missingok' option
++      is obsoleted by 10.04 LTS and no longer needs to be supported for
++      upgrades.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 13 May 2010 00:39:44 +0200
++
++>>>>>>> debian/changelog
  pam (1.1.1-3) unstable; urgency=low
    * pam-auth-update: fix a bug in our handling of module options when the
@@ -494,6 +1478,44 @@ pam (1.1.1-3) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 25 Apr 2010 05:53:44 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.1-2ubuntu2) lucid; urgency=low
++
++  * debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
++    for update-motd, with some best practices and notes of explanation,
++    LP: #562566
++  * debian/patches/update-motd-manpage-ref: add a reference in pam_mod(8)
++    to update-motd(5), LP: #552175
++
++ -- Dustin Kirkland <kirkland@ubuntu.com>  Tue, 13 Apr 2010 16:58:12 -0500
++
++pam (1.1.1-2ubuntu1) lucid; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++    - debian/local/common-{auth,account,password}.md5sums: include the
++      Ubuntu-specific intrepid,jaunty md5sums for use during the
++      common-session-noninteractive upgrade.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 18 Feb 2010 12:04:18 +0000
++
++>>>>>>> debian/changelog
  pam (1.1.1-2) unstable; urgency=low
    * Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and
@@ -502,6 +1524,34 @@ pam (1.1.1-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Wed, 17 Feb 2010 23:21:23 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.1.1-1ubuntu1) lucid; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++    - debian/local/common-{auth,account,password}.md5sums: include the
++      Ubuntu-specific intrepid,jaunty md5sums for use during the
++      common-session-noninteractive upgrade.
++
++ -- Steve Langasek <vorlon@debian.org>  Mon, 01 Feb 2010 09:55:02 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.1-1) unstable; urgency=low
    * New upstream version.
@@ -529,6 +1579,50 @@ pam (1.1.1-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 01 Feb 2010 02:04:33 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.1.0-4ubuntu3) lucid; urgency=low
++
++  * Brown paper bag: remove the right patch from the series file.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 10 Dec 2009 23:09:03 -0800
++
++pam (1.1.0-4ubuntu2) lucid; urgency=low
++
++  * "Rebase" Ubuntu patches to apply them last in the series.
++  * Drop patch ubuntu-regression_fix_securetty, superseded by the more
++    precise fix in pam_securetty_tty_check_before_user_check.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 10 Dec 2009 22:52:20 -0800
++
++pam (1.1.0-4ubuntu1) lucid; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++    - debian/local/common-{auth,account,password}.md5sums: include the
++      Ubuntu-specific intrepid,jaunty md5sums for use during the
++      common-session-noninteractive upgrade.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 05 Nov 2009 21:33:15 -0800
++
++>>>>>>> debian/changelog
  pam (1.1.0-4) unstable; urgency=low
    * debian/patches/pam_securetty_tty_check_before_user_check: new patch,
@@ -578,6 +1672,39 @@ pam (1.1.0-3) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 07 Sep 2009 18:47:45 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.0-2ubuntu1) karmic; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++    - debian/local/common-{auth,account,password}.md5sums: include the
++      Ubuntu-specific intrepid,jaunty md5sums for use during the
++      common-session-noninteractive upgrade.
++  * Changes merged in Debian:
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 04 Sep 2009 01:11:48 -0700
++
++>>>>>>> debian/changelog
  pam (1.1.0-2) unstable; urgency=low
    [ Steve Langasek ]
@@ -606,6 +1733,44 @@ pam (1.1.0-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 31 Aug 2009 14:21:27 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.1.0-1ubuntu1) karmic; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++    - debian/local/common-{auth,account,password}.md5sums: include the
++      Ubuntu-specific intrepid,jaunty md5sums for use during the
++      common-session-noninteractive upgrade.
++  * Dropped changes, superseded upstream:
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 26 Aug 2009 00:40:14 -0700
++
++>>>>>>> debian/changelog
  pam (1.1.0-1) unstable; urgency=low
    * New upstream version.
@@ -649,6 +1814,45 @@ pam (1.1.0-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 25 Aug 2009 20:35:26 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-11ubuntu1) karmic; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++  * debian/local/pam-auth-update: prune some more md5sums from intrepid
++    pre-release versions, reducing the Ubuntu delta some
++  * debian/local/common-{auth,account,password}.md5sums: include the
++    Ubuntu-specific intrepid,jaunty md5sums for use during the
++    common-session-noninteractive upgrade.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 23 Aug 2009 20:14:58 -0700
++
++>>>>>>> debian/changelog
  pam (1.0.1-11) unstable; urgency=low
    * debian/libpam-runtime.postinst: bump the --force version check to
@@ -676,6 +1880,40 @@ pam (1.0.1-11) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 23 Aug 2009 18:07:11 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-10ubuntu1) karmic; urgency=low
++
++  * Merge from Debian, remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++      run-parts does the right thing in /etc/update-motd.d.
++    - debian/patches-applied/pam_motd-legal-notice: display the contents of
++      /etc/legal once, then set a flag in the user's homedir to prevent showing
++      it again.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 07 Aug 2009 09:50:02 +0100
++
++>>>>>>> debian/changelog
  pam (1.0.1-10) unstable; urgency=high
    [ Steve Langasek ]
@@ -712,6 +1950,54 @@ pam (1.0.1-10) unstable; urgency=high
   -- Steve Langasek <vorlon@debian.org>  Thu, 06 Aug 2009 17:54:32 +0100
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-9ubuntu3) karmic; urgency=low
++
++  * Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
++    run-parts does the right thing in /etc/update-motd.d.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 15 Jul 2009 23:55:50 -0700
++
++pam (1.0.1-9ubuntu2) karmic; urgency=low
++
++  [ Dustin Kirkland ]
++  * debian/patches/update-motd: run the update-motd scripts in pam_motd;
++    render update-motd obsolete, LP: #399071
++  * debian/patches-applied/pam_motd-legal-notice: display the contents of
++    /etc/legal once, then set a flag in the user's homedir to prevent showing
++    it again.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 15 Jul 2009 20:41:52 -0700
++
++pam (1.0.1-9ubuntu1) jaunty; urgency=low
++
++  * Merge from Debian unstable
++  * Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 20 Mar 2009 19:12:10 -0700
++
++>>>>>>> debian/changelog
  pam (1.0.1-9) unstable; urgency=low
    * Move the pam module packages to section 'admin'.
@@ -745,6 +2031,59 @@ pam (1.0.1-8) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Fri, 20 Mar 2009 18:15:07 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-7ubuntu1) jaunty; urgency=low
++
++  * Merge from Debian unstable
++  * Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++  * Dropped changes, merged in Debian:
++    - debian/local/pam-auth-update (et al): new interface for managing
++      /etc/pam.d/common-*, using drop-in config snippets provided by module
++      packages.
++    - New patch dont_freeze_password_chain, cherry-picked from upstream:
++      don't always follow the same path through the password stack on
++      the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
++      pass; this Linux-PAM deviation from the original PAM spec causes a
++      number of problems, in particular causing wrong return values when
++      using the refactored pam-auth-update stack.  LP: #303515, #305882.
++    - debian/patches/027_pam_limits_better_init_allow_explicit_root:
++      Add documentation to the patch showing how to set limits for root.
++  * Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6,
++    reducing the delta with Debian.
++  * Drop upgrade handling code from libpam-runtime.postinst that's only
++    needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid
++    pre-release version of the package.
++  * pam-auth-update: swap out known md5sums from intrepid pre-release versions
++    with the md5sums from the released intrepid version
++  * pam-auth-update: drop some md5sums that will only be seen on upgrade from
++    pre-intrepid versions; skipping over the 8.10 final release is not
++    supported, and upgrading via 8.10 means those config files will be
++    replaced so the old md5sums will never be seen again.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 03 Mar 2009 17:34:19 -0800
++
++>>>>>>> debian/changelog
  pam (1.0.1-7) unstable; urgency=low
    * 027_pam_limits_better_init_allow_explicit_root:
@@ -779,6 +2118,70 @@ pam (1.0.1-6) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sat, 28 Feb 2009 13:36:57 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-5ubuntu2) jaunty; urgency=low
++
++  * New patch dont_freeze_password_chain, cherry-picked from upstream:
++    don't always follow the same path through the password stack on
++    the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
++    pass; this Linux-PAM deviation from the original PAM spec causes a
++    number of problems, in particular causing wrong return values when
++    using the refactored pam-auth-update stack.  LP: #303515, #305882.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 27 Feb 2009 16:20:24 -0800
++
++pam (1.0.1-5ubuntu1) jaunty; urgency=low
++
++  * Merge from Debian unstable
++  * Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/pam-auth-update (et al): new interface for managing
++      /etc/pam.d/common-*, using drop-in config snippets provided by module
++      packages.
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++  * Bump the version numbers referenced in the config files, again, as pam
++    has revved in Debian and moved the bar.
++  * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
++    as a present but empty file; thanks to Greg Price for the patch.
++    LP: #294513.
++  * pam-auth-update: Ignore removed profiles when detecting an empty set
++    of currently-enabled modules.  Thanks to Greg Price for this as well.
++  * debian/control: libpam-runtime needs a versioned dependency on
++    debconf, because it uses the x_loadtemplatefile extension that's
++    not supported by debconf versions before hardy.  LP: #295135.
++  * pam-auth-update: trim leading whitespace from multiline fields when
++    parsing PAM profiles.  LP: #295441.
++  * pam-auth-update: factor out the duplicate code used for returning
++    the lines for a given module
++
++  [ Jonathan Marsden ]
++  * debian/patches/027_pam_limits_better_init_allow_explicit_root:
++    Add to patch, documenting how to set limits for root user.
++    Include an example.  Alters limits.conf, limits.conf.5.xml,
++    and limits.conf.5 .  (LP: #65244)
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 08 Jan 2009 20:26:25 +0000
++
++>>>>>>> debian/changelog
  pam (1.0.1-5) unstable; urgency=low
    * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as
@@ -814,6 +2217,114 @@ pam (1.0.1-5) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 06 Jan 2009 00:05:13 -0800
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-4ubuntu5.4) jaunty; urgency=low
++
++  * No-change upload to jaunty to fix publication on armel.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 18 Nov 2008 14:09:00 +0000
++
++pam (1.0.1-4ubuntu5.3) intrepid-updates; urgency=low
++
++  * No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was
++    copied while some ports were not built yet.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 11 Nov 2008 14:50:12 +0100
++
++pam (1.0.1-4ubuntu5.2) intrepid-proposed; urgency=low
++
++  * No-change rebuild because the archive admin (me) copied the package
++    to jaunty too soon.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 05 Nov 2008 20:28:11 +0000
++
++pam (1.0.1-4ubuntu5.1) intrepid-proposed; urgency=low
++
++  * Allow passwords to change on expired accounts, by passing
++    new_authtok_reqd return codes immediately (LP: #291091).
++
++ -- Kees Cook <kees@ubuntu.com>  Wed, 05 Nov 2008 09:31:45 -0800
++
++pam (1.0.1-4ubuntu5) intrepid; urgency=low
++
++  * debian/libpam0g.postinst: change 'cupsys' to 'cups' in the list of
++    default desktop services that are ignored in deciding whether to prompt
++    for service restarts on upgrade.  Partially addresses LP #278117.
++  * debian/libpam0g.postinst: also filter out samba, which may be installed
++    on the desktop to enable filesharing.
++  * debian/libpam-cracklib.prerm, debian/libpam-runtime.prerm: add the
++    ubiquitous debhelper tokens (currently a no-op)
++  * pam-auth-update: Use -Initial only for the first profile, even when
++    there's no explicit -Initial config for that first profile
++  * fix common-session/common-password to use the same overall stack
++    structure as auth/account, so that we get the correct behavior when
++    all password modules fail.  LP: #272232.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 15 Oct 2008 18:11:13 -0700
++
++pam (1.0.1-4ubuntu4) intrepid; urgency=low
++
++  * Fix a bug in the parser that caused spewing of errors when there
++    were more lines in the config file following the managed block.
++    LP: #270328.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 23 Sep 2008 06:34:56 +0000
++
++pam (1.0.1-4ubuntu3) intrepid; urgency=low
++
++  * Fix up the code that saves state to /var/lib/pam, so that it matches
++    what's expected by the code which later compares the saved and active
++    profiles in the case that there are both primary and additional
++    modules present.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 16 Sep 2008 06:49:56 +0000
++
++pam (1.0.1-4ubuntu2) intrepid; urgency=low
++
++  * Brown paper bag bug: fix a missing comma in pam-auth-update.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 13 Sep 2008 08:55:32 +0000
++
++pam (1.0.1-4ubuntu1) intrepid; urgency=low
++
++  * Merge from Debian unstable
++  * Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/pam-auth-update (et al): new interface for managing
++      /etc/pam.d/common-*, using drop-in config snippets provided by module
++      packages.
++    - debian/local/common-password, debian/pam-configs/unix: switch from
++      "md5" to "sha512" as password crypt default.
++  * Bump the version numbers referenced in the config files, again, as pam
++    has revved in Debian and moved the bar.
++  * debian/pam-config/*: refine the password profiles to use a 'primary'
++    block, to better parallel the auth structure.
++  * Drop '-Final' from the field names in /usr/share/pam-configs, supporting
++    these field names for backwards compatibility only
++  * Bump the dependency version requirement to 1.0.1-4ubuntu1 for the above
++    change
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 13 Sep 2008 08:55:19 +0000
++
++>>>>>>> debian/changelog
  pam (1.0.1-4) unstable; urgency=high
    * High-urgency upload for RC bugfix.
@@ -836,6 +2347,91 @@ pam (1.0.1-4) unstable; urgency=high
   -- Steve Langasek <vorlon@debian.org>  Thu, 28 Aug 2008 22:59:23 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-3ubuntu5) intrepid; urgency=low
++
++  [ Steve Langasek ]
++  * Never remove the .pam-old files; just avoid creating them if --force isn't
++    set.
++  * Add a manpage for pam-auth-update.
++  * Automatically upgrade the boilerplate for /etc/pam.d/common-* if we
++    detect that they have not been locally modified.
++
++  [ Kees Cook ]
++  * debian/local/common-password, debian/pam-configs/unix: switch from "md5"
++    to "sha512" as password crypt default.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 26 Aug 2008 06:33:07 +0000
++
++pam (1.0.1-3ubuntu4) intrepid; urgency=low
++
++  * If two profiles have the same Priority, sort by the profile name to
++    ensure a complete sort so we can filter out all the duplicates from the
++    list and not write out broken configs.  LP: #260371.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 22 Aug 2008 17:33:14 +0000
++
++pam (1.0.1-3ubuntu3) intrepid; urgency=low
++
++  * s/pam-auth-config/pam-auth-update/ in the source, I can't seem to get
++    this name consistent to save my life - I'm starting to think I named it
++    wrong...
++  * Fix the regex used when suppressing jump counts when reading the saved
++    config, so that we don't clobber module options with numbers in them.
++  * If the target doesn't already exist, don't try to copy it.
++  * Filter the config list to exclude configs that no longer exist.
++    LP: #260122.
++  * Avoid unnecessary sort/grep in the case where we already have a sorted
++    list.
++  * Implement pam-auth-update --remove, for use in package prerms when called
++    with "remove".
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 21 Aug 2008 15:38:37 -0700
++
++pam (1.0.1-3ubuntu2) intrepid; urgency=high
++
++  * debian/local/common-session: the session stack needs to be handled the
++    same way as the password stack, with the possibility of zero primary
++    modules; required to fix build failures on the Ubuntu buildds due to
++    su not being able to open sessions by default.  LP: #259867.
