From gene@cif.rochester.edu  Mon Feb 15 23:48:30 1999
Received: from roundtable.cif.rochester.edu (roundtable.cif.rochester.edu [128.151.220.14])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA17805
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 15 Feb 1999 23:48:29 -0800 (PST)
          (envelope-from gene@cif.rochester.edu)
Received: (from gene@localhost)
	by roundtable.cif.rochester.edu (8.8.8/8.8.8) id CAA28977;
	Tue, 16 Feb 1999 02:48:25 -0500 (EST)
	(envelope-from gene)
Message-Id: <199902160748.CAA28977@roundtable.cif.rochester.edu>
Date: Tue, 16 Feb 1999 02:48:25 -0500 (EST)
From: gene@cif.rochester.edu
Reply-To: gene@cif.rochester.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: /etc/login.conf still implies LOGIN_CAP_AUTH
X-Send-Pr-Version: 3.2

>Number:         10115
>Category:       conf
>Synopsis:       /etc/login.conf still implies LOGIN_CAP_AUTH
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    sheldonh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 15 23:50:01 PST 1999
>Closed-Date:    Fri Sep 10 08:19:37 PDT 1999
>Last-Modified:  Fri Sep 10 08:20:15 PDT 1999
>Originator:     Gene Skonicki
>Release:        FreeBSD 2.2.8-STABLE i386
>Organization:
University of Rochester
>Environment:
    FreeBSD 2.2.8-RELEASE
    However, I've confirmed my assertion with the CVS repository.

>Description:

    The login.conf file as shipped under standard FreeBSD 3.1 (and 3.0)
still has all its examples involving auth-default and friends.  In recent
memory, (around the inclusion of PAM) the support for login-auth methods was
completely deleted from login.  So, these examples no longer make sense and
could be confusing.

    Likewise, the manpage should probably be generally overhauled to reflect
the new world order.

>How-To-Repeat:

>Fix:
    Update default login.conf file and associated manpage.
    Probably cross-reference pam stuff on login.conf mp.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: sheldonh 
State-Changed-When: Tue Jun 22 05:22:19 PDT 1999 
State-Changed-Why:  
It sounds like you have enough of a handle on the situation to come up 
with the required diffs. Wanna take a crack at it? 


Responsible-Changed-From-To: freebsd-bugs->jdp 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Jun 22 05:22:19 PDT 1999 
Responsible-Changed-Why:  
John brought PAM in, so he'll probably be interested in feedback. 
State-Changed-From-To: feedback->analyzed 
State-Changed-By: sheldonh 
State-Changed-When: Mon Jul 19 02:50:44 PDT 1999 
State-Changed-Why:  
LOGIN_CAP_AUTH needs to be axed. 


Responsible-Changed-From-To: jdp->sheldonh 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Mon Jul 19 02:50:44 PDT 1999 
Responsible-Changed-Why:  
John confirms that the author of the LOGIN_CAP_AUTH code agrees 
that it should be axed. Since the axe-wielding won't require  
incredible skill, I'll take the task off John's plate. 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: freebsd-gnats-submit@freebsd.org
Cc: jdp@freebsd.org
Subject: Re: conf/10115: /etc/login.conf still implies LOGIN_CAP_AUTH
Date: Fri, 13 Aug 1999 18:57:31 +0200

 I've ripped LOGIN_CAP_AUTH out of the source tree in CURRENT. I'll give
 it a few weeks before attacking STABLE. I'll need someone to take the
 STABLE diff through a ``make world''. Any takers?
 
 Ciao,
 Sheldon.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: conf/10115: /etc/login.conf still implies LOGIN_CAP_AUTH
Date: Mon, 16 Aug 1999 11:07:29 +0200

 Here's a diff against RELENG_3. Anyone pushing this through a successful
 ``make world'', please let me know.
 
 Thanks,
 Sheldon.
 
 Index: etc/login.conf
 ===================================================================
 RCS file: /home/ncvs/src/etc/login.conf,v
 retrieving revision 1.26.2.3
 diff -u -d -r1.26.2.3 login.conf
 --- login.conf	1999/05/11 07:10:03	1.26.2.3
 +++ login.conf	1999/08/16 08:46:37
 @@ -81,21 +81,6 @@
  ######################################################################
  ######################################################################
  
 -## Authentication methods
 -## Note that these are disabled by default, and libutil must
 -## be rebuilt with LOGIN_CAP_AUTH defined to use them.
 -#
 -#auth-defaults:\
 -#	:auth=krb_skey_or_passwd,passwd,kerberos,skey:
 -#
 -#auth-root-defaults:\
 -#	:auth-login=krb_skey_or_passwd,passwd,kerberos,skey:\
 -#	:auth-rlogin=krb_or_skey,kerberos,skey:
 -#
 -#auth-ftp-defaults:\
 -#	:auth=skey_or_pwd,passwd,skey:
 -#
 -#
  ## Example defaults
  ## These settings are used by login(1) by default for classless users
  ## Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
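
Review bot: the deletion at line 81 leaves etc/login.conf with no pointer to where authentication is configured now. The PR's Fix section asks for a cross-reference to PAM, so consider putting a one-line comment in place of the removed "## Authentication methods" block rather than removing it without a trace.
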
 Index: lib/libutil/Makefile
 ===================================================================
 RCS file: /home/ncvs/src/lib/libutil/Makefile,v
 retrieving revision 1.21.2.3
 diff -u -d -r1.21.2.3 Makefile
 --- Makefile	1999/07/12 14:28:57	1.21.2.3
 +++ Makefile	1999/08/16 08:46:56
 @@ -4,7 +4,6 @@
  SHLIB_MAJOR= 2
  SHLIB_MINOR= 2
  CFLAGS+=-Wall -DLIBC_SCCS -I${.CURDIR} -I${.CURDIR}/../../sys
 -#CFLAGS+=-DLOGIN_CAP_AUTH
  SRCS=	login.c login_tty.c logout.c logwtmp.c pty.c setproctitle.c \
  	login_cap.c login_class.c login_auth.c login_times.c login_ok.c \
  	_secure_path.c uucplock.c property.c auth.c realhostname.c
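
Review bot: SHLIB_MINOR stays at 2 in the context lines above the removed `#CFLAGS+=-DLOGIN_CAP_AUTH`, and the commit message should say why that is acceptable. The default build never exported the auth_* functions because the define was commented out, but anyone who had enabled it locally loses those symbols from libutil with no version change. login_auth.c correctly stays in SRCS, since the login_auth.c hunk's trailing context shows the file still carries auth_checknologin().
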
 Index: lib/libutil/login.conf.5
 ===================================================================
 RCS file: /home/ncvs/src/lib/libutil/login.conf.5,v
 retrieving revision 1.15.2.1
 diff -u -d -r1.15.2.1 login.conf.5
 --- login.conf.5	1999/04/30 18:48:05	1.15.2.1
 +++ login.conf.5	1999/08/16 08:48:21
 @@ -200,10 +200,6 @@
  .Sy Name	Type	Notes	Description
  .It minpasswordlen	number	6	The minimum length a local password may be.
  .\" .It approve	program 	Program to approve login.
 -.It auth	list	passwd	Allowed authentication styles. The first value is the
 -default style.
 -.It auth-<type>	list		Allowed authentication styles for the
 -authentication type 'type'.
  .It copyright	file		File containing additional copyright information
  .\".It widepasswords	bool	false	Use the wide password format. The wide password
  .\" format allows up to 128 significant characters in the password.
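
Review bot: this single hunk at line 200 removes the `auth` and `auth-<type>` rows but adds nothing in their place, while the PR asks for the page to cross-reference PAM. Suggest adding a SEE ALSO entry for the PAM documentation in the same commit, and checking the rest of login.conf.5 for other text that still describes authentication styles, since no other part of the page is touched here.
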
 Index: lib/libutil/login_auth.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libutil/login_auth.c,v
 retrieving revision 1.9
 diff -u -d -r1.9 login_auth.c
 --- login_auth.c	1998/09/16 04:17:47	1.9
 +++ login_auth.c	1999/08/16 08:51:03
 @@ -51,570 +51,6 @@
  #include <err.h>
  #include <libutil.h>
  
 -#ifdef	LOGIN_CAP_AUTH
 -/*
 - * Comment from BSDI's authenticate.c module:
 - * NOTE: THIS MODULE IS TO BE DEPRECATED.  FUTURE VERSIONS OF BSD/OS WILL
 - * HAVE AN UPDATED API, THOUGH THESE FUNCTIONS WILL CONTINUE TO BE AVAILABLE
 - * FOR BACKWARDS COMPATABILITY
 - */
 -
 -
 -#define AUTHMAXSPOOL	(8 * 1024) /* Max size of authentication data */
 -#define	AUTHCOMM_FD	3	   /* Handle used to read/write auth data */
 -
 -struct rmfiles {
 -    struct rmfiles  *next;
 -    char	    file[1];
 -};
 -
 -struct authopts {
 -    struct authopts *next;
 -    char	    opt[1];
 -};
 -
 -static char *spoolbuf = NULL;
 -static int spoolidx = 0;
 -static struct rmfiles *rmfirst = NULL;
 -static struct authopts *optfirst = NULL;
 -
 -
 -/*
 - * Setup a known environment for all authentication scripts.
 - */
 -
 -static char *auth_environ[] = {
 -    "PATH=" _PATH_DEFPATH,
 -    "SHELL=" _PATH_BSHELL,
 -    NULL,
 -};
 -
 -
 -
 -/*
 - * nextline()
 - * Get the next line from the data buffer collected from
 - * the authentication program. This function relies on the
 - * fact that lines are nul terminated.
 - */
 -
 -static char *
 -nextline(int *idx)
 -{
 -    char    *ptr = NULL;
 -
 -    if (spoolbuf != NULL && *idx < spoolidx) {
 -	ptr = spoolbuf + *idx;
 -	*idx += strlen(ptr) + 1;
 -    }
 -    return ptr;
 -}
 -
 -
 -/*
 - * spooldata()
 - * Read data returned on authentication backchannel and
 - * stuff it into our spool buffer. We also replace \n with nul
 - * to make parsing easier later.
 - */
 -
 -static int
 -spooldata(int fd)
 -{
 -
 -    if (spoolbuf)
 -	free(spoolbuf);
 -    spoolidx = 0;
 -
 -    if (spoolbuf == NULL && (spoolbuf = malloc(AUTHMAXSPOOL)) == NULL)
 -	syslog(LOG_ERR, "authbuffer malloc: %m");
 -
 -    else while (spoolidx < sizeof(spoolbuf) - 1) {
 -	int	r = read(fd, spoolbuf + spoolidx, sizeof(spoolbuf)-spoolidx);
 -	char	*b;
 -
 -	if (r <= 0) {
 -	    spoolbuf[spoolidx] = '\0';
 -	    return 0;
 -	}
 -	/*
 -	 * Convert newlines into NULs to allow
 -	 * easier scanning of the file.
 -	 */
 -	while ((b = memchr(spoolbuf + spoolidx, '\n', r)) != NULL)
 -	    *b = '\0';
 -	spoolidx += r;
 -    }
 -    return -1;
 -}
 -
 -
 -/*
 - * auth_check()
 - * Starts an auth_script() for the given <user>, with a class <class>,
 - * style <style>, and service <service>.  <style> is necessary,
 - * as are <user> and <class>, but <service> is optional -- it defaults
 - * to "login".
 - * Since auth_script() expects an execl'able program name, authenticate()
 - * also concatenates <style> to _PATH_AUTHPROG.
 - * Lastly, calls auth_scan(0) to see if there are any "reject" statements,
 - * or lack of "auth" statements.
 - * Returns -1 on error, 0 on rejection, and >0 on success.
 - * (See AUTH_* for the return values.)
 - *
 - */
 -
 -int
 -auth_check(const char *name, const char *clss, const char *style,
 -	   const char *service, int *status)
 -{
 -    int	    _status;
 -
 -    if (status == NULL)
 -	status = &_status;
 -    *status = 0;
 -
 -    if (style != NULL) {
 -	char	path[MAXPATHLEN];
 -
 -	if (service == NULL)
 -	    service = LOGIN_DEFSERVICE;
 -
 -	snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style);
 -	if (auth_script(path, style, "-s", service, name, clss, 0))
 -	    status = 0;
 -	else
 -	    *status = auth_scan(0);
 -
 -	return *status & AUTH_ALLOW;
 -    }
 -    return -1;
 -}
 -
 -
 -int
 -auth_response(const char *name, const char *class, const char *style,
 -	      const char *service, int *status,
 -	      const char *challenge, const char *response)
 -{
 -    int	    _status;
 -
 -    if (status == NULL)
 -	status = &_status;
 -    *status = 0;
 -
 -    if (style != NULL) {
 -	int	datalen;
 -	char    *data;
 -
 -	if (service == NULL)
 -	    service = LOGIN_DEFSERVICE;
 -
 -	datalen = strlen(challenge) + strlen(response) + 2;
 -
 -	if ((data = malloc(datalen)) == NULL) {
 -	    syslog(LOG_ERR, "auth_response: %m");
 -	    warnx("internal resource failure");
 -	} else {
 -	    char    path[MAXPATHLEN];
 -
 -	    snprintf(data, datalen, "%s%c%s", challenge, 0, response);
 -	    snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style);
 -	    if (auth_script_data(data, datalen, path, style, "-s", service,
 -				 name, class, 0))
 -		*status = 0;
 -	    else
 -		*status = auth_scan(0);
 -	    free(data);
 -	    return (*status & AUTH_ALLOW);
 -	}
 -    }
 -    return -1;
 -}
 -
 -
 -int
 -auth_approve(login_cap_t *lc, const char *name, const char *service)
 -{
 -    int	    r = -1;
 -    char    path[MAXPATHLEN];
 -
 -    if (lc == NULL) {
 -	if (strlen(name) > MAXPATHLEN) {
 -	    syslog(LOG_ERR, "%s: username too long", name);
 -	    warnx("username too long");
 -	} else {
 -	    struct passwd   *pwd;
 -	    char	    *p;
 -
 -	    pwd = getpwnam(name);
 -	    if (pwd == NULL && (p = strchr(name, '.')) != NULL) {
 -		int	i = p - name;
 -
 -		if (i >= MAXPATHLEN)
 -		    i = MAXPATHLEN - 1;
 -		strncpy(path, name, i);
 -		path[i] = '\0';
 -		pwd = getpwnam(path); /* Fixed bug in BSDI code... */
 -	    }
 -	    if ((lc = login_getpwclass(pwd ? pwd->pw_class : NULL)) == NULL)
 -		warnx("unable to classify user '%s'", name);
 -	}
 -    }
 -
 -    if (lc != NULL) {
 -	char	*approve;
 -	char	*s;
 -
 -	if (service != NULL)
 -		service = LOGIN_DEFSERVICE;
 -
 -	snprintf(path, sizeof(path), "approve-%s", service);
 -
 -        if ((approve = login_getcapstr(lc, s = path, NULL, NULL)) == NULL &&
 -	    (approve = login_getcapstr(lc, s = "approve", NULL, NULL)) == NULL)
 -	    r = AUTH_OKAY;
 -	else {
 -
 -	    if (approve[0] != '/') {
 -		syslog(LOG_ERR, "Invalid %s script: %s", s, approve);
 -		warnx("invalid path to approval script");
 -	    } else {
 -		char	*s;
 -
 -		s = strrchr(approve, '/') + 1;
 -		if (auth_script(approve, s, name,
 -				lc->lc_class, service, 0) == 0 &&
 -		    (r = auth_scan(AUTH_OKAY) & AUTH_ALLOW) != 0)
 -		    auth_env();
 -	    }
 -	}
 -    }
 -    return r;
 -}
 -
 -
 -void
 -auth_env(void)
 -{
 -    int	    idx = 0;
 -    char    *line;
 -
 -    while ((line = nextline(&idx)) != NULL) {
 -	if (!strncasecmp(line, BI_SETENV, sizeof(BI_SETENV)-1)) {
 -	    line += sizeof(BI_SETENV) - 1;
 -	    if (*line && isspace(*line)) {
 -		char	*name;
 -		char	ch, *p;
 -
 -		while (*line && isspace(*line))
 -		    ++line;
 -		name = line;
 -		while (*line && !isspace(*line))
 -		    ++line;
 -		ch = *(p = line);
 -		if (*line)
 -		    ++line;
 -		if (setenv(name, line, 1))
 -		    warn("setenv(%s, %s)", name, line);
 -		*p = ch;
 -	    }
 -	}
 -    }
 -}
 -
 -
 -char *
 -auth_value(const char *what)
 -{
 -    int	    idx = 0;
 -    char    *line;
 -
 -    while ((line = nextline(&idx)) != NULL) {
 -	if (!strncasecmp(line, BI_VALUE, sizeof(BI_VALUE)-1)) {
 -	    char    *name;
 -
 -	    line += sizeof(BI_VALUE) - 1;
 -	    while (*line && isspace(*line))
 -		++line;
 -	    name = line;
 -	    if (*line) {
 -		int	i;
 -		char	ch, *p;
 -
 -		ch = *(p = line);
 -		*line++ = '\0';
 -		i = strcmp(name, what);
 -		*p = ch;
 -		if (i == 0)
 -		    return auth_mkvalue(line);
 -	    }
 -	}
 -    }
 -    return NULL;
 -}
 -
 -char *
 -auth_mkvalue(const char *value)
 -{
 -    char *big, *p;
 -
 -    big = malloc(strlen(value) * 4 + 1);
 -    if (big != NULL) {
 -	for (p = big; *value; ++value) {
 -	    switch (*value) {
 -	    case '\r':
 -		*p++ = '\\';
 -		*p++ = 'r';
 -		break;
 -	    case '\n':
 -		*p++ = '\\';
 -		*p++ = 'n';
 -		break;
 -	    case '\\':
 -		*p++ = '\\';
 -		*p++ = *value;
 -		break;
 -	    case '\t':
 -	    case ' ':
 -		if (p == big)
 -		    *p++ = '\\';
 -		*p++ = *value;
 -		break;
 -	    default:
 -		if (!isprint(*value)) {
 -		    *p++ = '\\';
 -		    *p++ = ((*value >> 6) & 0x3) + '0';
 -		    *p++ = ((*value >> 3) & 0x7) + '0';
 -		    *p++ = ((*value     ) & 0x7) + '0';
 -		} else
 -		    *p++ = *value;
 -		break;
 -	    }
 -	}
 -	*p = '\0';
 -	big = reallocf(big, strlen(big) + 1);
 -    }
 -    return big;
 -}
 -
 -
 -#define NARGC	63
 -static int
 -_auth_script(const char *data, int nbytes, const char *path, va_list ap)
 -{
 -    int		    r, argc, status;
 -    int		    pfd[2];
 -    pid_t	    pid;
 -    struct authopts *e;
 -    char	    *argv[NARGC+1];
 -
 -    r = -1;
 -    argc = 0;
 -    for (e = optfirst; argc < (NARGC - 1) && e != NULL; e = e->next) {
 -	argv[argc++] = "-v";
 -	argv[argc++] = e->opt;
 -    }
 -    while (argc < NARGC && (argv[argc] = va_arg(ap, char *)) != NULL)
 -	++argc;
 -    argv[argc] = NULL;
 -
 -    if (argc >= NARGC && va_arg(ap, char *))
 -	syslog(LOG_ERR, "too many arguments");
 -    else if (_secure_path(path, 0, 0) < 0) {
 -	syslog(LOG_ERR, "%s: path not secure", path);
 -	warnx("invalid script: %s", path);
 -    } else if (socketpair(PF_LOCAL, SOCK_STREAM, 0, pfd) < 0) {
 -	syslog(LOG_ERR, "unable to create backchannel %m");
 -	warnx("internal resource failure");
 -    } else switch (pid = fork()) {
 -    case -1:			/* fork() failure */
 -	close(pfd[0]);
 -	close(pfd[1]);
 -	syslog(LOG_ERR, "fork %s: %m", path);
 -	warnx("internal resource failure");
 -	break;
 -    case 0:			/* child process */
 -	close(pfd[0]);
 -	if (pfd[1] != AUTHCOMM_FD) {
 -	    if (dup2(pfd[1], AUTHCOMM_FD) < 0)
 -		err(1, "dup backchannel");
 -	    close(pfd[1]);
 -	}
 -	for (r = getdtablesize(); --r > AUTHCOMM_FD; )
 -	    close(r);
 -	execve(path, argv, auth_environ);
 -	syslog(LOG_ERR, "exec %s: %m", path);
 -	err(1, path);
 -    default:			/* parent */
 -	close(pfd[1]);
 -	if (data && nbytes)
 -	    write(pfd[0], data, nbytes);
 -	r = spooldata(pfd[0]);
 -	close(pfd[0]);
 -	if (waitpid(pid, &status, 0) < 0) {
 -	    syslog(LOG_ERR, "%s: waitpid: %m", path);
 -	    warnx("internal failure");
 -	    r = -1;
 -	} else {
 -	    if (r != 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
 -		r = -1;
 -	}
 -	/* kill the buffer if it is of no use */
 -	if (r != 0) {
 -	    free(spoolbuf);
 -	    spoolbuf = NULL;
 -	    spoolidx = 0;
 -	}
 -	break;
 -    }
 -    return r;
 -}
 -
 -
 -
 -/*
 - * auth_script()
 - * Runs an authentication program with specified arguments.
 - * It sets up file descriptor 3 for the program to write to;
 - * it stashes the output somewhere.  The output of the program
 - * consists of statements:
 - *	reject [challenge|silent]
 - *	authorize [root|secure]
 - *	setenv <name> [<value>]
 - *	remove <file>
 - *
 - * Terribly exciting, isn't it?
 - * Output cannot exceed AUTHMAXSPOOL characters.
 - */
 -
 -int
 -auth_script(const char *path, ...)
 -{
 -    int		r;
 -    va_list	ap;
 -
 -    va_start(ap, path);
 -    r = _auth_script(NULL, 0, path, ap);
 -    va_end(ap);
 -    return r;
 -}
 -
 -
 -int
 -auth_script_data(const char *data, int nbytes, const char *path, ...)
 -{
 -    int		r;
 -    va_list	ap;
 -
 -    va_start(ap, path);
 -    r = _auth_script(data, nbytes, path, ap);
 -    va_end(ap);
 -    return r;
 -}
 -
 -
 -static void
 -add_rmlist(const char *file)
 -{
 -    struct rmfiles *rm;
 -
 -    if ((rm = malloc(sizeof(struct rmfiles) + strlen(file) + 1)) == NULL)
 -	syslog(LOG_ERR, "add_rmfile malloc: %m");
 -    else {
 -	strcpy(rm->file, file);
 -	rm->next = rmfirst;
 -	rmfirst = rm;
 -    }
 -}
 -
 -
 -int
 -auth_scan(int okay)
 -{
 -    int	    idx = 0;
 -    char    *line;
 -
 -    while ((line = nextline(&idx)) != NULL) {
 -	if (!strncasecmp(line, BI_REJECT, sizeof(BI_REJECT)-1)) {
 -	    line += sizeof(BI_REJECT) - 1;
 -	    while (*line && isspace(*line))
 -		++line;
 -	    if (*line) {
 -		if (!strcasecmp(line, "silent"))
 -		    return AUTH_SILENT;
 -		if (!strcasecmp(line, "challenge"))
 -		    return AUTH_CHALLENGE;
 -	    }
 -	    return 0;
 -	} else if (!strncasecmp(line, BI_AUTH, sizeof(BI_AUTH)-1)) {
 -	    line += sizeof(BI_AUTH) - 1;
 -	    while (*line && isspace(*line))
 -		++line;
 -	    if (*line == '\0')
 -		okay |= AUTH_OKAY;
 -	    else if (!strcasecmp(line, "root"))
 -		okay |= AUTH_ROOTOKAY;
 -	    else if (!strcasecmp(line, "secure"))
 -		okay |= AUTH_SECURE;
 -	}
 -	else if (!strncasecmp(line, BI_REMOVE, sizeof(BI_REMOVE)-1)) {
 -	    line += sizeof(BI_REMOVE) - 1;
 -	    while (*line && isspace(*line))
 -		++line;
 -	    if (*line)
 -		add_rmlist(line);
 -	}
 -    }
 -
 -    return okay;
 -}
 -
 -
 -int
 -auth_setopt(const char *n, const char *v)
 -{
 -    int		    r;
 -    struct authopts *e;
 -
 -    if ((e = malloc(sizeof(*e) + strlen(n) + strlen(v) + 1)) == NULL)
 -	r = -1;
 -    else {
 -	sprintf(e->opt, "%s=%s", n, v);
 -	e->next = optfirst;
 -	optfirst = e;
 -	r = 0;
 -    }
 -    return r;
 -}
 -
 -
 -void
 -auth_clropts(void)
 -{
 -    struct authopts *e;
 -
 -    while ((e = optfirst) != NULL) {
 -	optfirst = e->next;
 -	free(e);
 -    }
 -}
 -
 -
 -void
 -auth_rmfiles(void)
 -{
 -    struct rmfiles  *rm;
 -
 -    while ((rm = rmfirst) != NULL) {
 -	unlink(rm->file);
 -	rmfirst = rm->next;
 -	free(rm);
 -    }
 -}
 -
 -#endif
 -
  
  /*
   * auth_checknologin()
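
Review bot: the functions removed in this hunk (auth_check(), auth_response(), auth_approve(), auth_env(), auth_value(), auth_mkvalue(), auth_script(), auth_script_data(), auth_scan(), auth_setopt(), auth_clropts(), auth_rmfiles()) are all non-static, yet the patch contains no header diff, so their prototypes stay declared with no definition behind them. Remove the prototypes in the same commit, along with any of the AUTH_*, BI_* and _PATH_AUTHPROG macros that the remaining code does not use and any man page that documents these functions.
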
 Index: usr.bin/su/Makefile
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/su/Makefile,v
 retrieving revision 1.21
 diff -u -d -r1.21 Makefile
 --- Makefile	1998/09/19 22:42:05	1.21
 +++ Makefile	1999/08/16 08:53:21
 @@ -4,24 +4,16 @@
  PROG=	su
  SRCS=	su.c
  
 -#LC_AUTH=-DLOGIN_CAP_AUTH
 -COPTS+= -DLOGIN_CAP $(LC_AUTH)
 -LDADD+= -lutil
 -DPADD+= ${LIBUTIL}
 -
 -.if !defined(LC_AUTH)
 -COPTS+=	-DSKEY
 -LDADD+= -lskey -lmd -lcrypt
 -DPADD+= ${LIBSKEY} ${LIBMD} ${LIBCRYPT}
 -.endif
 +COPTS+=	-DLOGIN_CAP -DSKEY
 +DPADD=	${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT}
 +LDADD=	-lutil -lskey -lmd -lcrypt
  
  .if defined(WHEELSU)
  COPTS+=	-DWHEELSU
  .endif
  CFLAGS+= -Wall
  
 -.if exists(${DESTDIR}${LIBDIR}/libkrb.a) && defined(MAKE_KERBEROS4) \
 -	&& !defined(LC_AUTH)
 +.if exists(${DESTDIR}${LIBDIR}/libkrb.a) && defined(MAKE_KERBEROS4)
  CFLAGS+=-DKERBEROS
  DPADD+=	${LIBKRB} ${LIBDES}
  LDADD+=	-lkrb -ldes
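
Review bot: `DPADD=` and `LDADD=` replace the old `+=` with plain assignment, which discards anything set earlier and is inconsistent with the `COPTS+=` line just above and with the `DPADD+=`/`LDADD+=` in the KERBEROS block below. Keep `+=` here unless overriding is intended. Making -DSKEY and the skey/md/crypt libraries unconditional matches what the old `.if !defined(LC_AUTH)` branch did in the default build, so that part is fine.
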
 Index: usr.bin/su/su.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/su/su.c,v
 retrieving revision 1.29
 diff -u -d -r1.29 su.c
 --- su.c	1998/10/09 20:14:48	1.29
 +++ su.c	1999/08/16 08:54:56
 @@ -63,10 +63,6 @@
  
  #ifdef LOGIN_CAP
  #include <login_cap.h>
 -#ifdef LOGIN_CAP_AUTH
 -#undef SKEY
 -#undef KERBEROS
 -#endif
  #endif
  
  #ifdef	SKEY
 @@ -121,9 +117,6 @@
  	login_cap_t *lc;
  	char *class=NULL;
  	int setwhat;
 -#ifdef LOGIN_CAP_AUTH
 -	char *style, *approvep, *auth_method = NULL;
 -#endif
  #endif
  #ifdef KERBEROS
  	char *k;
 @@ -221,15 +214,6 @@
  		}
  	}
  
 -#ifdef LOGIN_CAP_AUTH
 -	if (auth_method = strchr(user, ':')) {
 -		*auth_method = '\0';
 -		auth_method++;
 -		if (*auth_method == '\0')
 -			auth_method = NULL;
 -	}
 -#endif /* !LOGIN_CAP_AUTH */
 -
  	/* get target login information, default to root */
  	if ((pwd = getpwnam(user)) == NULL) {
  		errx(1, "unknown login: %s", user);
 @@ -284,40 +268,6 @@
  		}
  		/* if target requires a password, verify it */
  		if (*pwd->pw_passwd) {
 -#ifdef LOGIN_CAP_AUTH
 -		/*
 -		 * This hands off authorisation to an authorisation program,
 -		 * depending on the styles available for the "auth-su",
 -		 * authorisation styles.
 -		 */
 -		if ((style = login_getstyle(lc, auth_method, "su")) == NULL)
 -			errx(1, "auth method available for su.\n");
 -		if (authenticate(user, lc ? lc->lc_class : "default", style, "su") != 0) {
 -#ifdef WHEELSU
 -			if (!iswheelsu || authenticate(username, lc ? lc->lc_class : "default", style, "su") != 0) {
 -#endif /* WHEELSU */
 -			{
 -			fprintf(stderr, "Sorry\n");
 -			syslog(LOG_AUTH|LOG_WARNING,"BAD SU %s to %s%s", username, user, ontty());
 -			exit(1);
 -			}
 -		}
 -
 -		/*
 -		 * If authentication succeeds, run any approval
 -		 * program, if applicable for this class.
 -		 */
 -		approvep = login_getcapstr(lc, "approve", NULL, NULL);
 -		if (approvep==NULL || auth_script(approvep, approvep, username, lc->lc_class, 0) == 0) {
 -			int     r = auth_scan(AUTH_OKAY);
 -			/* See what the authorise program says */
 -			if (!(r & AUTH_ROOTOKAY) && pwd->pw_uid == 0) {
 -				fprintf(stderr, "Sorry\n");
 -				syslog(LOG_AUTH|LOG_WARNING,"UNAPPROVED ROOT SU %s%s", user, ontty());
 -				exit(1);
 -			}
 -		}
 -#else /* !LOGIN_CAP_AUTH */
  #ifdef	SKEY
  #ifdef WHEELSU
  			if (iswheelsu) {
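
Review bot: the commit message should record that the block removed under `if (*pwd->pw_passwd) {` was not buildable as written, so dropping it loses no working feature. It calls authenticate(), while the code removed from login_auth.c in this same patch defines auth_check() and no authenticate(), and with WHEELSU defined it opens three braces and closes only two. After this hunk su also stops reading the "approve" capability, which agrees with the `approve` row already being commented out in the login.conf.5 context lines.
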
 @@ -348,7 +298,6 @@
  				pwd = getpwnam(user);
  			}
  #endif /* WHEELSU */
 -#endif /* LOGIN_CAP_AUTH */
  		}
  		if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) {
  			fprintf(stderr, "Sorry - account expired\n");
 
State-Changed-From-To: analyzed->closed 
State-Changed-By: sheldonh 
State-Changed-When: Fri Sep 10 08:19:37 PDT 1999 
State-Changed-Why:  
Merged to STABLE. This means that 3.3-RELEASE will go out sans 
this cruft. 
>Unformatted:
