Vendor import of OpenPAM Calamitevendor/openpam/CALAMITE

87 files changed, 6867 insertions, 0 deletions

diff --git a/contrib/openpam/HISTORY b/contrib/openpam/HISTORY
new file mode 100644
index 000000000000..58ba3c8eddd0
--- /dev/null
+++ b/contrib/openpam/HISTORY
@@ -0,0 +1,6 @@
+============================================================================
+OpenPAM	Calamite						2002-02-09
+
+First (beta) release.
+============================================================================
+$Id$
diff --git a/contrib/openpam/INSTALL b/contrib/openpam/INSTALL
new file mode 100644
index 000000000000..96d8067d0d49
--- /dev/null
+++ b/contrib/openpam/INSTALL
@@ -0,0 +1,25 @@
+
+			  Installing OpenPAM
+			  ==================
+
+1. REQUIREMENTS
+
+  This release of OpenPAM is targeted at FreeBSD-CURRENT, and has not
+  been tested on other platforms.  It should, however, build with
+  little or no trouble other BSDs such as BSDI, Darwin, NetBSD or
+  OpenBSD, and should not prove much of a challenge to port to other
+  platforms, except for the static linking support.
+
+2. CONFIGURATION
+
+  No configuration is necessary or possible at this time.
+
+3. COMPILATION
+
+  Change into the top-level OpenPAM directory and run 'make'.
+
+4. INSTALLATION
+ 
+  Change into the top-level OpenPAM directory and run 'make install'.
+
+$Id$
diff --git a/contrib/openpam/LICENSE b/contrib/openpam/LICENSE
new file mode 100644
index 000000000000..c8076d130b96
--- /dev/null
+++ b/contrib/openpam/LICENSE
@@ -0,0 +1,34 @@
+
+Copyright (c) 2002 Networks Associates Technologies, Inc.
+All rights reserved.
+
+This software was developed for the FreeBSD Project by ThinkSec AS and
+NAI Labs, the Security Research Division of Network Associates, Inc.
+under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+DARPA CHATS research program.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. The name of the author may not be used to endorse or promote
+   products derived from this software without specific prior written
+   permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+$Id$
diff --git a/contrib/openpam/MANIFEST b/contrib/openpam/MANIFEST
new file mode 100644
index 000000000000..9f973ddda0d1
--- /dev/null
+++ b/contrib/openpam/MANIFEST
@@ -0,0 +1,87 @@
+HISTORY
+INSTALL
+LICENSE
+MANIFEST
+Makefile
+README
+RELNOTES
+bin/Makefile
+bin/su/Makefile
+bin/su/su.c
+doc/Makefile
+doc/man/Makefile
+doc/man/pam.3
+doc/man/pam_acct_mgmt.3
+doc/man/pam_authenticate.3
+doc/man/pam_chauthtok.3
+doc/man/pam_close_session.3
+doc/man/pam_end.3
+doc/man/pam_error.3
+doc/man/pam_get_authtok.3
+doc/man/pam_get_data.3
+doc/man/pam_get_item.3
+doc/man/pam_get_user.3
+doc/man/pam_getenv.3
+doc/man/pam_getenvlist.3
+doc/man/pam_info.3
+doc/man/pam_open_session.3
+doc/man/pam_prompt.3
+doc/man/pam_putenv.3
+doc/man/pam_set_data.3
+doc/man/pam_set_item.3
+doc/man/pam_setcred.3
+doc/man/pam_setenv.3
+doc/man/pam_start.3
+doc/man/pam_strerror.3
+doc/man/pam_verror.3
+doc/man/pam_vinfo.3
+doc/man/pam_vprompt.3
+include/security/openpam.h
+include/security/pam_appl.h
+include/security/pam_constants.h
+include/security/pam_modules.h
+include/security/pam_types.h
+lib/Makefile
+lib/openpam_dispatch.c
+lib/openpam_findenv.c
+lib/openpam_impl.h
+lib/openpam_load.c
+lib/openpam_log.c
+lib/openpam_ttyconv.c
+lib/pam_acct_mgmt.c
+lib/pam_authenticate.c
+lib/pam_authenticate_secondary.c
+lib/pam_chauthtok.c
+lib/pam_close_session.c
+lib/pam_end.c
+lib/pam_error.c
+lib/pam_get_authtok.c
+lib/pam_get_data.c
+lib/pam_get_item.c
+lib/pam_get_mapped_authtok.c
+lib/pam_get_mapped_username.c
+lib/pam_get_user.c
+lib/pam_getenv.c
+lib/pam_getenvlist.c
+lib/pam_info.c
+lib/pam_open_session.c
+lib/pam_prompt.c
+lib/pam_putenv.c
+lib/pam_set_data.c
+lib/pam_set_item.c
+lib/pam_set_mapped_authtok.c
+lib/pam_set_mapped_username.c
+lib/pam_setcred.c
+lib/pam_setenv.c
+lib/pam_start.c
+lib/pam_strerror.c
+lib/pam_verror.c
+lib/pam_vinfo.c
+lib/pam_vprompt.c
+modules/Makefile
+modules/pam_deny/Makefile
+modules/pam_deny/pam_deny.c
+modules/pam_dummy/Makefile
+modules/pam_dummy/pam_dummy.c
+modules/pam_permit/Makefile
+modules/pam_permit/pam_permit.c
diff --git a/contrib/openpam/Makefile b/contrib/openpam/Makefile
new file mode 100644
index 000000000000..7fa0b8868894
--- /dev/null
+++ b/contrib/openpam/Makefile
@@ -0,0 +1,43 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+SUBDIR		 =
+SUBDIR		+= modules
+SUBDIR		+= lib
+SUBDIR		+= bin
+SUBDIR		+= doc
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openpam/README b/contrib/openpam/README
new file mode 100644
index 000000000000..f32c8dbfba0a
--- /dev/null
+++ b/contrib/openpam/README
@@ -0,0 +1,30 @@
+OpenPAM is an open source PAM library that focuses on simplicity,
+correctness, and cleanliness.
+
+OpenPAM aims to gather the best features of Solaris PAM, XSSO and
+Linux-PAM, plus some innovations of its own.  In areas where these
+implementations disagree, OpenPAM tries to remain compatible with
+Solaris, at the expense of XSSO conformance and Linux-PAM
+compatibility.
+
+These are some of OpenPAM's features:	 
+
+   - Implements the complete PAM API as described in the original PAM
+     paper and in OSF-RFC 86.0; this corresponds to the full XSSO API
+     except for mappings and secondary authentication.
+
+   - Extends the API with several useful and time-saving functions:
+     pam_error(), pam_get_authtok(), pam_info(), pam_prompt(),
+     pam_setenv(), pam_verror(), pam_vinfo(), pam_vprompt()
+
+   - Offers a number of time-saving convenience functions:
+     openpam_log(), openpam_ttyconv().
+
+   - Performs strict checking of return values from service modules.
+
+   - Reads configuration from /etc/pam.d/, /usr/local/etc/pam.d/ and
+     /etc/pam.conf, in that order; this will be made configurable in a
+     future release.Please direct bug reports and inquiries to
+     openpam@thinksec.com.
+
+$Id$
diff --git a/contrib/openpam/RELNOTES b/contrib/openpam/RELNOTES
new file mode 100644
index 000000000000..9309bc65fbbf
--- /dev/null
+++ b/contrib/openpam/RELNOTES
@@ -0,0 +1,16 @@
+
+		  Release notes for OpenPAM Calamite
+		  ==================================
+
+This is a beta release.
+
+The library itself is mostly complete.  Documentation exists in the
+form of skeletal man pages for the library itself, but no detailed
+documentation is provided in this release.
+
+This release is primarily intended for reviewers and developers
+interested in testing OpenPAM on FreeBSD.  It has not been tested on
+any other OS, though it should build and run with minimal tweaks on
+NetBSD and OpenBSD.
+
+$Id$
diff --git a/contrib/openpam/bin/Makefile b/contrib/openpam/bin/Makefile
new file mode 100644
index 000000000000..e12368de258d
--- /dev/null
+++ b/contrib/openpam/bin/Makefile
@@ -0,0 +1,40 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+SUBDIR		 =
+SUBDIR		+= su
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openpam/bin/su/Makefile b/contrib/openpam/bin/su/Makefile
new file mode 100644
index 000000000000..40533bb5c4d7
--- /dev/null
+++ b/contrib/openpam/bin/su/Makefile
@@ -0,0 +1,44 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+PROG		 = su
+WARNS		?= 4
+CFLAGS		+= -I${.CURDIR}/../../include
+DPADD		 = ${.OBJDIR}/../../lib/libpam.so
+LDADD		 = -L${.OBJDIR}/../../lib -R${.OBJDIR}/../../lib -lpam
+NOMAN		 = YES
+
+.include <bsd.prog.mk>
diff --git a/contrib/openpam/bin/su/su.c b/contrib/openpam/bin/su/su.c
new file mode 100644
index 000000000000..27b6002b575c
--- /dev/null
+++ b/contrib/openpam/bin/su/su.c
@@ -0,0 +1,144 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+#include <sys/wait.h>
+
+#include <err.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+static pam_handle_t *pamh;
+static struct pam_conv pamc;
+
+static void
+usage(void)
+{
+
+	fprintf(stderr, "Usage: su [login [args]]\n");
+	exit(1);
+}
+
+static int
+check(const char *func, int pam_err)
+{
+
+	if (pam_err == PAM_SUCCESS || pam_err == PAM_NEW_AUTHTOK_REQD)
+		return pam_err;
+	openlog("su", LOG_CONS, LOG_AUTH);
+	syslog(LOG_ERR, "%s(): %s", func, pam_strerror(pamh, pam_err));
+	errx(1, "Sorry.");
+}
+
+int
+main(int argc, char *argv[])
+{
+	char hostname[MAXHOSTNAMELEN];
+	const char *user, *tty;
+	struct passwd *pwd;
+	int o, status;
+	pid_t pid;
+
+	while ((o = getopt(argc, argv, "h")) != -1)
+		switch (o) {
+		case 'h':
+		default:
+			usage();
+		}
+
+	argc -= optind;
+	argv += optind;
+
+	/* initialize PAM */
+	pamc.conv = &openpam_ttyconv;
+	pam_start("su", argc ? *argv : "root", &pamc, &pamh);
+
+	/* set some items */
+	gethostname(hostname, sizeof(hostname));
+	check("pam_set_item", pam_set_item(pamh, PAM_RHOST, hostname));
+	user = getlogin();
+	check("pam_set_item", pam_set_item(pamh, PAM_RUSER, user));
+	tty = ttyname(STDERR_FILENO);
+	check("pam_set_item", pam_set_item(pamh, PAM_TTY, tty));
+
+	/* authenticate the applicant */
+	check("pam_authenticate", pam_authenticate(pamh, 0));
+	if (check("pam_acct_mgmt", pam_acct_mgmt(pamh, 0)) ==
+	    PAM_NEW_AUTHTOK_REQD)
+		check("pam_chauthtok",
+		    pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK));
+
+	/* establish the requested credentials */
+	check("pam_setcred", pam_setcred(pamh, PAM_ESTABLISH_CRED));
+
+	/* authentication succeeded; open a session */
+	check("pam_open_session", pam_open_session(pamh, 0));
+
+	if (initgroups(pwd->pw_name, pwd->pw_gid) == -1)
+		err(1, "initgroups()");
+	if (setuid(pwd->pw_uid) == -1)
+		err(1, "setuid()");
+
+	/* XXX export environment variables */
+
+	switch ((pid = fork())) {
+	case -1:
+		err(1, "fork()");
+	case 0:
+		/* child: start a shell */
+		*argv = pwd->pw_shell;
+		execvp(*argv, argv);
+		err(1, "execvp()");
+	default:
+		/* parent: wait for child to exit */
+		waitpid(pid, &status, 0);
+		if (WIFEXITED(status))
+			status = WEXITSTATUS(status);
+		else
+			status = 1;
+	}
+
+	/* close the session and release PAM resources */
+	check("pam_close_session", pam_close_session(pamh, 0));
+	check("pam_end", pam_end(pamh, 0));
+
+	exit(status);
+}
diff --git a/contrib/openpam/doc/Makefile b/contrib/openpam/doc/Makefile
new file mode 100644
index 000000000000..2e2b09bd1fec
--- /dev/null
+++ b/contrib/openpam/doc/Makefile
@@ -0,0 +1,40 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+SUBDIR		 =
+SUBDIR		+= man
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openpam/doc/man/Makefile b/contrib/openpam/doc/man/Makefile
new file mode 100644
index 000000000000..f63e24824575
--- /dev/null
+++ b/contrib/openpam/doc/man/Makefile
@@ -0,0 +1,65 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+MAN		 =
+MAN		+= pam.3
+MAN		+= pam_acct_mgmt.3
+MAN		+= pam_authenticate.3
+MAN		+= pam_chauthtok.3
+MAN		+= pam_close_session.3
+MAN		+= pam_end.3
+MAN		+= pam_error.3
+MAN		+= pam_get_authtok.3
+MAN		+= pam_get_data.3
+MAN		+= pam_get_item.3
+MAN		+= pam_get_user.3
+MAN		+= pam_getenv.3
+MAN		+= pam_getenvlist.3
+MAN		+= pam_info.3
+MAN		+= pam_open_session.3
+MAN		+= pam_prompt.3
+MAN		+= pam_putenv.3
+MAN		+= pam_set_data.3
+MAN		+= pam_set_item.3
+MAN		+= pam_setcred.3
+MAN		+= pam_setenv.3
+MAN		+= pam_start.3
+MAN		+= pam_strerror.3
+MAN		+= pam_verror.3
+MAN		+= pam_vinfo.3
+MAN		+= pam_vprompt.3
+
+.include <bsd.prog.mk>
diff --git a/contrib/openpam/doc/man/pam.3 b/contrib/openpam/doc/man/pam.3
new file mode 100644
index 000000000000..02141b1f418d
--- /dev/null
+++ b/contrib/openpam/doc/man/pam.3
@@ -0,0 +1,160 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM 3
+.Os
+.Sh NAME
+.Nm pam_acct_mgmt ,
+.Nm pam_authenticate ,
+.Nm pam_chauthtok ,
+.Nm pam_close_session ,
+.Nm pam_end ,
+.Nm pam_error ,
+.Nm pam_get_authtok ,
+.Nm pam_get_data ,
+.Nm pam_get_item ,
+.Nm pam_get_user ,
+.Nm pam_getenv ,
+.Nm pam_getenvlist ,
+.Nm pam_info ,
+.Nm pam_open_session ,
+.Nm pam_prompt ,
+.Nm pam_putenv ,
+.Nm pam_set_data ,
+.Nm pam_set_item ,
+.Nm pam_setcred ,
+.Nm pam_setenv ,
+.Nm pam_start ,
+.Nm pam_strerror ,
+.Nm pam_verror ,
+.Nm pam_vinfo ,
+.Nm pam_vprompt
+.Nd Pluggable Authentication Modules Library
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags"
+.Ft int
+.Fn pam_authenticate "pam_handle_t *pamh" "int flags"
+.Ft int
+.Fn pam_chauthtok "pam_handle_t *pamh" "int flags"
+.Ft int
+.Fn pam_close_session "pam_handle_t *pamh" "int flags"
+.Ft int
+.Fn pam_end "pam_handle_t *pamh" "int status"
+.Ft int
+.Fn pam_error "pam_handle_t *pamh" "const char *fmt" "..."