++  * debian/libpam-runtime.postinst: when upgrading from the broken
++    1.0.1-2ubuntu1 version, manually edit /etc/pam.d/common-session to
++    recover.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 20 Aug 2008 13:27:10 -0700
++
++pam (1.0.1-3ubuntu1) intrepid; urgency=low
++
++  * Merge from Debian unstable
++  * Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++    - debian/local/pam-auth-update (et al): new interface for managing
++      /etc/pam.d/common-*, using drop-in config snippets provided by module
++      packages.
++  * Remove spurious 'conflict' with a non-existent module, which was added
++    just as an example
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 20 Aug 2008 11:58:35 -0700
++
++>>>>>>> debian/changelog
  pam (1.0.1-3) unstable; urgency=high
    * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL
@@ -845,6 +2441,43 @@ pam (1.0.1-3) unstable; urgency=high
   -- Steve Langasek <vorlon@debian.org>  Wed, 20 Aug 2008 11:55:47 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-2ubuntu1) intrepid; urgency=low
++
++  * Merge from Debian unstable
++  * Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam-runtime.postinst,
++      debian/local/common-{auth,password}{,.md5sums}:
++      Use the new 'missingok' option by default for pam_smbpass in case
++      libpam-smbpass is not installed (LP: #216990); must use "requisite"
++      rather than "required" to prevent "pam_smbpass migrate" from firing in
++      the event of an auth failure; md5sums updated accordingly.
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - Change Vcs-Bzr to point at the Ubuntu branch.
++  * debian/local/pam-auth-update (et al): new interface for managing
++    /etc/pam.d/common-*, using drop-in config snippets provided by module
++    packages.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 20 Aug 2008 09:17:28 +0000
++
++>>>>>>> debian/changelog
  pam (1.0.1-2) unstable; urgency=low
    * 007_modules_pam_unix: update the documentation to correctly document
@@ -869,6 +2502,52 @@ pam (1.0.1-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Fri, 08 Aug 2008 10:47:26 -0700
++<<<<<<< debian/changelog
++=======
++pam (1.0.1-1ubuntu1) intrepid; urgency=low
++
++  * Merge from Debian unstable
++  * Dropped changes:
++    - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
++      is 2 years newer than Debian's, contains a number of character escaping
++      fixes plus content updates
++    - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
++      correctly support seusers (backported from changes in PAM 0.99.8).
++    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
++      The nis package handles overriding this as necessary.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Bound RLIMIT_NICE
++      from below as well as from above. Fix off-by-one error when converting
++      RLIMIT_NICE to the range of values used by the kernel.
++  * Remaining changes:
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf. (should send to Debian).
++    - debian/libpam-runtime.postinst,
++      debian/local/common-{auth,password}{,.md5sums}:
++      Use the new 'missingok' option by default for pam_smbpass in case
++      libpam-smbpass is not installed (LP: #216990); must use "requisite"
++      rather than "required" to prevent "pam_smbpass migrate" from firing in
++      the event of an auth failure; md5sums updated accordingly.
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running.
++    - debian/patches-applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
++      password on bad username.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++  * Refresh patch ubuntu-no-error-if-missingok for the new upstream version.
++  * Change Vcs-Bzr to point at the new Ubuntu branch.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 28 Jul 2008 20:58:26 +0000
++
++>>>>>>> debian/changelog
  pam (1.0.1-1) unstable; urgency=low
    * New upstream version.
@@ -984,6 +2663,72 @@ pam (0.99.7.1-7) unstable; urgency=medium
   -- Steve Langasek <vorlon@debian.org>  Mon, 21 Jul 2008 11:49:59 -0700
++<<<<<<< debian/changelog
++=======
++pam (0.99.7.1-6ubuntu2) intrepid; urgency=low
++
++  * debian/libpam-modules.postinst: revert addition of ~/bin to the end of the
++    default PATH set in /etc/environment as it was pointed out by Colin
++    Watson that getenv() does not properly expand '~'
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 24 Jun 2008 06:29:40 -0400
++
++pam (0.99.7.1-6ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable
++  * Dropped changes:
++    - Linux-PAM/modules/pam_limits/README,
++      Linux-PAM/modules/pam_selinux/README: Ubuntu versions had some
++      insignificant character differences, dropping in favor of Debian
++      versions; pam_selinux documentation has dropped "multiple", and added
++      "select_context", and "use_current_range" as options.
++    - debian/control, debian/local/common-session{,md5sums}: use
++      libpam-foreground for session management.
++    - Build using db4.5 instead of db4.6.
++  * Remaining changes:
++    - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
++      is 2 years newer than Debian's, contains a number of character escaping
++      fixes plus content updates; (should send to Debian).
++    - debian/control: Maintainer updated.
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf; add ~/bin to PATH
++      (LP: #64064); (should send to Debian).
++    - debian/libpam-runtime.postinst,
++      debian/local/common-{auth,password}{,.md5sums}:
++      Use the new 'missingok' option by default for pam_smbpass in case
++      libpam-smbpass is not installed (LP: #216990); must use "requisite"
++      rather than "required" to prevent "pam_smbpass migrate" from firing in
++      the event of an auth failure; md5sums updated accordingly.
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running (LP: #141309).
++    - debian/applied/series: Ubuntu patches are as below ...
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++      module option 'missingok' which will suppress logging of errors by
++      libpam if the module is not found.
++    - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
++      correctly support seusers (backported from changes in PAM 0.99.8).
++      Without this patch login will not get correct security context when
++      using libselinux >= 1.27.2 (LP: #187822).
++    - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
++      earlier behavior would correctly prompt for password on bad usernames
++      (LP: #139075).
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
++      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
++      converting RLIMIT_NICE to the range of values used by the kernel.
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
++      The nis package handles overriding this as necessary.
++  * Alphabetized this merge changelog entry by filename (easier reading
++    against Ubuntu patch).
++
++ -- Dustin Kirkland <kirkland@ubuntu.com>  Fri, 20 Jun 2008 10:32:00 -0500
++
++>>>>>>> debian/changelog
  pam (0.99.7.1-6) unstable; urgency=low
    * Debconf translations:
@@ -1010,6 +2755,101 @@ pam (0.99.7.1-6) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 16 Mar 2008 02:06:28 -0700
++<<<<<<< debian/changelog
++=======
++pam (0.99.7.1-5ubuntu8) intrepid; urgency=low
++
++  * debian/libpam-modules.postinst: Add ~/bin to the end of the default PATH
++    set in /etc/environment (LP: #64064).
++
++ -- Dustin Kirkland <kirkland@ubuntu.com>  Thu, 19 Jun 2008 12:52:48 -0500
++
++pam (0.99.7.1-5ubuntu7) intrepid; urgency=low
++
++  * debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
++    module option 'missingok' which will suppress logging of errors by
++    libpam if the module is not found.
++  * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
++    Use the new 'missingok' option by default for pam_smbpass, to
++    correct the problem of very loud logging introduced in the previous
++    upload when libpam-smbpass is not installed.  LP: #216990.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 22 Apr 2008 18:53:37 +0000
++
++pam (0.99.7.1-5ubuntu6) hardy; urgency=low
++
++  * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
++    Add pam_smbpass as an optional module in the stack, to keep NTLM
++    passwords (for filesharing) in sync with the main system passwords on a
++    best-effort basis.  LP: #208419.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 08 Apr 2008 18:21:40 +0000
++
++pam (0.99.7.1-5ubuntu5) hardy; urgency=low
++
++  * debian/local/common-session: Drop libpam-foreground. It's gone for good,
++    and we do not want this in the PAM config for new installations, since it
++    just spams syslog with error messages. (LP: #198714)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 11 Mar 2008 11:22:11 +0100
++
++pam (0.99.7.1-5ubuntu4) hardy; urgency=low
++
++  * ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support
++    seusers (backported from changes in PAM 0.99.8).  Without this patch
++    login will not get correct security context when using libselinux
++    >= 1.27.2 (LP: #187822).
++
++ -- Caleb Case <ccase@tresys.com>  Wed, 30 Jan 2008 06:39:48 -0500
++
++pam (0.99.7.1-5ubuntu3) hardy; urgency=low
++
++  * Temporarily reenable libpam-foreground in common-session again, until
++    dbus' at_console policy works with ConsoleKit.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 29 Nov 2007 15:17:54 +0100
++
++pam (0.99.7.1-5ubuntu2) hardy; urgency=low
++
++  * debian/local/common-session{,.md5sums}, debian/control: Drop
++    libpam-foreground, superseded by ConsoleKit integration into hal.
++  * debian/control: Build against libdb4.6 again. This drops this Debian delta
++    and 4.6 is our target version in Hardy.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 22 Nov 2007 18:56:47 +0100
++
++pam (0.99.7.1-5ubuntu1) gutsy; urgency=low
++
++  * Resynchronise with Debian. Remaining changes:
++    - debian/control, debian/local/common-session{,md5sums}: use
++      libpam-foreground for session management.
++    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
++      The nis package handles overriding this as necessary.
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf.
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
++      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
++      converting RLIMIT_NICE to the range of values used by the kernel.
++      (Originally patch 101; converted to quilt.)
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++    - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
++      earlier behavior would correctly prompt for password on bad usernames
++      (LP: #139075).
++    - Build using db4.5 instead of db4.6.
++    - debian/libpam0g.postinst: only ask questions during update-manager when
++      there are non-default services running (LP: #141309).
++  * debian/libpam0g.postinst: don't display a debconf warning about display
++    managers that need restarting when update-manager is running, instead
++    signal to update-notifier if a reboot is required.
++
++ -- Steve Langasek <vorlon@debian.org>  Fri, 28 Sep 2007 23:45:24 -0700
++
++>>>>>>> debian/changelog
  pam (0.99.7.1-5) unstable; urgency=low
    * More lintian overrides, related to debconf prompting in the postinst
@@ -1054,6 +2894,58 @@ pam (0.99.7.1-5) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Fri, 28 Sep 2007 00:17:00 -0700
++<<<<<<< debian/changelog
++=======
++pam (0.99.7.1-4ubuntu4) gutsy; urgency=low
++
++  * debian/libpam0g.postinst: call "reload" for all display managers
++    (LP: #139065).
++  * debian/libpam0g.postinst: only ask questions during update-manager when
++    there are non-default services running (LP: #141309).
++
++ -- Kees Cook <kees@ubuntu.com>  Mon, 24 Sep 2007 15:01:29 -0700
++
++pam (0.99.7.1-4ubuntu3) gutsy; urgency=low
++
++  * ubuntu-regression_fix_securetty: securetty's earlier behavior would
++    correctly prompt for password on bad usernames (LP: #139075).
++
++ -- Kees Cook <kees@ubuntu.com>  Wed, 12 Sep 2007 15:20:09 -0700
++
++pam (0.99.7.1-4ubuntu2) gutsy; urgency=low
++
++  * Build using db4.5 (instead of db4.6).  One db4.x version less on the CD.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 12 Sep 2007 17:44:25 +0200
++
++pam (0.99.7.1-4ubuntu1) gutsy; urgency=low
++
++  * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
++    - debian/control, debian/local/common-session{,md5sums}: use
++      libpam-foreground for session management.
++    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
++      The nis package handles overriding this as necessary.
++    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
++      present there or in /etc/security/pam_env.conf.
++    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
++      type rather than __u8.
++    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
++      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
++      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
++      converting RLIMIT_NICE to the range of values used by the kernel.
++      (Originally patch 101; converted to quilt.)
++    - debian/patches-applied/ubuntu-user_defined_environment: Look at
++      ~/.pam_environment too, with the same format as
++      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
++  * Dropped:
++    - debian/rules: bashism fixes (merged upstream).
++    - debian/control: Conflict on ancient nis (expired with Breezy).
++    - debian/libpam-runtime.postinst: check for ancient pam (expired with
++      Breezy).
++
++ -- Kees Cook <kees@ubuntu.com>  Wed, 05 Sep 2007 15:18:36 -0700
++
++>>>>>>> debian/changelog
  pam (0.99.7.1-4) unstable; urgency=low
    * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
@@ -1300,6 +3192,35 @@ pam (0.99.7.1-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 26 Aug 2007 19:15:09 -0700
++<<<<<<< debian/changelog
++=======
++pam (0.79-4ubuntu2) feisty; urgency=low
++
++  * Remove /usr/bin/X11 from default PATH (new installs only).
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Wed, 20 Dec 2006 16:14:37 +0000
++
++pam (0.79-4ubuntu1) feisty; urgency=low
++
++  * Resynchronise with Debian. Remaining changes:
++    - Patch 100 (renumbered from 060): Look at ~/.pam_environment too, with
++      the same format as /etc/security/pam_env.conf.
++    - Patch 101 (renumbered from 061): Explicitly initialise RLIMIT_NICE
++      rather than relying on the kernel limits. Bound RLIMIT_NICE from below
++      as well as from above. Fix off-by-one error when converting
++      RLIMIT_NICE to the range of values used by the kernel.
++    - Add PATH to /etc/environment if it's not present there or in
++      /etc/security/pam_env.conf.
++    - debian/rules: Fix a bashism.
++    - Install unix_chkpwd setgid shadow instead of setuid root. The nis
++      package handles overriding this as necessary.
++    - Use pam_foreground in the default session.
++    - Linux-PAM/libpamc/test/regress/test.libpamc.c: Use standard u_int8_t
++      type rather than __u8.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 19 Dec 2006 10:32:47 +0000
++
++>>>>>>> debian/changelog
  pam (0.79-4) unstable; urgency=medium
    * Medium-urgency upload; at least one RC bugfix, but also a
@@ -1352,6 +3273,15 @@ pam (0.79-3.2) unstable; urgency=low
   -- Margarita Manterola <marga@debian.org>  Sat,  5 Aug 2006 02:11:22 -0300
++<<<<<<< debian/changelog
++=======
++pam (0.79-3.1ubuntu1) edgy; urgency=low
++
++  * Resynchronise with Debian.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 29 Jun 2006 17:27:34 +0100
++
++>>>>>>> debian/changelog
  pam (0.79-3.1) unstable; urgency=low
    * Non-maintainer upload.
@@ -1362,6 +3292,117 @@ pam (0.79-3.1) unstable; urgency=low
   -- Roger Leigh <rleigh@debian.org>  Sun,  5 Feb 2006 21:46:59 +0000
++<<<<<<< debian/changelog
++=======
++pam (0.79-3ubuntu14) dapper; urgency=low
++
++  * debian/patches-applied/061_pam_rlimits_nice_rtprio: Protect use of
++    RLIMIT_NICE in init_limits() with an #ifdef.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Fri, 12 May 2006 17:42:40 +0100
++
++pam (0.79-3ubuntu13) dapper; urgency=low
++
++  * debian/patches-applied/061_pam_rlimits_nice_rtprio: Set soft and hard
++    nice limits to 20 (= userland nice value 0) rather than unlimited by
++    default. Correct off-by-one error (the same error as in Linux 2.6.12,
++    but fixed in 2.6.13) in user<->kernel translation of nice limit.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 11 May 2006 11:29:58 +0100
++
++pam (0.79-3ubuntu12) dapper; urgency=low
++
++  * debian/control: Add libpam-foreground dependency to libpam-runtime, since
++    the default /etc/pam.d/common-session refers to it. Closes: LP#35142
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 10 Apr 2006 14:42:40 +0200
++
++pam (0.79-3ubuntu11) dapper; urgency=low
++
++  [ Dana Olson ]
++  * debian/patches-applied/061_pam_rlimits_nice_rtprio: removed glibc
++    workaround now that glibc is aware of rlimits.
