summaryrefslogtreecommitdiffstats
path: root/ChangeLog
blob: 3e135be712f0bdc688e195193a948fe7b369f50c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
2018-05-18  Thorsten Kukuk  <kukuk@thkukuk.de>

	Release version 1.3.1.

	Add xz compression.

2018-05-16  Allison Karlitskaya  <allison.karlitskaya@redhat.com>

	pam_motd: add support for a motd.d directory (#48)
	Add a new feature to pam_motd to allow packages to install their own
	message files in a "motd.d" directory, to be displayed after the primary
	motd.
	
	Add an option motd_d= to specify the location of this directory.
	
	Modify the defaults, in the case where no options are given, to display
	both /etc/motd and /etc/motd.d.
	
	Fixes #47
	
	 * modules/pam_motd/pam_motd.c: add support for motd.d
	 * modules/pam_motd/pam_motd.8.xml: update the manpage

2018-05-02  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_umask: Fix documentation to align with order of loading umask.
	* modules/pam_umask/pam_umask.8.xml: Document the real order of loading
	umask.

2018-04-10  Joey Chagnon  <joeychagnon@users.noreply.github.com>

	Fix missing word in documentation.
	*  doc/man/pam_get_user.3.xml: Fix it.

2017-11-10  Dmitry V. Levin  <ldv@altlinux.org>

	pam_tally2 --reset: avoid creating a missing tallylog file.
	There is no need for pam_tally2 in --reset=0 mode to create a missing
	tallylog file because its absence has the same meaning as its existence
	with the appropriate entry reset.

	This was not a big deal until useradd(8) from shadow suite release 4.5
	started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
	configuration.

	The positive effect of this change is noticeable when using tools like
	cpio(1) that cannot archive huge sparse files efficiently.

	* modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
	cline_filename when cline_reset == 0, exit early if the file is missing.

2017-11-10  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_mkhomedir: Allow creating parent of homedir under /
	* modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not
	skip creating the directory if we are under /.

2017-10-09  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_tty_audit: Fix regression introduced by adding the uid range support.
	* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
	remove unneeded code carried from pam_limits.
	(pam_sm_open_session): When multiple enable/disable options are present do not
	stop after first match.

2017-09-06  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_access: Add note about spaces around ':' in access.conf(5)
	* modules/pam_access/access.conf.5.xml: Add note about spaces around ':'

	Workaround formatting problem in pam(8)
	* doc/man/pam.8.xml: Workaround formatting problem.

2017-07-12  Peter Urbanec  <peterurbanec@users.noreply.github.com>

	pam_unix: Check return value of malloc used for setcred data (#24)
	Check the return value of malloc and if it failed print debug info, send
	a syslog message and return an error code.
	
	The test in AUTH_RETURN for ret_data not being NULL becomes redundant.

2017-07-10  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_cracklib: Drop unused prompt macros.
	* modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.

2017-06-28  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_tty_audit: Support matching users by uid range.
	* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
	parse the uid range.
	(pam_sm_open_session): Call parse_uid_range() and behave according to its result.
	* modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.

2017-05-31  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_access: support parsing files in /etc/security/access.d/*.conf.
	* modules/pam_access/pam_access.c (login_access): Return NOMATCH if
	there was no match in the parsed file.
	(pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
	subdirectory and call login_access() on the individual files matched.
	* modules/pam_access/pam_access.8.xml: Document the addition.
	* modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.

2017-04-11  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_localuser: Correct the example in documentation.
	* modules/pam_localuser/pam_localuser.8.xml: The example configuration
	  does something different.

	pam_localuser: Correct documentation of return value.
	* modules/pam_localuser/pam_localuser.8.xml: The module returns
	  PAM_PERM_DENIED when the user is not listed.

2017-03-10  Saul Johnson  <saul.a.johnson@gmail.com>

	Make maxclassrepeat=1 behavior consistent with docs (#9)
	* modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.

2017-02-09  Josef Moellers  <jmoellers@suse.de>

	Properly test for strtol() failure to find any digits.
	* modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set
	to beginning and not NULL.

2017-01-19  Daniel Abrecht  <daniel.abrecht@hotmail.com>

	pam_exec: fix a potential null pointer dereference.
	Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS
	but the response is set to NULL.

	* modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa
	with a null pointer.

	Closes: https://github.com/linux-pam/linux-pam/pull/2

2016-12-07  Antonio Ospite  <ao2@ao2.it>

	Add missing comma in the limits.conf.5 manpage.
	* modules/pam_limits/limits.conf.5.xml: add a missing comma

2016-11-14  Tomas Mraz  <tmraz@fedoraproject.org>

	Regular links doesn't work with -no-numbering -no-references.
	* configure.ac: Use elinks instead of links.

2016-11-01  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_access: First check for the (group) match.
	The (group) match is performed first to allow for groups
	containing '@'.

	* modules/pam_access/pam_access.c (user_match): First check for the (group) match.

2016-10-17  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_ftp: Properly use the first name from the supplied list.
	* modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
	of anonymous users if user name matches.
	(pam_sm_authenticate): Free the returned value allocated in lookup().

2016-09-12  Bartos-Elekes Zsolt  <muszi@kite.hu>

	pam_issue: Fix no prompting in parse escape codes mode.
	* modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().

2016-06-30  Maxin B. John  <maxin.john@intel.com>

	xtests: remove bash dependency.
	There are no bash specific syntax in the xtest scripts. So, remove
	the bash dependency.

2016-06-30  Tomas Mraz  <tmraz@fedoraproject.org>

	Unification and cleanup of syslog log levels.
	* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
	* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
	  with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
	  with LOG_ERR.
	* modules/pam_limits/pam_limits.c: User login limit messages are syslogged
	  with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
	  LOG_ERR.
	* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
	  with LOG_NOTICE.
	* modules/pam_namespace/pam_namespace.c: Make memory allocation failures
	  LOG_CRIT.
	* modules/pam_nologin/pam_nologin.c: Make memory allocation failures
	  LOG_CRIT, other errors LOG_ERR.
	* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
	  with LOG_NOTICE, non-memory errors with LOG_ERR.
	* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
	  LOG_ERR.
	* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
	  LOG_CRIT.
	* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
	  other errors LOG_ERR.
	* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
	* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
	  max retries ignorance by application likewise.
	* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
	  with LOG_NOTICE.
	* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.

2016-06-15  Dmitry V. Levin  <ldv@altlinux.org>

	pam_timestamp: fix typo in strncmp usage.
	Before this fix, a typo in check_login_time resulted to ruser and
	struct utmp.ut_user being compared by the first character only,
	which in turn could lead to a too low timestamp value being assigned
	to oldest_login, effectively causing bypass of check_login_time.

	* modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
	in strncmp usage.

	Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>

2016-05-30  Tomas Mraz  <tmraz@fedoraproject.org>

	Correct the examples in pam_fail_delay(3) man page.
	doc/man/pam_fail_delay.3.xml: Correct the examples.

2016-05-11  Tomas Mraz  <tmraz@fedoraproject.org>

	Remove spaces in examples for access.conf.
	The spaces are ignored only with the default listsep. To remove confusion
	if non-default listsep is used they are removed from the examples.

	* modules/pam_access/access.conf: Remove all spaces around ':' in examples.
	* modules/pam_access/access.conf.5.xml: Likewise.

2016-05-05  Mike Frysinger  <vapier@gentoo.org>

	build: avoid non-portable == with "test" (ticket #60)
	POSIX says test only accepts =. Some shells (including bash) accept ==,
	but we should still stick to = for portability.

	* configure.ac: Replace == with = in "test" invocations.

2016-04-28  Thorsten Kukuk  <kukuk@thkukuk.de>

	Release version 1.3.0.
	* NEWS: add changes for 1.3.0.
	* configure.ac: bump version number.
	* libpam/Makefile.am: bump revision of libpam.so version.

2016-04-28  Tomas Mraz  <tmraz@fedoraproject.org>

	Updated translations from Zanata.
	* po/*.po: Updated translations from Zanata.

2016-04-19  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_wheel: Correct the documentation of the root_only option.
	* modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the
	root_only option.

	pam_unix: Document that MD5 password hash is used to store old passwords.
	modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
	to store the old passwords when remember option is set.

2016-04-14  Tomas Mraz  <tmraz@fedoraproject.org>

	Project registered at Zanata (fedora.zanata.org) for translations.
	* zanata.xml: Configuration file for zanata client.
	* po/LINGUAS: Update languages as supported by Zanata.
	* po/Linux-PAM.pot: Updated from sources.
	* po/*.po: Updated from sources.

2016-04-06  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.
	We have to drop support for not_set_pass option which is not much useful
	anyway. Instead we get proper support for authtok_type option.

	* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
	pe
	option.
	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
	sword()
	call with equivalent pam_get_authtok() call.
	* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
	support for not_set_pass.
	* modules/pam_unix/support.c (_unix_read_password): Remove.
	* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.

	pam_get_authtok(): Add authtok_type support to current password prompt.
	* libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password,
	use different prompt for current password allowing for authtok_type to be
	displayed to the user.

2016-04-04  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_unix: Make password expiration messages more user-friendly.
	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
	expiration messages more user-friendly.

2016-04-04  Thorsten Kukuk  <kukuk@thkukuk.de>

	innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it. [ticket#46]
	* modules/pam_group/pam_group.c: ditto
	* modules/pam_succeed_if/pam_succeed_if.c: ditto
	* modules/pam_time/pam_time.c: ditto

	build: fix build when crypt() is not part of crypt_libs [ticket#46]
	* configure.ac: Don't set empty -l option in crypt check

	build: use $host_cpu for lib64 directory handling [ticket#46]
	* configure.ac: use $host_cpu for lib64 directory handling.

2016-04-01  Dmitry V. Levin  <ldv@altlinux.org>

	Fix whitespace issues.
	Remove blank lines at EOF introduced by commit
	a684595c0bbd88df71285f43fb27630e3829121e,
	making the project free of warnings reported by
	git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD

	* libpam/pam_dynamic.c: Remove blank line at EOF.
	* modules/pam_echo/pam_echo.c: Likewise.
	* modules/pam_keyinit/pam_keyinit.c: Likewise.
	* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
	* modules/pam_rhosts/pam_rhosts.c: Likewise.
	* modules/pam_sepermit/pam_sepermit.c: Likewise.
	* modules/pam_stress/pam_stress.c: Likewise.

2016-04-01  Thorsten Kukuk  <kukuk@thkukuk.de>

	Use TI-RPC functions if we compile and link against libtirpc. The old SunRPC functions don't work with IPv6.
	* configure.ac: Set and restore CPPFLAGS
	* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
	  rpcb_getaddr if available.

2016-03-29  Thorsten Kukuk  <kukuk@thkukuk.de>

	PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of external code using it.
	* libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility

	Remove "--enable-static-modules" option and support from  Linux-PAM. It was never official supported and was broken since years.
	* configure.ac: Remove --enable-static-modules option.
	* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
	* doc/man/pam_sm_authenticate.3.xml: Likewise.
	* doc/man/pam_sm_chauthtok.3.xml: Likewise.
	* doc/man/pam_sm_close_session.3.xml: Likewise.
	* doc/man/pam_sm_open_session.3.xml: Likewise.
	* doc/man/pam_sm_setcred.3.xml: Likewise.
	* libpam/Makefile.am: Remove STATIC_MODULES cases.
	* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
	* libpam/pam_dynamic.c: Likewise.
	* libpam/pam_handlers.c: Likewise.
	* libpam/pam_private.h: Likewise.
	* libpam/pam_static.c: Remove file.
	* libpam/pam_static_modules.h: Remove header file.
	* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
	* modules/pam_cracklib/pam_cracklib.c: Likewise.
	* modules/pam_debug/pam_debug.c: Likewise.
	* modules/pam_deny/pam_deny.c: Likewise.
	* modules/pam_echo/pam_echo.c: Likewise.
	* modules/pam_env/pam_env.c: Likewise.
	* modules/pam_exec/pam_exec.c: Likewise.
	* modules/pam_faildelay/pam_faildelay.c: Likewise.
	* modules/pam_filter/pam_filter.c: Likewise.
	* modules/pam_ftp/pam_ftp.c: Likewise.
	* modules/pam_group/pam_group.c: Likewise.
	* modules/pam_issue/pam_issue.c: Likewise.
	* modules/pam_keyinit/pam_keyinit.c: Likewise.
	* modules/pam_lastlog/pam_lastlog.c: Likewise.
	* modules/pam_limits/pam_limits.c: Likewise.
	* modules/pam_listfile/pam_listfile.c: Likewise.
	* modules/pam_localuser/pam_localuser.c: Likewise.
	* modules/pam_loginuid/pam_loginuid.c: Likewise.
	* modules/pam_mail/pam_mail.c: Likewise.
	* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
	* modules/pam_motd/pam_motd.c: Likewise.
	* modules/pam_namespace/pam_namespace.c: Likewise.
	* modules/pam_nologin/pam_nologin.c: Likewise.
	* modules/pam_permit/pam_permit.c: Likewise.
	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
	* modules/pam_rhosts/pam_rhosts.c: Likewise.
	* modules/pam_rootok/pam_rootok.c: Likewise.
	* modules/pam_securetty/pam_securetty.c: Likewise.
	* modules/pam_selinux/pam_selinux.c: Likewise.
	* modules/pam_sepermit/pam_sepermit.c: Likewise.
	* modules/pam_shells/pam_shells.c: Likewise.
	* modules/pam_stress/pam_stress.c: Likewise.
	* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
	* modules/pam_tally/pam_tally.c: Likewise.
	* modules/pam_tally2/pam_tally2.c: Likewise.
	* modules/pam_time/pam_time.c: Likewise.
	* modules/pam_timestamp/pam_timestamp.c: Likewise.
	* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
	* modules/pam_umask/pam_umask.c: Likewise.
	* modules/pam_userdb/pam_userdb.c: Likewise.
	* modules/pam_warn/pam_warn.c: Likewise.
	* modules/pam_wheel/pam_wheel.c: Likewise.
	* modules/pam_xauth/pam_xauth.c: Likewise.
	* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
	* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
	* modules/pam_unix/pam_unix_auth.c: Likewise.
	* modules/pam_unix/pam_unix_passwd.c: Likewise.
	* modules/pam_unix/pam_unix_sess.c: Likewise.
	* modules/pam_unix/pam_unix_static.c: Removed.
	* modules/pam_unix/pam_unix_static.h: Removed.
	* po/POTFILES.in: Remove removed files.
	* tests/tst-dlopen.c: Remove PAM_STATIC part.