+.Ft int
+.Fn pam_get_authtok "pam_handle_t *pamh" "const char **authtok" "const char *prompt"
+.Ft int
+.Fn pam_get_data "pam_handle_t *pamh" "const char *module_data_name" "void **data"
+.Ft int
+.Fn pam_get_item "pam_handle_t *pamh" "int item_type" "const void **item"
+.Ft int
+.Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt"
+.Ft char *
+.Fn pam_getenv "pam_handle_t *pamh" "const char *name"
+.Ft char **
+.Fn pam_getenvlist "pam_handle_t *pamh"
+.Ft int
+.Fn pam_info "pam_handle_t *pamh" "const char *fmt" "..."
+.Ft int
+.Fn pam_open_session "pam_handle_t *pamh" "int flags"
+.Ft int
+.Fn pam_prompt "pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "..."
+.Ft int
+.Fn pam_putenv "pam_handle_t *pamh" "const char *namevalue"
+.Ft int
+.Fn pam_set_data "pam_handle_t *pamh" "const char *module_data_name" "void *data" "void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)"
+.Ft int
+.Fn pam_set_item "pam_handle_t *pamh" "int item_type" "const void *item"
+.Ft int
+.Fn pam_setcred "pam_handle_t *pamh" "int flags"
+.Ft int
+.Fn pam_setenv "pam_handle_t *pamh" "const char *name" "const char *value" "int overwrite"
+.Ft int
+.Fn pam_start "const char *service" "const char *user" "const struct pam_conv *pam_conv" "pam_handle_t **pamh"
+.Ft const char *
+.Fn pam_strerror "pam_handle_t *pamh" "int error_number"
+.Ft int
+.Fn pam_verror "pam_handle_t *pamh" "const char *fmt" "va_list ap"
+.Ft int
+.Fn pam_vinfo "pam_handle_t *pamh" "const char *fmt" "va_list ap"
+.Ft int
+.Fn pam_vprompt "pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "va_list ap"
+.Sh DESCRIPTION
+.Sh RETURN VALUES
+.Sh SEE ALSO
+.Xr pam_acct_mgmt 3 ,
+.Xr pam_authenticate 3 ,
+.Xr pam_chauthtok 3 ,
+.Xr pam_close_session 3 ,
+.Xr pam_end 3 ,
+.Xr pam_error 3 ,
+.Xr pam_get_authtok 3 ,
+.Xr pam_get_data 3 ,
+.Xr pam_get_item 3 ,
+.Xr pam_get_user 3 ,
+.Xr pam_getenv 3 ,
+.Xr pam_getenvlist 3 ,
+.Xr pam_info 3 ,
+.Xr pam_open_session 3 ,
+.Xr pam_prompt 3 ,
+.Xr pam_putenv 3 ,
+.Xr pam_set_data 3 ,
+.Xr pam_set_item 3 ,
+.Xr pam_setcred 3 ,
+.Xr pam_setenv 3 ,
+.Xr pam_start 3 ,
+.Xr pam_strerror 3 ,
+.Xr pam_verror 3 ,
+.Xr pam_vinfo 3 ,
+.Xr pam_vprompt 3 ,
+.Xr pam.conf 5
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The OpenPAM library and this manual page were developed for the
+FreeBSD Project by ThinkSec AS and NAI Labs, the Security Research
+Division of Network Associates, Inc.  under DARPA/SPAWAR contract
+N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_acct_mgmt.3 b/contrib/openpam/doc/man/pam_acct_mgmt.3
new file mode 100644
index 000000000000..88b54f6ad19e
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_acct_mgmt.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_ACCT_MGMT 3
+.Os
+.Sh NAME
+.Nm pam_acct_mgmt
+.Nd perform PAM account validation procedures
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_authenticate.3 b/contrib/openpam/doc/man/pam_authenticate.3
new file mode 100644
index 000000000000..1885376ca17d
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_authenticate.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_AUTHENTICATE 3
+.Os
+.Sh NAME
+.Nm pam_authenticate
+.Nd perform authentication within the PAM framework
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_authenticate "pam_handle_t *pamh" "int flags"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_chauthtok.3 b/contrib/openpam/doc/man/pam_chauthtok.3
new file mode 100644
index 000000000000..a287f3857ca3
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_chauthtok.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_CHAUTHTOK 3
+.Os
+.Sh NAME
+.Nm pam_chauthtok
+.Nd perform password related functions within the PAM framework
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_chauthtok "pam_handle_t *pamh" "int flags"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_close_session.3 b/contrib/openpam/doc/man/pam_close_session.3
new file mode 100644
index 000000000000..ba91ab3e10f4
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_close_session.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_CLOSE_SESSION 3
+.Os
+.Sh NAME
+.Nm pam_close_session
+.Nd close an existing user session
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_close_session "pam_handle_t *pamh" "int flags"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_end.3 b/contrib/openpam/doc/man/pam_end.3
new file mode 100644
index 000000000000..141aa8390f4d
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_end.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_END 3
+.Os
+.Sh NAME
+.Nm pam_end
+.Nd terminate the PAM transaction
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_end "pam_handle_t *pamh" "int status"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_error.3 b/contrib/openpam/doc/man/pam_error.3
new file mode 100644
index 000000000000..f0216f1ba20f
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_error.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_ERROR 3
+.Os
+.Sh NAME
+.Nm pam_error
+.Nd display an error message
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_error "pam_handle_t *pamh" "const char *fmt" "..."
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_get_authtok.3 b/contrib/openpam/doc/man/pam_get_authtok.3
new file mode 100644
index 000000000000..3bfb70d3a4ef
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_get_authtok.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_GET_AUTHTOK 3
+.Os
+.Sh NAME
+.Nm pam_get_authtok
+.Nd retrieve authentication token
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_get_authtok "pam_handle_t *pamh" "const char **authtok" "const char *prompt"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_get_data.3 b/contrib/openpam/doc/man/pam_get_data.3
new file mode 100644
index 000000000000..b622f383f743
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_get_data.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_GET_DATA 3
+.Os
+.Sh NAME
+.Nm pam_get_data
+.Nd get module information
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_get_data "pam_handle_t *pamh" "const char *module_data_name" "void **data"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_get_item.3 b/contrib/openpam/doc/man/pam_get_item.3
new file mode 100644
index 000000000000..3f337fd4ca46
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_get_item.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_GET_ITEM 3
+.Os
+.Sh NAME
+.Nm pam_get_item
+.Nd get PAM information
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_get_item "pam_handle_t *pamh" "int item_type" "const void **item"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_get_user.3 b/contrib/openpam/doc/man/pam_get_user.3
new file mode 100644
index 000000000000..8d8fa30b57dc
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_get_user.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_GET_USER 3
+.Os
+.Sh NAME
+.Nm pam_get_user
+.Nd retrieve user name
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_getenv.3 b/contrib/openpam/doc/man/pam_getenv.3
new file mode 100644
index 000000000000..dd0359ded611
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_getenv.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_GETENV 3
+.Os
+.Sh NAME
+.Nm pam_getenv
+.Nd retrieve the value of a PAM environment variable
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft char *
+.Fn pam_getenv "pam_handle_t *pamh" "const char *name"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_getenvlist.3 b/contrib/openpam/doc/man/pam_getenvlist.3
new file mode 100644
index 000000000000..2fc85e28d61c
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_getenvlist.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_GETENVLIST 3
+.Os
+.Sh NAME
+.Nm pam_getenvlist
+.Nd returns a list of all the PAM environment variables
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft char **
+.Fn pam_getenvlist "pam_handle_t *pamh"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_info.3 b/contrib/openpam/doc/man/pam_info.3
new file mode 100644
index 000000000000..573a8a1cb53c
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_info.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_INFO 3
+.Os
+.Sh NAME
+.Nm pam_info
+.Nd display an information message
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_info "pam_handle_t *pamh" "const char *fmt" "..."
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_open_session.3 b/contrib/openpam/doc/man/pam_open_session.3
new file mode 100644
index 000000000000..3db2b1663923
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_open_session.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_OPEN_SESSION 3
+.Os
+.Sh NAME
+.Nm pam_open_session
+.Nd open a user session
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_open_session "pam_handle_t *pamh" "int flags"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_prompt.3 b/contrib/openpam/doc/man/pam_prompt.3
new file mode 100644
index 000000000000..e3ebef896722
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_prompt.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_PROMPT 3
+.Os
+.Sh NAME
+.Nm pam_prompt
+.Nd call the conversation function
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_prompt "pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "..."
