Accepting request 1304812 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/1304812 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=149
pam_mkhomedir: building with vendordir option allows fetching skeleton directory from the vendor directory when creating the user home directory.
2025-09-16 16:18:03 +00:00 · 2025-09-15 12:00:47 +00:00 · 2025-08-28 15:18:24 +00:00 · 2025-08-27 14:27:29 +00:00 · 2025-08-21 14:57:31 +00:00 · 2025-08-20 14:40:36 +00:00
13 changed files with 1713 additions and 760 deletions
--- a/Linux-PAM-1.6.1.tar.xz
+++ b/Linux-PAM-1.6.1.tar.xz
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ b/Linux-PAM-1.6.1.tar.xz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
 sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
 47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
 RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
 mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
 cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
 fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
 PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
 o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
 0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
 9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
 UoUkHsbCWJU/ksn/9BIQ
 =Dbz2
 -----END PGP SIGNATURE-----
--- a/Linux-PAM-1.7.1.tar.xz
+++ b/Linux-PAM-1.7.1.tar.xz
--- a/Linux-PAM-1.7.1.tar.xz.asc
+++ b/Linux-PAM-1.7.1.tar.xz.asc
@@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCgAGBQJoUTDGAAoJEKgEH6g54W42RDQQAIKq+ltEn0g/lB0g+xU9SArO
 ItMiZDp6RaLDIRgOxbl1hnQyXvXcW5LYBT36u+e5PLKrtMzc8/S3kDtn2FRsS5KW
 aZaKmZI6UlEQVErMfX2F8/uPvcMRNmqHL7h3+BW8aIWp+WTBO3TIOZxVqNoDFbxj
 L/9G3KYTgcuKjb6XoDlicS68ImcLJC2BPjcaisaoqKRyK504jgYK6Wl6AFo7Fu8r
 PS134LM6gUUxMzdYCpISmO5tZh+uOqtCfbdeOY3bwBeupe2J4D6v7uASF7RqEXPX
 /imsmUkmqLmOOolvLflGDsiz1HaY05LW7CcJngXOV6WKU+HqBg9E5Xclnr0RyvBD
 tmFPeWlgPw+zg+BVUhGAUeLoFCknbtY/7TEB4Jh0Z/Tm+pOUVoQbhrUCI0rAgapN
 dA9i5DCUuEBXRul2YvG7EZGuYs77fzpf/J++b9XKB9kH1Bc3vaaZoaO+lbN8g6Ei
 CbZCmD0ct0UhUTX+FEUG9SkMTomyd9ihz6kuHcuo4eCVbVuDJpF+vEUjVb7no9Aw
 KlZ6/I45GRRjIYYk/vxpgNX05D8xeMxDkXEMcKAHsI/q4oOe7Hsuess47WioiVXL
 xNl6AHjJ4VMcz1xLPR8COA8L3uaZNtxuIGhazZFeJbrfJct5gsf9iv04pdAA73/B
 NtgHrE6GjGSmw+/xX22z
 =RQhR
 -----END PGP SIGNATURE-----
--- a/pam-bsc1194818-cursor-escape.patch
+++ b/pam-bsc1194818-cursor-escape.patch
@@ -1,36 +0,0 @@
 From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
 From: Stanislav Brabec <sbrabec@suse.cz>
 Date: Mon, 22 Jul 2024 23:18:16 +0200
 Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
 Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
 cursor escape from the login prompt using arrows or escape sequences.
 ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
 for example not on pty, allowing cursor to escape.
 Stanislav Brabec <sbrabec@suse.com>
 ---
 libpam_misc/misc_conv.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
 index 7410e929..6b839b48 100644
 --- a/libpam_misc/misc_conv.c
 +++ b/libpam_misc/misc_conv.c
@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
 	    return -1;
 	}
 	memcpy(&term_tmp, &term_before, sizeof(term_tmp));
 -	if (!echo) {
 +	if (echo)
 +	    term_tmp.c_lflag |= ICANON | ECHOCTL;
 +	else
 	    term_tmp.c_lflag &= ~(ECHO);
 -	}
 	have_term = 1;
 	/*
 -- 
 2.45.2
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,77 @@
 -------------------------------------------------------------------
 Mon Sep 15 07:53:29 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 - pam_mkhomedir: building with vendordir option allows fetching skeleton
  directory from the vendor directory when creating the user home directory.
  [+ pam_mkhomedir-Use-vendordir-when-defined.patch, bsc#1245524]
 -------------------------------------------------------------------
 Wed Aug 27 14:20:14 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
 - Update to 1.7.1+git (post-v1.7.1.patch)
  - disable unix_chkpwd by default, only used as fallback again
 - pam_modutil_get-overwrite-password-at-free.patch is included
 -------------------------------------------------------------------
 Tue Aug 19 10:12:13 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 - Make sure that the buffer containing encrypted passwords get's erased,
  before free.
  [pam_modutil_get-overwrite-password-at-free.patch, bsc#1232234,
   CVE-2024-10041]
 -------------------------------------------------------------------
 Wed Jun 18 12:01:57 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
 - hardcode disabling elogind, meson detection is unreliable in OBS
 -------------------------------------------------------------------
 Wed Jun 18 05:38:35 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 1.7.1
  - pam_access: do not resolve ttys or display variables as hostnames.
  - pam_access: added "nodns" option to disallow resolving of tokens
    as hostnames (CVE-2024-10963).
  - pam_limits: added support for rttime (RLIMIT_RTTIME).
  - pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
  - meson: added support of elogind as a logind provider.
  - Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.
 - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted
 -------------------------------------------------------------------
 Mon Mar 24 17:41:34 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
 - Remove unix2_chkpwd, no consumer left
 -------------------------------------------------------------------
 Thu Dec  5 12:44:33 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 - pam_access: rework resolving of tokens as hostname
  - separate resolving of IP addresses from hostnames. Don't resolve TTYs or
    display variables as hostname.