2016-03-24  Thorsten Kukuk  <kukuk@thkukuk.de>

	Fix check for libtirpc and enhance check for libnsl to include new libnsl.
	* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
	* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*

2016-03-23  Thorsten Kukuk  <kukuk@thkukuk.de>

	Remove YP dependencies from pam_access, they were never used and such not needed.
	* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
	* modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
	  it will never be used.

2016-03-04  Tomas Mraz  <tmraz@fedoraproject.org>

	Add checks for localtime() returning NULL.
	* modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r
	returning NULL.
	* modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning
	NULL.

	pam_unix: Silence warnings and fix a minor bug.
	Fixes a minor bug in behavior when is_selinux_enabled()
	returned negative value.

	* modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
	(unix_update_shadow): Safe cast forwho to non-const char *.
	* modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.

2016-02-17  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_env: Document the /etc/environment file.
	* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
	* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
	* modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
	Add a paragraph about /etc/environment. Add environ(7) reference.

	pam_unix: Add no_pass_expiry option to ignore password expiration.
	* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
	is on and return value data is not set to PAM_SUCCESS then ignore
	PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
	return value data.
	(pam_sm_setcred): Test for likeauth option and use the return value data
	only if set.
	* modules/pam_unix/support.h: Add the no_pass_expiry option.

2016-01-25  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_unix: Change the salt length for new hashes to 16 characters.
	* modules/pam_unix/passverify.c (create_password_hash): Change the
	salt length for new hashes to 16 characters.

2015-12-17  Tomas Mraz  <tmraz@fedoraproject.org>

	Relax the conditions for fatal failure on auditing.
	The PAM library calls will not fail anymore for any uid if the return
	value from the libaudit call is -EPERM.

	* libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.

2015-12-16  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_tally2: Optionally log the tally count when checking.
	* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
	(tally_check): Always log the tally count with debug option.

2015-10-02  Jakub Hrozek  <jakub.hrozek@posteo.se>

	Docfix: pam handle is const in pam_syslog() and pam_vsyslog()
	* doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().

2015-09-24  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_loginuid: Add syslog message if required auditd is not detected.
	* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
	if required auditd is not detected.

2015-09-04  Tomas Mraz  <tmraz@fedoraproject.org>

	Allow links to be used instead of w3m for documentation regeneration.
	* configure.ac: If w3m is not found check for links.

	Add missing space in pam_misc_setenv man page.
	* doc/man/pam_misc_setenv.3.xml: Add a missing space.

2015-08-12  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_rootok: use rootok permission instead of passwd permission in SELinux check.
	* modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
	passwd permission.

2015-08-05  Amarnath Valluri  <amarnath.valluri@intel.com>

	pam_timestamp: Avoid leaking file descriptor.
	* modules/pam_timestamp/hmacsha1.c(hmac_key_create):
	    close 'keyfd' when failed to own it.

2015-06-22  Thorsten Kukuk  <kukuk@thkukuk.de>

	Release version 1.2.1.
	Security fix: CVE-2015-3238

	If the process executing pam_sm_authenticate or pam_sm_chauthtok method
	of pam_unix is not privileged enough to check the password, e.g.
	if selinux is enabled, the _unix_run_helper_binary function is called.
	When a long enough password is supplied (16 pages or more, i.e. 65536+
	bytes on a system with 4K pages), this helper function hangs
	indefinitely, blocked in the write(2) call while writing to a blocking
	pipe that has a limited capacity.
	With this fix, the verifiable password length will be limited to
	PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.

	* NEWS: Update
	* configure.ac: Bump version
	* modules/pam_exec/pam_exec.8.xml: document limitation of password length
	* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
	* modules/pam_unix/pam_unix.8.xml: document limitation of password length
	* modules/pam_unix/pam_unix_passwd.c: limit password length
	* modules/pam_unix/passverify.c: Likewise
	* modules/pam_unix/passverify.h: Likewise
	* modules/pam_unix/support.c: Likewise

2015-04-27  Thorsten Kukuk  <kukuk@thkukuk.de>

	Update NEWS file.

	Release version 1.2.0.
	* NEWS: Update
	* configure.ac: Bump version
	* libpam/Makefile.am: Bump version of libpam
	* libpam_misc/Makefile.am: Bump version of libpam_misc
	* po/*: Regenerate po files

	Fix some grammatical errors in documentation. Patch by Louis Sautier.
	* doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
	* doc/man/pam.3.xml: Likewise.
	* doc/man/pam_acct_mgmt.3.xml: Likewise.
	* doc/man/pam_chauthtok.3.xml: Likewise.
	* doc/man/pam_sm_chauthtok.3.xml: Likewise.
	* modules/pam_limits/limits.conf.5.xml: Likewise.
	* modules/pam_mail/pam_mail.8.xml: Likewise.
	* modules/pam_rhosts/pam_rhosts.c: Likewise.
	* modules/pam_shells/pam_shells.8.xml: Likewise.
	* modules/pam_tally/pam_tally.8.xml: Likewise.
	* modules/pam_tally2/pam_tally2.8.xml: Likewise.
	* modules/pam_unix/pam_unix.8.xml: Likewise.