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_putenv.3 b/contrib/openpam/doc/man/pam_putenv.3
new file mode 100644
index 000000000000..7193b96512db
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_putenv.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_PUTENV 3
+.Os
+.Sh NAME
+.Nm pam_putenv
+.Nd set the value of an environment variable
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_putenv "pam_handle_t *pamh" "const char *namevalue"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_set_data.3 b/contrib/openpam/doc/man/pam_set_data.3
new file mode 100644
index 000000000000..b179cb98e579
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_set_data.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_SET_DATA 3
+.Os
+.Sh NAME
+.Nm pam_set_data
+.Nd set module information
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_set_data "pam_handle_t *pamh" "const char *module_data_name" "void *data" "void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_set_item.3 b/contrib/openpam/doc/man/pam_set_item.3
new file mode 100644
index 000000000000..eb4570514695
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_set_item.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_SET_ITEM 3
+.Os
+.Sh NAME
+.Nm pam_set_item
+.Nd set authentication information
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_set_item "pam_handle_t *pamh" "int item_type" "const void *item"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_setcred.3 b/contrib/openpam/doc/man/pam_setcred.3
new file mode 100644
index 000000000000..65913c55cb21
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_setcred.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_SETCRED 3
+.Os
+.Sh NAME
+.Nm pam_setcred
+.Nd modify / delete user credentials for an authentication service
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_setcred "pam_handle_t *pamh" "int flags"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_setenv.3 b/contrib/openpam/doc/man/pam_setenv.3
new file mode 100644
index 000000000000..c2425e355491
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_setenv.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_SETENV 3
+.Os
+.Sh NAME
+.Nm pam_setenv
+.Nd mirrors setenv(3)
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_setenv "pam_handle_t *pamh" "const char *name" "const char *value" "int overwrite"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_start.3 b/contrib/openpam/doc/man/pam_start.3
new file mode 100644
index 000000000000..3eb5212e94e1
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_start.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_START 3
+.Os
+.Sh NAME
+.Nm pam_start
+.Nd initiate a PAM transaction
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_start "const char *service" "const char *user" "const struct pam_conv *pam_conv" "pam_handle_t **pamh"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_strerror.3 b/contrib/openpam/doc/man/pam_strerror.3
new file mode 100644
index 000000000000..55e1e82f0c03
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_strerror.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_STRERROR 3
+.Os
+.Sh NAME
+.Nm pam_strerror
+.Nd get PAM standard error message string
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft const char *
+.Fn pam_strerror "pam_handle_t *pamh" "int error_number"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_verror.3 b/contrib/openpam/doc/man/pam_verror.3
new file mode 100644
index 000000000000..eb74d4db9863
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_verror.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_VERROR 3
+.Os
+.Sh NAME
+.Nm pam_verror
+.Nd display an error message
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_verror "pam_handle_t *pamh" "const char *fmt" "va_list ap"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_vinfo.3 b/contrib/openpam/doc/man/pam_vinfo.3
new file mode 100644
index 000000000000..bbd7efbc5bca
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_vinfo.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_VINFO 3
+.Os
+.Sh NAME
+.Nm pam_vinfo
+.Nd display an information message
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_vinfo "pam_handle_t *pamh" "const char *fmt" "va_list ap"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_vprompt.3 b/contrib/openpam/doc/man/pam_vprompt.3
new file mode 100644
index 000000000000..e6e29a37fdb7
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_vprompt.3
@@ -0,0 +1,73 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 9, 2002
+.Dt PAM_VPROMPT 3
+.Os
+.Sh NAME
+.Nm pam_vprompt
+.Nd call the conversation function
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.Ft int
+.Fn pam_vprompt "pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "va_list ap"
+.Sh DESCRIPTION
+The
+.Nm
+function is not yet documented.
+.Sh RETURN VALUES
+The
+.Fn
+function returns one of the following values:
+.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING
+.El
+.Sh SEE ALSO
+.Xr pam_strerror 3 ,
+.Xr pam 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/include/security/openpam.h b/contrib/openpam/include/security/openpam.h
new file mode 100644
index 000000000000..5b5497f0f2ea
--- /dev/null
+++ b/contrib/openpam/include/security/openpam.h
@@ -0,0 +1,210 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef _SECURITY_OPENPAM_H_INCLUDED
+#define _SECURITY_OPENPAM_H_INCLUDED
+
+/*
+ * Annoying but necessary header pollution
+ */
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * API extensions
+ */
+int
+pam_error(pam_handle_t *_pamh,
+	const char *_fmt,
+	...);
+
+int
+pam_get_authtok(pam_handle_t *_pamh,
+	const char **_authtok,
+	const char *_prompt);
+
+int
+pam_info(pam_handle_t *_pamh,
+	const char *_fmt,
+	...);
+
+int
+pam_prompt(pam_handle_t *_pamh,
+	int _style,
+	char **_resp,
+	const char *_fmt,
+	...);
+
+int
+pam_setenv(pam_handle_t *_pamh,
+	const char *_name,
+	const char *_value,
+	int _overwrite);
+
+int
+pam_vinfo(pam_handle_t *_pamh,
+	const char *_fmt,
+	va_list _ap);
+
+int
+pam_verror(pam_handle_t *_pamh,
+	const char *_fmt,
+	va_list _ap);
+
+int
+pam_vprompt(pam_handle_t *_pamh,
+	int _style,
+	char **_resp,
+	const char *_fmt,
+	va_list _ap);
+
+/*
+ * Log levels
+ */
+enum {
+	PAM_LOG_DEBUG,
+	PAM_LOG_VERBOSE,
+	PAM_LOG_NOTICE,
+	PAM_LOG_ERROR
+};
+
+/*
+ * Log to syslog
+ */
+void _openpam_log(int _level,
+	const char *_func,
+	const char *_fmt,
+	...);
+
+#if defined(__STDC__) && (__STDC_VERSION__ > 199901L)
+#define openpam_log(lvl, fmt, ...) \
+	_openpam_log((lvl), __func__, fmt, __VA_ARGS__)
+#elif defined(__GNUC__)
+#define openpam_log(lvl, fmt...) \
+	_openpam_log((lvl), __func__, ##fmt)
+#else
+extern openpam_log(int _level, const char *_format, ...);
+#endif
+
+/*
+ * Generic conversation function
+ */
+struct pam_message;
+struct pam_response;
+int openpam_ttyconv(int _n,
+	const struct pam_message **_msg,
+	struct pam_response **_resp,
+	void *_data);
+
+/*
+ * PAM primitives
+ */
+enum {
+	PAM_SM_AUTHENTICATE,
+	PAM_SM_SETCRED,
+	PAM_SM_ACCT_MGMT,
+	PAM_SM_OPEN_SESSION,
+	PAM_SM_CLOSE_SESSION,
+	PAM_SM_CHAUTHTOK,
+	/* keep this last */
+	PAM_NUM_PRIMITIVES
+};
+
+/*
+ * Dummy service module function
+ */
+#define PAM_SM_DUMMY(type)						\
+PAM_EXTERN int								\
+pam_sm_##type(pam_handle_t *pamh, int flags,				\
+    int argc, const char *argv[])					\
+{									\
+	return (PAM_IGNORE);						\
+}
+
+/*
+ * PAM service module functions match this typedef
+ */
+struct pam_handle;
+typedef int (*pam_func_t)(struct pam_handle *, int, int, const char **);
+
+/*
+ * A struct that describes a module.
+ */
+typedef struct pam_module pam_module_t;
+struct pam_module {
+	const char	*path;
+	pam_func_t	 func[PAM_NUM_PRIMITIVES];
+	void		*dlh;
+	int		 refcount;
+	pam_module_t	*prev;
+	pam_module_t	*next;
+};
+
+/*
+ * Infrastructure for static modules using GCC linker sets.
+ * You are not expected to understand this.
+ */
+#if defined(__GNUC__) && !defined(__PIC__)
+#if defined(__FreeBSD__)
+#define PAM_SOEXT ".so"
+#else
+#error Static linking is not supported on your platform
+#endif
+/* gcc, static linking */
+#include <sys/cdefs.h>
+#include <linker_set.h>
+#define OPENPAM_STATIC_MODULES
+#define PAM_EXTERN static
+#define PAM_MODULE_ENTRY(name)						\
+static struct pam_module _pam_module = { name PAM_SOEXT, {		\
+    pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt,		\
+    pam_sm_open_session, pam_sm_close_session, pam_sm_chauthtok },	\
+    NULL, 0, NULL, NULL };						\
+DATA_SET(_openpam_modules, _pam_module)
+#else
+/* normal case */
+#define PAM_EXTERN
+#define PAM_MODULE_ENTRY(name)
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/contrib/openpam/include/security/pam_appl.h b/contrib/openpam/include/security/pam_appl.h
new file mode 100644
index 000000000000..f3e7e600ab09
--- /dev/null
+++ b/contrib/openpam/include/security/pam_appl.h
@@ -0,0 +1,180 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef _PAM_APPL_H_INCLUDED
+#define _PAM_APPL_H_INCLUDED
+
+#include <security/pam_types.h>
+#include <security/pam_constants.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * XSSO 4.2.1, 6
+ */
+
+int
+pam_acct_mgmt(pam_handle_t *_pamh,
+	int _flags);
+
+int
+pam_authenticate(pam_handle_t *_pamh,
+	int _flags);
+
+int
+pam_chauthtok(pam_handle_t *_pamh,
+	int _flags);
+
+int
+pam_close_session(pam_handle_t *_pamh,
+	int _flags);
+
+int
+pam_end(pam_handle_t *_pamh,
+	int _status);
+
+int
+pam_get_data(pam_handle_t *_pamh,
+	const char *_module_data_name,
+	void **_data);
+
+int
+pam_get_item(pam_handle_t *_pamh,
+	int _item_type,
+	const void **_item);
+
+int
+pam_get_user(pam_handle_t *_pamh,
+	const char **_user,
+	const char *_prompt);
+
+char *
+pam_getenv(pam_handle_t *_pamh,
+	const char *_name);
+
+char **
+pam_getenvlist(pam_handle_t *_pamh);
+
+int
+pam_open_session(pam_handle_t *_pamh,
+	int _flags);
+
+int
+pam_putenv(pam_handle_t *_pamh,
+	const char *_namevalue);
+
+int
+pam_set_data(pam_handle_t *_pamh,
+	const char *_module_data_name,
+	void *_data,
+	void (*_cleanup)(pam_handle_t *_pamh,
+		void *_data,
+		int _pam_end_status));
+
+int
+pam_set_item(pam_handle_t *_pamh,
+	int _item_type,
+	const void *_item);
+
+int
+pam_setcred(pam_handle_t *_pamh,
+	int _flags);
+
+int
+pam_start(const char *_service,
+	const char *_user,
+	const struct pam_conv *_pam_conv,
+	pam_handle_t **_pamh);
+
+const char *
+pam_strerror(pam_handle_t *_pamh,
+	int _error_number);
+
+/*
+ * Single Sign-On extensions
+ */
+#if 0
+int
+pam_authenticate_secondary(pam_handle_t *_pamh,
+	char *_target_username,