++
++  [ Martin Pitt ]
++  * debian/rules: Fix bashisms.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu,  6 Apr 2006 15:03:37 +0200
++
++pam (0.79-3ubuntu10) dapper; urgency=low
++
++  * debian/patches-applied/061_pam_rlimits_nice_rtprio: Support "nice" and
++    "rtprio" rlimits, new in Linux 2.6.12. Backported from upstream thanks
++    to Dana Olson and others (closes: Malone #17348).
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 23 Feb 2006 16:22:12 +0000
++
++pam (0.79-3ubuntu9) dapper; urgency=low
++
++  * Fix operator precedence in libpam-modules.postinst.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 16 Feb 2006 15:23:04 +0000
++
++pam (0.79-3ubuntu8) dapper; urgency=low
++
++  * Make pam_env be quiet if it can't find the user's configuration file,
++    since it's optional.
++
++ -- Tollef Fog Heen <tfheen@ubuntu.com>  Sat,  4 Feb 2006 16:44:12 +0100
++
++pam (0.79-3ubuntu7) dapper; urgency=low
++
++  * Add the PATH on initial install for real this time.
++
++ -- Tollef Fog Heen <tfheen@ubuntu.com>  Thu,  2 Feb 2006 20:33:42 +0100
++
++pam (0.79-3ubuntu6) dapper; urgency=low
++
++  * Changes from Roger Leigh:
++
++  * Linux-PAM/libpamc/include/security/pam_client.h,
++    Linux-PAM/libpamc/pamc_converse.c: Apply patch from
++    latest upstream version to remove redefinition of internal
++    glibc/libstdc++ types.  Closes: #344447.
++  * Linux-PAM/libpamc/test/regress/test.libpamc.c: Also switch to standard
++    types; not taken from upstream.
++
++ -- Reinhard Tartler <siretart@ubuntu.com>  Wed,  1 Feb 2006 13:14:24 +0000
++
++pam (0.79-3ubuntu5) dapper; urgency=low
++
++  * Add pam_foreground to /etc/pam.d/common-session
++
++ -- Matthew Garrett <mjg59@srcf.ucam.org>  Tue, 24 Jan 2006 02:26:19 +0000
++
++pam (0.79-3ubuntu4) dapper; urgency=low
++
++  * Add PATH on initial install, too.
++
++ -- Tollef Fog Heen <tfheen@ubuntu.com>  Mon, 23 Jan 2006 15:55:40 +0100
++
++pam (0.79-3ubuntu3) dapper; urgency=low
++
++  * Add PATH to /etc/environment if it's not present there or in
++    /etc/security/pam_env.conf and we are upgrading from a version which
++    didn't add it.
++
++ -- Tollef Fog Heen <tfheen@ubuntu.com>  Tue, 17 Jan 2006 15:54:01 +0100
++
++pam (0.79-3ubuntu2) dapper; urgency=low
++
++  * Look at ~/.pam_environment too.  Same format as
++    /etc/security/pam_env.conf.  The patch is recorded as
++    patches-applied/060_pam_env_per_user
++
++ -- Tollef Fog Heen <tfheen@ubuntu.com>  Tue, 17 Jan 2006 15:32:55 +0100
++
++pam (0.79-3ubuntu1) dapper; urgency=low
++
++  * Resynchronise with Debian.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 21 Nov 2005 12:15:44 +0000
++
++>>>>>>> debian/changelog
  pam (0.79-3) unstable; urgency=low
    * Patch 059
@@ -1442,6 +3483,37 @@ pam (0.76-23) unstable; urgency=low
   -- Sam Hartman <hartmans@debian.org>  Sun, 10 Jul 2005 16:42:25 -0400
++<<<<<<< debian/changelog
++=======
++pam (0.76-22ubuntu3) breezy; urgency=low
++
++  * Fix pam_getenv, which never worked:
++    - Parse /etc/security/pam_env.conf using its own syntax, and then
++      /etc/environment using its own syntax rather than the syntax of
++      /etc/security/pam_env.conf.
++    - 'my $val' was used in an incorrect scope; fixed.
++    - Exit non-zero if the requested environment variable is not found.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 12 Sep 2005 18:32:54 +0100
++
++pam (0.76-22ubuntu2) breezy; urgency=low
++
++  * debian/rules: Install unix_chkpwd setgid shadow instead of setuid root.
++    This only breaks when using NIS lookups, therefore the new nis package
++    dpkg-statoverrides it back to setuid root while being installed.
++    (Debian #155583, http://udu.wiki.ubuntu.com/ProactiveSecurityRoadmap)
++  * debian/control: Added conflict to nis (<< 3.13-3ubuntu1): This is the
++    version that corrects the permissions for usage with NIS.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 17 Jun 2005 12:34:23 +0200
++
++pam (0.76-22ubuntu1) breezy; urgency=low
++
++  * Fix FTBFS with gcc-3.4 (closes: #259634). Ubuntu 9037.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed,  4 May 2005 18:14:51 +0200
++
++>>>>>>> debian/changelog
  pam (0.76-22) unstable; urgency=medium
    * Add uploaders
@@ -1861,8 +3933,11 @@ pam (0.72-20) unstable; urgency=low
   -- Sam Hartman <hartmans@debian.org>  Fri,  6 Apr 2001 06:38:15 -0400
++<<<<<<< debian/changelog
++=======
++>>>>>>> debian/changelog
  pam (0.72-19) unstable; urgency=low
    * New maintainer, closes: #92353
@@ -2668,3 +4743,7 @@ pam (0.56-1) unstable; urgency=low
    * Reorganization of package structure (-dev, -dbg, etc).
   -- Klee Dienes <klee@debian.org>  Sat, 8 Mar 1997 01:21:17 -0500
++<<<<<<< debian/changelog
++=======
++
++>>>>>>> debian/changelog
 diff --git a/debian/control b/debian/control
 index 9c76380..766d319 100644
 --- a/debian/control
 +++ b/debian/control
@@ -2,13 +2,24 @@ Source: pam
  Section: libs
  Priority: optional
  Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>
++<<<<<<< debian/control
  Maintainer: Steve Langasek <vorlon@debian.org>
++=======
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
++>>>>>>> debian/control
  Standards-Version: 3.9.8
  Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config, libfl-dev, libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m
  Build-Conflicts-Indep: fop
  Build-Conflicts: libdb4.2-dev, libxcrypt-dev
++<<<<<<< debian/control
  Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
  Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
++=======
++Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
++XS-Debian-Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
++XS-Debian-Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
++>>>>>>> debian/control
  Homepage: http://www.linux-pam.org/
  Package: libpam0g
@@ -36,6 +47,10 @@ Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam0g (>= 1.1.3-2),
  	libpam-modules-bin (= ${binary:Version})
  Conflicts: libpam-motd, libpam-mkhomedir, libpam-umask
  Replaces: libpam0g-util, libpam-umask
++<<<<<<< debian/control
++=======
++Recommends: update-motd
++>>>>>>> debian/control
  Provides: libpam-motd, libpam-mkhomedir, libpam-umask
  Description: Pluggable Authentication Modules for PAM
   This package completes the set of modules for PAM. It includes the
 diff --git a/debian/libpam-modules-bin.install b/debian/libpam-modules-bin.install
 index fee3bce..6ab6ac7 100644
 --- a/debian/libpam-modules-bin.install
 +++ b/debian/libpam-modules-bin.install
@@ -4,3 +4,8 @@ sbin/pam_tally		sbin
  sbin/pam_tally2         sbin
  sbin/mkhomedir_helper	sbin
  sbin/pam_timestamp_check	usr/sbin
++<<<<<<< debian/libpam-modules-bin.install
++=======
++sbin/pam_extrausers_chkpwd	sbin
++sbin/pam_extrausers_update	sbin
++>>>>>>> debian/libpam-modules-bin.install
 diff --git a/debian/libpam-modules.manpages b/debian/libpam-modules.manpages
 index a9f488d..9287b2e 100644
 --- a/debian/libpam-modules.manpages
 +++ b/debian/libpam-modules.manpages
@@ -1,2 +1,6 @@
  debian/tmp/usr/share/man/man8/pam_*.8
  debian/tmp/usr/share/man/man5/*conf.5
++<<<<<<< debian/libpam-modules.manpages
++=======
++debian/update-motd.5
++>>>>>>> debian/libpam-modules.manpages
 diff --git a/debian/libpam-modules.postinst b/debian/libpam-modules.postinst
 index ce03090..0969526 100644
 --- a/debian/libpam-modules.postinst
 +++ b/debian/libpam-modules.postinst
@@ -17,6 +17,21 @@ then
  	touch /etc/environment
  fi
++<<<<<<< debian/libpam-modules.postinst
++=======
++# Add PATH to /etc/environment if it's not present there or in
++# /etc/security/pam_env.conf
++if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 1.1.3-7ubuntu3; then
++	if ! grep -qs ^PATH /etc/security/pam_env.conf; then
++		if ! grep -qs ^PATH= /etc/environment; then
++			echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"' >> /etc/environment
++		elif ! grep -qs "^PATH=.*/usr/local/games" /etc/environment; then
++			sed -i '/^PATH=/ s,:/usr/games,:/usr/games:/usr/local/games,g' /etc/environment
++		fi
++	fi
++fi
++
++>>>>>>> debian/libpam-modules.postinst
  if dpkg --compare-versions "$2" lt-nl 1.1.2-1 \
     && grep -q 'pam_unix.*\bmin=[0-9]\+' /etc/pam.d/common-password
  then
 diff --git a/debian/libpam0g.postinst b/debian/libpam0g.postinst
 index bc8a52f..16affb8 100644
 --- a/debian/libpam0g.postinst
 +++ b/debian/libpam0g.postinst
@@ -69,6 +69,10 @@ installed_services() {
  	    -e's/\bhylafax-server\b/hylafax/g' \
  	    -e's/\bpartimage-server\b/partimaged/g' \
  	    -e's/\bpostgresql-common\b/postgresql/g' \
++<<<<<<< debian/libpam0g.postinst
++=======
++	    -e's/\bsamba\b/smbd-ad-dc/g' \
++>>>>>>> debian/libpam0g.postinst
  	    -e's/\bsasl2-bin\b/saslauthd/g' \
+     )
@@ -112,13 +116,36 @@ then
  	    echo "Checking init scripts..."
  	    services=$(installed_services "$check")
  	    if [ -n "$services" ]; then
++<<<<<<< debian/libpam0g.postinst
  		db_input critical libraries/restart-without-asking || true
++=======
++		db_reset libpam0g/restart-services
++		db_set libpam0g/restart-services "$services"
++		question_priority="critical"
++		# Do not prompt when we're running in the upgrade-manager
++		# and only default services need restarting.
++		nondefault_services=$(echo "$services" | sed \
++			-e's/\batd\b//g' \
++			-e's/\bcron\b//g' \
++			-e's/\bcups\b//g' \
++			-e's/\bgdm\b//g' \
++			-e's/\bsmbd\b//g' \
++			-e's/^ *//g')
++		if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] && [ -z "$nondefault_services" ]; then
++			question_priority="medium"
++		fi
++		db_input "$question_priority" libraries/restart-without-asking || true
++>>>>>>> debian/libpam0g.postinst
  		db_go || true
  		db_get libraries/restart-without-asking
  		if [ "$RET" != true ]; then
  		    db_reset libpam0g/restart-services
  		    db_set libpam0g/restart-services "$services"
++<<<<<<< debian/libpam0g.postinst
  		    db_input critical libpam0g/restart-services || true
++=======
++		    db_input "$question_priority" libpam0g/restart-services || true
++>>>>>>> debian/libpam0g.postinst
  		    db_go || true
  		    db_get libpam0g/restart-services
@@ -139,6 +166,16 @@ then
  			case "$service" in
  			    gdm)
++<<<<<<< debian/libpam0g.postinst
++=======
++				# If gdm isn't running, there's no need to reload it (LP: #745532)
++				if ! $idl status | grep -q 'Active: active (running)'
++				then
++					echo "  $service: not running, no reload needed."
++					continue
++				fi
++
++>>>>>>> debian/libpam0g.postinst
  				echo -n "  $service: reloading..."
  				if $idl reload > /dev/null 2>&1; then
  				    echo "done."
@@ -184,8 +221,19 @@ then
  		done
  		services=$(installed_services "$dms")
  		if [ -n "$services" ]; then
++<<<<<<< debian/libpam0g.postinst
  		    db_input critical libpam0g/xdm-needs-restart || true
  		    db_go || true
++=======
++		    if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] \
++		       && [ -x /usr/share/update-notifier/notify-reboot-required ]
++		    then
++			/usr/share/update-notifier/notify-reboot-required
++		    else
++			db_input critical libpam0g/xdm-needs-restart || true
++			db_go || true
++		    fi
++>>>>>>> debian/libpam0g.postinst
  		fi
  	    fi
 diff --git a/debian/local/common-session b/debian/local/common-session
 index 2e94d6c..bd831f2 100644
 --- a/debian/local/common-session
 +++ b/debian/local/common-session
@@ -20,6 +20,14 @@ session	requisite			pam_deny.so
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  session	required			pam_permit.so
++<<<<<<< debian/local/common-session
++=======
++# The pam_umask module will set the umask according to the system default in
++# /etc/login.defs and user settings, solving the problem of different
++# umask settings with different shells, display managers, remote sessions etc.
++# See "man pam_umask".
++session optional			pam_umask.so
++>>>>>>> debian/local/common-session
  # and here are more per-package modules (the "Additional" block)
  $session_additional
  # end of pam-auth-update config
 diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
 index 1dd1a17..063f1ca 100644
 --- a/debian/local/common-session-noninteractive
 +++ b/debian/local/common-session-noninteractive
@@ -20,6 +20,14 @@ session	requisite			pam_deny.so
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  session	required			pam_permit.so
++<<<<<<< debian/local/common-session-noninteractive
++=======
++# The pam_umask module will set the umask according to the system default in
++# /etc/login.defs and user settings, solving the problem of different
++# umask settings with different shells, display managers, remote sessions etc.
++# See "man pam_umask".
++session optional			pam_umask.so
++>>>>>>> debian/local/common-session-noninteractive
  # and here are more per-package modules (the "Additional" block)
  $session_nonint_additional
  # end of pam-auth-update config
 diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
 index 5fb4f40..9682062 100644
 --- a/debian/local/pam-auth-update
 +++ b/debian/local/pam-auth-update
@@ -39,7 +39,11 @@ my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
  my $titletemplate = 'libpam-runtime/title';
  my $confdir = '/etc/pam.d';
  my $savedir = '/var/lib/pam';
++<<<<<<< debian/local/pam-auth-update
  my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable);
++=======
++my (%profiles, @sorted, @enabled, @conflicts, @new, %removals);
++>>>>>>> debian/local/pam-auth-update
  my $force = 0;
  my $package = 0;
  my $priority = 'high';
@@ -54,9 +58,17 @@ my %md5sums = (
  	'session' => [
  		'240fb92986c885b327cdb21dd641da8c',
  		'4a25673e8b36f1805219027d3be02cd2',
++<<<<<<< debian/local/pam-auth-update
  	],
  	'session-noninteractive' => [
  		'ad2b78ce1498dd637ef36469430b6ac6',
++=======
++		'73144a2f4e609a922a51e301cd66a57e',
++	],
++	'session-noninteractive' => [
++		'ad2b78ce1498dd637ef36469430b6ac6',
++		'a20e8df3469bfe25c13a3b39161b30f0',
++>>>>>>> debian/local/pam-auth-update
  	],
  );
@@ -89,6 +101,7 @@ while ($#ARGV >= 0) {
+ 		}
  		# --remove implies --package
  		$package = 1 if (keys(%removals));
++<<<<<<< debian/local/pam-auth-update
  	} elsif ($opt eq '--enable') {
  		while ($#ARGV >= 0) {
  			last if ($ARGV[0] =~ /^--/);
@@ -96,6 +109,8 @@ while ($#ARGV >= 0) {
+ 		}
  		# --enable implies --package
  		$package = 1 if (keys(%to_enable));
++=======
++>>>>>>> debian/local/pam-auth-update
+ 	}
+ }
@@ -143,10 +158,13 @@ if (!@enabled) {
  	$priority = 'high' unless ($force);
+ }
++<<<<<<< debian/local/pam-auth-update
  # add configs to enable
  push(@enabled,
       grep { $to_enable{$_} } @sorted);
++=======
++>>>>>>> debian/local/pam-auth-update
  # add any previously-unseen configs
  push(@enabled,
       grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted);
 diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8
 index a5ebdba..933fb0f 100644
 --- a/debian/local/pam-auth-update.8
 +++ b/debian/local/pam-auth-update.8
@@ -68,10 +68,13 @@ Indicate that the caller is a package maintainer script; lowers the
  priority of debconf questions to `medium' so that the user is not
  prompted by default.