2015-04-23  Thorsten Kukuk  <kukuk@thkukuk.de>

	Add "quiet" option to pam_unix to suppress informential info messages from session.
	* modules/pam_unix/pam_unix.8.xml: Document new option.
	* modules/pam_unix/support.h: Add quiet option.
	* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
	 'quiet' option is set.

2015-04-07  Tomas Mraz  <tmraz@fedoraproject.org>

	Use crypt_r if available in pam_userdb and in pam_unix.
	* modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
	instead of crypt() if available.
	* modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
	instead of crypt() if available.

2015-03-25  Thorsten Kukuk  <kukuk@thkukuk.de>

	Support alternative "vendor configuration" files as fallback to /etc (Ticket#34, patch from ay Sievers <kay@vrfy.org>)
	* doc/man/pam.8.xml: document additonal config directory
	* libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
	* libpam/pam_private.h: adjust defines

	pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29)
	* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
	* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
	* modules/pam_env/pam_env.8.xml: Enhance documentation

2015-03-24  Thorsten Kukuk  <kukuk@thkukuk.de>

	Clarify pam_access docs re PAM service names and X $DISPLAY value testing. (Ticket #39)
	* modules/pam_access/access.conf.5.xml
	* modules/pam_access/pam_access.8.xml

	Don't use sudo directory, the timestamp format is different (Ticket#32)
	* modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.

	Enhance group.conf examples (Ticket#35)
	* modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.

	Document timestampdir option (Ticket#33)
	* modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.

	Adjust documentation (Ticket#36)
	* libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
	* doc/man/pam_fail_delay.3.xml: Change 25% to 50%

2015-02-18  Tomas Mraz  <tmraz@fedoraproject.org>

	Updated translations from Transifex.
	* po/*.po: Updated translations from Transifex.

2015-01-07  Dmitry V. Levin  <ldv@altlinux.org>

	build: raise gettext version requirement.
	Raise gettext requirement to the latest oldstable version 0.18.3.
	This fixes the following automake warning:

	configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
	configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
	configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.

	* configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
	* po/Makevars: Update from gettext-0.18.3.

2015-01-07  Ronny Chevalier  <chevalier.ronny@gmail.com>

	build: adjust automake warning flags.
	Enable all automake warning flags except for the portability issues,
	since non portable features are used among the makefiles.

	* configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.

2015-01-07  Dmitry V. Levin  <ldv@altlinux.org>

	build: rename configure.in to configure.ac.
	This fixes the following automake warning:
	aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'

	* configure.in: Rename to configure.ac.

	Remove unmodified GNU gettext files installed by autopoint.
	These files are part of GNU gettext; we have not modified them, they are
	installed by autopoint which is called by autoreconf, so they had to be
	removed from this repository along with ABOUT-NLS, config.rpath, and
	mkinstalldirs files that were removed by commit
	Linux-PAM-1_1_5-7-g542ec8b.

	* po/Makefile.in.in: Remove.
	* po/Rules-quot: Likewise.
	* po/boldquot.sed: Likewise.
	* po/en@boldquot.header: Likewise.
	* po/en@quot.header: Likewise.
	* po/insert-header.sin: Likewise.
	* po/quot.sed: Likewise.
	* po/remove-potcdate.sin: Likewise.
	* po/.gitignore: Ignore these files.

2015-01-06  Ronny Chevalier  <chevalier.ronny@gmail.com>

	Update .gitignore.
	* .gitignore: Ignore *.log and *.trs files.

2015-01-02  Luke Shumaker  <lukeshu@sbcglobal.net>

	libpam: Only print "Password change aborted" when it's true.
	pam_get_authtok() may be used any time that a password needs to be entered,
	unlike pam_get_authtok_{no,}verify(), which may only be used when
	changing a password; yet when the user aborts, it prints "Password change
	aborted." whether or not that was the operation being performed.

	This bug was non-obvious because none of the modules distributed with
	Linux-PAM use it for anything but changing passwords; pam_unix has its
	own utility function that it uses instead.  As an example, the
	nss-pam-ldapd package uses it in pam_sm_authenticate().

	libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
	password is trying to be changed before printing a message about the
	password change being aborted.

2014-12-10  Dmitry V. Levin  <ldv@altlinux.org>

	build: extend cross compiling check to cover CPPFLAGS (ticket #21)
	Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in
	case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS,
	and BUILD_LDFLAGS variables introduced earlier to override CC,
	CFLAGS, and LDFLAGS, respectively.

	* configure.in (BUILD_CPPFLAGS): Define.
	* doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.

2014-12-09  Dmitry V. Levin  <ldv@altlinux.org>

	Do not use yywrap (ticket #42)
	Our scanners do not really use yywrap.  Explicitly disable yywrap
	so that no references to yywrap will be generated and no LEXLIB
	would be needed.

	* conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove.
	* conf/pam_conv1/pam_conv_l.l: Enable noyywrap option.
	* doc/specs/Makefile.am (padout_LDADD): Remove.
	* doc/specs/parse_l.l: Enable noyywrap option.

2014-12-09  Kyle Manna  <kyle@kylemanna.com>

	doc: fix a trivial typo in pam_authenticate return values (ticket #38)
	* doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.

2014-12-09  Ronny Chevalier  <chevalier.ronny@gmail.com>

	doc: fix typo in pam_authenticate.3.xml.
	* doc/man/pam_authenticate.3.xml: Fix typo.

2014-10-17  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_succeed_if: Fix copy&paste error in rhost and tty values.
	modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST
	and PAM_TTY properly for the rhost and tty values.

	pam_succeed_if: Use long long type for numeric values.
	The currently used long with additional conversion to int is
	too small for uids and gids.

	modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace
	strtol() with strtoll() and int with long long in the parameters
	of comparison functions.

2014-09-05  Tomas Mraz  <tmraz@fedoraproject.org>

	Add grantor field to audit records of libpam.
	The grantor field gives audit trail of PAM modules which granted access
	for successful return from libpam calls. In case of failed return
	the grantor field is set to '?'.
	libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
	libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
	libpam/pam_password.c (pam_chauthtok): Likewise.
	libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
	libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
	add grantor= field to the message if grantors is set.
	(_pam_list_grantors): New function creating the string with grantors list.
	(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
	to list the grantors from the handler list.
	(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
	(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
	libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
	(_pam_clear_grantors): New function to clear grantor field of handler.
	(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
	Call _pam_auditlog() when appropriate.
	libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
	or just "?" to avoid confusing audit trail.
	(_pam_add_handler): Test for NULL return from extract_modulename().
	Clear grantor field of handler.
	libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
	parameter to _pam_auditlog().

2014-08-26  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_mkhomedir: Drop superfluous stat() call.
	modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous
	stat() call.

	pam_exec: Do not depend on open() returning STDOUT_FILENO.
	modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to
	STDOUT_FILENO if needed.