  - Add "nodns" option to disallow resolving of tokens as hostname.
  - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078,
   CVE-2024-10963]
 -------------------------------------------------------------------
 Thu Oct 24 11:57:20 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 1.7.0
  - build: changed build system from autotools to meson.
  - libpam_misc: use ECHOCTL in the terminal input
  - pam_access: support UID and GID in access.conf
  - pam_env: install environment file in vendordir if vendordir is enabled
  - pam_issue: only count class user if logind support is enabled
  - pam_limits: use systemd-logind instead of utmp if logind support is enabled
  - pam_unix: compare password hashes in constant time
  - Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.
 - Drop upstream patches:
  - pam-bsc1194818-cursor-escape.patch
  - pam_limits-systemd.patch
  - pam_issue-systemd.patch
 -------------------------------------------------------------------
 Thu Sep 12 07:50:55 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
@@ -1208,7 +1282,6 @@ Wed Feb 23 12:45:03 UTC 2011 - vcizek@novell.com
  * correct parsing of "quiet" option
 -------------------------------------------------------------------
 Wed Feb 23 10:00:22 UTC 2011 - vcizek@novell.com
 - fix for bnc#673826 (pam_listfile)
--- a/pam.spec
+++ b/pam.spec
@@ -36,10 +36,10 @@
 %endif
 %bcond_without selinux
 %bcond_with debug
 %define flavor @BUILD_FLAVOR@%{nil}
 # List of config files for migration to /usr/etc
 %define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
 	security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
 	security/namespace.conf security/namespace.init security/sepermit.conf
@@ -64,14 +64,13 @@
 %define libpamc_so_version 0.82.1
 %if ! %{defined _distconfdir}
  %define _distconfdir %{_sysconfdir}
  %define config_noreplace 1
 %endif
 #
 %{load:%{_sourcedir}/macros.pam}
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.6.1
+Version:        1.7.1
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -86,8 +85,6 @@ Source5:        common-account.pamd
 Source6:        common-password.pamd
 Source7:        common-session.pamd
 Source9:        baselibs.conf
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
 Source13:       pam.tmpfiles
 Source20:       common-session-nonlogin.pamd
@@ -96,16 +93,14 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
-# https://github.com/linux-pam/linux-pam/pull/816
+# PATCH-FIX-UPSTREAM
-Patch2:         pam-bsc1194818-cursor-escape.patch
+Patch2:         post-v1.7.1.patch
-# https://github.com/linux-pam/linux-pam/pull/826
+# PATCH-FIX-UPSTREAM
-Patch3:         pam_limits-systemd.patch
+Patch3:         pam_mkhomedir-Use-vendordir-when-defined.patch
 # https://github.com/linux-pam/linux-pam/pull/825
 Patch4:         pam_issue-systemd.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
-BuildRequires:  libtool
+BuildRequires:  meson >= 0.62.0
 BuildRequires:  xz
 Requires(post): permissions
 # All login.defs variables require support from shadow side.
@@ -149,9 +144,7 @@ username/password pair against values stored in a Berkeley DB database.
 %package -n pam-extra
 Summary:        PAM module with extended dependencies
 Group:          System/Libraries
-#BuildRequires:  pkgconfig(systemd) 
+BuildRequires:  pkgconfig(libsystemd) >= 254
 # The systemd-mini package does not pass configure checks
 BuildRequires:  systemd-devel >= 254
 BuildRequires:  pam-devel
 Provides:	pam:%{_sbindir}/pam_timestamp_check
 Provides:       pam:%{_pam_moduledir}/pam_limits.so
@@ -217,32 +210,28 @@ cp -a %{SOURCE12} .
 %build
 bash ./pam-login_defs-check.sh
 export CFLAGS="%{optflags}"
 %if !%{with debug}
 CFLAGS="$CFLAGS -DNDEBUG"
 %endif
 %if %{livepatchable}
 CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
 %endif
 autoreconf
 %configure \
 	--includedir=%{_includedir}/security \
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
 	--enable-isadir=../..%{_pam_moduledir} \
 	--enable-securedir=%{_pam_moduledir} \
 	--enable-vendordir=%{_prefix}/etc \
 %if "%{flavor}" == "full"
 	--enable-logind \
 %endif
        --disable-examples \
 	--disable-nis \
 %if %{with debug}
 	--enable-debug
 %endif
-%make_build
+%meson -Dvendordir=%{_distconfdir} \
       -Ddocdir=%{_docdir}/pam \
       -Dhtmldir=%{_docdir}/pam/html \
       -Dpdfdir=%{_docdir}/pam/pdf \
       -Dsecuredir=%{_pam_moduledir} \
       -Dpam_unix-try-getspnam=true \
 %if "%{flavor}" != "full"
       -Dlogind=disabled \
       -Dpam_userdb=disabled \
       -Ddocs=disabled \
 %else
       -Dlogind=enabled \
 %endif
       -Dpwaccess=disabled \
       -Delogind=disabled \
       -Dexamples=false \
       -Dnis=disabled
 %meson_build
 %if %{livepatchable}
@@ -270,29 +259,17 @@ cp %{tar_package_name} %{_other}
 %endif # livepatchable
 gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
 %if %{build_main}
 %check
-%make_build check
+%meson_test
 %endif
 %install
 %meson_install
 mkdir -p %{buildroot}%{_pam_confdir}
 mkdir -p %{buildroot}%{_pam_vendordir}
 mkdir -p %{buildroot}%{_includedir}/security
 mkdir -p %{buildroot}%{_pam_moduledir}
 mkdir -p %{buildroot}/sbin
 mkdir -p -m 755 %{buildroot}%{_libdir}
 # For compat reasons
 mkdir -p %{buildroot}%{_distconfdir}/pam.d
 %make_install
 /sbin/ldconfig -n %{buildroot}%{_libdir}
 # Install documentation
 %make_install -C doc
 # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
 install -d %{buildroot}%{_pam_secconfdir}/namespace.d
 # install other.pamd and common-*.pamd
 install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
 install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
@@ -304,23 +281,14 @@ install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
 install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
 install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
 install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
 mkdir -p %{buildroot}%{_prefix}/lib/motd.d
 #
 # Remove crap
 #
 find %{buildroot} -type f -name "*.la" -delete -print
 #
 # Install READMEs of PAM modules
 #
 DOC=%{buildroot}%{_defaultdocdir}/pam
 %if "%{flavor}" == "full"
 mkdir -p $DOC/modules
-pushd modules
+cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
-for i in pam_*/README; do
+%endif
 	cp -fpv "$i" "$DOC/modules/README.${i%/*}"
 done
 popd
 # Install unix2_chkpwd
 install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
 # rpm macros
 install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
@@ -328,13 +296,11 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
 install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
 mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
 mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
 # Remove manual pages for main package
 %if !%{build_doc}
 rm -rf %{buildroot}%{_mandir}/man?/*
 %else
 install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
 # bsc#1188724
 echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
 %endif
@@ -357,12 +323,10 @@ rm -rf  %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limi
 %verifyscript
 %verify_permissions -e %{_sbindir}/unix_chkpwd
 %verify_permissions -e %{_sbindir}/unix2_chkpwd
 %post
 /sbin/ldconfig
 %set_permissions %{_sbindir}/unix_chkpwd
 %set_permissions %{_sbindir}/unix2_chkpwd
 %tmpfiles_create %{_tmpfilesdir}/pam.conf
 %postun -p /sbin/ldconfig
@@ -380,23 +344,13 @@ done
 %files -f Linux-PAM.lang
 %doc NEWS
 %license COPYING
 %exclude %{_defaultdocdir}/pam/html
 %exclude %{_defaultdocdir}/pam/modules
 %exclude %{_defaultdocdir}/pam/pdf
 %exclude %{_defaultdocdir}/pam/*.txt
 %dir %{_pam_confdir}
 %dir %{_pam_vendordir}
 %dir %{_pam_secconfdir}
 %dir %{_pam_secdistconfdir}
 %dir %{_prefix}/lib/motd.d
 %if %{defined config_noreplace}
 %config(noreplace) %{_pam_confdir}/other
 %config(noreplace) %{_pam_confdir}/common-*
 %else
 %{_pam_vendordir}/other
 %{_pam_vendordir}/common-*
 %{_pam_vendordir}/postlogin-*
 %endif
 %{_distconfdir}/environment
 %{_pam_secdistconfdir}/access.conf
 %{_pam_secdistconfdir}/group.conf
@@ -466,7 +420,6 @@ done
 %{_sbindir}/pam_namespace_helper
 %{_sbindir}/pwhistory_helper
 %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
 %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
 %{_unitdir}/pam_namespace.service
 %{_tmpfilesdir}/pam.conf
@@ -570,7 +523,6 @@ done
 %{_mandir}/man8/pam_wheel.8%{?ext_man}
 %{_mandir}/man8/pam_xauth.8%{?ext_man}
 %{_mandir}/man8/pwhistory_helper.8%{?ext_man}
 %{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
--- a/pam_issue-systemd.patch
+++ b/pam_issue-systemd.patch
@@ -1,51 +0,0 @@
 From 8401cef10cd5f62849c5fcfef4c82db92712296c Mon Sep 17 00:00:00 2001
 From: Thorsten Kukuk <kukuk@suse.com>
 Date: Wed, 4 Sep 2024 16:07:56 +0200
 Subject: [PATCH] pam_issue: only count class user
 Since systemd added new types of classes (e.g. manager*), we cannot
 use the count of all sessions anymore, but have to check which class
 this is.
 This is backward compatible, systemd v209 or newer is required.
 ---
 modules/pam_issue/pam_issue.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
 diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
 index aade642ec5..e2c555c405 100644
 --- a/modules/pam_issue/pam_issue.c
 +++ b/modules/pam_issue/pam_issue.c
@@ -165,13 +165,31 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
 		{
 		    unsigned int users = 0;
 #ifdef USE_LOGIND
 -		    int sessions = sd_get_sessions(NULL);
 +		    char **sessions_list;
 +		    int sessions = sd_get_sessions(&sessions_list);
 		    if (sessions < 0) {
 		      pam_syslog(pamh, LOG_ERR, "logind error: %s",
 				 strerror(-sessions));
 		      _pam_drop(issue);
 		      return PAM_SERVICE_ERR;
 +		    } else if (sessions > 0 && sessions_list != NULL) {
 +		      int i;
 +
 +		      for (i = 0; i < sessions; i++) {
 +			char *class;
 +
 +			if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
 +			  continue;
 +
 +			if (strncmp(class, "user", 4) == 0) // user, user-early, user-incomplete
 +			  users++;
 +			free(class);
 +		      }
 +
 +		      for (i = 0; i < sessions; i++)
 +			free(sessions_list[i]);
 +		      free(sessions_list);
 		    } else {
 		      users = sessions;
 		    }
--- a/pam_limits-systemd.patch
+++ b/pam_limits-systemd.patch
@@ -1,157 +0,0 @@
 From 12bb33b56dee6d6b05200d4b776c7e6de3d0df91 Mon Sep 17 00:00:00 2001
 From: Thorsten Kukuk <kukuk@suse.com>
 Date: Fri, 6 Sep 2024 11:55:46 +0200
 Subject: [PATCH] pam_limits: use systemd-logind instead of utmp (#822)
 The utmp database is unreliable for counting logged in users, since
 there is no standard which defines who should create an entry at which
 time for which reason. And it has a Y2038 problem with glibc/x86-64.