+	char *_target_module_type,
+	char *_target_authn_domain,
+	char *_target_supp_data,
+	char *_target_module_authtok,
+	int _flags);
+
+int
+pam_get_mapped_authtok(pam_handle_t *_pamh,
+	const char *_target_module_username,
+	const char *_target_module_type,
+	const char *_target_authn_domain,
+	size_t *_target_authtok_len,
+	unsigned char **_target_module_authtok);
+
+int
+pam_get_mapped_username(pam_handle_t *_pamh,
+	const char *_src_username,
+	const char *_src_module_type,
+	const char *_src_authn_domain,
+	const char *_target_module_type,
+	const char *_target_authn_domain,
+	char **_target_module_username);
+
+int
+pam_set_mapped_authtok(pam_handle_t *_pamh,
+	const char *_target_module_username,
+	size_t _target_authtok_len,
+	unsigned char *_target_module_authtok,
+	const char *_target_module_type,
+	const char *_target_authn_domain);
+
+int
+pam_set_mapped_username(pam_handle_t *_pamh,
+	char *_src_username,
+	char *_src_module_type,
+	char *_src_authn_domain,
+	char *_target_module_username,
+	char *_target_module_type,
+	char *_target_authn_domain);
+#endif /* 0 */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/contrib/openpam/include/security/pam_constants.h b/contrib/openpam/include/security/pam_constants.h
new file mode 100644
index 000000000000..71d6ba8f0e57
--- /dev/null
+++ b/contrib/openpam/include/security/pam_constants.h
@@ -0,0 +1,128 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef _PAM_CONSTANTS_H_INCLUDED
+#define _PAM_CONSTANTS_H_INCLUDED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * XSSO 5.2
+ */
+enum {
+	PAM_SUCCESS			=   0,
+	PAM_OPEN_ERR			=   1,
+	PAM_SYMBOL_ERR			=   2,
+	PAM_SERVICE_ERR			=   3,
+	PAM_SYSTEM_ERR			=   4,
+	PAM_BUF_ERR			=   5,
+	PAM_CONV_ERR			=   6,
+	PAM_PERM_DENIED			=   7,
+	PAM_MAXTRIES			=   8,
+	PAM_AUTH_ERR			=   9,
+	PAM_NEW_AUTHTOK_REQD		=  10,
+	PAM_CRED_INSUFFICIENT		=  11,
+	PAM_AUTHINFO_UNAVAIL		=  12,
+	PAM_USER_UNKNOWN		=  13,
+	PAM_CRED_UNAVAIL		=  14,
+	PAM_CRED_EXPIRED		=  15,
+	PAM_CRED_ERR			=  16,
+	PAM_ACCT_EXPIRED		=  17,
+	PAM_AUTHTOK_EXPIRED		=  18,
+	PAM_SESSION_ERR			=  19,
+	PAM_AUTHTOK_ERR			=  20,
+	PAM_AUTHTOK_RECOVERY_ERR	=  21,
+	PAM_AUTHTOK_LOCK_BUSY		=  22,
+	PAM_AUTHTOK_DISABLE_AGING	=  23,
+	PAM_NO_MODULE_DATA		=  24,
+	PAM_IGNORE			=  25,
+	PAM_ABORT			=  26,
+	PAM_TRY_AGAIN			=  27,
+	PAM_MODULE_UNKNOWN		=  28,
+	PAM_DOMAIN_UNKNOWN		=  29
+};
+
+/*
+ * XSSO 5.3
+ */
+enum {
+	PAM_PROMPT_ECHO_OFF		=   1,
+	PAM_PROMPT_ECHO_ON		=   2,
+	PAM_ERROR_MSG			=   3,
+	PAM_TEXT_INFO			=   4,
+	PAM_MAX_NUM_MSG			=  32,
+	PAM_MAX_MSG_SIZE		= 512,
+	PAM_MAX_RESP_SIZE		= 512
+};
+
+/*
+ * XSSO 5.4
+ */
+enum {
+	PAM_SILENT			= 0x80000000,
+	PAM_DISALLOW_NULL_AUTHTOK	= 0x1,
+	PAM_ESTABLISH_CRED		= 0x1,
+	PAM_DELETE_CRED			= 0x2,
+	PAM_REINITIALISE_CRED		= 0x4,
+	PAM_REFRESH_CRED		= 0x8,
+	PAM_PRELIM_CHECK		= 0x1,
+	PAM_UPDATE_AUTHTOK		= 0x2,
+	PAM_CHANGE_EXPIRED_AUTHTOK	= 0x4
+};
+
+/*
+ * XSSO 5.5
+ */
+enum {
+	PAM_SERVICE			=   1,
+	PAM_USER			=   2,
+	PAM_TTY				=   3,
+	PAM_RHOST			=   4,
+	PAM_CONV			=   5,
+	PAM_AUTHTOK			=   6,
+	PAM_OLDAUTHTOK			=   7,
+	PAM_RUSER			=   8,
+	PAM_USER_PROMPT			=   9,
+	PAM_AUTHTOK_PROMPT		=  10		/* OpenPAM extension */
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/contrib/openpam/include/security/pam_modules.h b/contrib/openpam/include/security/pam_modules.h
new file mode 100644
index 000000000000..35c8eb96766c
--- /dev/null
+++ b/contrib/openpam/include/security/pam_modules.h
@@ -0,0 +1,148 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef _PAM_MODULES_H_INCLUDED
+#define _PAM_MODULES_H_INCLUDED
+
+#include <security/pam_types.h>
+#include <security/pam_constants.h>
+#include <security/openpam.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * XSSO 4.2.2, 6
+ */
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *_pamh,
+	int _flags,
+	int _argc,
+	const char **_argv);
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *_pamh,
+	int _flags,
+	int _argc,
+	const char **_argv);
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *_pamh,
+	int _flags,
+	int _argc,
+	const char **_argv);
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *_pamh,
+	int _flags,
+	int _args,
+	const char **_argv);
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *_pamh,
+	int _flags,
+	int _argc,
+	const char **_argv);
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *_pamh,
+	int _flags,
+	int _argc,
+	const char **_argv);
+
+/*
+ * Single Sign-On extensions
+ */
+#if 0
+PAM_EXTERN int
+pam_sm_authenticate_secondary(pam_handle_t *_pamh,
+	char *_target_username,
+	char *_target_module_type,
+	char *_target_authn_domain,
+	char *_target_supp_data,
+	unsigned char *_target_module_authtok,
+	int _flags,
+	int _argc,
+	const char **_argv);
+
+PAM_EXTERN int
+pam_sm_get_mapped_authtok(pam_handle_t *_pamh,
+	char *_target_module_username,
+	char *_target_module_type,
+	char *_target_authn_domain,
+	size_t *_target_authtok_len,
+	unsigned char **_target_module_authtok,
+	int _argc,
+	char *_argv);
+
+PAM_EXTERN int
+pam_sm_get_mapped_username(pam_handle_t *_pamh,
+	char *_src_username,
+	char *_src_module_type,
+	char *_src_authn_domain,
+	char *_target_module_type,
+	char *_target_authn_domain,
+	char **_target_module_username,
+	int _argc,
+	const char **_argv);
+
+PAM_EXTERN int
+pam_sm_set_mapped_authtok(pam_handle_t *_pamh,
+	char *_target_module_username,
+	size_t _target_authtok_len,
+	unsigned char *_target_module_authtok,
+	char *_target_module_type,
+	char *_target_authn_domain,
+	int _argc,
+	const char *_argv);
+
+PAM_EXTERN int
+pam_sm_set_mapped_username(pam_handle_t *_pamh,
+	char *_target_module_username,
+	char *_target_module_type,
+	char *_target_authn_domain,
+	int _argc,
+	const char **_argv);
+
+#endif /* 0 */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/contrib/openpam/include/security/pam_types.h b/contrib/openpam/include/security/pam_types.h
new file mode 100644
index 000000000000..d8ba80b04aed
--- /dev/null
+++ b/contrib/openpam/include/security/pam_types.h
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef _PAM_TYPES_H_INCLUDED
+#define _PAM_TYPES_H_INCLUDED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * XSSO 5.1.1
+ */
+struct pam_message {
+	int	 msg_style;
+	char	*msg;
+};
+
+struct pam_response {
+	char	*resp;
+	int	 resp_retcode;
+};
+
+/*
+ * XSSO 5.1.2
+ */
+struct pam_conv {
+	int	(*conv)(int, const struct pam_message **,
+	    struct pam_response **, void *);
+	void	*appdata_ptr;
+};
+
+/*
+ * XSSO 5.1.3
+ */
+struct pam_handle;
+typedef struct pam_handle pam_handle_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/contrib/openpam/lib/Makefile b/contrib/openpam/lib/Makefile
new file mode 100644
index 000000000000..1fd90410f290
--- /dev/null
+++ b/contrib/openpam/lib/Makefile
@@ -0,0 +1,85 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+LIB		 = pam
+SHLIB_MAJOR	 = 2
+SHLIB_MINOR	 = 0
+
+WARNS		?= 4
+NO_WERROR	 = yes
+CFLAGS		+= -I${.CURDIR}/../include
+
+SRCS		 =
+SRCS		+= openpam_dispatch.c
+SRCS		+= openpam_findenv.c
+SRCS		+= openpam_load.c
+SRCS		+= openpam_log.c
+SRCS		+= openpam_ttyconv.c
+SRCS		+= pam_acct_mgmt.c
+SRCS		+= pam_authenticate.c
+SRCS		+= pam_chauthtok.c
+SRCS		+= pam_close_session.c
+SRCS		+= pam_end.c
+SRCS		+= pam_error.c
+SRCS		+= pam_get_authtok.c
+SRCS		+= pam_get_data.c
+SRCS		+= pam_get_item.c
+SRCS		+= pam_get_user.c
+SRCS		+= pam_getenv.c
+SRCS		+= pam_getenvlist.c
+SRCS		+= pam_info.c
+SRCS		+= pam_open_session.c
+SRCS		+= pam_prompt.c
+SRCS		+= pam_putenv.c
+SRCS		+= pam_set_data.c
+SRCS		+= pam_set_item.c
+SRCS		+= pam_setcred.c
+SRCS		+= pam_setenv.c
+SRCS		+= pam_start.c
+SRCS		+= pam_strerror.c
+SRCS		+= pam_verror.c
+SRCS		+= pam_vinfo.c
+SRCS		+= pam_vprompt.c
+
+.if 0
+SRCS		+= pam_authenticate_secondary.c
+SRCS		+= pam_get_mapped_authtok.c
+SRCS		+= pam_get_mapped_username.c
+SRCS		+= pam_set_mapped_authtok.c
+SRCS		+= pam_set_mapped_username.c
+.endif
+
+.include <bsd.lib.mk>
diff --git a/contrib/openpam/lib/openpam_dispatch.c b/contrib/openpam/lib/openpam_dispatch.c
new file mode 100644
index 000000000000..9c7c2879cbb2
--- /dev/null
+++ b/contrib/openpam/lib/openpam_dispatch.c
@@ -0,0 +1,203 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#if !defined(OPENPAM_RELAX_CHECKS)
+static void _openpam_check_error_code(int, int);
+#else
+#define _openpam_check_error_code(a, b)
+#endif /* !defined(OPENPAM_RELAX_CHECKS) */
+
+/*
+ * Execute a module chain
+ */
+
+int
+openpam_dispatch(pam_handle_t *pamh,
+	int primitive,
+	int flags)
+{
+	pam_chain_t *chain;
+	int err, fail, r;
+
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	/* prevent recursion */
+	if (pamh->current != NULL) {
+		openpam_log(PAM_LOG_ERROR, "indirect recursion");
+		return (PAM_ABORT);
+	}
+
+	/* pick a chain */
+	switch (primitive) {
+	case PAM_SM_AUTHENTICATE:
+	case PAM_SM_SETCRED:
+		chain = pamh->chains[PAM_AUTH];
+		break;
+	case PAM_SM_ACCT_MGMT:
+		chain = pamh->chains[PAM_ACCOUNT];
+		break;
+	case PAM_SM_OPEN_SESSION:
+	case PAM_SM_CLOSE_SESSION:
+		chain = pamh->chains[PAM_SESSION];
+		break;
+	case PAM_SM_CHAUTHTOK:
+		chain = pamh->chains[PAM_PASSWORD];
+		break;
+	default:
+		return (PAM_SYSTEM_ERR);
+	}
+
+	/* execute */
+	for (err = fail = 0; chain != NULL; chain = chain->next) {
+		if (chain->module->func[primitive] == NULL) {
+			openpam_log(PAM_LOG_ERROR, "%s: no %s()",
+			    chain->module->path, _pam_sm_func_name[primitive]);
+			continue;
+		} else {
+			pamh->current = chain;
+			r = (chain->module->func[primitive])(pamh, flags,
+			    chain->optc, (const char **)chain->optv);
+			pamh->current = NULL;
+			openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
+			    chain->module->path, _pam_sm_func_name[primitive],
+			    pam_strerror(pamh, r));
+		}
+
+		if (r == PAM_IGNORE)
+			continue;
+		if (r == PAM_SUCCESS) {
+			/*
+			 * For pam_setcred(), treat "sufficient" as
+			 * "optional".
+			 *
+			 * Note that Solaris libpam does not terminate
+			 * the chain here if a required module has
+			 * previously failed.  I'm not sure why.
+			 */
+			if (chain->flag == PAM_SUFFICIENT &&
+			    primitive != PAM_SM_SETCRED)
+				break;
+		}
+
+		_openpam_check_error_code(primitive, r);
+
+		/*
+		 * Record the return code from the first module to
+		 * fail.  If a required module fails, record the
+		 * return code from the first required module to fail.
+		 */
+		if (err == 0)
+			err = r;
+		if (chain->flag == PAM_REQUIRED && !fail) {
+			fail = 1;
+			err = r;
+		}
+
+		/*
+		 * If a requisite module fails, terminate the chain
+		 * immediately.