2014-08-25  Robin Hack  <rhack@redhat.com>

	pam_keyinit: Check return value of setregid.
	modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.

	pam_filter: Avoid leaking descriptors when fork() fails.
	modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.

2014-08-14  Robin Hack  <rhack@redhat.com>

	pam_echo: Avoid leaking file descriptor.
	modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.

2014-08-13  Robin Hack  <rhack@redhat.com>

	pam_tty_audit: Silence Coverity reporting uninitialized use.
	modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also
	msg_flags.

2014-08-13  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_tally2: Avoid uninitialized use of fileinfo.
	Problem found by Robin Hack <rhack@redhat.com>.
	modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size
	just try to read it.

	pam_access: Avoid uninitialized access of line.
	* modules/pam_access/pam_access.c (login_access): Reorder condition
	so line is not accessed when uninitialized.

2014-08-05  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_lastlog: Properly clean up last_login structure before use.
	modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login
	structure before use.

2014-07-21  Tomas Mraz  <tmraz@fedoraproject.org>

	Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.
	* modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields
	in opasswd entry and return error.
	* modules/pam_unix/passverify.c (save_old_password): Test for missing fields
	in opasswd entry and skip it.

2014-07-01  Dmitry V. Levin  <ldv@altlinux.org>

	doc: add missing build dependencies for soelim stubs.
	* doc/man/Makefile.am [ENABLE_REGENERATE_MAN]: Add dependencies for
	pam_verror.3, pam_vinfo.3, pam_vprompt.3, and pam_vsyslog.3 soelim stubs.

2014-06-23  Dmitry V. Levin  <ldv@altlinux.org>

	doc: fix install in case of out of tree build (ticket #31)
	* doc/adg/Makefile.am (install-data-local, releasedocs): Fall back
	to srcdir if documentation files haven't been found in builddir.
	(releasedocs): Treat missing documentation files as an error.
	* doc/mwg/Makefile.am: Likewise.
	* doc/sag/Makefile.am: Likewise.

2014-06-19  Dmitry V. Levin  <ldv@altlinux.org>

	doc: fix installation of adg-*.html and mwg-*.html files (ticket #31)
	Fix a typo due to which sag-*.html files might be installed instead of
	adg-*.html and mwg-*.html files.

	* doc/adg/Makefile.am (install-data-local): Install adg-*.html instead
	of sag-*.html.
	* doc/mwg/Makefile.am (install-data-local): Install mwg-*.html instead
	of sag-*.html.

	Patch-by: Mike Frysinger <vapier@gentoo.org>

2014-06-19  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_limits: nofile refers to file descriptors not files.
	modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit.
	modules/pam_limits/limits.conf: Likewise.

	pam_limits: clarify documentation of maxlogins and maxsyslogins limits.
	modules/pam_limits/limits.conf.5.xml: clarify documentation of
	maxlogins and maxsyslogins limits.

	pam_unix: Check for NULL return from Goodcrypt_md5().
	modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for
	NULL return from Goodcrypt_md5().

	pam_unix: check for NULL return from malloc()
	* modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().

2014-05-22  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_loginuid: Document one more possible case of PAM_IGNORE return.
	modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case
	of PAM_IGNORE return value.

	pam_loginuid: Document other possible return values.
	modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return
	values.

2014-03-26  Dmitry V. Levin  <ldv@altlinux.org>

	pam_timestamp: fix potential directory traversal issue (ticket #27)
	pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
	the timestamp pathname it creates, so extra care should be taken to
	avoid potential directory traversal issues.

	* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
	"." and ".." tty values as invalid.
	(get_ruser): Treat "." and ".." ruser values, as well as any ruser
	value containing '/', as invalid.

	Fixes CVE-2014-2583.

	Reported-by: Sebastian Krahmer <krahmer@suse.de>

2014-03-20  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_userdb: document that .db suffix should not be used.
	modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix
	should not be used and correct the example.

2014-03-11  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_selinux: canonicalize user name.
	SELinux expects canonical user name for example without domain component.

	* modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().

2014-01-28  Dmitry V. Levin  <ldv@altlinux.org>

	Change tarball name back to "Linux-PAM"
	As a side effect of commit Linux-PAM-1_1_8-11-g3fa23ce, tarball name
	changed accidentally from "Linux-PAM" to "linux-pam".
	This change brings it back to "Linux-PAM".

	* configure.in (AC_INIT): Explicitly specify TARNAME argument.

2014-01-27  Dmitry V. Levin  <ldv@altlinux.org>

	Introduce pam_modutil_sanitize_helper_fds.
	This change introduces pam_modutil_sanitize_helper_fds - a new function
	that redirects standard descriptors and closes all other descriptors.

	pam_modutil_sanitize_helper_fds supports three types of input and output
	redirection:
	- PAM_MODUTIL_IGNORE_FD: do not redirect at all.
	- PAM_MODUTIL_PIPE_FD: redirect to a pipe.  For stdin, it is implemented
	  by creating a pipe, closing its write end, and redirecting stdin to
	  its read end.  Likewise, for stdout/stderr it is implemented by
	  creating a pipe, closing its read end, and redirecting to its write
	  end.  Unlike stdin redirection, stdout/stderr redirection to a pipe
	  has a side effect that a process writing to such descriptor should be
	  prepared to handle SIGPIPE appropriately.
	- PAM_MODUTIL_NULL_FD: redirect to /dev/null.  For stdin, it is
	  implemented via PAM_MODUTIL_PIPE_FD because there is no functional
	  difference.  For stdout/stderr, it is classic redirection to
	  /dev/null.

	PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel
	security restrictions, but when the helper process might be writing to
	the corresponding descriptor and termination of the helper process by
	SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD.

	* libpam/pam_modutil_sanitize.c: New file.
	* libpam/Makefile.am (libpam_la_SOURCES): Add it.
	* libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd,
	pam_modutil_sanitize_helper_fds): New declarations.
	* libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface.
	* modules/pam_exec/pam_exec.c (call_exec): Use
	pam_modutil_sanitize_helper_fds.
	* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
	* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
	* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
	Likewise.
	* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
	* modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
	* modules/pam_unix/support.h (MAX_FD_NO): Remove.

	pam_xauth: avoid potential SIGPIPE when writing to xauth process.
	Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.

	* modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
	close the read end of input pipe after writing to its write end.

	pam_loginuid: log significant loginuid write errors.
	* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
	during /proc/self/loginuid update that are not ignored.

	Fix gratuitous use of strdup and x_strdup.
	There is no need to copy strings passed as arguments to execve,
	the only potentially noticeable effect of using strdup/x_strdup
	would be a malformed argument list in case of memory allocation error.