 Query systemd-logind for the number of user sessions instead.
 ---
 modules/pam_limits/Makefile.am  |  4 +-
 modules/pam_limits/pam_limits.c | 81 +++++++++++++++++++++++++++++++--
 2 files changed, 80 insertions(+), 5 deletions(-)
 diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am
 index ab3cf33ed..3f64d79bb 100644
 --- a/modules/pam_limits/Makefile.am
 +++ b/modules/pam_limits/Makefile.am
@@ -24,7 +24,7 @@ limits_conf_dir = $(SCONFIGDIR)/limits.d
 AM_CFLAGS = -I$(top_srcdir)/libpam/include \
 	    -DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \
 -	    $(WARN_CFLAGS)
 +	    $(LOGIND_CFLAGS) $(WARN_CFLAGS)
 AM_LDFLAGS = -no-undefined -avoid-version -module
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
@@ -32,7 +32,7 @@ endif
 securelib_LTLIBRARIES = pam_limits.la
 pam_limits_la_LIBADD = $(top_builddir)/libpam_internal/libpam_internal.la \
 -		       $(top_builddir)/libpam/libpam.la
 +		       $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS)
 dist_secureconf_DATA = limits.conf
 diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
 index 75c584fca..1e4dfa3d0 100644
 --- a/modules/pam_limits/pam_limits.c
 +++ b/modules/pam_limits/pam_limits.c
@@ -36,7 +36,12 @@
 #include <sys/resource.h>
 #include <limits.h>
 #include <glob.h>
 +#ifdef USE_LOGIND
 +#include <systemd/sd-login.h>
 +#else
 #include <utmp.h>
 +#endif
 +
 #ifndef UT_USER  /* some systems have ut_name instead of ut_user */
 #define UT_USER ut_user
 #endif
@@ -240,7 +245,6 @@ static int
 check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
               struct pam_limit_s *pl)
 {
 -    struct utmp *ut;
     int count;
     if (ctrl & PAM_DEBUG_ARG) {
@@ -255,8 +259,6 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
         return LOGIN_ERR;
     }
 -    setutent();
 -
     /* Because there is no definition about when an application
        actually adds a utmp entry, some applications bizarrely do the
        utmp call before the have PAM authenticate them to the system:
@@ -273,6 +275,78 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
 	count = 1;
     }
 +#ifdef USE_LOGIND
 +    char **sessions_list;
 +    int sessions = sd_get_sessions(&sessions_list);
 +
 +    /* maxlogins needs to be 2 with systemd-logind because
 +       of the systemd --user process started with first login by
 +       pam_systemd.
 +       Which is also calling pam_limits, but in this very first special
 +       case the session does already exist and is counted twice.
 +       With start of the second session, session manager is already running
 +       and no longer counted. */
 +    if (limit == 1) {
 +        pam_syslog(pamh, LOG_WARNING, "Maxlogin limit needs to be 2 or higher with systemd-logind");
 +        return LIMIT_ERR;
 +    }
 +
 +    if (sessions < 0) {
 +      pam_syslog(pamh, LOG_ERR, "logind error getting session list: %s",
 +		 strerror(-sessions));
 +      return LIMIT_ERR;
 +    } else if (sessions > 0 && sessions_list != NULL && !pl->flag_numsyslogins) {
 +      int i;
 +
 +      for (i = 0; i < sessions; i++) {
 +	char *user = NULL;
 +	char *class = NULL;
 +
 +	if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
 +	  continue;
 +
 +	if (strncmp(class, "user", 4) != 0)  { /* user, user-early, user-incomplete */
 +	  free (class);
 +	  continue;
 +	}
 +	free (class);
 +
 +	if (sd_session_get_username(sessions_list[i], &user) < 0 || user == NULL) {
 +	  pam_syslog(pamh, LOG_ERR, "logind error getting username: %s",
 +		     strerror(-sessions));
 +	  return LIMIT_ERR;
 +	}
 +
 +	if (((pl->login_limit_def == LIMITS_DEF_USER)
 +	     || (pl->login_limit_def == LIMITS_DEF_GROUP)
 +	     || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
 +	    && strcmp(name, user) != 0) {
 +	  free(user);
 +	  continue;
 +	}
 +	if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
 +	    && pl->login_group != NULL
 +	    && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
 +	  free(user);
 +	  continue;
 +	}
 +	free(user);
 +
 +	if (++count > limit) {
 +	  break;
 +	}
 +      }
 +      for (i = 0; i < sessions; i++)
 +	free(sessions_list[i]);
 +      free(sessions_list);
 +    } else {
 +      count = sessions;
 +    }
 +#else
 +    struct utmp *ut;
 +
 +    setutent();
 +
     while((ut = getutent())) {
 #ifdef USER_PROCESS
         if (ut->ut_type != USER_PROCESS) {
@@ -311,6 +385,7 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
 	}
     }
     endutent();
 +#endif
     if (count > limit) {
 	if (name) {
 	    pam_syslog(pamh, LOG_NOTICE,
--- a/pam_mkhomedir-Use-vendordir-when-defined.patch
+++ b/pam_mkhomedir-Use-vendordir-when-defined.patch
@@ -0,0 +1,315 @@
 From c4a53492e1b7aebcf7a65a778d9e3a78f196d117 Mon Sep 17 00:00:00 2001
 From: vlefebvre <valentin.lefebvre@suse.com>
 Date: Tue, 15 Jul 2025 15:42:50 +0200
 Subject: [PATCH] pam_mkhomedir: Use vendordir when defined
 * When the configuration is split between /etc and vendordir,
  pam_mkhomedir now takes care of the distribution-provided
  skeleton directory.