  .TP
++<<<<<<< debian/local/pam-auth-update.8
  .B \-\-enable \fIprofile \fR[\fIprofile\fR...]
  Enable the specified profiles in system configuration. This is used to
  enable profiles that are not on by default.
  .TP
++=======
++>>>>>>> debian/local/pam-auth-update.8
  .B \-\-remove \fIprofile \fR[\fIprofile\fR...]
  Remove the specified profiles from the system configuration.
  .B pam\-auth\-update \-\-remove
 diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
 index cb5e8c0..7515fad 100644
 --- a/debian/patches-applied/cve-2015-3238.patch
 +++ b/debian/patches-applied/cve-2015-3238.patch
@@ -15,6 +15,7 @@ pipe that has a limited capacity.
  With this fix, the verifiable password length will be limited to
  PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
++<<<<<<< debian/patches-applied/cve-2015-3238.patch
  diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
  index 2379366..d1b00a2 100644
  --- a/modules/pam_exec/pam_exec.8.xml
@@ -29,6 +30,8 @@ index 2379366..d1b00a2 100644
               </para>
             </listitem>
           </varlistentry>
++=======
++>>>>>>> debian/patches-applied/cve-2015-3238.patch
  diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
  index 5ab9630..17ba6ca 100644
  --- a/modules/pam_exec/pam_exec.c
@@ -47,6 +50,7 @@ index 5ab9630..17ba6ca 100644
   	  if (pipe(fds) != 0)
+  	    {
++<<<<<<< debian/patches-applied/cve-2015-3238.patch
  diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
  index 4008402..a8b64bb 100644
  --- a/modules/pam_unix/pam_unix.8.xml
@@ -65,6 +69,8 @@ index 4008402..a8b64bb 100644
         The password component of this module performs the task of updating
         the user's password. The default encryption hash is taken from the
         <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
++=======
++>>>>>>> debian/patches-applied/cve-2015-3238.patch
  diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
  index 2d330e5..c2e5de5 100644
  --- a/modules/pam_unix/pam_unix_passwd.c
 diff --git a/debian/patches-applied/extrausers.patch b/debian/patches-applied/extrausers.patch
 new file mode 100644
 index 0000000..f316f1d
 --- /dev/null
 +++ b/debian/patches-applied/extrausers.patch
@@ -0,0 +1,6567 @@
++Index: pam-1.1.8/modules/pam_extrausers/Makefile.am
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/Makefile.am
++@@ -0,0 +1,70 @@
+++#
+++# Copyright (c) 2005, 2006, 2009, 2011 Thorsten Kukuk <kukuk@suse.de>
+++#
+++
+++CLEANFILES = *~
+++MAINTAINERCLEANFILES = $(MANS)
+++
+++EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(MANS) \
+++		tst-pam_extrausers $(XMLS)
+++
+++man_MANS = pam_extrausers.8
+++XMLS = pam_extrausers.8.xml
+++
+++#TESTS = tst-pam_extrausers
+++
+++securelibdir = $(SECUREDIR)
+++secureconfdir = $(SCONFIGDIR)
+++
+++AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+++	-DCHKPWD_HELPER=\"$(sbindir)/pam_extrausers_chkpwd\" \
+++	-DUPDATE_HELPER=\"$(sbindir)/pam_extrausers_update\" \
+++	$(NIS_CFLAGS)
+++
+++if HAVE_LIBSELINUX
+++  AM_CFLAGS += -D"WITH_SELINUX"
+++endif
+++
+++pam_extrausers_la_LDFLAGS = -no-undefined -avoid-version -module
+++if HAVE_VERSIONING
+++  pam_extrausers_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+++endif
+++pam_extrausers_la_LIBADD = $(top_builddir)/libpam/libpam.la \
+++	@LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \
+++	../pam_securetty/tty_secure.lo
+++
+++securelib_LTLIBRARIES = pam_extrausers.la
+++
+++noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h \
+++		 pam_unix_static.h
+++
+++sbin_PROGRAMS = pam_extrausers_chkpwd pam_extrausers_update
+++
+++noinst_PROGRAMS = bigcrypt
+++
+++pam_extrausers_la_SOURCES = bigcrypt.c pam_unix_acct.c \
+++	pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+++	passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
+++if STATIC_MODULES
+++pam_extrausers_la_SOURCES += pam_unix_static.c
+++endif
+++
+++bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
+++bigcrypt_CFLAGS = $(AM_CFLAGS)
+++bigcrypt_LDADD = @LIBCRYPT@
+++
+++pam_extrausers_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+++	passverify.c
+++pam_extrausers_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"pam_extrausers_chkpwd\"
+++pam_extrausers_chkpwd_LDFLAGS = @PIE_LDFLAGS@
+++pam_extrausers_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+++
+++pam_extrausers_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+++	passverify.c
+++pam_extrausers_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"pam_extrausers_update\"
+++pam_extrausers_update_LDFLAGS = @PIE_LDFLAGS@
+++pam_extrausers_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+++
+++if ENABLE_REGENERATE_MAN
+++-include $(top_srcdir)/Make.xml.rules
+++endif
++Index: pam-1.1.8/modules/pam_extrausers/README
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/README
++@@ -0,0 +1,5 @@
+++This is a simple fork of pam_unix, but with the following changes:
+++
+++ - The expected namespace changes
+++ - References to /etc or /etc/secure are replaced with /var/lib/extrausers
+++ - Unconditionally use our custom lckpwdf methods and namespace them
++Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/bigcrypt.c
++@@ -0,0 +1,159 @@
+++/*
+++ * This function implements the "bigcrypt" algorithm specifically for
+++ * Linux-PAM.
+++ *
+++ * This algorithm is algorithm 0 (default) shipped with the C2 secure
+++ * implementation of Digital UNIX.
+++ *
+++ * Disclaimer: This work is not based on the source code to Digital
+++ * UNIX, nor am I connected to Digital Equipment Corp, in any way
+++ * other than as a customer. This code is based on published
+++ * interfaces and reasonable guesswork.
+++ *
+++ * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8
+++ * characters or less. Each block is encrypted using the standard UNIX
+++ * libc crypt function. The result of the encryption for one block
+++ * provides the salt for the suceeding block.
+++ *
+++ * Restrictions: The buffer used to hold the encrypted result is
+++ * statically allocated. (see MAX_PASS_LEN below).  This is necessary,
+++ * as the returned pointer points to "static data that are overwritten
+++ * by each call", (XPG3: XSI System Interface + Headers pg 109), and
+++ * this is a drop in replacement for crypt();
+++ *
+++ * Andy Phillips <atp@mssl.ucl.ac.uk>
+++ */
+++
+++#include "config.h"
+++
+++#include <string.h>
+++#include <stdlib.h>
+++#include <security/_pam_macros.h>
+++#ifdef HAVE_LIBXCRYPT
+++#include <xcrypt.h>
+++#elif defined(HAVE_CRYPT_H)
+++#include <crypt.h>
+++#endif
+++
+++#include "bigcrypt.h"
+++
+++/*
+++ * Max cleartext password length in segments of 8 characters this
+++ * function can deal with (16 segments of 8 chars= max 128 character
+++ * password).
+++ */
+++
+++#define MAX_PASS_LEN       16
+++#define SEGMENT_SIZE       8
+++#define SALT_SIZE          2
+++#define KEYBUF_SIZE        ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE)
+++#define ESEGMENT_SIZE      11
+++#define CBUF_SIZE          ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1)
+++
+++char *bigcrypt(const char *key, const char *salt)
+++{
+++	char *dec_c2_cryptbuf;
+++#ifdef HAVE_CRYPT_R
+++	struct crypt_data *cdata;
+++#endif
+++	unsigned long int keylen, n_seg, j;
+++	char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr;
+++	char keybuf[KEYBUF_SIZE + 1];
+++
+++	D(("called with key='%s', salt='%s'.", key, salt));
+++
+++	/* reset arrays */
+++	dec_c2_cryptbuf = malloc(CBUF_SIZE);
+++	if (!dec_c2_cryptbuf) {
+++		return NULL;
+++	}
+++#ifdef HAVE_CRYPT_R
+++	cdata = malloc(sizeof(*cdata));
+++	if(!cdata) {
+++		free(dec_c2_cryptbuf);
+++		return NULL;
+++	}
+++	cdata->initialized = 0;
+++#endif
+++	memset(keybuf, 0, KEYBUF_SIZE + 1);
+++	memset(dec_c2_cryptbuf, 0, CBUF_SIZE);
+++
+++	/* fill KEYBUF_SIZE with key */
+++	strncpy(keybuf, key, KEYBUF_SIZE);
+++
+++	/* deal with case that we are doing a password check for a
+++	   conventially encrypted password: the salt will be
+++	   SALT_SIZE+ESEGMENT_SIZE long. */
+++	if (strlen(salt) == (SALT_SIZE + ESEGMENT_SIZE))
+++		keybuf[SEGMENT_SIZE] = '\0';	/* terminate password early(?) */
+++
+++	keylen = strlen(keybuf);
+++
+++	if (!keylen) {
+++		n_seg = 1;
+++	} else {
+++		/* work out how many segments */
+++		n_seg = 1 + ((keylen - 1) / SEGMENT_SIZE);
+++	}
+++
+++	if (n_seg > MAX_PASS_LEN)
+++		n_seg = MAX_PASS_LEN;	/* truncate at max length */
+++
+++	/* set up some pointers */
+++	cipher_ptr = dec_c2_cryptbuf;
+++	plaintext_ptr = keybuf;
+++
+++	/* do the first block with supplied salt */
+++#ifdef HAVE_CRYPT_R
+++	tmp_ptr = crypt_r(plaintext_ptr, salt, cdata);	/* libc crypt_r() */
+++#else
+++	tmp_ptr = crypt(plaintext_ptr, salt);	/* libc crypt() */
+++#endif
+++	if (tmp_ptr == NULL) {
+++		free(dec_c2_cryptbuf);
+++		return NULL;
+++	}
+++	/* and place in the static area */
+++	strncpy(cipher_ptr, tmp_ptr, 13);
+++	cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
+++	plaintext_ptr += SEGMENT_SIZE;	/* first block of SEGMENT_SIZE */
+++
+++	/* change the salt (1st 2 chars of previous block) - this was found
+++	   by dowsing */
+++
+++	salt_ptr = cipher_ptr - ESEGMENT_SIZE;
+++
+++	/* so far this is identical to "return crypt(key, salt);", if
+++	   there is more than one block encrypt them... */
+++
+++	if (n_seg > 1) {
+++		for (j = 2; j <= n_seg; j++) {
+++
+++#ifdef HAVE_CRYPT_R
+++			tmp_ptr = crypt_r(plaintext_ptr, salt_ptr, cdata);
+++#else
+++			tmp_ptr = crypt(plaintext_ptr, salt_ptr);
+++#endif
+++			if (tmp_ptr == NULL) {
+++				_pam_overwrite(dec_c2_cryptbuf);
+++				free(dec_c2_cryptbuf);
+++				return NULL;
+++			}
+++
+++			/* skip the salt for seg!=0 */
+++			strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
+++
+++			cipher_ptr += ESEGMENT_SIZE;
+++			plaintext_ptr += SEGMENT_SIZE;
+++			salt_ptr = cipher_ptr - ESEGMENT_SIZE;
+++		}
+++	}
+++	D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf));
+++
+++#ifdef HAVE_CRYPT_R
+++	free(cdata);
+++#endif
+++
+++	/* this is the <NUL> terminated encrypted password */
+++	return dec_c2_cryptbuf;
+++}
++Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.h
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/bigcrypt.h
++@@ -0,0 +1 @@
+++extern char *bigcrypt(const char *key, const char *salt);
++Index: pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c
++@@ -0,0 +1,18 @@
+++#include <stdio.h>
+++#include <string.h>
+++
+++#include "bigcrypt.h"
+++
+++int
+++main(int argc, char **argv)
+++{
+++	if (argc < 3) {
+++		fprintf(stderr, "Usage: %s password salt\n",
+++			strchr(argv[0], '/') ?
+++			(strchr(argv[0], '/') + 1) :
+++			argv[0]);
+++		return 0;
+++	}
+++	fprintf(stdout, "%s\n", bigcrypt(argv[1], argv[2]));
+++	return 0;
+++}
++Index: pam-1.1.8/modules/pam_extrausers/lckpwdf.-c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/lckpwdf.-c
++@@ -0,0 +1,142 @@
+++/*
+++ * This is a hack, but until libc and glibc both include this function
+++ * by default (libc only includes it if nys is not being used, at the
+++ * moment, and glibc doesn't appear to have it at all) we need to have
+++ * it here, too.  :-(
+++ *
+++ * This should not become an official part of PAM.
+++ *
+++ * BEGIN_HACK
+++ */
+++
+++/*
+++ * lckpwdf.c -- prevent simultaneous updates of password files
+++ *
+++ * Before modifying any of the password files, call lckpwdf().  It may block
+++ * for up to 15 seconds trying to get the lock.  Return value is 0 on success
+++ * or -1 on failure.  When you are done, call ulckpwdf() to release the lock.
+++ * The lock is also released automatically when the process exits.  Only one
+++ * process at a time may hold the lock.
+++ *
+++ * These functions are supposed to be conformant with AT&T SVID Issue 3.
+++ *
+++ * Written by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>,
+++ * public domain.
