2 files changed, 20 insertions, 2 deletions

diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8 b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8
index b5392029c2ed..93f01c1136a5 100644
--- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8
+++ b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8
@@ -96,7 +96,16 @@ Otherwise, it returns
 .Dv PAM_AUTH_ERR .
 .Pp
 The following options may be passed to the authentication module:
-.Bl -tag -width ".Cm no_warn"
+.Bl -tag -width ".Cm allow_local"
+.It Cm allow_local
+Always allow local logins.
+If this option is not specified, local logins are treated as remote
+logins from
+.Dq localhost ,
+and will be refused unless an appropriate
+.Dq allow
+entry exists in
+.Pa /etc/opieaccess .
 .It Cm debug
 .Xr syslog 3
 debugging information at
@@ -107,6 +116,14 @@ suppress warning messages to the user.
 These messages include reasons why the user's authentication attempt
 was declined.
 .El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa /etc/opieaccess
+List of trusted hosts or networks.
+See
+.Xr opieaccess 5
+for a description of its syntax.
+.El
 .Sh SEE ALSO
 .Xr opie 4 ,
 .Xr opieaccess 5 ,
diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
index 3201dc2a8ded..47d443d406ff 100644
--- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
+++ b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
@@ -74,7 +74,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (r != PAM_SUCCESS)
 		return (r);
 	if (rhost == NULL)
-		rhost = "localhost";
+		rhost = openpam_get_option(pamh, "allow_local") ?
+		    "" : "localhost";
 
 	if (opieaccessfile(rhost) != 0 && opiealways(pwent->pw_dir) != 0)
 		return (PAM_SUCCESS);