 * mkhomedir_helper gets a new optional argument: vendordir.
  If specified, the home directory will be populated by contents of
  the directory specified by skeldir argument, followed by contents
  of the directory specified by vendordir argument.
 Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
 ---
 modules/pam_mkhomedir/mkhomedir_helper.8.xml | 12 ++-
 modules/pam_mkhomedir/mkhomedir_helper.c     | 91 +++++++++++++-------
 modules/pam_mkhomedir/pam_mkhomedir.8.xml    |  8 +-
 modules/pam_mkhomedir/pam_mkhomedir.c        | 14 ++-
 4 files changed, 88 insertions(+), 37 deletions(-)
 diff --git a/modules/pam_mkhomedir/mkhomedir_helper.8.xml b/modules/pam_mkhomedir/mkhomedir_helper.8.xml
 index 0f4c4b40..87b83a40 100644
 --- a/modules/pam_mkhomedir/mkhomedir_helper.8.xml
 +++ b/modules/pam_mkhomedir/mkhomedir_helper.8.xml
@@ -24,6 +24,9 @@
         <replaceable>path-to-skel</replaceable>
       <arg choice="opt" rep="norepeat">
         <replaceable>home_mode</replaceable>
 +      <arg choice="opt" rep="norepeat">
 +        <replaceable>path-to-vendor-skel</replaceable>
 +      </arg>
       </arg>
       </arg>
       </arg>
@@ -48,6 +51,13 @@
       <replaceable>umask</replaceable>.
     </para>
 +    <para>
 +      <replaceable>path-to-vendor-skel</replaceable> doesn't have default
 +      value. When set to a <emphasis>path</emphasis>, home directory will be
 +      populated by contents of <replaceable>path-to-skel</replaceable> first,
 +      and then by contents of <emphasis>path</emphasis>.
 +    </para>
 +
     <para>
       The helper is separated from the module to not require direct access from
       login SELinux domains to the contents of user home directories. The
@@ -77,4 +87,4 @@
       </para>
   </refsect1>
 -</refentry>
 \ No newline at end of file
 +</refentry>
 diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
 index 0c05ee9c..1d741c5d 100644
 --- a/modules/pam_mkhomedir/mkhomedir_helper.c
 +++ b/modules/pam_mkhomedir/mkhomedir_helper.c
@@ -36,7 +36,7 @@ static unsigned long u_mask = 0022;
 static const char *skeldir = "/etc/skel";
 static int create_homedir(struct dir_spec *, const struct passwd *, mode_t,
 -			  const char *, const char *);
 +			  const char *, const char *, const char *);
 static int
 dir_spec_open(struct dir_spec *spec, const char *path)
@@ -88,7 +88,7 @@ dir_spec_close(struct dir_spec *spec)
 static int
 copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
 -	   const char *source, struct dirent *dent)
 +	   const char *source, struct dirent *dent, const char *vendordir)
 {
    char remark[BUFSIZ];
    int srcfd = -1, destfd = -1;
@@ -96,6 +96,7 @@ copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
    int retval = PAM_SESSION_ERR;
    struct stat st;
    char *newsource;
 +   char *newvendordir = NULL;
    /* Determine what kind of file it is. */
    if ((newsource = pam_asprintf("%s/%s", source, dent->d_name)) == NULL)
@@ -114,8 +115,23 @@ copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
    /* If it's a directory, recurse. */
    if (S_ISDIR(st.st_mode))
    {
 +      if (vendordir != NULL)
 +      {
 +         if ((newvendordir = pam_asprintf("%s/%s", vendordir, dent->d_name)) == NULL)
 +         {
 +            pam_syslog(NULL, LOG_CRIT, "asprintf failed for 'newvendordir'");
 +            retval = PAM_BUF_ERR;
 +            goto go_out;
 +         }
 +         if (lstat(newvendordir, &st) != 0)
 +         {
 +            free(newvendordir);
 +            newvendordir = NULL;
 +         }
 +      }
 +
       retval = create_homedir(parent, pwd, dir_mode & (~u_mask), newsource,
 -			      dent->d_name);
 +			      dent->d_name, newvendordir);
       goto go_out;
    }
@@ -259,19 +275,22 @@ copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
       close(destfd);
    free(newsource);
 -
 +   free(newvendordir);
    return retval;
 }
 /* Do the actual work of creating a home dir */
 static int
 create_homedir(struct dir_spec *parent, const struct passwd *pwd,
 -	       mode_t dir_mode, const char *source, const char *dest)
 +	       mode_t dir_mode, const char *source, const char *dest,
 +	       const char *vendordir)
 {
    DIR *d = NULL;
    struct dirent *dent;
    struct dir_spec base;
    int retval = PAM_SESSION_ERR;
 +   const char *sourcedirs[] = {source, vendordir};
 +   unsigned int idx = 0;
    /* Create the new directory */
    if (mkdirat(parent->fd, dest, 0700))
@@ -289,32 +308,35 @@ create_homedir(struct dir_spec *parent, const struct passwd *pwd,
       goto go_out;
    }
 -   /* See if we need to copy the skel dir over. */
 -   if ((source == NULL) || (strlen(source) == 0))
 -   {
 -      retval = PAM_SUCCESS;
 -      goto go_out;
 -   }
 -
 -   /* Scan the directory */
 -   d = opendir(source);
 -   if (d == NULL)
 -   {
 -      pam_syslog(NULL, LOG_DEBUG, "unable to read directory %s: %m", source);
 -      retval = PAM_PERM_DENIED;
 -      goto go_out;
 -   }
 -
 -   for (dent = readdir(d); dent != NULL; dent = readdir(d))
 +   /* Scan source directories */
 +   for (idx = 0; idx < PAM_ARRAY_SIZE(sourcedirs); idx++)
    {
 -      /* Skip some files.. */
 -      if (strcmp(dent->d_name,".") == 0 ||