+++ */
+++
+++#include <fcntl.h>
+++#include <signal.h>
+++#ifdef WITH_SELINUX
+++#include <selinux/selinux.h>
+++#endif
+++
+++#define LOCKFILE "/var/lib/extrausers/.pwd.lock"
+++#define TIMEOUT 15
+++
+++static int lockfd = -1;
+++
+++static int set_close_on_exec(int fd)
+++{
+++	int flags = fcntl(fd, F_GETFD, 0);
+++	if (flags == -1)
+++		return -1;
+++	flags |= FD_CLOEXEC;
+++	return fcntl(fd, F_SETFD, flags);
+++}
+++
+++static int do_lock(int fd)
+++{
+++	struct flock fl;
+++
+++	memset(&fl, 0, sizeof fl);
+++	fl.l_type = F_WRLCK;
+++	fl.l_whence = SEEK_SET;
+++	return fcntl(fd, F_SETLKW, &fl);
+++}
+++
+++static void alarm_catch(int sig)
+++{
+++/* does nothing, but fcntl F_SETLKW will fail with EINTR */
+++}
+++
+++static int extrausers_lckpwdf(void)
+++{
+++	struct sigaction act, oldact;
+++	sigset_t set, oldset;
+++
+++	if (lockfd != -1)
+++		return -1;
+++
+++#ifdef WITH_SELINUX
+++	if(is_selinux_enabled()>0)
+++	{
+++		lockfd = open(LOCKFILE, O_WRONLY);
+++		if(lockfd == -1 && errno == ENOENT)
+++		{
+++			security_context_t create_context;
+++			int rc;
+++
+++			if(getfilecon("/var/lib/extrausers/passwd", &create_context))
+++				return -1;
+++			rc = setfscreatecon(create_context);
+++			freecon(create_context);
+++			if(rc)
+++				return -1;
+++			lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+++			if(setfscreatecon(NULL))
+++				return -1;
+++		}
+++	}
+++	else
+++#endif
+++	lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+++	if (lockfd == -1)
+++		return -1;
+++	if (set_close_on_exec(lockfd) == -1)
+++		goto cleanup_fd;
+++
+++	memset(&act, 0, sizeof act);
+++	act.sa_handler = alarm_catch;
+++	act.sa_flags = 0;
+++	sigfillset(&act.sa_mask);
+++	if (sigaction(SIGALRM, &act, &oldact) == -1)
+++		goto cleanup_fd;
+++
+++	sigemptyset(&set);
+++	sigaddset(&set, SIGALRM);
+++	if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1)
+++		goto cleanup_sig;
+++
+++	alarm(TIMEOUT);
+++	if (do_lock(lockfd) == -1)
+++		goto cleanup_alarm;
+++	alarm(0);
+++	sigprocmask(SIG_SETMASK, &oldset, NULL);
+++	sigaction(SIGALRM, &oldact, NULL);
+++	return 0;
+++
+++      cleanup_alarm:
+++	alarm(0);
+++	sigprocmask(SIG_SETMASK, &oldset, NULL);
+++      cleanup_sig:
+++	sigaction(SIGALRM, &oldact, NULL);
+++      cleanup_fd:
+++	close(lockfd);
+++	lockfd = -1;
+++	return -1;
+++}
+++
+++static int extrausers_ulckpwdf(void)
+++{
+++	unlink(LOCKFILE);
+++	if (lockfd == -1)
+++		return -1;
+++
+++	if (close(lockfd) == -1) {
+++		lockfd = -1;
+++		return -1;
+++	}
+++	lockfd = -1;
+++	return 0;
+++}
+++/* END_HACK */
++Index: pam-1.1.8/modules/pam_extrausers/md5.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/md5.c
++@@ -0,0 +1,255 @@
+++/*
+++ * $Id$
+++ *
+++ * This code implements the MD5 message-digest algorithm.
+++ * The algorithm is due to Ron Rivest.  This code was
+++ * written by Colin Plumb in 1993, no copyright is claimed.
+++ * This code is in the public domain; do with it what you wish.
+++ *
+++ * Equivalent code is available from RSA Data Security, Inc.
+++ * This code has been tested against that, and is equivalent,
+++ * except that you don't need to include two pages of legalese
+++ * with every copy.
+++ *
+++ * To compute the message digest of a chunk of bytes, declare an
+++ * MD5Context structure, pass it to MD5Init, call MD5Update as
+++ * needed on buffers full of bytes, and then call MD5Final, which
+++ * will fill a supplied 16-byte array with the digest.
+++ *
+++ */
+++
+++#include <string.h>
+++#include "md5.h"
+++
+++#ifndef HIGHFIRST
+++#define byteReverse(buf, len)	/* Nothing */
+++#else
+++static void byteReverse(unsigned char *buf, unsigned longs);
+++
+++#ifndef ASM_MD5
+++/*
+++ * Note: this code is harmless on little-endian machines.
+++ */
+++static void byteReverse(unsigned char *buf, unsigned longs)
+++{
+++	uint32 t;
+++	do {
+++		t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
+++		    ((unsigned) buf[1] << 8 | buf[0]);
+++		*(uint32 *) buf = t;
+++		buf += 4;
+++	} while (--longs);
+++}
+++#endif
+++#endif
+++
+++/*
+++ * Start MD5 accumulation.  Set bit count to 0 and buffer to mysterious
+++ * initialization constants.
+++ */
+++void MD5Name(MD5Init)(struct MD5Context *ctx)
+++{
+++	ctx->buf[0] = 0x67452301U;
+++	ctx->buf[1] = 0xefcdab89U;
+++	ctx->buf[2] = 0x98badcfeU;
+++	ctx->buf[3] = 0x10325476U;
+++
+++	ctx->bits[0] = 0;
+++	ctx->bits[1] = 0;
+++}
+++
+++/*
+++ * Update context to reflect the concatenation of another buffer full
+++ * of bytes.
+++ */
+++void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len)
+++{
+++	uint32 t;
+++
+++	/* Update bitcount */
+++
+++	t = ctx->bits[0];
+++	if ((ctx->bits[0] = t + ((uint32) len << 3)) < t)
+++		ctx->bits[1]++;	/* Carry from low to high */
+++	ctx->bits[1] += len >> 29;
+++
+++	t = (t >> 3) & 0x3f;	/* Bytes already in shsInfo->data */
+++
+++	/* Handle any leading odd-sized chunks */
+++
+++	if (t) {
+++		unsigned char *p = (unsigned char *) ctx->in + t;
+++
+++		t = 64 - t;
+++		if (len < t) {
+++			memcpy(p, buf, len);
+++			return;
+++		}
+++		memcpy(p, buf, t);
+++		byteReverse(ctx->in, 16);
+++		MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+++		buf += t;
+++		len -= t;
+++	}
+++	/* Process data in 64-byte chunks */
+++
+++	while (len >= 64) {
+++		memcpy(ctx->in, buf, 64);
+++		byteReverse(ctx->in, 16);
+++		MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+++		buf += 64;
+++		len -= 64;
+++	}
+++
+++	/* Handle any remaining bytes of data. */
+++
+++	memcpy(ctx->in, buf, len);
+++}
+++
+++/*
+++ * Final wrapup - pad to 64-byte boundary with the bit pattern
+++ * 1 0* (64-bit count of bits processed, MSB-first)
+++ */
+++void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
+++{
+++	unsigned count;
+++	unsigned char *p;
+++
+++	/* Compute number of bytes mod 64 */
+++	count = (ctx->bits[0] >> 3) & 0x3F;
+++
+++	/* Set the first char of padding to 0x80.  This is safe since there is
+++	   always at least one byte free */
+++	p = ctx->in + count;
+++	*p++ = 0x80;
+++
+++	/* Bytes of padding needed to make 64 bytes */
+++	count = 64 - 1 - count;
+++
+++	/* Pad out to 56 mod 64 */
+++	if (count < 8) {
+++		/* Two lots of padding:  Pad the first block to 64 bytes */
+++		memset(p, 0, count);
+++		byteReverse(ctx->in, 16);
+++		MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+++
+++		/* Now fill the next block with 56 bytes */
+++		memset(ctx->in, 0, 56);
+++	} else {
+++		/* Pad block to 56 bytes */
+++		memset(p, 0, count - 8);
+++	}
+++	byteReverse(ctx->in, 14);
+++
+++	/* Append length in bits and transform */
+++	memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+++
+++	MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+++	byteReverse((unsigned char *) ctx->buf, 4);
+++	memcpy(digest, ctx->buf, 16);
+++	memset(ctx, 0, sizeof(*ctx));	/* In case it's sensitive */
+++}
+++
+++#ifndef ASM_MD5
+++
+++/* The four core functions - F1 is optimized somewhat */
+++
+++/* #define F1(x, y, z) (x & y | ~x & z) */
+++#define F1(x, y, z) (z ^ (x & (y ^ z)))
+++#define F2(x, y, z) F1(z, x, y)
+++#define F3(x, y, z) (x ^ y ^ z)
+++#define F4(x, y, z) (y ^ (x | ~z))
+++
+++/* This is the central step in the MD5 algorithm. */
+++#define MD5STEP(f, w, x, y, z, data, s) \
+++	( w += f(x, y, z) + data,  w = w<<s | w>>(32-s),  w += x )
+++
+++/*
+++ * The core of the MD5 algorithm, this alters an existing MD5 hash to
+++ * reflect the addition of 16 longwords of new data.  MD5Update blocks
+++ * the data and converts bytes into longwords for this routine.
+++ */
+++void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16])
+++{
+++	register uint32 a, b, c, d;
+++
+++	a = buf[0];
+++	b = buf[1];
+++	c = buf[2];
+++	d = buf[3];
+++
+++	MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7);
+++	MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12);
+++	MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17);
+++	MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22);
+++	MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7);
+++	MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12);
+++	MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17);
+++	MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22);
+++	MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7);
+++	MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12);
+++	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17);
+++	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22);
+++	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7);
+++	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12);
+++	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17);
+++	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22);
+++
+++	MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5);
+++	MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9);
+++	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14);
+++	MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20);
+++	MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5);
+++	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9);
+++	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14);
+++	MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20);
+++	MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5);
+++	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9);
+++	MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14);
+++	MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20);
+++	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5);
+++	MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9);
+++	MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14);
+++	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20);
+++
+++	MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4);
+++	MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11);
+++	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16);
+++	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23);
+++	MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4);
+++	MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11);
+++	MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16);
+++	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23);
+++	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4);
+++	MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11);
+++	MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16);
+++	MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23);
+++	MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4);
+++	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11);
+++	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16);
+++	MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23);
+++
+++	MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6);
+++	MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10);
+++	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15);
+++	MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21);
+++	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6);
+++	MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10);
+++	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15);
+++	MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21);
+++	MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6);
+++	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10);
+++	MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15);
+++	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21);
+++	MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6);
+++	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10);
+++	MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15);
+++	MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21);
+++
+++	buf[0] += a;
+++	buf[1] += b;
+++	buf[2] += c;
+++	buf[3] += d;
+++}
+++
+++#endif
++Index: pam-1.1.8/modules/pam_extrausers/md5.h
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/md5.h
++@@ -0,0 +1,31 @@
+++
+++#ifndef MD5_H
+++#define MD5_H
+++
+++typedef unsigned int uint32;
+++
+++struct MD5Context {
+++	uint32 buf[4];
+++	uint32 bits[2];
+++	unsigned char in[64];
+++};
+++
+++void GoodMD5Init(struct MD5Context *);
+++void GoodMD5Update(struct MD5Context *, unsigned const char *, unsigned);
+++void GoodMD5Final(unsigned char digest[16], struct MD5Context *);
+++void GoodMD5Transform(uint32 buf[4], uint32 const in[16]);
+++void BrokenMD5Init(struct MD5Context *);
+++void BrokenMD5Update(struct MD5Context *, unsigned const char *, unsigned);
+++void BrokenMD5Final(unsigned char digest[16], struct MD5Context *);
+++void BrokenMD5Transform(uint32 buf[4], uint32 const in[16]);
+++
+++char *Goodcrypt_md5(const char *pw, const char *salt);
+++char *Brokencrypt_md5(const char *pw, const char *salt);
+++
+++/*
+++ * This is needed to make RSAREF happy on some MS-DOS compilers.
+++ */
+++
+++typedef struct MD5Context MD5_CTX;
+++
+++#endif				/* MD5_H */
++Index: pam-1.1.8/modules/pam_extrausers/md5_broken.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/md5_broken.c
++@@ -0,0 +1,4 @@
+++#define MD5Name(x) Broken##x
+++
+++#include "md5.c"
+++#include "md5_crypt.c"
++Index: pam-1.1.8/modules/pam_extrausers/md5_crypt.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/md5_crypt.c
++@@ -0,0 +1,154 @@
+++/*
+++ * $Id$
+++ *
+++ * ----------------------------------------------------------------------------
+++ * "THE BEER-WARE LICENSE" (Revision 42):
+++ * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
+++ * can do whatever you want with this stuff. If we meet some day, and you think
+++ * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
+++ * ----------------------------------------------------------------------------
+++ *
+++ * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp
+++ *
+++ */
+++
+++#include <string.h>
+++#include <stdlib.h>
+++#include "md5.h"
+++
+++static unsigned char itoa64[] =	/* 0 ... 63 => ascii - 64 */
+++"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+++
+++static void to64(char *s, unsigned long v, int n)
+++{
+++	while (--n >= 0) {
+++		*s++ = itoa64[v & 0x3f];
+++		v >>= 6;
+++	}
+++}
+++
+++/*
+++ * UNIX password
+++ *
+++ * Use MD5 for what it is best at...
+++ */
+++
+++char *MD5Name(crypt_md5)(const char *pw, const char *salt)
+++{
+++	const char *magic = "$1$";
+++	/* This string is magic for this algorithm.  Having
+++	 * it this way, we can get get better later on */
+++	char *passwd, *p;
+++	const char *sp, *ep;
+++	unsigned char final[16];
+++	int sl, pl, i, j;
+++	MD5_CTX ctx, ctx1;
+++	unsigned long l;
+++
+++	/* Refine the Salt first */
+++	sp = salt;
+++
+++	/* TODO: now that we're using malloc'ed memory, get rid of the
+++	   strange constant buffer size. */
+++	passwd = malloc(120);
+++
+++	/* If it starts with the magic string, then skip that */
+++	if (!strncmp(sp, magic, strlen(magic)))
+++		sp += strlen(magic);
+++
+++	/* It stops at the first '$', max 8 chars */
+++	for (ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
+++		continue;
+++
+++	/* get the length of the true salt */
+++	sl = ep - sp;
+++
+++	MD5Name(MD5Init)(&ctx);
+++
+++	/* The password first, since that is what is most unknown */
+++	MD5Name(MD5Update)(&ctx,(unsigned const char *)pw,strlen(pw));
+++
+++	/* Then our magic string */
+++	MD5Name(MD5Update)(&ctx,(unsigned const char *)magic,strlen(magic));
+++
+++	/* Then the raw salt */
+++	MD5Name(MD5Update)(&ctx,(unsigned const char *)sp,sl);
+++
+++	/* Then just as many characters of the MD5(pw,salt,pw) */
+++	MD5Name(MD5Init)(&ctx1);
+++	MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
+++	MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
+++	MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
+++	MD5Name(MD5Final)(final,&ctx1);
+++	for (pl = strlen(pw); pl > 0; pl -= 16)
+++		MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl);
+++
+++	/* Don't leave anything around in vm they could use. */
+++	memset(final, 0, sizeof final);
+++
+++	/* Then something really weird... */
+++	for (j = 0, i = strlen(pw); i; i >>= 1)
+++		if (i & 1)
+++			MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1);
+++		else
+++			MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1);
+++
+++	/* Now make the output string */
+++	strcpy(passwd, magic);
+++	strncat(passwd, sp, sl);
+++	strcat(passwd, "$");
+++
+++	MD5Name(MD5Final)(final,&ctx);
+++
+++	/*
+++	 * and now, just to make sure things don't run too fast
+++	 * On a 60 Mhz Pentium this takes 34 msec, so you would
+++	 * need 30 seconds to build a 1000 entry dictionary...