+		 */
+		if (chain->flag == PAM_REQUISITE) {
+			fail = 1;
+			break;
+		}
+	}
+
+	return (fail ? err : PAM_SUCCESS);
+}
+
+#if !defined(OPENPAM_RELAX_CHECKS)
+static void
+_openpam_check_error_code(int primitive, int r)
+{
+	/* common error codes */
+	if (r == PAM_SERVICE_ERR ||
+	    r == PAM_BUF_ERR ||
+	    r == PAM_BUF_ERR ||
+	    r == PAM_CONV_ERR ||
+	    r == PAM_PERM_DENIED)
+		return;
+
+	/* specific error codes */
+	switch (primitive) {
+	case PAM_SM_AUTHENTICATE:
+		if (r == PAM_AUTH_ERR ||
+		    r == PAM_CRED_INSUFFICIENT ||
+		    r == PAM_AUTHINFO_UNAVAIL ||
+		    r == PAM_USER_UNKNOWN ||
+		    r == PAM_MAXTRIES)
+			return;
+		break;
+	case PAM_SM_SETCRED:
+		if (r == PAM_CRED_UNAVAIL ||
+		    r == PAM_CRED_EXPIRED ||
+		    r == PAM_USER_UNKNOWN ||
+		    r == PAM_CRED_ERR)
+			return;
+		break;
+	case PAM_SM_ACCT_MGMT:
+		if (r == PAM_USER_UNKNOWN ||
+		    r == PAM_AUTH_ERR ||
+		    r == PAM_NEW_AUTHTOK_REQD ||
+		    r == PAM_ACCT_EXPIRED)
+			return;
+		break;
+	case PAM_SM_OPEN_SESSION:
+	case PAM_SM_CLOSE_SESSION:
+		if (r == PAM_SESSION_ERR)
+			return;
+		break;
+	case PAM_SM_CHAUTHTOK:
+		if (r == PAM_PERM_DENIED ||
+		    r == PAM_AUTHTOK_ERR ||
+		    r == PAM_AUTHTOK_RECOVERY_ERR ||
+		    r == PAM_AUTHTOK_LOCK_BUSY ||
+		    r == PAM_AUTHTOK_DISABLE_AGING)
+			return;
+		break;
+	}
+
+	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
+	    _pam_sm_func_name[primitive], r);
+}
+#endif /* !defined(OPENPAM_RELAX_CHECKS) */
diff --git a/contrib/openpam/lib/openpam_findenv.c b/contrib/openpam/lib/openpam_findenv.c
new file mode 100644
index 000000000000..c32dd272f32b
--- /dev/null
+++ b/contrib/openpam/lib/openpam_findenv.c
@@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * Locate an environment variable
+ */
+
+int
+openpam_findenv(pam_handle_t *pamh,
+	const char *name,
+	size_t len)
+{
+	int i;
+
+	if (pamh == NULL)
+		return (-1);
+
+	for (i = 0; i < pamh->env_count; ++i)
+		if (strncmp(pamh->env[i], name, len) == 0 &&
+		    pamh->env[i][len] == '=')
+			return (i);
+	return (-1);
+}
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
new file mode 100644
index 000000000000..59886288e549
--- /dev/null
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -0,0 +1,106 @@
+/*-
+ * Copyright (c) 2001 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef _OPENPAM_IMPL_H_INCLUDED
+#define _OPENPAM_IMPL_H_INCLUDED
+
+#include <security/openpam.h>
+
+extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES];
+
+/*
+ * Control flags
+ */
+#define PAM_REQUIRED		1
+#define PAM_REQUISITE		2
+#define PAM_SUFFICIENT		3
+#define PAM_OPTIONAL		4
+#define PAM_NUM_CONTROLFLAGS	5
+
+/*
+ * Chains
+ */
+#define PAM_AUTH		0
+#define PAM_ACCOUNT		1
+#define PAM_SESSION		2
+#define PAM_PASSWORD		3
+#define PAM_NUM_CHAINS		4
+
+typedef struct pam_chain pam_chain_t;
+struct pam_chain {
+	pam_module_t	*module;
+	int		 flag;
+	int		 optc;
+	char	       **optv;
+	pam_chain_t	*next;
+};
+
+#define PAM_NUM_ITEMS	       10
+
+typedef struct pam_data pam_data_t;
+struct pam_data {
+	char		*name;
+	void		*data;
+	void		(*cleanup)(pam_handle_t *, void *, int);
+	pam_data_t	*next;
+};
+
+struct pam_handle {
+	char		*service;
+
+	/* chains */
+	pam_chain_t	*chains[PAM_NUM_CHAINS];
+	pam_chain_t	*current;
+
+	/* items and data */
+	void		*item[PAM_NUM_ITEMS];
+	pam_data_t	*module_data;
+
+	/* environment list */
+	char	       **env;
+	int		 env_count;
+	int		 env_size;
+};
+
+#define PAM_OTHER	"other"
+
+int		openpam_dispatch(pam_handle_t *, int, int);
+int		openpam_findenv(pam_handle_t *, const char *, size_t);
+int		openpam_add_module(pam_handle_t *, int, int,
+				   const char *, int, const char **);
+void		openpam_clear_chains(pam_handle_t *);
+
+#endif
diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_load.c
new file mode 100644
index 000000000000..d93895989469
--- /dev/null
+++ b/contrib/openpam/lib/openpam_load.c
@@ -0,0 +1,227 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#ifdef OPENPAM_STATIC_MODULES
+SET_DECLARE(_openpam_modules, pam_module_t);
+#endif
+
+const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = {
+	"pam_sm_acct_mgmt",
+	"pam_sm_authenticate",
+	"pam_sm_chauthtok",
+	"pam_sm_close_session",
+	"pam_sm_open_session",
+	"pam_sm_setcred"
+};
+
+static pam_module_t *modules;
+
+/*
+ * Load a dynamic module, or locate a static one.  Keep a list of
+ * previously found modules to speed up the process.
+ */
+
+static pam_module_t *
+openpam_load_module(const char *path)
+{
+	pam_module_t *module;
+	void *dlh;
+	int i;
+
+	/* check cache first */
+	for (module = modules; module != NULL; module = module->next)
+		if (strcmp(module->path, path) == 0)
+			goto found;
+
+	/* nope; try to load */
+	if ((dlh = dlopen(path, RTLD_NOW)) == NULL) {
+		openpam_log(PAM_LOG_ERROR, "dlopen(): %s", dlerror());
+	} else {
+		if ((module = calloc(1, sizeof *module)) == NULL)
+			goto buf_err;
+		if ((module->path = strdup(path)) == NULL)
+			goto buf_err;
+		module->dlh = dlh;
+		for (i = 0; i < PAM_NUM_PRIMITIVES; ++i)
+			module->func[i] = dlsym(dlh, _pam_sm_func_name[i]);
+	}
+	openpam_log(PAM_LOG_DEBUG, "%s dynamic %s",
+	    (module == NULL) ? "no" : "using", path);
+
+#ifdef OPENPAM_STATIC_MODULES
+	/* look for a static module */
+	if (module == NULL && strchr(path, '/') == NULL) {
+		pam_module_t **modp;
+		
+		SET_FOREACH(modp, _openpam_modules) {
+			if (strcmp((*modp)->path, path) == 0) {
+				module = *modp;
+				break;
+			}
+		}
+		openpam_log(PAM_LOG_DEBUG, "%s static %s",
+		    (module == NULL) ? "no" : "using", path);
+	}
+#endif
+	if (module == NULL)
+		return (NULL);
+	module->next = modules;
+	module->prev = NULL;
+	modules = module;
+ found:
+	++module->refcount;
+	return (module);
+ buf_err:
+	openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+	dlclose(dlh);
+	free(module);
+	return (NULL);
+}
+
+
+/*
+ * Release a module.
+ * XXX highly thread-unsafe
+ */
+
+static void
+openpam_release_module(pam_module_t *module)
+{
+	if (module == NULL)
+		return;
+	--module->refcount;
+	if (module->refcount > 0)
+		/* still in use */
+		return;
+	if (module->refcount < 0) {
+		openpam_log(PAM_LOG_ERROR, "module %s has negative refcount",
+		    module->path);
+		module->refcount = 0;
+	}
+	if (module->dlh == NULL)
+		/* static module */
+		return;
+	dlclose(module->dlh);
+	if (module->prev != NULL)
+		module->prev->next = module->next;
+	if (module->next != NULL)
+		module->next->prev = module->prev;
+	free(module);
+}
+
+
+/*
+ * Destroy a chain, freeing all its links and releasing the modules
+ * they point to.
+ */
+
+static void
+openpam_destroy_chain(pam_chain_t *chain)
+{
+	if (chain == NULL)
+		return;
+	openpam_destroy_chain(chain->next);
+	chain->next = NULL;
+	while (chain->optc--)
+		free(chain->optv[chain->optc]);
+	free(chain->optv);
+	openpam_release_module(chain->module);
+	free(chain);
+}
+
+/*
+ * Add a module to a chain.
+ */
+
+int
+openpam_add_module(pam_handle_t *pamh,
+	int chain,
+	int flag,
+	const char *modpath,
+	int optc,
+	const char *optv[])
+{
+	pam_chain_t *new, *iterator;
+
+	if ((new = calloc(1, sizeof *new)) == NULL)
+		goto buf_err;
+	if ((new->optv = malloc(sizeof(char *) * (optc + 1))) == NULL)
+		goto buf_err;
+	while (optc--)
+		if ((new->optv[new->optc++] = strdup(*optv++)) == NULL)
+			goto buf_err;
+	new->optv[new->optc] = NULL;
+	new->flag = flag;
+	if ((new->module = openpam_load_module(modpath)) == NULL) {
+		openpam_destroy_chain(new);
+		return (PAM_OPEN_ERR);
+	}
+	if ((iterator = pamh->chains[chain]) != NULL) {
+		while (iterator->next != NULL)
+			iterator = iterator->next;
+		iterator->next = new;
+	} else {
+		pamh->chains[chain] = new;
+	}
+	return (PAM_SUCCESS);
+
+ buf_err:
+	openpam_log(PAM_LOG_ERROR, "%m");
+	openpam_destroy_chain(new);
+	return (PAM_BUF_ERR);
+}
+
+
+/*
+ * Clear the chains and release the modules
+ */
+
+void
+openpam_clear_chains(pam_handle_t *pamh)
+{
+	int i;
+
+	for (i = 0; i < PAM_NUM_CHAINS; ++i)
+		openpam_destroy_chain(pamh->chains[i]);
+}
diff --git a/contrib/openpam/lib/openpam_log.c b/contrib/openpam/lib/openpam_log.c
new file mode 100644
index 000000000000..d733b690da7b
--- /dev/null
+++ b/contrib/openpam/lib/openpam_log.c
@@ -0,0 +1,117 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#if defined(openpam_log)
+
+/*
+ * Log a message through syslog(3)
+ */
+
+void
+_openpam_log(int level, const char *func, const char *fmt, ...)
+{
+	va_list ap;
+	char *format;
+	int priority;
+
+	switch (level) {
+	case PAM_LOG_DEBUG:
+		priority = LOG_DEBUG;
+		break;
+	case PAM_LOG_VERBOSE:
+		priority = LOG_INFO;
+		break;
+	case PAM_LOG_NOTICE:
+		priority = LOG_NOTICE;
+		break;
+	case PAM_LOG_ERROR:
+		priority = LOG_ERR;
+		break;
+	}
+	va_start(ap, fmt);
+	if ((format = malloc(strlen(func) + strlen(fmt) + 8)) != NULL) {
+		sprintf(format, "in %s(): %s", func, fmt);
+		vsyslog(priority, format, ap);
+		free(format);
+	} else {
+		vsyslog(priority, fmt, ap);
+	}
+	va_end(ap);
+}
+
+#else
+
+/*
+ * If openpam_log isn't defined as a macro, we're on a platform that
+ * doesn't support varadic macros (or it does but we aren't aware of
+ * it).  Do the next best thing.
+ */
+
+void
+openpam_log(int level, const char *fmt, ...)
+{
+	va_list ap;
+	int priority;
+
+	switch (level) {
+	case PAM_LOG_DEBUG:
+		priority = LOG_DEBUG;
+		break;
+	case PAM_LOG_VERBOSE:
+		priority = LOG_INFO;
+		break;
+	case PAM_LOG_NOTICE:
+		priority = LOG_NOTICE;
+		break;
+	case PAM_LOG_ERROR:
+		priority = LOG_ERR;
+		break;
+	}
+	va_start(ap, fmt);
+	vsyslog(priority, fmt, ap);
+	va_end(ap);
+}
+
+#endif
diff --git a/contrib/openpam/lib/openpam_ttyconv.c b/contrib/openpam/lib/openpam_ttyconv.c
new file mode 100644
index 000000000000..ac7eecd66fd0
--- /dev/null
+++ b/contrib/openpam/lib/openpam_ttyconv.c
@@ -0,0 +1,131 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * Simple tty-based conversation function.