 -	  strcmp(dent->d_name,"..") == 0)
 -	 continue;
 +      /* See if we need to copy the source skel dir over. */
 +      if ((sourcedirs[idx] == NULL) || strlen(sourcedirs[idx]) == 0)
 +            continue;
 +      d = opendir(sourcedirs[idx]);
 +      if (d == NULL)
 +      {
 +         pam_syslog(NULL, LOG_DEBUG, "unable to read directory %s: %m",
 +                    sourcedirs[idx]);
 +         retval = PAM_PERM_DENIED;
 +         goto go_out;
 +      }
 -      retval = copy_entry(&base, pwd, dir_mode, source, dent);
 -      if (retval != PAM_SUCCESS)
 -	 goto go_out;
 +      for (dent = readdir(d); dent != NULL; dent = readdir(d))
 +      {
 +         /* Skip some files.. */
 +         if (strcmp(dent->d_name,".") == 0 ||
 +             strcmp(dent->d_name,"..") == 0)
 +            continue;
 +
 +         retval = copy_entry(&base, pwd, dir_mode, sourcedirs[idx], dent,
 +                             sourcedirs[idx] == vendordir ? NULL : vendordir);
 +         if (retval != PAM_SUCCESS)
 +            goto go_out;
 +      }
 +      closedir(d);
 +      d = NULL;
    }
    retval = PAM_SUCCESS;
@@ -340,7 +362,8 @@ create_homedir(struct dir_spec *parent, const struct passwd *pwd,
 static int
 create_homedir_helper(const struct passwd *_pwd, mode_t home_mode,
 -		      const char *_skeldir, const char *_homedir)
 +		      const char *_skeldir, const char *_homedir,
 +		      const char *_vendordir)
 {
    int retval = PAM_SESSION_ERR;
    struct dir_spec base;
@@ -357,7 +380,7 @@ create_homedir_helper(const struct passwd *_pwd, mode_t home_mode,
    }
    *cp = '/';
 -   retval = create_homedir(&base, _pwd, home_mode, _skeldir, cp + 1);
 +   retval = create_homedir(&base, _pwd, home_mode, _skeldir, cp + 1, _vendordir);
  go_out:
    dir_spec_close(&base);
@@ -399,6 +422,7 @@ main(int argc, char *argv[])
    struct stat st;
    char *eptr;
    unsigned long home_mode = 0;
 +   const char *vendordir = NULL;
    if (argc < 2) {
 	fprintf(stderr, "Usage: %s <username> [<umask> [<skeldir> [<home_mode>]]]\n", argv[0]);
@@ -433,6 +457,9 @@ main(int argc, char *argv[])
        }
    }
 +   if (argc >= 6)
 +      vendordir = argv[5];
 +
    if (home_mode == 0)
       home_mode = 0777 & ~u_mask;
@@ -449,5 +476,5 @@ main(int argc, char *argv[])
    if (make_parent_dirs(pwd->pw_dir, 0) != PAM_SUCCESS)
 	return PAM_PERM_DENIED;
 -   return create_homedir_helper(pwd, home_mode, skeldir, pwd->pw_dir);
 +   return create_homedir_helper(pwd, home_mode, skeldir, pwd->pw_dir, vendordir);
 }
 diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8.xml b/modules/pam_mkhomedir/pam_mkhomedir.8.xml
 index ad957248..42f42c58 100644
 --- a/modules/pam_mkhomedir/pam_mkhomedir.8.xml
 +++ b/modules/pam_mkhomedir/pam_mkhomedir.8.xml
@@ -46,6 +46,12 @@
       <filename>/etc/skel/</filename>) is used to copy default files
       and also sets a umask for the creation.
     </para>
 +
 +    <para condition="with_vendordir">
 +      <emphasis>%vendordir%/skel</emphasis> will also be used unless
 +      <replaceable>skel</replaceable> option is specified.
 +    </para>
 +
     <para>
       The new users home directory will not be removed after logout
       of the user.
@@ -213,4 +219,4 @@
       pam_mkhomedir was written by Jason Gunthorpe &lt;jgg@debian.org&gt;.
     </para>
   </refsect1>
 -</refentry>
 \ No newline at end of file
 +</refentry>
 diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c
 index f090deee..5b08b6fd 100644
 --- a/modules/pam_mkhomedir/pam_mkhomedir.c
 +++ b/modules/pam_mkhomedir/pam_mkhomedir.c
@@ -60,6 +60,11 @@
 #define LOGIN_DEFS           "/etc/login.defs"
 #define UMASK_DEFAULT        "0022"
 +#define SKELDIR "/etc/skel"
 +#ifdef VENDORDIR
 +#define VENDOR_SKELDIR (VENDORDIR "/skel")
 +#endif
 +
 struct options_t {
   int ctrl;
   const char *umask;
@@ -73,7 +78,7 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv,
 {
    opt->ctrl = 0;
    opt->umask = NULL;
 -   opt->skeldir = "/etc/skel";
 +   opt->skeldir = NULL;
    /* does the application require quiet? */
    if ((flags & PAM_SILENT) == PAM_SILENT)
@@ -154,7 +159,7 @@ create_homedir (pam_handle_t *pamh, options_t *opt,
    child = fork();
    if (child == 0) {
 	static char *envp[] = { NULL };
 -	const char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
 +	const char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
 	if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_PIPE_FD,
 					    PAM_MODUTIL_PIPE_FD,
@@ -165,8 +170,11 @@ create_homedir (pam_handle_t *pamh, options_t *opt,
 	args[0] = MKHOMEDIR_HELPER;
 	args[1] = user;
 	args[2] = opt->umask ? opt->umask : UMASK_DEFAULT;
 -	args[3] = opt->skeldir;
 +	args[3] = opt->skeldir ? opt->skeldir : SKELDIR;
 	args[4] = login_homemode;
 +#ifdef VENDORDIR
 +	args[5] = opt->skeldir ? NULL : VENDOR_SKELDIR;
 +#endif
 	DIAG_PUSH_IGNORE_CAST_QUAL;
 	execve(MKHOMEDIR_HELPER, (char **)args, envp);
 -- 
 2.51.0
--- a/post-v1.7.1.patch
+++ b/post-v1.7.1.patch
--- a/unix2_chkpwd.8
+++ b/unix2_chkpwd.8
@@ -1,79 +0,0 @@
 .\" Copyright (C) 2003 International Business Machines Corporation
 .\" This file is distributed according to the GNU General Public License.