+++	 */
+++	for (i = 0; i < 1000; i++) {
+++		MD5Name(MD5Init)(&ctx1);
+++		if (i & 1)
+++			MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
+++		else
+++			MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
+++
+++		if (i % 3)
+++			MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
+++
+++		if (i % 7)
+++			MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
+++
+++		if (i & 1)
+++			MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
+++		else
+++			MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
+++		MD5Name(MD5Final)(final,&ctx1);
+++	}
+++
+++	p = passwd + strlen(passwd);
+++
+++	l = (final[0] << 16) | (final[6] << 8) | final[12];
+++	to64(p, l, 4);
+++	p += 4;
+++	l = (final[1] << 16) | (final[7] << 8) | final[13];
+++	to64(p, l, 4);
+++	p += 4;
+++	l = (final[2] << 16) | (final[8] << 8) | final[14];
+++	to64(p, l, 4);
+++	p += 4;
+++	l = (final[3] << 16) | (final[9] << 8) | final[15];
+++	to64(p, l, 4);
+++	p += 4;
+++	l = (final[4] << 16) | (final[10] << 8) | final[5];
+++	to64(p, l, 4);
+++	p += 4;
+++	l = final[11];
+++	to64(p, l, 2);
+++	p += 2;
+++	*p = '\0';
+++
+++	/* Don't leave anything around in vm they could use. */
+++	memset(final, 0, sizeof final);
+++
+++	return passwd;
+++}
++Index: pam-1.1.8/modules/pam_extrausers/md5_good.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/md5_good.c
++@@ -0,0 +1,5 @@
+++#define HIGHFIRST
+++#define MD5Name(x) Good##x
+++
+++#include "md5.c"
+++#include "md5_crypt.c"
++Index: pam-1.1.8/modules/pam_extrausers/obscure.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/obscure.c
++@@ -0,0 +1,198 @@
+++/*
+++ * Copyright 1989 - 1994, Julianne Frances Haugh
+++ * All rights reserved.
+++ *
+++ * Redistribution and use in source and binary forms, with or without
+++ * modification, are permitted provided that the following conditions
+++ * are met:
+++ * 1. Redistributions of source code must retain the above copyright
+++ *    notice, this list of conditions and the following disclaimer.
+++ * 2. Redistributions in binary form must reproduce the above copyright
+++ *    notice, this list of conditions and the following disclaimer in the
+++ *    documentation and/or other materials provided with the distribution.
+++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
+++ *    may be used to endorse or promote products derived from this software
+++ *    without specific prior written permission.
+++ *
+++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+++ * ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+++ * SUCH DAMAGE.
+++ */
+++
+++#include "config.h"
+++
+++#include <ctype.h>
+++#include <stdio.h>
+++#include <unistd.h>
+++#include <string.h>
+++#include <stdlib.h>
+++#include <pwd.h>
+++#include <security/pam_modules.h>
+++#include <security/_pam_macros.h>
+++
+++
+++#include "support.h"
+++
+++/* can't be a palindrome - like `R A D A R' or `M A D A M' */
+++static int palindrome(const char *old, const char *new) {
+++	int	i, j;
+++
+++	i = strlen (new);
+++
+++	for (j = 0;j < i;j++)
+++		if (new[i - j - 1] != new[j])
+++			return 0;
+++
+++	return 1;
+++}
+++
+++/* more than half of the characters are different ones. */
+++static int similar(const char *old, const char *new) {
+++	int i, j;
+++
+++	/*
+++	 * XXX - sometimes this fails when changing from a simple password
+++	 * to a really long one (MD5).  For now, I just return success if
+++	 * the new password is long enough.  Please feel free to suggest
+++	 * something better...  --marekm
+++	 */
+++	if (strlen(new) >= 8)
+++		return 0;
+++
+++	for (i = j = 0; new[i] && old[i]; i++)
+++		if (strchr(new, old[i]))
+++			j++;
+++
+++	if (i >= j * 2)
+++		return 0;
+++
+++	return 1;
+++}
+++
+++/* a nice mix of characters. */
+++static int simple(const char *old, const char *new) {
+++	int	digits = 0;
+++	int	uppers = 0;
+++	int	lowers = 0;
+++	int	others = 0;
+++	int	size;
+++	int	i;
+++
+++	for (i = 0;new[i];i++) {
+++		if (isdigit (new[i]))
+++			digits++;
+++		else if (isupper (new[i]))
+++			uppers++;
+++		else if (islower (new[i]))
+++			lowers++;
+++		else
+++			others++;
+++	}
+++
+++	/*
+++	 * The scam is this - a password of only one character type
+++	 * must be 8 letters long.  Two types, 7, and so on.
+++	 */
+++
+++	size = 9;
+++	if (digits) size--;
+++	if (uppers) size--;
+++	if (lowers) size--;
+++	if (others) size--;
+++
+++	if (size <= i)
+++		return 0;
+++
+++	return 1;
+++}
+++
+++static char *str_lower(char *string) {
+++	char *cp;
+++
+++	for (cp = string; *cp; cp++)
+++		*cp = tolower(*cp);
+++	return string;
+++}
+++
+++static const char * password_check(const char *old, const char *new,
+++				   const struct passwd *pwdp) {
+++	const char *msg = NULL;
+++	char *oldmono, *newmono, *wrapped;
+++
+++	if (strcmp(new, old) == 0)
+++		return _("Bad: new password must be different than the old one");
+++
+++	newmono = str_lower(strdup(new));
+++	oldmono = str_lower(strdup(old));
+++	wrapped = (char *)malloc(strlen(oldmono) * 2 + 1);
+++	strcpy (wrapped, oldmono);
+++	strcat (wrapped, oldmono);
+++
+++	if (palindrome(oldmono, newmono)) {
+++		msg = _("Bad: new password cannot be a palindrome");
+++	} else if (strcmp(oldmono, newmono) == 0) {
+++		msg = _("Bad: new and old password must differ by more than just case");
+++	} else if (similar(oldmono, newmono)) {
+++		msg = _("Bad: new and old password are too similar");
+++	} else if (simple(old, new)) {
+++		msg = _("Bad: new password is too simple");
+++	} else if (strstr(wrapped, newmono)) {
+++		msg = _("Bad: new password is just a wrapped version of the old one");
+++	}
+++
+++	_pam_delete(newmono);
+++	_pam_delete(oldmono);
+++	_pam_delete(wrapped);
+++
+++	return msg;
+++}
+++
+++const char *obscure_msg(const char *old, const char *new,
+++			       const struct passwd *pwdp, unsigned int ctrl) {
+++	int oldlen, newlen;
+++	char *new1, *old1;
+++	const char *msg;
+++
+++	if (old == NULL)
+++		return NULL; /* no check if old is NULL */
+++
+++	oldlen = strlen(old);
+++	newlen = strlen(new);
+++
+++	/* Remaining checks are optional. */
+++	if (off(UNIX_OBSCURE_CHECKS,ctrl))
+++		return NULL;
+++
+++	if ((msg = password_check(old, new, pwdp)) != NULL)
+++		return msg;
+++
+++	/* The traditional crypt() truncates passwords to 8 chars.  It is
+++	   possible to circumvent the above checks by choosing an easy
+++	   8-char password and adding some random characters to it...
+++	   Example: "password$%^&*123".  So check it again, this time
+++	   truncated to the maximum length.  Idea from npasswd.  --marekm */
+++
+++	if (!UNIX_DES_CRYPT(ctrl))
+++		return NULL;  /* unlimited password length */
+++
+++	if (oldlen <= 8 && newlen <= 8)
+++		return NULL;
+++
+++	new1 = strndup(new,8);
+++	old1 = strndup(old,8);
+++
+++	msg = password_check(old1, new1, pwdp);
+++
+++	_pam_delete(new1);
+++	_pam_delete(old1);
+++
+++	return msg;
+++}
++Index: pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c
++@@ -0,0 +1,304 @@
+++/*
+++ * Copyright Elliot Lee, 1996.  All rights reserved.
+++ * Copyright Jan R\EAkorajski, 1999.  All rights reserved.
+++ *
+++ * Redistribution and use in source and binary forms, with or without
+++ * modification, are permitted provided that the following conditions
+++ * are met:
+++ * 1. Redistributions of source code must retain the above copyright
+++ *    notice, and the entire permission notice in its entirety,
+++ *    including the disclaimer of warranties.
+++ * 2. Redistributions in binary form must reproduce the above copyright
+++ *    notice, this list of conditions and the following disclaimer in the
+++ *    documentation and/or other materials provided with the distribution.
+++ * 3. The name of the author may not be used to endorse or promote
+++ *    products derived from this software without specific prior
+++ *    written permission.
+++ *
+++ * ALTERNATIVELY, this product may be distributed under the terms of
+++ * the GNU Public License, in which case the provisions of the GPL are
+++ * required INSTEAD OF the above restrictions.  (This clause is
+++ * necessary due to a potential bad interaction between the GPL and
+++ * the restrictions contained in a BSD-style copyright.)
+++ *
+++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+++ * OF THE POSSIBILITY OF SUCH DAMAGE.
+++ */
+++
+++#include "config.h"
+++
+++#include <stdlib.h>
+++#include <stdio.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <sys/types.h>
+++#include <sys/resource.h>
+++#include <syslog.h>
+++#include <pwd.h>
+++#include <shadow.h>
+++#include <time.h>		/* for time() */
+++#include <errno.h>
+++#include <sys/wait.h>
+++
+++#include <security/_pam_macros.h>
+++
+++/* indicate that the following groups are defined */
+++
+++#ifdef PAM_STATIC
+++# include "pam_unix_static.h"
+++#else
+++# define PAM_SM_ACCOUNT
+++#endif
+++
+++#include <security/pam_modules.h>
+++#include <security/pam_ext.h>
+++#include <security/pam_modutil.h>
+++
+++#include "support.h"
+++#include "passverify.h"
+++
+++int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
+++	const char *user, int *daysleft)
+++{
+++  int retval=0, child, fds[2];
+++  struct sigaction newsa, oldsa;
+++  D(("running verify_binary"));
+++
+++  /* create a pipe for the messages */
+++  if (pipe(fds) != 0) {
+++    D(("could not make pipe"));
+++    pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m");
+++    return PAM_AUTH_ERR;
+++  }
+++  D(("called."));
+++
+++  if (off(UNIX_NOREAP, ctrl)) {
+++    /*
+++     * This code arranges that the demise of the child does not cause
+++     * the application to receive a signal it is not expecting - which
+++     * may kill the application or worse.
+++     *
+++     * The "noreap" module argument is provided so that the admin can
+++     * override this behavior.
+++     */
+++     memset(&newsa, '\0', sizeof(newsa));
+++     newsa.sa_handler = SIG_DFL;
+++     sigaction(SIGCHLD, &newsa, &oldsa);
+++  }
+++
+++  /* fork */
+++  child = fork();
+++  if (child == 0) {
+++    int i=0;
+++    struct rlimit rlim;
+++    static char *envp[] = { NULL };
+++    char *args[] = { NULL, NULL, NULL, NULL };
+++
+++    /* reopen stdout as pipe */
+++    dup2(fds[1], STDOUT_FILENO);
+++
+++    /* XXX - should really tidy up PAM here too */
+++
+++    if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+++      if (rlim.rlim_max >= MAX_FD_NO)
+++        rlim.rlim_max = MAX_FD_NO;
+++      for (i=0; i < (int)rlim.rlim_max; i++) {
+++	if (i != STDOUT_FILENO) {
+++	  close(i);
+++	}
+++      }
+++    }
+++
+++    if (geteuid() == 0) {
+++      /* must set the real uid to 0 so the helper will not error
+++         out if pam is called from setuid binary (su, sudo...) */
+++      if (setuid(0) == -1) {
+++          pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+++          printf("-1\n");
+++          fflush(stdout);
+++          _exit(PAM_AUTHINFO_UNAVAIL);
+++      }
+++    }
+++
+++    /* exec binary helper */
+++    args[0] = x_strdup(CHKPWD_HELPER);
+++    args[1] = x_strdup(user);
+++    args[2] = x_strdup("chkexpiry");
+++
+++    execve(CHKPWD_HELPER, args, envp);
+++
+++    pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+++    /* should not get here: exit with error */
+++    D(("helper binary is not available"));
+++    printf("-1\n");
+++    fflush(stdout);
+++    _exit(PAM_AUTHINFO_UNAVAIL);
+++  } else {
+++    close(fds[1]);
+++    if (child > 0) {
+++      char buf[32];
+++      int rc=0;
+++      /* wait for helper to complete: */
+++      while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
+++      if (rc<0) {
+++	pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd waitpid returned %d: %m", rc);
+++	retval = PAM_AUTH_ERR;
+++      } else if (!WIFEXITED(retval)) {
+++        pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd abnormal exit: %d", retval);
+++        retval = PAM_AUTH_ERR;
+++      } else {
+++	retval = WEXITSTATUS(retval);
+++        rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1);
+++	if(rc > 0) {
+++	      buf[rc] = '\0';
+++	      if (sscanf(buf,"%d", daysleft) != 1 )
+++	        retval = PAM_AUTH_ERR;
+++	    }
+++	else {
+++	    pam_syslog(pamh, LOG_ERR, "read pam_extrausers_chkpwd output error %d: %m", rc);
+++	    retval = PAM_AUTH_ERR;
+++	  }
+++      }
+++    } else {
+++      pam_syslog(pamh, LOG_ERR, "Fork failed: %m");
+++      D(("fork failed"));
+++      retval = PAM_AUTH_ERR;
+++    }
+++    close(fds[0]);
+++  }
+++
+++  if (off(UNIX_NOREAP, ctrl)) {
+++        sigaction(SIGCHLD, &oldsa, NULL);   /* restore old signal handler */
+++  }
+++
+++  D(("Returning %d",retval));
+++  return retval;
+++}
+++
+++/*
+++ * PAM framework looks for this entry-point to pass control to the
+++ * account management module.
+++ */
+++
+++int
+++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
+++{
+++	unsigned int ctrl;
+++	const void *void_uname;
+++	const char *uname;
+++	int retval, daysleft;
+++	struct spwd *spent;
+++	struct passwd *pwent;
+++	char buf[256];
+++
+++	D(("called."));
+++
+++	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
+++
+++	retval = pam_get_item(pamh, PAM_USER, &void_uname);
+++	uname = void_uname;
+++	D(("user = `%s'", uname));
+++	if (retval != PAM_SUCCESS || uname == NULL) {
+++		pam_syslog(pamh, LOG_ALERT,
+++			 "could not identify user (from uid=%lu)",
+++			 (unsigned long int)getuid());
+++		return PAM_USER_UNKNOWN;
+++	}
+++
+++	retval = get_account_info(pamh, uname, &pwent, &spent);
+++	if (retval == PAM_USER_UNKNOWN) {
+++		pam_syslog(pamh, LOG_ALERT,
+++			 "could not identify user (from getpwnam(%s))",
+++			 uname);
+++		return retval;
+++	}
+++
+++	if (retval == PAM_SUCCESS && spent == NULL)
+++		return PAM_SUCCESS;
+++
+++	if (retval == PAM_UNIX_RUN_HELPER) {
+++		retval = _unix_run_verify_binary(pamh, ctrl, uname, &daysleft);
+++		if (retval == PAM_AUTHINFO_UNAVAIL &&
+++			on(UNIX_BROKEN_SHADOW, ctrl))
+++			return PAM_SUCCESS;
+++	} else if (retval != PAM_SUCCESS) {
+++		if (on(UNIX_BROKEN_SHADOW,ctrl))
+++			return PAM_SUCCESS;
+++		else
+++			return retval;
+++	} else
+++		retval = check_shadow_expiry(pamh, spent, &daysleft);
+++
+++	switch (retval) {
+++	case PAM_ACCT_EXPIRED:
+++		pam_syslog(pamh, LOG_NOTICE,
+++			"account %s has expired (account expired)",
+++			uname);
+++		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
+++			_("Your account has expired; please contact your system administrator"));
+++		break;
+++	case PAM_NEW_AUTHTOK_REQD:
+++		if (daysleft == 0) {
+++			pam_syslog(pamh, LOG_NOTICE,
+++				"expired password for user %s (root enforced)",
+++				uname);
+++			_make_remark(pamh, ctrl, PAM_ERROR_MSG,
+++				_("You are required to change your password immediately (root enforced)"));
+++		} else {
+++			pam_syslog(pamh, LOG_DEBUG,
+++				"expired password for user %s (password aged)",
+++				uname);
+++			_make_remark(pamh, ctrl, PAM_ERROR_MSG,
+++				_("You are required to change your password immediately (password aged)"));
+++		}
+++		break;
+++	case PAM_AUTHTOK_EXPIRED:
+++		pam_syslog(pamh, LOG_NOTICE,
+++			"account %s has expired (failed to change password)",
+++			uname);
+++		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
+++			_("Your account has expired; please contact your system administrator"));
+++		break;
+++	case PAM_AUTHTOK_ERR:
+++		retval = PAM_SUCCESS;
+++		/* fallthrough */
+++	case PAM_SUCCESS:
+++		if (daysleft >= 0) {
+++			pam_syslog(pamh, LOG_DEBUG,
+++				"password for user %s will expire in %d days",
+++				uname, daysleft);
+++#if defined HAVE_DNGETTEXT && defined ENABLE_NLS
+++			snprintf (buf, sizeof (buf),
+++				dngettext(PACKAGE,
+++				  "Warning: your password will expire in %d day",
+++				  "Warning: your password will expire in %d days",
+++				  daysleft),
+++				daysleft);
+++#else
+++			if (daysleft == 1)
+++			    snprintf(buf, sizeof (buf),
+++				_("Warning: your password will expire in %d day"),
+++				daysleft);
+++			else
+++			    snprintf(buf, sizeof (buf),
+++			    /* TRANSLATORS: only used if dngettext is not supported */
+++				_("Warning: your password will expire in %d days"),
+++				daysleft);
+++#endif
+++			_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
+++		}
+++	}
+++
+++	D(("all done"));
+++
+++	return retval;
+++}
++Index: pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c
++@@ -0,0 +1,218 @@
+++/*
+++ * Copyright Alexander O. Yuriev, 1996.  All rights reserved.