+ */
+
+int
+openpam_ttyconv(int n,
+	 const struct pam_message **msg,
+	 struct pam_response **resp,
+	 void *data)
+{
+	char buf[PAM_MAX_RESP_SIZE];
+	struct termios tattr;
+	tcflag_t lflag;
+	int fd, err, i;
+	size_t len;
+
+	data = data;
+	if (n <= 0 || n > PAM_MAX_NUM_MSG)
+		return (PAM_CONV_ERR);
+	if ((*resp = calloc(n, sizeof **resp)) == NULL)
+		return (PAM_BUF_ERR);
+	fd = fileno(stdin);
+	for (i = 0; i < n; ++i) {
+		resp[i]->resp_retcode = 0;
+		resp[i]->resp = NULL;
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_OFF:
+		case PAM_PROMPT_ECHO_ON:
+			if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+				if (tcgetattr(fd, &tattr) != 0) {
+					openpam_log(PAM_LOG_ERROR,
+					    "tcgetattr(): %m");
+					err = PAM_CONV_ERR;
+					goto fail;
+				}
+				lflag = tattr.c_lflag;
+				tattr.c_lflag &= ~ECHO;
+				if (tcsetattr(fd, TCSAFLUSH, &tattr) != 0) {
+					openpam_log(PAM_LOG_ERROR,
+					    "tcsetattr(): %m");
+					err = PAM_CONV_ERR;
+					goto fail;
+				}
+			}
+			fputs(msg[i]->msg, stderr);
+			buf[0] = '\0';
+			fgets(buf, sizeof buf, stdin);
+			if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+				tattr.c_lflag = lflag;
+				(void)tcsetattr(fd, TCSANOW, &tattr);
+				fputs("\n", stderr);
+			}
+			if (ferror(stdin)) {
+				err = PAM_CONV_ERR;
+				goto fail;
+			}
+			for (len = strlen(buf); len > 0; --len)
+				if (!isspace(buf[len - 1]))
+					break;
+			buf[len] = '\0';
+			if ((resp[i]->resp = strdup(buf)) == NULL) {
+				err = PAM_BUF_ERR;
+				goto fail;
+			}
+			break;
+		case PAM_ERROR_MSG:
+			fputs(msg[i]->msg, stderr);
+			break;
+		case PAM_TEXT_INFO:
+			fputs(msg[i]->msg, stdout);
+			break;
+		default:
+			err = PAM_BUF_ERR;
+			goto fail;
+		}
+	}
+	return (PAM_SUCCESS);
+ fail:
+	while (i)
+		free(resp[--i]);
+	free(*resp);
+	*resp = NULL;
+	return (err);
+}
diff --git a/contrib/openpam/lib/pam_acct_mgmt.c b/contrib/openpam/lib/pam_acct_mgmt.c
new file mode 100644
index 000000000000..d88a24e70962
--- /dev/null
+++ b/contrib/openpam/lib/pam_acct_mgmt.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 32
+ *
+ * Perform PAM account validation procedures
+ */
+
+int
+pam_acct_mgmt(pam_handle_t *pamh,
+	int flags)
+{
+
+	return (openpam_dispatch(pamh, PAM_SM_ACCT_MGMT, flags));
+}
diff --git a/contrib/openpam/lib/pam_authenticate.c b/contrib/openpam/lib/pam_authenticate.c
new file mode 100644
index 000000000000..d98d1dfa01fe
--- /dev/null
+++ b/contrib/openpam/lib/pam_authenticate.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 34
+ *
+ * Perform authentication within the PAM framework
+ */
+
+int
+pam_authenticate(pam_handle_t *pamh,
+	int flags)
+{
+
+	return (openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags));
+}
diff --git a/contrib/openpam/lib/pam_authenticate_secondary.c b/contrib/openpam/lib/pam_authenticate_secondary.c
new file mode 100644
index 000000000000..37a57fe9c0ca
--- /dev/null
+++ b/contrib/openpam/lib/pam_authenticate_secondary.c
@@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_authenticate_secondary(pam_handle_t *pamh,
+	char *target_username,
+	char *target_module_type,
+	char *target_authn_domain,
+	char *target_supp_data,
+	char *target_module_authtok,
+	int flags)
+{
+
+	return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_chauthtok.c b/contrib/openpam/lib/pam_chauthtok.c
new file mode 100644
index 000000000000..c35ed4994c5e
--- /dev/null
+++ b/contrib/openpam/lib/pam_chauthtok.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 38
+ *
+ * Perform password related functions within the PAM framework
+ */
+
+int
+pam_chauthtok(pam_handle_t *pamh,
+	int flags)
+{
+
+	return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags));
+}
diff --git a/contrib/openpam/lib/pam_close_session.c b/contrib/openpam/lib/pam_close_session.c
new file mode 100644
index 000000000000..9b2a1aef3a08
--- /dev/null
+++ b/contrib/openpam/lib/pam_close_session.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 40
+ *
+ * Close an existing user session
+ */
+
+int
+pam_close_session(pam_handle_t *pamh,
+	int flags)
+{
+
+	return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags));
+}
diff --git a/contrib/openpam/lib/pam_end.c b/contrib/openpam/lib/pam_end.c
new file mode 100644
index 000000000000..0fbfdf872a3f
--- /dev/null
+++ b/contrib/openpam/lib/pam_end.c
@@ -0,0 +1,84 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 42
+ *
+ * Terminate the PAM transaction
+ */
+
+int
+pam_end(pam_handle_t *pamh,
+	int status)
+{
+	pam_data_t *dp;
+	int i;
+
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	/* clear module data */
+	while ((dp = pamh->module_data) != NULL) {
+		if (dp->cleanup)
+			(dp->cleanup)(pamh, dp->data, status);
+		pamh->module_data = dp->next;
+		free(dp->name);
+		free(dp);
+	}
+
+	/* clear environment */
+	while (pamh->env_count)
+		free(pamh->env[--pamh->env_count]);
+	free(pamh->env);
+
+	/* clear chains */
+	openpam_clear_chains(pamh);
+
+	/* clear items */
+	for (i = 0; i < PAM_NUM_ITEMS; ++i)
+		pam_set_item(pamh, i, NULL);
+
+	free(pamh);
+
+	return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_error.c b/contrib/openpam/lib/pam_error.c
new file mode 100644
index 000000000000..aded8f188759
--- /dev/null
+++ b/contrib/openpam/lib/pam_error.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an error message
+ */
+
+int
+pam_error(pam_handle_t *pamh,
+	const char *fmt,
+	...)
+{
+	va_list ap;
+	char *rsp;
+	int r;
+
+	va_start(ap, fmt);
+	r = pam_vprompt(pamh, PAM_ERROR_MSG, &rsp, fmt, ap);
+	va_end(ap);
+	free(rsp); /* ignore response */
+	return (r);
+}
diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c
new file mode 100644
index 000000000000..741b02d784ba
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_authtok.c
@@ -0,0 +1,75 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Retrieve authentication token
+ */
+
+int
+pam_get_authtok(pam_handle_t *pamh,
+	const char **authtok,
+	const char *prompt)
+{
+	char *p, *resp;
+	int r;
+
+	if (pamh == NULL || authtok == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
+	if (r == PAM_SUCCESS)
+		return (PAM_SUCCESS);
+	if (prompt == NULL) {
+		if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT,
+		    (const void **)&p) != PAM_SUCCESS || p == NULL)
+			prompt = "Password:";
+	}
+	r = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp,
+	    "%s", prompt ? prompt : p);
+	if (r != PAM_SUCCESS)
+		return (r);
+	*authtok = resp;
+	return (pam_set_item(pamh, PAM_AUTHTOK, *authtok));
+}
diff --git a/contrib/openpam/lib/pam_get_data.c b/contrib/openpam/lib/pam_get_data.c
new file mode 100644
index 000000000000..8b2b09058b92
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_data.c
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 43
+ *
+ * Get module information
+ */
+
+int
+pam_get_data(pam_handle_t *pamh,
+	const char *module_data_name,
+	void **data)
+{
+	pam_data_t *dp;
+
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	for (dp = pamh->module_data; dp != NULL; dp = dp->next)
+		if (strcmp(dp->name, module_data_name) == 0) {
+			*data = dp->data;
+			return (PAM_SUCCESS);
+		}
+
+	return (PAM_NO_MODULE_DATA);
+}
diff --git a/contrib/openpam/lib/pam_get_item.c b/contrib/openpam/lib/pam_get_item.c
new file mode 100644
index 000000000000..7369c48ef8e4
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_item.c
@@ -0,0 +1,74 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 46
+ *
+ * Get PAM information
+ */
+
+int
+pam_get_item(pam_handle_t *pamh,
+	int item_type,
+	const void **item)
+{
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	switch (item_type) {
+	case PAM_SERVICE:
+	case PAM_USER:
+	case PAM_AUTHTOK:
+	case PAM_OLDAUTHTOK:
+	case PAM_TTY:
+	case PAM_RHOST:
+	case PAM_RUSER:
+	case PAM_CONV:
+	case PAM_USER_PROMPT:
+	case PAM_AUTHTOK_PROMPT:
+		*item = pamh->item[item_type];
+		return (PAM_SUCCESS);
+	default:
+		return (PAM_SYSTEM_ERR);
+	}
+}
diff --git a/contrib/openpam/lib/pam_get_mapped_authtok.c b/contrib/openpam/lib/pam_get_mapped_authtok.c
new file mode 100644
index 000000000000..0050c0e32acd
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_mapped_authtok.c
@@ -0,0 +1,49 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_get_mapped_authtok(pam_handle_t *pamh,
+	const char *target_module_username,
+	const char *target_module_type,
+	const char *target_authn_domain,
+	size_t *target_authtok_len,
+	unsigned char **target_module_authtok)
+{
+
+	return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_get_mapped_username.c b/contrib/openpam/lib/pam_get_mapped_username.c
new file mode 100644
index 000000000000..faa78bbeefb1
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_mapped_username.c
@@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_get_mapped_username(pam_handle_t *pamh,
+	const char *src_username,
+	const char *src_module_type,
+	const char *src_authn_domain,
+	const char *target_module_type,
+	const char *target_authn_domain,
+	char **target_module_username)
+{
+
+	return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_get_user.c b/contrib/openpam/lib/pam_get_user.c
new file mode 100644
index 000000000000..17572c46b080
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_user.c
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 52
+ *
+ * Retrieve user name
+ */
+
+int
+pam_get_user(pam_handle_t *pamh,
+	const char **user,
+	const char *prompt)
+{
+	char *p, *resp;
+	int r;
+
+	if (pamh == NULL || user == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	r = pam_get_item(pamh, PAM_USER, (const void **)user);
+	if (r == PAM_SUCCESS)
+		return (PAM_SUCCESS);
+	if (prompt == NULL) {
+		if (pam_get_item(pamh, PAM_USER_PROMPT,
+		    (const void **)&p) != PAM_SUCCESS || p == NULL)
+			prompt = "Login: ";
+	}
+	r = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &resp,
+	    "%s", prompt ? prompt : p);
+	if (r != PAM_SUCCESS)
+		return (r);
+	*user = resp;
+	return (pam_set_item(pamh, PAM_USER, *user));
+}
diff --git a/contrib/openpam/lib/pam_getenv.c b/contrib/openpam/lib/pam_getenv.c
new file mode 100644
index 000000000000..d6bf2194a9e0
--- /dev/null
+++ b/contrib/openpam/lib/pam_getenv.c
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 44
+ *
+ * Retrieve the value of a PAM environment variable
+ */
+
+char *
+pam_getenv(pam_handle_t *pamh,
+	const char *name)
+{
+	int i;
+
+	if (pamh == NULL)
+		return (NULL);
+
+	/* sanity checks */
+	if (name == NULL || strchr(name, '=') != NULL)
+		return (NULL);
+
+	if ((i = openpam_findenv(pamh, name, strlen(name))) == -1)
+		return (NULL);
+	return (strdup(pamh->env[i]));
+}
diff --git a/contrib/openpam/lib/pam_getenvlist.c b/contrib/openpam/lib/pam_getenvlist.c
new file mode 100644
index 000000000000..4409a891ac82
--- /dev/null
+++ b/contrib/openpam/lib/pam_getenvlist.c
@@ -0,0 +1,70 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 45
+ *
+ * Returns a list of all the PAM environment variables
+ */
+
+char **
+pam_getenvlist(pam_handle_t *pamh)
+{
+	char **envlist;
+	int i;
+
+	if (pamh == NULL)
+		return (NULL);
+
+	if ((envlist = malloc(sizeof(char *) * (pamh->env_count + 1))) == NULL)
+		return (NULL);
+	for (i = 0; i < pamh->env_count; ++i) {
+		if ((envlist[i] = strdup(pamh->env[i])) == NULL) {
+			while (i)
+				free(envlist[--i]);
+			free(envlist);
+			return (NULL);
+		}
+	}
+	return (envlist);
+}
diff --git a/contrib/openpam/lib/pam_info.c b/contrib/openpam/lib/pam_info.c
new file mode 100644
index 000000000000..ce1d2b8fb55d
--- /dev/null
+++ b/contrib/openpam/lib/pam_info.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an information message
+ */
+
+int
+pam_info(pam_handle_t *pamh,
+	const char *fmt,
+	...)