 .\" See the file COPYING in the top level source directory for details.
 .\"
 .de Sh \" Subsection
 .br
 .if t .Sp
 .ne 5
 .PP
 \fB\\$1\fR
 .PP
 ..
 .de Sp \" Vertical space (when we can't use .PP)
 .if t .sp .5v
 .if n .sp
 ..
 .de Ip \" List item
 .br
 .ie \\n(.$>=3 .ne \\$3
 .el .ne 3
 .IP "\\$1" \\$2
 ..
 .TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
 .SH NAME
 unix2_chkpwd \- helper binary that verifies the password of the current user
 .SH "SYNOPSIS"
 .ad l
 .hy 0
 /sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
 .sp
 .ad
 .hy
 .SH "DESCRIPTION"
 .PP
 \fBunix2_chkpwd\fR is a helper program for applications that verifies 
 the password of the current user.  It is not intended to be run directly from 
 the command line and logs a security violation if done so. 
 It is typically installed setuid root or setgid shadow and called by
 applications, which only wishes to do an user authentification and
 nothing more.
 .SH "OPTIONS"
 .PP
 unix2_chkpwd requires the following arguments:
 .TP
 \fIpam_service\fR
 The name of the service using unix2_chkpwd. This is required to be one of
 the services in /etc/pam.d
 .TP
 \fIusername\fR
 The name of the user whose password you want to verify.
 .SH "INPUTS"
 .PP
 unix2_chkpwd expects the password via stdin.
 .SH "RETURN CODES"
 .PP
 \fBunix2_chkpwd\fR has the following return codes:
 .TP
 1
 unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
 .TP
 0
 The password is correct.
 .SH "HISTORY"
 Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
 .SH "SEE ALSO"
 .PP
 \fBpam\fR(8)
 .SH AUTHOR
 Emily Ratliff.
--- a/unix2_chkpwd.c
+++ b/unix2_chkpwd.c
@@ -1,337 +0,0 @@
 /*
 * Set*id helper program for PAM authentication.
 *
 * It is supposed to be called from pam_unix2's
 * pam_sm_authenticate function if the function notices
 * that it's unable to get the password from the shadow file
 * because it doesn't have sufficient permissions.
 *
 * Copyright (C) 2002 SuSE Linux AG
 *
 * Written by okir@suse.de, loosely based on unix_chkpwd
 * by Andrew Morgan.
 */
 #include <security/pam_appl.h>
 #include <security/_pam_macros.h>
 #include <sys/types.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
 #include <pwd.h>
 #include <signal.h>
 #include <fcntl.h>
 #include <ctype.h>
 #include <errno.h>
 #define BUFLEN	1024
 #ifndef LOGINDEFS
 #define LOGINDEFS	"/etc/login.defs"
 #endif
 #define LOGINDEFS_FAIL_DELAY_KEY	"FAIL_DELAY"
 #define DEFAULT_FAIL_DELAY_S	10
 #define PASSWD_CRACKER_DELAY_MS	100
 enum {
 	UNIX_PASSED = 0,
 	UNIX_FAILED = 1
 };
 static char *	program_name;
 static char	pass[64];
 static int	npass = -1;
 /*
 * Log error messages
 */
 static void
 _log_err(int err, const char *format,...)