+++ * NIS+ support by Thorsten Kukuk <kukuk@weber.uni-paderborn.de>
+++ * Copyright Jan R\EAkorajski, 1999.  All rights reserved.
+++ *
+++ * Redistribution and use in source and binary forms, with or without
+++ * modification, are permitted provided that the following conditions
+++ * are met:
+++ * 1. Redistributions of source code must retain the above copyright
+++ *    notice, and the entire permission notice in its entirety,
+++ *    including the disclaimer of warranties.
+++ * 2. Redistributions in binary form must reproduce the above copyright
+++ *    notice, this list of conditions and the following disclaimer in the
+++ *    documentation and/or other materials provided with the distribution.
+++ * 3. The name of the author may not be used to endorse or promote
+++ *    products derived from this software without specific prior
+++ *    written permission.
+++ *
+++ * ALTERNATIVELY, this product may be distributed under the terms of
+++ * the GNU Public License, in which case the provisions of the GPL are
+++ * required INSTEAD OF the above restrictions.  (This clause is
+++ * necessary due to a potential bad interaction between the GPL and
+++ * the restrictions contained in a BSD-style copyright.)
+++ *
+++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+++ * OF THE POSSIBILITY OF SUCH DAMAGE.
+++ */
+++
+++#include "config.h"
+++
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <stdarg.h>
+++#include <string.h>
+++#include <unistd.h>
+++#include <fcntl.h>
+++#include <ctype.h>
+++#include <sys/types.h>
+++#include <sys/stat.h>
+++#include <syslog.h>
+++
+++/* indicate the following groups are defined */
+++
+++#ifdef PAM_STATIC
+++# include "pam_unix_static.h"
+++#else
+++# define PAM_SM_AUTH
+++#endif
+++
+++#define _PAM_EXTERN_FUNCTIONS
+++#include <security/_pam_macros.h>
+++#include <security/pam_modules.h>
+++#include <security/pam_ext.h>
+++
+++#include "support.h"
+++
+++/*
+++ * PAM framework looks for these entry-points to pass control to the
+++ * authentication module.
+++ */
+++
+++/* Fun starts here :)
+++
+++ * pam_sm_authenticate() performs UNIX/shadow authentication
+++ *
+++ *      First, if shadow support is available, attempt to perform
+++ *      authentication using shadow passwords. If shadow is not
+++ *      available, or user does not have a shadow password, fallback
+++ *      onto a normal UNIX authentication
+++ */
+++
+++#define _UNIX_AUTHTOK  "-UN*X-PASS"
+++
+++#define AUTH_RETURN						\
+++do {								\
+++	if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) {		\
+++		D(("recording return code for next time [%d]",	\
+++					retval));		\
+++		*ret_data = retval;				\
+++		pam_set_data(pamh, "unix_setcred_return",	\
+++		             (void *) ret_data, setcred_free);	\
+++	} else if (ret_data)					\
+++	  free (ret_data);                                      \
+++	D(("done. [%s]", pam_strerror(pamh, retval)));		\
+++	return retval;						\
+++} while (0)
+++
+++
+++static void
+++setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
+++{
+++	if (ptr)
+++		free (ptr);
+++}
+++
+++int
+++pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+++{
+++	unsigned int ctrl;
+++	int retval, *ret_data = NULL;
+++	const char *name;
+++	const void *p;
+++
+++	D(("called."));
+++
+++	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
+++
+++	/* Get a few bytes so we can pass our return value to
+++	   pam_sm_setcred(). */
+++	if (on(UNIX_LIKE_AUTH, ctrl))
+++		ret_data = malloc(sizeof(int));
+++
+++	/* get the user'name' */
+++
+++	retval = pam_get_user(pamh, &name, NULL);
+++	if (retval == PAM_SUCCESS) {
+++		/*
+++		 * Various libraries at various times have had bugs related to
+++		 * '+' or '-' as the first character of a user name. Don't
+++		 * allow this characters here.
+++		 */
+++		if (name == NULL || name[0] == '-' || name[0] == '+') {
+++			pam_syslog(pamh, LOG_ERR, "bad username [%s]", name);
+++			retval = PAM_USER_UNKNOWN;
+++			AUTH_RETURN;
+++		}
+++		if (on(UNIX_DEBUG, ctrl))
+++			D(("username [%s] obtained", name));
+++	} else {
+++		D(("trouble reading username"));
+++		if (retval == PAM_CONV_AGAIN) {
+++			D(("pam_get_user/conv() function is not ready yet"));
+++			/* it is safe to resume this function so we translate this
+++			 * retval to the value that indicates we're happy to resume.
+++			 */
+++			retval = PAM_INCOMPLETE;
+++		}
+++		AUTH_RETURN;
+++	}
+++
+++	/* if this user does not have a password... */
+++
+++	if (_unix_blankpasswd(pamh, ctrl, name)) {
+++		D(("user '%s' has blank passwd", name));
+++		name = NULL;
+++		retval = PAM_SUCCESS;
+++		AUTH_RETURN;
+++	}
+++	/* get this user's authentication token */
+++
+++	retval = _unix_read_password(pamh, ctrl, NULL, _("Password: "), NULL
+++				     ,_UNIX_AUTHTOK, &p);
+++	if (retval != PAM_SUCCESS) {
+++		if (retval != PAM_CONV_AGAIN) {
+++			pam_syslog(pamh, LOG_CRIT,
+++			    "auth could not identify password for [%s]", name);
+++		} else {
+++			D(("conversation function is not ready yet"));
+++			/*
+++			 * it is safe to resume this function so we translate this
+++			 * retval to the value that indicates we're happy to resume.
+++			 */
+++			retval = PAM_INCOMPLETE;
+++		}
+++		name = NULL;
+++		AUTH_RETURN;
+++	}
+++	D(("user=%s, password=[%s]", name, p));
+++
+++	/* verify the password of this user */
+++	retval = _unix_verify_password(pamh, name, p, ctrl);
+++	name = p = NULL;
+++
+++	AUTH_RETURN;
+++}
+++
+++
+++/*
+++ * The only thing _pam_set_credentials_unix() does is initialization of
+++ * UNIX group IDs.
+++ *
+++ * Well, everybody but me on linux-pam is convinced that it should not
+++ * initialize group IDs, so I am not doing it but don't say that I haven't
+++ * warned you. -- AOY
+++ */
+++
+++int
+++pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
+++		int argc UNUSED, const char **argv UNUSED)
+++{
+++	int retval;
+++	const void *pretval = NULL;
+++
+++	D(("called."));
+++
+++	retval = PAM_SUCCESS;
+++
+++	D(("recovering return code from auth call"));
+++	/* We will only find something here if UNIX_LIKE_AUTH is set --
+++	   don't worry about an explicit check of argv. */
+++	if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+++	    && pretval) {
+++	        retval = *(const int *)pretval;
+++		pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
+++		D(("recovered data indicates that old retval was %d", retval));
+++	}
+++
+++	return retval;
+++}
++Index: pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c
++===================================================================
++--- /dev/null
+++++ pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c
++@@ -0,0 +1,843 @@
+++/*
+++ * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
+++ * Copyright (C) 1996.
+++ * Copyright (c) Jan Rêkorajski, 1999.
+++ * Copyright (c) Red Hat, Inc., 2007, 2008.
+++ *
+++ * Redistribution and use in source and binary forms, with or without
+++ * modification, are permitted provided that the following conditions
+++ * are met:
+++ * 1. Redistributions of source code must retain the above copyright
+++ *    notice, and the entire permission notice in its entirety,
+++ *    including the disclaimer of warranties.
+++ * 2. Redistributions in binary form must reproduce the above copyright
+++ *    notice, this list of conditions and the following disclaimer in the
+++ *    documentation and/or other materials provided with the distribution.
+++ * 3. The name of the author may not be used to endorse or promote
+++ *    products derived from this software without specific prior
+++ *    written permission.
+++ *
+++ * ALTERNATIVELY, this product may be distributed under the terms of
+++ * the GNU Public License, in which case the provisions of the GPL are
+++ * required INSTEAD OF the above restrictions.  (This clause is
+++ * necessary due to a potential bad interaction between the GPL and
+++ * the restrictions contained in a BSD-style copyright.)
+++ *
+++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+++ * OF THE POSSIBILITY OF SUCH DAMAGE.
+++ */
+++
+++#include "config.h"
+++
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <stdarg.h>
+++#include <string.h>
+++#include <malloc.h>
+++#include <unistd.h>
+++#include <errno.h>
+++#include <sys/types.h>
+++#include <pwd.h>
+++#include <syslog.h>
+++#include <shadow.h>
+++#include <time.h>		/* for time() */
+++#include <fcntl.h>
+++#include <ctype.h>
+++#include <sys/time.h>
+++#include <sys/stat.h>
+++
+++#include <signal.h>
+++#include <errno.h>
+++#include <sys/wait.h>
+++#include <sys/resource.h>
+++
+++#include <security/_pam_macros.h>
+++
+++/* indicate the following groups are defined */
+++
+++#ifdef PAM_STATIC
+++# include "pam_unix_static.h"
+++#else
+++# define PAM_SM_PASSWORD
+++#endif
+++
+++#include <security/pam_modules.h>
+++#include <security/pam_ext.h>
+++#include <security/pam_modutil.h>
+++
+++#include "md5.h"
+++#include "support.h"
+++#include "passverify.h"
+++#include "bigcrypt.h"
+++
+++#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
+++# define HAVE_NIS
+++#endif
+++
+++#ifdef HAVE_NIS
+++# include <rpc/rpc.h>
+++
+++# if HAVE_RPCSVC_YP_PROT_H
+++#  include <rpcsvc/yp_prot.h>
+++# endif
+++
+++# if HAVE_RPCSVC_YPCLNT_H
+++#  include <rpcsvc/ypclnt.h>
+++# endif
+++
+++# include "yppasswd.h"
+++
+++# if !HAVE_DECL_GETRPCPORT
+++extern int getrpcport(const char *host, unsigned long prognum,
+++		      unsigned long versnum, unsigned int proto);
+++# endif				/* GNU libc 2.1 */
+++#endif
+++
+++extern const char *obscure_msg(const char *, const char *, const struct passwd *,
+++			       unsigned int);
+++
+++/*
+++   How it works:
+++   Gets in username (has to be done) from the calling program
+++   Does authentication of user (only if we are not running as root)
+++   Gets new password/checks for sanity
+++   Sets it.
+++ */
+++
+++/* data tokens */
+++
+++#define _UNIX_OLD_AUTHTOK	"-UN*X-OLD-PASS"
+++#define _UNIX_NEW_AUTHTOK	"-UN*X-NEW-PASS"
+++
+++#define MAX_PASSWD_TRIES	3
+++
+++#ifdef HAVE_NIS
+++static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
+++{
+++	char *master;
+++	char *domainname;
+++	int port, err;
+++
+++#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
+++	if ((err = yp_get_default_domain(&domainname)) != 0) {
+++		pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s",
+++			 yperr_string(err));
+++		return NULL;
+++	}
+++#elif defined(HAVE_GETDOMAINNAME)
+++	char domainname_res[256];
+++
+++	if (getdomainname (domainname_res, sizeof (domainname_res)) == 0)
+++	  {
+++	    if (strcmp (domainname_res, "(none)") == 0)
+++	      {
+++		/* If domainname is not set, some systems will return "(none)" */
+++		domainname_res[0] = '\0';
+++	      }
+++	    domainname = domainname_res;
+++	  }
+++	else domainname = NULL;
+++#endif
+++
+++	if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
+++		pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s",
+++			 yperr_string(err));
+++		return NULL;
+++	}
+++	port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
+++	if (port == 0) {
+++		pam_syslog(pamh, LOG_WARNING,
+++		         "yppasswdd not running on NIS master host");
+++		return NULL;
+++	}
+++	if (port >= IPPORT_RESERVED) {
+++		pam_syslog(pamh, LOG_WARNING,
+++		         "yppasswd daemon running on illegal port");
+++		return NULL;
+++	}
+++	if (on(UNIX_DEBUG, ctrl)) {
+++	  pam_syslog(pamh, LOG_DEBUG, "Use NIS server on %s with port %d",
+++		     master, port);
+++	}
+++	return master;
+++}
+++#endif
+++
+++#ifdef WITH_SELINUX
+++
+++static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
+++    const char *fromwhat, const char *towhat, int remember)
+++{
+++    int retval, child, fds[2];
+++    struct sigaction newsa, oldsa;
+++
+++    D(("called."));
+++    /* create a pipe for the password */
+++    if (pipe(fds) != 0) {
+++	D(("could not make pipe"));
+++	return PAM_AUTH_ERR;
+++    }
+++
+++    if (off(UNIX_NOREAP, ctrl)) {
+++	/*
+++	 * This code arranges that the demise of the child does not cause
+++	 * the application to receive a signal it is not expecting - which
+++	 * may kill the application or worse.
+++	 *
+++	 * The "noreap" module argument is provided so that the admin can
+++	 * override this behavior.