	Also, x_strdup, being a thin wrapper around strdup, is of no benefit
	when its argument is known to be non-NULL, and should not be used in
	such cases.

	* modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup
	instead of x_strdup, the latter is of no benefit in this case.
	* modules/pam_ftp/pam_ftp.c (lookup): Likewise.
	* modules/pam_userdb/pam_userdb.c (user_lookup): Likewise.
	* modules/pam_userdb/pam_userdb.h (x_strdup): Remove.
	* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use
	x_strdup for strings passed as arguments to execve.
	* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
	* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise.
	* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
	(_unix_verify_password): Use strdup instead of x_strdup, the latter
	is of no benefit in this case.
	* modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for
	strings passed as arguments to execv.

	pam_userdb: fix password hash comparison.
	Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
	passwords support in pam_userdb, hashes are compared case-insensitively.
	This bug leads to accepting hashes for completely different passwords in
	addition to those that should be accepted.

	Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
	modern password hashes with different lengths and settings, did not
	update the hash comparison accordingly, which leads to accepting
	computed hashes longer than stored hashes when the latter is a prefix
	of the former.

	* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
	hash whose length differs from the stored hash length.
	Compare computed and stored hashes case-sensitively.
	Fixes CVE-2013-7041.

	Bug-Debian: http://bugs.debian.org/731368

2014-01-24  Dmitry V. Levin  <ldv@altlinux.org>

	pam_xauth: log fatal errors preventing xauth process execution.
	* modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe()
	and fork() calls.

2014-01-22  Dmitry V. Levin  <ldv@altlinux.org>

	pam_loginuid: cleanup loginuid buffer initialization.
	* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid
	buffer initialization closer to its first use.

	libpam_misc: fix an inconsistency in handling memory allocation errors.
	When misc_conv fails to allocate memory for pam_response array, it
	returns PAM_CONV_ERR.  However, when read_string fails to allocate
	memory for a response string, it loses the response string and silently
	ignores the error, with net result as if EOF has been read.

	* libpam_misc/misc_conv.c (read_string): Use strdup instead of x_strdup,
	the latter is of no benefit in this case.
	Do not ignore potential memory allocation errors returned by strdup,
	forward them to misc_conv.

2014-01-20  Dmitry V. Levin  <ldv@altlinux.org>

	pam_limits: fix utmp->ut_user handling.
	ut_user member of struct utmp is a string that is not necessarily
	null-terminated, so extra care should be taken when using it.

	* modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to
	a null-terminated string and consistently use it where a null-terminated
	string is expected.

	pam_mkhomedir: check and create home directory for the same user (ticket #22)
	Before pam_mkhomedir helper was introduced in commit
	7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for
	existance and creating the same directory - the home directory of the
	user NAME returned by pam_get_item(PAM_USER).

	The change in behaviour accidentally introduced along with
	mkhomedir_helper is not consistent: while the module still checks for
	getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is
	getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily
	the same as the directory being checked.

	This change brings check and creation back in sync, both handling
	getpwnam(NAME)->pw_dir.

	* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace
	"struct passwd *" argument with user's name and home directory.
	Pass user's name to MKHOMEDIR_HELPER.
	(pam_sm_open_session): Update create_homedir call.

2014-01-20  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_limits: detect and ignore stale utmp entries.
	Original idea by Christopher Hailey

	* modules/pam_limits/pam_limits.c (check_logins): Use kill() to
	detect if pid of the utmp entry is still running and ignore the entry
	if it is not.

2014-01-19  Stéphane Graber  <stgraber@ubuntu.com>

	pam_loginuid: Always return PAM_IGNORE in userns.
	The previous patch to support user namespaces works fine with containers
	that are started from a desktop/terminal session but fails when dealing
	with containers that were started from a remote session such as ssh.

	I haven't looked at the exact reason for that in the kernel but on the
	userspace side of things, the difference is that containers started from
	an ssh session will happily let pam open /proc/self/loginuid read-write,
	will let it read its content but will then fail with EPERM when trying
	to write to it.

	So to make the userns support bullet proof, this commit moves the userns
	check earlier in the function (which means a small performance impact as
	it'll now happen everytime on kernels that have userns support) and will
	set rc = PAM_IGNORE instead of rc = PAM_ERROR.

	The rest of the code is still executed in the event that PAM is run on a
	future kernel where we have some kind of audit namespace that includes a
	working loginuid.

2014-01-15  Steve Langasek  <vorlon@debian.org>

	pam_namespace: don't use bashisms in default namespace.init script.
	* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
	namespace init script, so that scripts run with maximum privilege regardless
	of the shell implementation.
	* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
	shebang line

	This is not a POSIX standard option, it's a bashism.  The bash manpage says
	that it's used to prevent the effective user id from being reset to the real
	user id on startup, and to ignore certain unsafe variables from the
	environment.

	In the case of pam_namespace, the -p is not necessary for environment
	sanitizing because the PAM module (properly) sanitizes the environment
	before execing the script.

	The stated reason given in CVS history for passing -p is to "preserve euid
	when called from setuid apps (su, newrole)."  This should be done more
	portably, by calling setuid() before spawning the shell.

	Bug-Debian: http://bugs.debian.org/624842
	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323

2014-01-10  Stéphane Graber  <stgraber@ubuntu.com>

	pam_loginuid: Ignore failure in user namespaces.
	When running pam_loginuid in a container using the user namespaces, even
	uid 0 isn't allowed to set the loginuid property.

	This change catches the EACCES from opening loginuid, checks if the user
	is in the host namespace (by comparing the uid_map with the host's one)
	and only if that's the case, sets rc to 1.

	Should uid_map not exist or be unreadable for some reason, it'll be
	assumed that the process is running on the host's namespace.

	The initial reason behind this change was failure to ssh into an
	unprivileged container (using a 3.13 kernel and current LXC) when using
	a standard pam profile for sshd (which requires success from
	pam_loginuid).

	I believe this solution doesn't have any drawback and will allow people
	to use unprivileged containers normally. An alternative would be to have
	all distros set pam_loginuid as optional but that'd be bad for any of
	the other potential failure case which people may care about.

	There has also been some discussions to get some of the audit features
	tied with the user namespaces but currently none of that has been merged
	upstream and the currently proposed implementation doesn't cover
	loginuid (nor is it clear how this should even work when loginuid is set
	as immutable after initial write).

2014-01-10  Dmitry V. Levin  <ldv@altlinux.org>

	pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist.
	When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
	PAM_SUCCESS, so that we can distinguish between "loginuid set
	successfully" and "loginuid not set, but this is expected".

	Suggested by Steve Langasek.

	* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
	code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
	does not exist, PAM_SESSION_ERR in case of any other error.
	(_pam_loginuid): Forward the PAM error code returned by set_loginuid.

2013-11-20  Dmitry V. Levin  <ldv@altlinux.org>

	pam_access: fix debug level logging (ticket #19)
	* modules/pam_access/pam_access.c (group_match): Log the group token
	passed to the function, not an uninitialized data on the stack.

	pam_warn: log flags passed to the module (ticket #25)
	* modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and
	log it using pam_syslog.
	(pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok,
	pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass
	"flags" argument to log_items.

	Modernize AM_INIT_AUTOMAKE invocation.
	Before this change, automake complained that two- and three-arguments
	forms of AM_INIT_AUTOMAKE are deprecated.

	* configure.in: Pass PACKAGE and VERSION arguments to AC_INIT instead
	of AM_INIT_AUTOMAKE.

	Fix autoconf warnings.
	Before this change, autoconf complained that AC_COMPILE_IFELSE
	and AC_RUN_IFELSE was called before AC_USE_SYSTEM_EXTENSIONS.

	* configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT.

	pam_securetty: check return value of fgets.
	Checking return value of fgets not only silences the warning from glibc
	but also leads to a cleaner code.

	* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
	Check return value of fgets.

	pam_lastlog: fix format string.
	gcc -Wformat justly complains:
	format '%d' expects argument of type 'int', but argument 5 has type 'time_t'

	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format
	string.

2013-11-20  Darren Tucker  <dtucker@zip.com.au>

	If the correct loginuid is set already, skip writing it.
	modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid
	and skip writing if already correctly set.

2013-11-11  Thorsten Kukuk  <kukuk@thkukuk.de>

		Always ask for old password if changing NIS account.
		* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask
		for old password if NIS account.

2013-11-08  Thorsten Kukuk  <kukuk@thkukuk.de>

	Allow DES as compatibility option for /etc/login.defs.
	* modules/pam_unix/support.h: Add UNIX_DES

2013-10-14  Tomas Mraz  <tmraz@fedoraproject.org>

	Docfix: pam_prompt() and pam_vprompt() return int.
	doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int.

	Make pam_tty_audit work with old kernels not supporting log_passwd.
	modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros
	if message is short from older kernel.

2013-09-25  Tomas Mraz  <tmraz@fedoraproject.org>

	Fix pam_tty_audit log_passwd support and regression.
	modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include.
	(pam_sm_open_session): Always copy the old status as initialization of new.

2013-09-19  Thorsten Kukuk  <kukuk@thkukuk.de>

	Release version 1.1.8.

2013-09-16  Thorsten Kukuk  <kukuk@thkukuk.de>

	Check return value of setuid to remove glibc warnings.
	* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
	* modules/pam_unix/support.c: Likewise.

2013-09-13  Tomas Mraz  <tmraz@fedoraproject.org>

	Write to *rounds only if non-NULL.
	modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.

	Add missing ')'
	modules/pam_unix/pam_unix_passwd.c: Add missing ')'..

2013-09-11  Thorsten Kukuk  <kukuk@thkukuk.de>

	Release version 1.1.7.

2013-09-11  Tomas Mraz  <tmraz@fedoraproject.org>

	Updated translations from Transifex.
	po/*.po: Updated translations from Transifex.

2013-09-04  Thorsten Kukuk  <kukuk@thkukuk.de>

	Extend pam_exec by stdout and type= options (ticket #8):
	* modules/pam_exec/pam_exec.c: Add stdout and type= option
	* modules/pam_exec/pam_exec.8.xml: Document new options

2013-08-30  Thorsten Kukuk  <kukuk@thkukuk.de>

	Fix compile error.
	* modules/pam_unix/pam_unix_acct.c: fix last change

2013-08-29  Thorsten Kukuk  <kukuk@thkukuk.de>

	Restart waitpid if it returns with EINTR (ticket #17)
	* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
	* modules/pam_unix/pam_unix_passwd.c: Likewise.
	* modules/pam_unix/support.c: Likewise.

2013-08-28  Thorsten Kukuk  <kukuk@thkukuk.de>

	misc_conv.3: Fix documentation of misc_conv.
	doc/man/misc_conv.3.xml: Fix return value of misc_conv

2013-08-23  Tomas Mraz  <tmraz@fedoraproject.org>

	Apply the exclusive check in pam_sepermit only when loginuid not set.
	* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
	/proc
	(sepermit_match): Apply the exclusive check only when loginuid not set.

2013-08-22  Tomas Mraz  <tmraz@fedoraproject.org>

	Updated translations from Transifex.
	* po/*.po: Updated translations from Transifex.

2013-07-02  Dmitry V. Levin  <ldv@altlinux.org>

	pam_rootok: fix linking in --enable-audit mode.
	pam_rootok.c explicitly uses functions from libaudit, so the module has
	to be linked with the library.

	* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.

2013-07-01  Richard Guy Briggs  <rgb@redhat.com>

	pam_tty_audit: fix a typo that crept in during patch review.
	* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
	all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
	HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
	* configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.

2013-06-21  Richard Guy Briggs  <rgb@redhat.com>

	pam_tty_audit: add an option to control logging of passwords: log_passwd
	Most commands are entered one line at a time and processed as complete lines
	in non-canonical mode.  Commands that interactively require a password, enter
	canonical mode with echo set to off to do this.  This feature (icanon and
	!echo) can be used to avoid logging passwords by audit while still logging the
	rest of the command.  Adding a member to the struct audit_tty_status passed in
	by pam_tty_audit allows control of logging passwords per task.

	* configure.in: autoconf bits to conditionally add support at compile time
	depending on struct audit_tty_status kernel header version.
	* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
	log_passwd option.
	* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
	"log_passwd" option parsing.

2013-06-20  Tomas Mraz  <tmraz@fedoraproject.org>

	Man page fix - unix_update runs in the permissive mode as well.
	modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
	permissive mode as well.

2013-06-18  Thorsten Kukuk  <kukuk@orinoco.thkukuk.de>

	Use hash from /etc/login.defs as default if no other one is specified as argument.
	* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
	* modules/pam_unix/support.h: Add define for /etc/login.defs
	* modules/pam_unix/pam_unix.8.xml: Document new behavior.
	* modules/pam_umask/pam_umask.c: Add missing NULL pointer check

2013-04-12  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_access: better not change the default function used to get domain name.
	modules/pam_access/pam_access.c (netgroup_match): As we did not use
	yp_get_default_domain() in the 1.1 branch due to typo in ifdef
	we should use it only as fallback.

2013-03-28  Tomas Mraz  <tmraz@fedoraproject.org>

	Fix strict aliasing issue in MD5 implementations.
	modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
	modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.