+{
+	va_list ap;
+	char *rsp;
+	int r;
+
+	va_start(ap, fmt);
+	r = pam_vprompt(pamh, PAM_TEXT_INFO, &rsp, fmt, ap);
+	va_end(ap);
+	free(rsp); /* ignore response */
+	return (r);
+}
diff --git a/contrib/openpam/lib/pam_open_session.c b/contrib/openpam/lib/pam_open_session.c
new file mode 100644
index 000000000000..dcbf2b8fa580
--- /dev/null
+++ b/contrib/openpam/lib/pam_open_session.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 54
+ *
+ * Open a user session
+ */
+
+int
+pam_open_session(pam_handle_t *pamh,
+	int flags)
+{
+
+	return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags));
+}
diff --git a/contrib/openpam/lib/pam_prompt.c b/contrib/openpam/lib/pam_prompt.c
new file mode 100644
index 000000000000..afc416961096
--- /dev/null
+++ b/contrib/openpam/lib/pam_prompt.c
@@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Call the conversation function
+ */
+
+int
+pam_prompt(pam_handle_t *pamh,
+	int style,
+	char **resp,
+	const char *fmt,
+	...)
+{
+	va_list ap;
+	int r;
+
+	va_start(ap, fmt);
+	r = pam_vprompt(pamh, style, resp, fmt, ap);
+	va_end(ap);
+	return (r);
+}
diff --git a/contrib/openpam/lib/pam_putenv.c b/contrib/openpam/lib/pam_putenv.c
new file mode 100644
index 000000000000..c8701f3e8ef9
--- /dev/null
+++ b/contrib/openpam/lib/pam_putenv.c
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 56
+ *
+ * Set the value of an environment variable
+ */
+
+int
+pam_putenv(pam_handle_t *pamh,
+	const char *namevalue)
+{
+	char **env, *p;
+	int i;
+
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	/* sanity checks */
+	if (namevalue == NULL || (p = strchr(namevalue, '=')) == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	/* see if the variable is already in the environment */
+	if ((i = openpam_findenv(pamh, namevalue, p - namevalue)) != -1) {
+		if ((p = strdup(namevalue)) == NULL)
+			return (PAM_BUF_ERR);
+		free(pamh->env[i]);
+		pamh->env[i] = p;
+		return (PAM_SUCCESS);
+	}
+
+	/* grow the environment list if necessary */
+	if (pamh->env_count == pamh->env_size) {
+		env = realloc(pamh->env, pamh->env_size * 2 + 1);
+		if (env == NULL)
+			return (PAM_BUF_ERR);
+		pamh->env = env;
+		pamh->env_size = pamh->env_size * 2 + 1;
+	}
+
+	/* add the variable at the end */
+	if ((pamh->env[pamh->env_count] = strdup(namevalue)) == NULL)
+		return (PAM_BUF_ERR);
+	++pamh->env_count;
+	return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_set_data.c b/contrib/openpam/lib/pam_set_data.c
new file mode 100644
index 000000000000..59d57510be70
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_data.c
@@ -0,0 +1,83 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 59
+ *
+ * Set module information
+ */
+
+int
+pam_set_data(pam_handle_t *pamh,
+	const char *module_data_name,
+	void *data,
+	void (*cleanup)(pam_handle_t *pamh,
+		void *data,
+		int pam_end_status))
+{
+	pam_data_t *dp;
+
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	for (dp = pamh->module_data; dp != NULL; dp = dp->next) {
+		if (strcmp(dp->name, module_data_name) == 0) {
+			if (dp->cleanup)
+				(dp->cleanup)(pamh, dp->data, PAM_SUCCESS);
+			dp->data = data;
+			dp->cleanup = cleanup;
+			return (PAM_SUCCESS);
+		}
+	}
+
+	if ((dp = malloc(sizeof *dp)) == NULL)
+		return (PAM_BUF_ERR);
+	if ((dp->name = strdup(module_data_name)) == NULL) {
+		free(data);
+		return (PAM_BUF_ERR);
+	}
+	dp->next = pamh->module_data;
+	pamh->module_data = data;
+	return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_set_item.c b/contrib/openpam/lib/pam_set_item.c
new file mode 100644
index 000000000000..1cebfd55aadd
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_item.c
@@ -0,0 +1,95 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 60
+ *
+ * Set authentication information
+ */
+
+int
+pam_set_item(pam_handle_t *pamh,
+	int item_type,
+	const void *item)
+{
+	void **slot, *tmp;
+	size_t size;
+
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	slot = &pamh->item[item_type];
+	switch (item_type) {
+	case PAM_SERVICE:
+	case PAM_USER:
+	case PAM_AUTHTOK:
+	case PAM_OLDAUTHTOK:
+	case PAM_TTY:
+	case PAM_RHOST:
+	case PAM_RUSER:
+	case PAM_USER_PROMPT:
+	case PAM_AUTHTOK_PROMPT:
+		size = strlen(*slot) + 1;
+		if (item != NULL)
+			tmp = strdup(item);
+		break;
+	case PAM_CONV:
+		size = sizeof(struct pam_conv);
+		if (item != NULL)
+			tmp = malloc(size);
+		break;
+	default:
+		return (PAM_SYSTEM_ERR);
+	}
+	if (item != NULL && tmp == NULL)
+		return (PAM_BUF_ERR);
+	if (*slot != NULL) {
+		memset(*slot, 0xd0, size);
+		free(*slot);
+	}
+	*slot = tmp;
+	return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_set_mapped_authtok.c b/contrib/openpam/lib/pam_set_mapped_authtok.c
new file mode 100644
index 000000000000..ad066df65a11
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_mapped_authtok.c
@@ -0,0 +1,49 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_set_mapped_authtok(pam_handle_t *pamh,
+	const char *target_module_username,
+	size_t target_authtok_len,
+	unsigned char *target_module_authtok,
+	const char *target_module_type,
+	const char *target_authn_domain)
+{
+
+	return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_set_mapped_username.c b/contrib/openpam/lib/pam_set_mapped_username.c
new file mode 100644
index 000000000000..fc1298948e3e
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_mapped_username.c
@@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_set_mapped_username(pam_handle_t *pamh,
+	char *src_username,
+	char *src_module_type,
+	char *src_authn_domain,
+	char *target_module_username,
+	char *target_module_type,
+	char *target_authn_domain)
+{
+
+	return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_setcred.c b/contrib/openpam/lib/pam_setcred.c
new file mode 100644
index 000000000000..0ea10ff799d4
--- /dev/null
+++ b/contrib/openpam/lib/pam_setcred.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 57
+ *
+ * Modify / delete user credentials for an authentication service
+ */
+
+int
+pam_setcred(pam_handle_t *pamh,
+	int flags)
+{
+
+	return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags));
+}
diff --git a/contrib/openpam/lib/pam_setenv.c b/contrib/openpam/lib/pam_setenv.c
new file mode 100644
index 000000000000..6165b7cb00df
--- /dev/null
+++ b/contrib/openpam/lib/pam_setenv.c
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Set the value of an environment variable
+ * Mirrors setenv(3)
+ */
+
+int
+pam_setenv(pam_handle_t *pamh,
+	const char *name,
+	const char *value,
+	int overwrite)
+{
+	char *env;
+	int r;
+
+	if (pamh == NULL)
+		return (PAM_SYSTEM_ERR);
+
+	/* sanity checks */
+	if (name == NULL || value == NULL || strchr(name, '=') != NULL)
+		return (PAM_SYSTEM_ERR);
+
+	/* is it already there? */
+	if (!overwrite && openpam_findenv(pamh, name, strlen(name)) != -1)
+		return (PAM_SUCCESS);
+
+	/* set it... */
+	if ((env = malloc(strlen(name) + strlen(value) + 2)) == NULL)
+		return (PAM_BUF_ERR);
+	sprintf(env, "%s=%s", name, value);
+	r = pam_putenv(pamh, env);
+	free(env);
+	return (r);
+}
diff --git a/contrib/openpam/lib/pam_start.c b/contrib/openpam/lib/pam_start.c
new file mode 100644
index 000000000000..ff9cc32ec5a5
--- /dev/null
+++ b/contrib/openpam/lib/pam_start.c
@@ -0,0 +1,292 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+static int _pam_configure_service(pam_handle_t *pamh, const char *service);
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 89
+ *
+ * Initiate a PAM transaction
+ */
+
+int
+pam_start(const char *service,
+	const char *user,
+	const struct pam_conv *pam_conv,
+	pam_handle_t **pamh)
+{
+	struct pam_handle *ph;
+	int r;
+
+	if ((ph = calloc(1, sizeof *ph)) == NULL)
+		return (PAM_BUF_ERR);
+	if ((r = pam_set_item(ph, PAM_SERVICE, service)) != PAM_SUCCESS)
+		goto fail;
+	if ((r = pam_set_item(ph, PAM_USER, user)) != PAM_SUCCESS)
+		goto fail;
+	if ((r = pam_set_item(ph, PAM_CONV, pam_conv)) != PAM_SUCCESS)
+		goto fail;
+
+	if ((r = _pam_configure_service(ph, service)) != PAM_SUCCESS &&
+	    r != PAM_BUF_ERR)
+		r = _pam_configure_service(ph, PAM_OTHER);
+	if (r != PAM_SUCCESS)
+		goto fail;
+
+	*pamh = ph;
+	openpam_log(PAM_LOG_DEBUG, "pam_start(\"%s\") succeeded", service);
+	return (PAM_SUCCESS);
+
+ fail:
+	pam_end(ph, r);
+	return (r);
+}
+
+#define PAM_CONF_STYLE	0
+#define PAM_D_STYLE	1
+#define MAX_LINE_LEN	1024
+#define MAX_OPTIONS	256
+
+static int
+_pam_read_policy_file(pam_handle_t *pamh,
+	const char *service,
+	const char *filename,
+	int style)
+{
+	char buf[MAX_LINE_LEN], *p, *q;
+	const char *optv[MAX_OPTIONS + 1];
+	int ch, chain, flag, line, optc, n, r;
+	size_t len;
+	FILE *f;
+
+	n = 0;
+
+	if ((f = fopen(filename, "r")) == NULL) {
+		openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE,
+		    "%s: %m", filename);
+		return (0);
+	}
+	openpam_log(PAM_LOG_DEBUG, "looking for '%s' in %s",
+	    service, filename);
+
+	for (line = 1; fgets(buf, MAX_LINE_LEN, f) != NULL; ++line) {
+		if ((len = strlen(buf)) == 0)
+			continue;
+
+		/* check for overflow */
+		if (buf[--len] != '\n' && !feof(f)) {
+			openpam_log(PAM_LOG_ERROR, "%s: line %d too long",
+			    filename, line);
+			openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
+			    filename, line);
+			while ((ch = fgetc(f)) != EOF)
+				if (ch == '\n')
+					break;
+			continue;
+		}
+
+		/* strip comments and trailing whitespace */
+		if ((p = strchr(buf, '#')) != NULL)
+			len = p - buf ? p - buf - 1 : p - buf;
+		while (len > 0 && isspace(buf[len]))
+			--len;
+		if (len == 0)
+			continue;
+		buf[len] = '\0';
+		p = q = buf;
+
+		/* check service name */
+		if (style == PAM_CONF_STYLE) {
+			for (q = p = buf; *q != '\0' && !isspace(*q); ++q)
+				/* nothing */;
+			if (*q == '\0')
+				goto syntax_error;
+			*q++ = '\0';
+			if (strcmp(p, service) != 0)
+				continue;
+			openpam_log(PAM_LOG_DEBUG, "%s: line %d matches '%s'",
+			    filename, line, service);
+		}
+
+
+		/* get module type */
+		for (p = q; isspace(*p); ++p)
+			/* nothing */;
+		for (q = p; *q != '\0' && !isspace(*q); ++q)
+			/* nothing */;
+		if (q == p || *q == '\0')
+			goto syntax_error;
+		*q++ = '\0';
+		if (strcmp(p, "auth") == 0) {
+			chain = PAM_AUTH;
+		} else if (strcmp(p, "account") == 0) {
+			chain = PAM_ACCOUNT;
+		} else if (strcmp(p, "session") == 0) {
+			chain = PAM_SESSION;
+		} else if (strcmp(p, "password") == 0) {
+			chain = PAM_PASSWORD;
+		} else {
+			openpam_log(PAM_LOG_ERROR,
+			    "%s: invalid module type on line %d: '%s'",
+			    filename, line, p);
+			continue;
+		}
+
+		/* get control flag */
+		for (p = q; isspace(*p); ++p)
+			/* nothing */;
+		for (q = p; *q != '\0' && !isspace(*q); ++q)
+			/* nothing */;
+		if (q == p || *q == '\0')
+			goto syntax_error;
+		*q++ = '\0';
+		if (strcmp(p, "required") == 0) {
+			flag = PAM_REQUIRED;
+		} else if (strcmp(p, "requisite") == 0) {
+			flag = PAM_REQUISITE;
+		} else if (strcmp(p, "sufficient") == 0) {
+			flag = PAM_SUFFICIENT;
+		} else if (strcmp(p, "optional") == 0) {
+			flag = PAM_OPTIONAL;
+		} else {
+			openpam_log(PAM_LOG_ERROR,
+			    "%s: invalid control flag on line %d: '%s'",
+			    filename, line, p);
+			continue;
+		}
+
+		/* get module name */
+		for (p = q; isspace(*p); ++p)
+			/* nothing */;
+		for (q = p; *q != '\0' && !isspace(*q); ++q)
+			/* nothing */;
+		if (q == p)
+			goto syntax_error;
+
+		/* get options */
+		for (optc = 0; *q != '\0' && optc < MAX_OPTIONS; ++optc) {
+			*q++ = '\0';
+			while (isspace(*q))
+				++q;
+			optv[optc] = q;
+			while (*q != '\0' && !isspace(*q))
+				++q;
+		}
+		optv[optc] = NULL;
+		if (*q != '\0') {
+			*q = '\0';
+			openpam_log(PAM_LOG_ERROR,
+			    "%s: too many options on line %d",
+			    filename, line);
+		}
+
+		/*
+		 * Finally, add the module at the end of the
+		 * appropriate chain and bump the counter.