+++	 */
+++        memset(&newsa, '\0', sizeof(newsa));
+++        newsa.sa_handler = SIG_DFL;
+++        sigaction(SIGCHLD, &newsa, &oldsa);
+++    }
+++
+++    /* fork */
+++    child = fork();
+++    if (child == 0) {
+++        int i=0;
+++        struct rlimit rlim;
+++	static char *envp[] = { NULL };
+++	char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
+++        char buffer[16];
+++
+++	/* XXX - should really tidy up PAM here too */
+++
+++	/* reopen stdin as pipe */
+++	dup2(fds[0], STDIN_FILENO);
+++
+++	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+++	  if (rlim.rlim_max >= MAX_FD_NO)
+++	    rlim.rlim_max = MAX_FD_NO;
+++	  for (i=0; i < (int)rlim.rlim_max; i++) {
+++	    if (i != STDIN_FILENO)
+++		close(i);
+++	  }
+++	}
+++
+++	/* exec binary helper */
+++	args[0] = x_strdup(UPDATE_HELPER);
+++	args[1] = x_strdup(user);
+++	args[2] = x_strdup("update");
+++	if (on(UNIX_SHADOW, ctrl))
+++		args[3] = x_strdup("1");
+++	else
+++		args[3] = x_strdup("0");
+++
+++        snprintf(buffer, sizeof(buffer), "%d", remember);
+++        args[4] = x_strdup(buffer);
+++
+++	execve(UPDATE_HELPER, args, envp);
+++
+++	/* should not get here: exit with error */
+++	D(("helper binary is not available"));
+++	_exit(PAM_AUTHINFO_UNAVAIL);
+++    } else if (child > 0) {
+++	/* wait for child */
+++	/* if the stored password is NULL */
+++        int rc=0;
+++	if (fromwhat)
+++	  pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+++	else
+++	  pam_modutil_write(fds[1], "", 1);
+++	if (towhat) {
+++	  pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
+++	}
+++	else
+++	  pam_modutil_write(fds[1], "", 1);
+++
+++	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
+++	close(fds[1]);
+++	/* wait for helper to complete: */
+++	while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
+++	if (rc<0) {
+++	  pam_syslog(pamh, LOG_ERR, "pam_extrausers_update waitpid failed: %m");
+++	  retval = PAM_AUTHTOK_ERR;
+++	} else if (!WIFEXITED(retval)) {
+++          pam_syslog(pamh, LOG_ERR, "pam_extrausers_update abnormal exit: %d", retval);
+++          retval = PAM_AUTHTOK_ERR;
+++        } else {
+++	  retval = WEXITSTATUS(retval);
+++	}
+++    } else {
+++	D(("fork failed"));
+++	close(fds[0]);
+++	close(fds[1]);
+++	retval = PAM_AUTH_ERR;
+++    }
+++
+++    if (off(UNIX_NOREAP, ctrl)) {
+++        sigaction(SIGCHLD, &oldsa, NULL);   /* restore old signal handler */
+++    }
+++
+++    return retval;
+++}
+++#endif
+++
+++static int check_old_password(const char *forwho, const char *newpass)
+++{
+++	static char buf[16384];
+++	char *s_luser, *s_uid, *s_npas, *s_pas;
+++	int retval = PAM_SUCCESS;
+++	FILE *opwfile;
+++	size_t len = strlen(forwho);
+++
+++	opwfile = fopen(OLD_PASSWORDS_FILE, "r");
+++	if (opwfile == NULL)
+++		return PAM_ABORT;
+++
+++	while (fgets(buf, 16380, opwfile)) {
+++		if (!strncmp(buf, forwho, len) && (buf[len] == ':' ||
+++			buf[len] == ',')) {
+++			char *sptr;
+++			buf[strlen(buf) - 1] = '\0';
+++			s_luser = strtok_r(buf, ":,", &sptr);
+++			s_uid = strtok_r(NULL, ":,", &sptr);
+++			s_npas = strtok_r(NULL, ":,", &sptr);
+++			s_pas = strtok_r(NULL, ":,", &sptr);
+++			while (s_pas != NULL) {
+++				char *md5pass = Goodcrypt_md5(newpass, s_pas);
+++				if (!strcmp(md5pass, s_pas)) {
+++					_pam_delete(md5pass);
+++					retval = PAM_AUTHTOK_ERR;
+++					break;
+++				}
+++				s_pas = strtok_r(NULL, ":,", &sptr);
+++				_pam_delete(md5pass);
+++			}
+++			break;
+++		}
+++	}
+++	fclose(opwfile);
+++
+++	return retval;
+++}
+++
+++static int _do_setpass(pam_handle_t* pamh, const char *forwho,
+++		       const char *fromwhat,
+++		       char *towhat, unsigned int ctrl, int remember)
+++{
+++	struct passwd *pwd = NULL;
+++	int retval = 0;
+++	int unlocked = 0;
+++	char *master = NULL;
+++
+++	D(("called"));
+++
+++	pwd = getpwnam(forwho);
+++
+++	if (pwd == NULL) {
+++		retval = PAM_AUTHTOK_ERR;
+++		goto done;
+++	}
+++
+++	if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
+++#ifdef HAVE_NIS
+++	  if ((master=getNISserver(pamh, ctrl)) != NULL) {
+++		struct timeval timeout;
+++		struct yppasswd yppwd;
+++		CLIENT *clnt;
+++		int status;
+++		enum clnt_stat err;
+++
+++		/* Unlock passwd file to avoid deadlock */
+++		unlock_pwdf();
+++		unlocked = 1;
+++
+++		/* Initialize password information */
+++		yppwd.newpw.pw_passwd = pwd->pw_passwd;
+++		yppwd.newpw.pw_name = pwd->pw_name;
+++		yppwd.newpw.pw_uid = pwd->pw_uid;
+++		yppwd.newpw.pw_gid = pwd->pw_gid;
+++		yppwd.newpw.pw_gecos = pwd->pw_gecos;
+++		yppwd.newpw.pw_dir = pwd->pw_dir;
+++		yppwd.newpw.pw_shell = pwd->pw_shell;
+++		yppwd.oldpass = fromwhat ? strdup (fromwhat) : strdup ("");
+++		yppwd.newpw.pw_passwd = towhat;
+++
+++		D(("Set password %s for %s", yppwd.newpw.pw_passwd, forwho));
+++
+++		/* The yppasswd.x file said `unix authentication required',
+++		 * so I added it. This is the only reason it is in here.
+++		 * My yppasswdd doesn't use it, but maybe some others out there
+++		 * do.                                        --okir
+++		 */
+++		clnt = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
+++		clnt->cl_auth = authunix_create_default();
+++		memset((char *) &status, '\0', sizeof(status));
+++		timeout.tv_sec = 25;
+++		timeout.tv_usec = 0;
+++		err = clnt_call(clnt, YPPASSWDPROC_UPDATE,
+++				(xdrproc_t) xdr_yppasswd, (char *) &yppwd,
+++				(xdrproc_t) xdr_int, (char *) &status,
+++				timeout);
+++
+++		free (yppwd.oldpass);
+++
+++		if (err) {
+++			_make_remark(pamh, ctrl, PAM_TEXT_INFO,
+++				clnt_sperrno(err));
+++		} else if (status) {
+++			D(("Error while changing NIS password.\n"));
+++		}
+++		D(("The password has%s been changed on %s.",
+++		   (err || status) ? " not" : "", master));
+++		pam_syslog(pamh, LOG_NOTICE, "password%s changed for %s on %s",
+++			 (err || status) ? " not" : "", pwd->pw_name, master);
+++
+++		auth_destroy(clnt->cl_auth);
+++		clnt_destroy(clnt);
+++		if (err || status) {
+++			_make_remark(pamh, ctrl, PAM_TEXT_INFO,
+++				_("NIS password could not be changed."));
+++			retval = PAM_TRY_AGAIN;
+++		}
+++#ifdef PAM_DEBUG
+++		sleep(5);
+++#endif
+++	    } else {
+++		    retval = PAM_TRY_AGAIN;
+++	    }
+++#else
+++          if (on(UNIX_DEBUG, ctrl)) {
+++            pam_syslog(pamh, LOG_DEBUG, "No NIS support available");
+++          }
+++
+++          retval = PAM_TRY_AGAIN;
+++#endif
+++	}
+++
+++	if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
+++		if(unlocked) {
+++			if (lock_pwdf() != PAM_SUCCESS) {
+++				return PAM_AUTHTOK_LOCK_BUSY;
+++			}
+++		}
+++#ifdef WITH_SELINUX
+++	        if (unix_selinux_confined())
+++			  return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember);
+++#endif
+++		/* first, save old password */
+++		if (save_old_password(pamh, forwho, fromwhat, remember)) {
+++			retval = PAM_AUTHTOK_ERR;
+++			goto done;
+++		}
+++		if (on(UNIX_SHADOW, ctrl) || is_pwd_shadowed(pwd)) {
+++			retval = unix_update_shadow(pamh, forwho, towhat);
+++			if (retval == PAM_SUCCESS)
+++				if (!is_pwd_shadowed(pwd))
+++					retval = unix_update_passwd(pamh, forwho, "x");
+++		} else {
+++			retval = unix_update_passwd(pamh, forwho, towhat);
+++		}
+++	}
+++
+++
+++done:
+++	unlock_pwdf();
+++
+++	return retval;
+++}
+++
+++static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl)
+++{
+++	struct passwd *pwent = NULL;	/* Password and shadow password */
+++	struct spwd *spent = NULL;	/* file entries for the user */
+++	int daysleft;
+++	int retval;
+++
+++	retval = get_account_info(pamh, user, &pwent, &spent);
+++	if (retval == PAM_USER_UNKNOWN) {
+++		return retval;
+++	}
+++
+++	if (retval == PAM_SUCCESS && spent == NULL)
+++		return PAM_SUCCESS;
+++
+++	if (retval == PAM_UNIX_RUN_HELPER) {
+++		retval = _unix_run_verify_binary(pamh, ctrl, user, &daysleft);
+++		if (retval == PAM_AUTH_ERR || retval == PAM_USER_UNKNOWN)
+++			return retval;
+++	}
+++	else if (retval == PAM_SUCCESS)
+++		retval = check_shadow_expiry(pamh, spent, &daysleft);
+++
+++	if (on(UNIX__IAMROOT, ctrl) || retval == PAM_NEW_AUTHTOK_REQD)
+++		return PAM_SUCCESS;
+++
+++	return retval;
+++}
+++
+++static int _pam_unix_approve_pass(pam_handle_t * pamh
+++				  ,unsigned int ctrl
+++				  ,const char *pass_old
+++				  ,const char *pass_new,
+++                                  int pass_min_len)
+++{
+++	const void *user;
+++	const char *remark = NULL;
+++	int retval = PAM_SUCCESS;
+++
+++	D(("&new=%p, &old=%p", pass_old, pass_new));
+++	D(("new=[%s]", pass_new));
+++	D(("old=[%s]", pass_old));
+++
+++	if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
+++		if (on(UNIX_DEBUG, ctrl)) {
+++			pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
+++		}
+++		_make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
+++			_("No password supplied") : _("Password unchanged"));
+++		return PAM_AUTHTOK_ERR;
+++	}
+++	/*
+++	 * if one wanted to hardwire authentication token strength
+++	 * checking this would be the place - AGM
+++	 */
+++
+++	retval = pam_get_item(pamh, PAM_USER, &user);
+++	if (retval != PAM_SUCCESS) {
+++		if (on(UNIX_DEBUG, ctrl)) {
+++			pam_syslog(pamh, LOG_ERR, "Can not get username");
+++			return PAM_AUTHTOK_ERR;
+++		}
+++	}
+++	if (off(UNIX__IAMROOT, ctrl)) {
+++		if (strlen(pass_new) < pass_min_len)
+++		  remark = _("You must choose a longer password");
+++		D(("length check [%s]", remark));
+++		if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
+++			if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
+++			  remark = _("Password has been already used. Choose another.");
+++			if (retval == PAM_ABORT) {
+++				pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
+++					OLD_PASSWORDS_FILE);
+++				return retval;
+++			}
+++		}
+++		if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
+++			struct passwd *pwd;
+++			pwd = pam_modutil_getpwnam(pamh, user);
+++			remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
+++		}
+++	}
+++	if (remark) {
+++		_make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
+++		retval = PAM_AUTHTOK_ERR;
+++	}
+++	return retval;
+++}
+++
+++int
+++pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+++{
+++	unsigned int ctrl, lctrl;
+++	int retval;
+++	int remember = -1;
+++	int rounds = -1;
+++	int pass_min_len = 6;
+++
+++	/* <DO NOT free() THESE> */
+++	const char *user;
+++	const void *pass_old, *pass_new;
+++	/* </DO NOT free() THESE> */
+++
+++	D(("called."));
+++
+++	ctrl = _set_ctrl(pamh, flags, &remember, &rounds, &pass_min_len,
+++	                 argc, argv);
+++
+++	/*
+++	 * First get the name of a user
+++	 */
+++	retval = pam_get_user(pamh, &user, NULL);
+++	if (retval == PAM_SUCCESS) {
+++		/*
+++		 * Various libraries at various times have had bugs related to
+++		 * '+' or '-' as the first character of a user name. Don't
+++		 * allow them.
+++		 */
+++		if (user == NULL || user[0] == '-' || user[0] == '+') {
+++			pam_syslog(pamh, LOG_ERR, "bad username [%s]", user);
+++			return PAM_USER_UNKNOWN;
+++		}
+++		if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
+++			pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained",
+++			         user);
+++	} else {
+++		if (on(UNIX_DEBUG, ctrl))
+++			pam_syslog(pamh, LOG_DEBUG,
+++			         "password - could not identify user");
+++		return retval;
+++	}
+++
+++	D(("Got username of %s", user));
+++
+++	/*
+++	 * Before we do anything else, check to make sure that the user's
+++	 * info is in one of the databases we can modify from this module,
+++	 * which currently is 'files' and 'nis'.  We have to do this because
+++	 * getpwnam() doesn't tell you *where* the information it gives you
+++	 * came from, nor should it.  That's our job.
+++	 */
+++	if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) {
+++		pam_syslog(pamh, LOG_DEBUG,
+++			 "user \"%s\" does not exist in /var/lib/extrausers/passwd%s",
+++			 user, on(UNIX_NIS, ctrl) ? " or NIS" : "");
+++		return PAM_USER_UNKNOWN;
+++	} else {
+++		struct passwd *pwd;
+++		_unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
+++		if (pwd == NULL) {
+++			pam_syslog(pamh, LOG_DEBUG,
+++				"user \"%s\" has corrupted passwd entry",
+++				user);
+++			return PAM_USER_UNKNOWN;
+++		}
+++	}
+++
+++	/*
+++	 * This is not an AUTH module!
+++	 */
+++	if (on(UNIX__NONULL, ctrl))
+++		set(UNIX__NULLOK, ctrl);
+++
+++	if (on(UNIX__PRELIM, ctrl)) {
+++		/*
+++		 * obtain and verify the current password (OLDAUTHTOK) for
+++		 * the user.
+++		 */
+++		char *Announce;
+++
+++		D(("prelim check"));
+++
+++		if (_unix_blankpasswd(pamh, ctrl, user)) {
+++			return PAM_SUCCESS;
+++		} else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
+++			/* instruct user what is happening */
+++			if (asprintf(&Announce, _("Changing password for %s."),
+++				user) < 0) {
+++				pam_syslog(pamh, LOG_CRIT,
+++				         "password - out of memory");
+++				return PAM_BUF_ERR;
+++			}
+++
+++			lctrl = ctrl;
+++			set(UNIX__OLD_PASSWD, lctrl);
+++			retval = _unix_read_password(pamh, lctrl
+++						     ,Announce
+++					     ,(on(UNIX__IAMROOT, ctrl)
+++			                       ? _("NIS server root password: ")
+++			                       : _("(current) UNIX password: "))
+++						     ,NULL
+++						     ,_UNIX_OLD_AUTHTOK
+++					     ,&pass_old);
+++			free(Announce);

Ubuntupam package