 {
 	va_list args;
 	va_start(args, format);
 	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
 	vsyslog(err, format, args);
 	va_end(args);
 	closelog();
 }
 static void
 su_sighandler(int sig)
 {
 	if (sig > 0) {
 		_log_err(LOG_NOTICE, "caught signal %d.", sig);
 		exit(sig);
 	}
 }
 /*
 * Setup signal handlers
 */
 static void
 setup_signals(void)
 {
 	struct sigaction action;
 	memset((void *) &action, 0, sizeof(action));
 	action.sa_handler = su_sighandler;
 	action.sa_flags = SA_RESETHAND;
 	sigaction(SIGILL, &action, NULL);
 	sigaction(SIGTRAP, &action, NULL);
 	sigaction(SIGBUS, &action, NULL);
 	sigaction(SIGSEGV, &action, NULL);
 	action.sa_handler = SIG_IGN;
 	action.sa_flags = 0;
 	sigaction(SIGTERM, &action, NULL);
 	sigaction(SIGHUP, &action, NULL);
 	sigaction(SIGINT, &action, NULL);
 	sigaction(SIGQUIT, &action, NULL);
 	sigaction(SIGALRM, &action, NULL);
 }
 static int
 _converse(int num_msg, const struct pam_message **msg,
 		struct pam_response **resp, void *appdata_ptr)
 {
 	struct	pam_response *reply;
 	int	num;
 	if (!(reply = malloc(sizeof(*reply) * num_msg)))
 		return PAM_CONV_ERR;
 	for (num = 0; num < num_msg; num++) {
 		reply[num].resp_retcode = PAM_SUCCESS;
 		reply[num].resp = NULL;
 		switch (msg[num]->msg_style) {
 		case PAM_PROMPT_ECHO_ON:
 			return PAM_CONV_ERR;
 		case PAM_PROMPT_ECHO_OFF:
 			/* read the password from stdin */
 			if (npass < 0) {
 				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
 				if (npass < 0) {
 					_log_err(LOG_DEBUG, "error reading password");
 					return UNIX_FAILED;
 				}
 				pass[npass] = '\0';
 			}
 			reply[num].resp = strdup(pass);
 			break;
 		case PAM_TEXT_INFO:
 		case PAM_ERROR_MSG:
 			/* ignored */
 			break;
 		default:
 			/* Must be an error of some sort... */
 			return PAM_CONV_ERR;
 		}
 	}
 	*resp = reply;
 	return PAM_SUCCESS;
 }
 static int
 _authenticate(const char *service, const char *user)
 {
 	struct pam_conv conv = { _converse, NULL };
 	pam_handle_t	*pamh;
 	int		err;
 	err = pam_start(service, user, &conv, &pamh);
 	if (err != PAM_SUCCESS) {
 		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
 				service, user, err);
 		return UNIX_FAILED;
 	}
 	err = pam_authenticate(pamh, 0);
 	if (err != PAM_SUCCESS)
 		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
 				service, user,
 				pam_strerror(pamh, err));
 	if (err == PAM_SUCCESS)
 	{
 		err = pam_acct_mgmt(pamh, 0);
 		if (err == PAM_SUCCESS)
 		{
 			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
 			if (err2 != PAM_SUCCESS)
 				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
 					service, user,
 					pam_strerror(pamh, err2));
 				/*
 				 * ignore errors on refresh credentials.
 				 * If this did not work we use the old once.
 				 */
 		} else {
 			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
 				service, user,
 				pam_strerror(pamh, err));
 		}
 	}
 	pam_end(pamh, err);
 	if (err != PAM_SUCCESS)
 		return UNIX_FAILED;
 	return UNIX_PASSED;
 }
 static char *
 getuidname(uid_t uid)
 {
 	struct passwd *pw;
 	static char username[32];
 	pw = getpwuid(uid);
 	if (pw == NULL)
 		return NULL;
 	strncpy(username, pw->pw_name, sizeof(username));
 	username[sizeof(username) - 1] = '\0';
 	endpwent();
 	return username;
 }
 static int
 sane_pam_service(const char *name)
 {
 	const char *sp;
 	char	path[128];
 	if (strlen(name) > 32)
 		return 0;
 	for (sp = name; *sp; sp++) {
 		if (!isalnum(*sp) && *sp != '_' && *sp != '-')
 			return 0;
 	}
 	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
 	return access(path, R_OK) == 0;
 }
 static int
 get_system_fail_delay (void)
 {
 	FILE *fs;
 	char buf[BUFLEN];
 	long int delay = -1;
 	char *s;
 	int l;
 	fs = fopen(LOGINDEFS, "r");
 	if (NULL == fs) {
 		goto bail_out;
 	}
 	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
 		if  (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
 			continue;
 		}
 		s = buf + strspn(buf, " \t");
 		l = strcspn(s, " \t");
 		if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
 			continue;
 		}
 		s += l;
 		s += strspn(s, " \t");
 		errno = 0;
 		delay = strtol(s, NULL, 10);
 		if (errno) {
 			delay = -1;
 		}
 		break;
 	}
 	fclose (fs);
 bail_out:
 	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
 	return (int)delay;
 }
 int
 main(int argc, char *argv[])
 {
 	const char *program_name;
 	char	*service, *user;
 	int	fd;
 	int result = UNIX_FAILED;
 	uid_t	uid;
 	uid = getuid();
 	/*
 	 * Make sure standard file descriptors are connected.
 	 */
 	while ((fd = open("/dev/null", O_RDWR)) <= 2)
 		;
 	close(fd);
 	/*
 	 * Get the program name
 	 */
 	if (argc == 0)
 		program_name = "unix2_chkpwd";
 	else if ((program_name = strrchr(argv[0], '/')) != NULL)
 		program_name++;
 	else
 		program_name = argv[0];
 	/*
 	 * Catch or ignore as many signal as possible.
 	 */
 	setup_signals();
 	/*
 	 * Check argument list
 	 */
 	if (argc < 2 || argc > 3) {
 		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
 		return UNIX_FAILED;
 	}
 	/*
 	 * Get the service name and do some sanity checks on it
 	 */
 	service = argv[1];
 	if (!sane_pam_service(service)) {
 		_log_err(LOG_ERR, "Illegal service name '%s'", service);
 		return UNIX_FAILED;
 	}
 	/*
 	 * Discourage users messing around (fat chance)
 	 */
 	if (isatty(STDIN_FILENO) && uid != 0) {
 		_log_err(LOG_NOTICE,
 			"Inappropriate use of Unix helper binary [UID=%d]",
 			 uid);
 		fprintf(stderr,
 			"This binary is not designed for running in this way\n"
 			"-- the system administrator has been informed\n");
 		sleep(10);	/* this should discourage/annoy the user */
 		return UNIX_FAILED;
 	}
 	/*
 	 * determine the caller's user name
 	 */
 	user = getuidname(uid);
 	if (argc == 3 && strcmp(user, argv[2])) {
 		user = argv[2];
 	}
 	result = _authenticate(service, user);
 	/* Discourage use of this program as a
 	 * password cracker */
 	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
 	if (result != UNIX_PASSED && uid != 0)
 		sleep(get_system_fail_delay());
 	return result;
 }