+		 */
+		r = openpam_add_module(pamh, chain, flag, p, optc, optv);
+		if (r != PAM_SUCCESS)
+			return (-r);
+		++n;
+		continue;
+ syntax_error:
+		openpam_log(PAM_LOG_ERROR, "%s: syntax error on line %d",
+		    filename, line);
+		openpam_log(PAM_LOG_DEBUG, "%s: line %d: [%s]",
+		    filename, line, q);
+		openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
+		    filename, line);
+	}
+
+	if (ferror(f))
+		openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
+
+	fclose(f);
+	return (n);
+}
+
+static const char *_pam_policy_path[] = {
+	"/etc/pam.d/",
+	"/etc/pam.conf",
+	"/usr/local/etc/pam.d/",
+	NULL
+};
+
+static int
+_pam_configure_service(pam_handle_t *pamh,
+	const char *service)
+{
+	const char **path;
+	char *filename;
+	size_t len;
+	int r;
+
+	for (path = _pam_policy_path; *path != NULL; ++path) {
+		len = strlen(*path);
+		if ((*path)[len - 1] == '/') {
+			filename = malloc(len + strlen(service) + 1);
+			if (filename == NULL) {
+				openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+				return (PAM_BUF_ERR);
+			}
+			strcpy(filename, *path);
+			strcat(filename, service);
+			r = _pam_read_policy_file(pamh,
+			    service, filename, PAM_D_STYLE);
+			free(filename);
+		} else {
+			r = _pam_read_policy_file(pamh,
+			    service, *path, PAM_CONF_STYLE);
+		}
+		if (r < 0)
+			return (-r);
+		if (r > 0)
+			return (PAM_SUCCESS);
+	}
+
+	return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_strerror.c b/contrib/openpam/lib/pam_strerror.c
new file mode 100644
index 000000000000..516374c7346b
--- /dev/null
+++ b/contrib/openpam/lib/pam_strerror.c
@@ -0,0 +1,123 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 92
+ *
+ * Get PAM standard error message string
+ */
+
+const char *
+pam_strerror(pam_handle_t *pamh,
+	int error_number)
+{
+	static char unknown[16];
+
+	pamh = pamh;
+
+	switch (error_number) {
+	case PAM_SUCCESS:
+		return ("success");
+	case PAM_OPEN_ERR:
+		return ("failed to load module");
+	case PAM_SYMBOL_ERR:
+		return ("symbol not found in module");
+	case PAM_SERVICE_ERR:
+		return ("error in service module");
+	case PAM_SYSTEM_ERR:
+		return ("system error");
+	case PAM_BUF_ERR:
+		return ("memory buffer error");
+	case PAM_CONV_ERR:
+		return ("conversation failure");
+	case PAM_PERM_DENIED:
+		return ("permission denied");
+	case PAM_MAXTRIES:
+		return ("maximum number of tries exceeded");
+	case PAM_AUTH_ERR:
+		return ("authentication error");
+	case PAM_NEW_AUTHTOK_REQD:
+		return ("new authentication token required");
+	case PAM_CRED_INSUFFICIENT:
+		return ("insufficient credentials");
+	case PAM_AUTHINFO_UNAVAIL:
+		return ("authentication information is unavailable");
+	case PAM_USER_UNKNOWN:
+		return ("unknown user");
+	case PAM_CRED_UNAVAIL:
+		return ("failed to retrieve user credentials");
+	case PAM_CRED_EXPIRED:
+		return ("user credentials have expired");
+	case PAM_CRED_ERR:
+		return ("failed to set user credentials");
+	case PAM_ACCT_EXPIRED:
+		return ("user accound has expired");
+	case PAM_AUTHTOK_EXPIRED:
+		return ("password has expired");
+	case PAM_SESSION_ERR:
+		return ("session failure");
+	case PAM_AUTHTOK_ERR:
+		return ("authentication token failure");
+	case PAM_AUTHTOK_RECOVERY_ERR:
+		return ("failed to recover old authentication token");
+	case PAM_AUTHTOK_LOCK_BUSY:
+		return ("authentication token lock busy");
+	case PAM_AUTHTOK_DISABLE_AGING:
+		return ("authentication token ageing disabled");
+	case PAM_NO_MODULE_DATA:
+		return ("module data not found");
+	case PAM_IGNORE:
+		return ("ignore this module");
+	case PAM_ABORT:
+		return ("general failure");
+	case PAM_TRY_AGAIN:
+		return ("try again");
+	case PAM_MODULE_UNKNOWN:
+		return ("unknown module type");
+	case PAM_DOMAIN_UNKNOWN:
+		return ("unknown authentication domain");
+	default:
+		snprintf(unknown, sizeof unknown, "#%d", error_number);
+		return (unknown);
+	}
+}
diff --git a/contrib/openpam/lib/pam_verror.c b/contrib/openpam/lib/pam_verror.c
new file mode 100644
index 000000000000..feeaa6ebfcf3
--- /dev/null
+++ b/contrib/openpam/lib/pam_verror.c
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an error message
+ */
+
+int
+pam_verror(pam_handle_t *pamh,
+	const char *fmt,
+	va_list ap)
+{
+	char *rsp;
+	int r;
+
+	r = pam_vprompt(pamh, PAM_ERROR_MSG, &rsp, fmt, ap);
+	free(rsp); /* ignore response */
+	return (r);
+}
diff --git a/contrib/openpam/lib/pam_vinfo.c b/contrib/openpam/lib/pam_vinfo.c
new file mode 100644
index 000000000000..24849985ff13
--- /dev/null
+++ b/contrib/openpam/lib/pam_vinfo.c
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an information message
+ */
+
+int
+pam_vinfo(pam_handle_t *pamh,
+	const char *fmt,
+        va_list ap)
+{
+	char *rsp;
+	int r;
+
+	r = pam_vprompt(pamh, PAM_TEXT_INFO, &rsp, fmt, ap);
+	free(rsp); /* ignore response */
+	return (r);
+}
diff --git a/contrib/openpam/lib/pam_vprompt.c b/contrib/openpam/lib/pam_vprompt.c
new file mode 100644
index 000000000000..f090b23653fa
--- /dev/null
+++ b/contrib/openpam/lib/pam_vprompt.c
@@ -0,0 +1,74 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Call the conversation function
+ */
+
+int
+pam_vprompt(pam_handle_t *pamh,
+	int style,
+	char **resp,
+	const char *fmt,
+	va_list ap)
+{
+	char msgbuf[PAM_MAX_MSG_SIZE];
+	struct pam_message msg;
+	const struct pam_message *msgp;
+	struct pam_response *rsp;
+	struct pam_conv conv;
+	int r;
+
+	if ((r = pam_get_item(pamh, PAM_CONV, (void *)&conv)) != PAM_SUCCESS)
+		return (r);
+	vsnprintf(msgbuf, PAM_MAX_MSG_SIZE, fmt, ap);
+	msg.msg_style = style;
+	msg.msg = msgbuf;
+	msgp = &msg;
+	r = (conv.conv)(1, &msgp, &rsp, conv.appdata_ptr);
+	*resp = rsp == NULL ? NULL : rsp->resp;
+	free(rsp);
+	return (r);
+}
diff --git a/contrib/openpam/modules/Makefile b/contrib/openpam/modules/Makefile
new file mode 100644
index 000000000000..006a229df4c3
--- /dev/null
+++ b/contrib/openpam/modules/Makefile
@@ -0,0 +1,42 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+SUBDIR		 =
+SUBDIR		+= pam_deny
+SUBDIR		+= pam_dummy
+SUBDIR		+= pam_permit
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openpam/modules/pam_deny/Makefile b/contrib/openpam/modules/pam_deny/Makefile
new file mode 100644
index 000000000000..acbd994659da
--- /dev/null
+++ b/contrib/openpam/modules/pam_deny/Makefile
@@ -0,0 +1,42 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+LIB		 = pam_deny
+SHLIB_NAME	 = pam_deny.so
+SRCS		 = pam_deny.c
+CFLAGS		+= -I${.CURDIR}/../../include
+
+.include <bsd.lib.mk>
diff --git a/contrib/openpam/modules/pam_deny/pam_deny.c b/contrib/openpam/modules/pam_deny/pam_deny.c
new file mode 100644
index 000000000000..2a219de14411
--- /dev/null
+++ b/contrib/openpam/modules/pam_deny/pam_deny.c
@@ -0,0 +1,89 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_modules.h>
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_PERM_DENIED);
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SESSION_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SESSION_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_PERM_DENIED);
+}
+
+PAM_MODULE_ENTRY("pam_deny");
diff --git a/contrib/openpam/modules/pam_dummy/Makefile b/contrib/openpam/modules/pam_dummy/Makefile
new file mode 100644
index 000000000000..144828c4cba9
--- /dev/null
+++ b/contrib/openpam/modules/pam_dummy/Makefile
@@ -0,0 +1,42 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+LIB		 = pam_dummy
+SHLIB_NAME	 = pam_dummy.so
+SRCS		 = pam_dummy.c
+CFLAGS		+= -I${.CURDIR}/../../include
+
+.include <bsd.lib.mk>
diff --git a/contrib/openpam/modules/pam_dummy/pam_dummy.c b/contrib/openpam/modules/pam_dummy/pam_dummy.c
new file mode 100644
index 000000000000..9d98f37558ac
--- /dev/null
+++ b/contrib/openpam/modules/pam_dummy/pam_dummy.c
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_modules.h>
+
+PAM_SM_DUMMY(authenticate);
+PAM_SM_DUMMY(setcred);
+PAM_SM_DUMMY(acct_mgmt);
+PAM_SM_DUMMY(open_session);
+PAM_SM_DUMMY(close_session);
+PAM_SM_DUMMY(chauthtok);
+
+PAM_MODULE_ENTRY("pam_deny");
diff --git a/contrib/openpam/modules/pam_permit/Makefile b/contrib/openpam/modules/pam_permit/Makefile
new file mode 100644
index 000000000000..93ae3d9a497d
--- /dev/null
+++ b/contrib/openpam/modules/pam_permit/Makefile
@@ -0,0 +1,42 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+#    products derived from this software without specific prior written
+#    permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+LIB		 = pam_permit
+SHLIB_NAME	 = pam_permit.so
+SRCS		 = pam_permit.c
+CFLAGS		+= -I${.CURDIR}/../../include
+
+.include <bsd.lib.mk>
diff --git a/contrib/openpam/modules/pam_permit/pam_permit.c b/contrib/openpam/modules/pam_permit/pam_permit.c
new file mode 100644
index 000000000000..856fb4508e00
--- /dev/null
+++ b/contrib/openpam/modules/pam_permit/pam_permit.c
@@ -0,0 +1,89 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_modules.h>
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+	int argc, const char *argv[])
+{
+
+	return (PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_permit");