2013-03-22  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_lastlog: Do not fail on short read if btmp is corrupted.
	modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
	on short read or read error.

	pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux
	modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
	(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.

2013-02-08  Tomas Mraz  <tmraz@fedoraproject.org>

	Add checks for crypt() returning NULL.
	modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
	modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.

2013-02-07  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_userdb: Allow also modern password hashes supported by crypt().
	modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
	longer than 13 characters and long salt.

2013-01-18  Walter de Jong  <walter.dejong@surfsara.nl>

	pam_access: fix typo in ifdef.
	modules/pam_access/pam_access.c (netgroup_match): Fix typo
	in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.

2012-12-20  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_cracklib: Mention checks that are not run for root.
	modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
	when run as root.

	Update also the POT file.
	po/Linux-PAM.pot: Update to reflect current sources.

2012-12-12  Tomas Mraz  <tmraz@fedoraproject.org>

	Updated translations from Transifex, added new languages.
	po/LINGUAS: Added new languages.
	po/*.po: Updated translations from Transifex including new languages.

2012-11-30  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_selinux: Drop obsolete and unsupported manual context selection.
	modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
	(compute_exec_context): Drop manual_context() call.

2012-11-23  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_limits: fix grammatical mistake.
	modules/pam_limits/limits.conf: Fix grammatical mistake.

2012-11-13  Tomas Mraz  <tmraz@fedoraproject.org>

	Reflect the enforce_for_root semantics change in pam_pwhistory xtest.
	xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
	running with real uid == 0.

2012-10-10  Dmitry V. Levin  <ldv@altlinux.org>

	pam_unix: fix build in --enable-selinux mode.
	glibc's <sys/wait.h> starting with commit
	http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
	does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
	when pam is being built with SELinux support enabled, pam_unix_passwd.c
	uses getrlimit(2) and therefore should include <sys/resource.h> without
	relying on other headers.

	* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.

	Reported-by: Guido Trentalancia <guido@trentalancia.com>
	Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
	Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>

2012-10-10  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_namespace: add mntopts flag for tmpfs mount options.
	modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
	structure.
	modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
	(parse_method): Parse the mntopts flag.
	(ns_setup): Pass the mount_opts to mount().
	modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.

2012-09-06  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_selinux, pam_tally2: Add tty and rhost to audit data.
	modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
	rhost from PAM items and pass them to audit.
	modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
	rhost from PAM items and pass them to audit.
	(main): Obtain tty name of stdin and pass it to audit.

	Update configure.in to use more recent interfaces.
	configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead
	of AC_HELP_STRING.

2012-08-17  Tomas Mraz  <tmraz@fedoraproject.org>

	Add missing $(DESTDIR) when making directories on install.
	modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
	$(namespaceddir) on install.
	modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
	$(sepermitlockdir) on install.

2012-08-17  Thorsten Kukuk  <kukuk@orinoco.thkukuk.de>

	release version 1.1.6.
	configure.in: Bump version to 1.1.6
	NEWS: Document changes
	po/*.po: Regenerate *.po files

2012-08-16  Thorsten Kukuk  <kukuk@thkukuk.de>

	Small documentation and define fixes.
	modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
	modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
	modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
	modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]

2012-08-13  Tomas Mraz  <tmraz@fedoraproject.org>

	Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify().
	libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE
	item when obtained from module options.
	(pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting.

2012-08-09  Tomas Mraz  <tmraz@fedoraproject.org>

	Document limits.d also in the limits.conf manpage.
	modules/pam_limits/limits.conf.5.xml: Document the limits.d existence.

2012-07-23  Tomas Mraz  <tmraz@fedoraproject.org>

	New autotools do not create empty directories on install.
	modules/pam_namespace/Makefile.am: Add install-data-local target to create
	namespaceddir.
	modules/pam_sepermit/Makefile.am: Add install-data-local target to create
	sepermitlockdir.

2012-07-09  Stevan Bajić  <stevan@bajic.ch>

	RLIMIT_* variables are no longer defined unless you explicitly include sys/resource.h.

	modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.

2012-06-27  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_umask: correct the documentation of GECOS field parsing.
	modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field
	parsing.

2012-06-22  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_cracklib: Add monotonic character sequence checking.
	modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option.
	(sequence): New function to check for too long monotonic sequence of characters.
	(password_check): Call the sequence().
	modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check.

2012-06-01  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_timestamp: Fix copy&paste error in manpage.
	modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section.

2012-05-28  Tomas Mraz  <tmraz@fedoraproject.org>

	Pulled new translations from Transifex.
	po/*.po: Updated translations.

	pam_pwhistory: Always record the old password even when root changes it.
	modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of
	the process instead of the target user UID (same as in pam_cracklib) to
	check for root. Always record old password.

2012-05-24  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_cracklib: Add enforce_for_root option.
	modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
	(pam_sm_chauthtok): Enforce errors for root with the option.
	modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.

2012-04-30  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore.
	modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
	(simple): Add the check for the same class repetition.
	(usercheck): Refactor into wordcheck().
	(gecoscheck): New test for words from the GECOS field.
	(password_check): Call the gecoscheck().
	(pam_sm_chauthtok): Drop the diff_ignore from options struct.
	modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.

	pam_lastlog: Never lock out the root account.
	modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
	uid==0.
	modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.

2012-04-17  Tomas Mraz  <tmraz@fedoraproject.org>

	pam_lastlog: add possibility to lock out inactive users in auth or account
	* modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and
	option.
	* modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out.
	(_pam_session_parse): Renamed from _pam_parse.
	(_pam_auth_parse): New function to parse auth arguments.
	(_last_login_open): Factor out opening of the lastlog file.
	(_last_login_read): Factor out opening of the lastlog file.
	(pam_sm_authenticate): Implement the lockout functionality.
	(pam_sm_setcred): Just return PAM_SUCCESS.
	(pam_sm_acct_mgmt): Call pam_sm_authenticate().

2012-04-11  Paul Wouters  <pwouters@redhat.com>

	Check for crypt() failure returning NULL.
	* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
	* modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
	returning NULL.

2012-02-03  Dmitry V. Levin  <ldv@altlinux.org>

	pam_unix: make configuration consistent in --enable-static-modules mode.
	In --enable-static-modules mode, it was not possible to use "pam_unix"
	in PAM config files.  Instead, different names had to be used for each
	management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
	pam_unix_session.  This change makes pam_unix configuration consistent
	with other PAM modules.

	* README: Remove the paragraph describing pam_unix distinctions in
	--enable-static-modules mode.
	* libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
	_pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
	_pam_unix_session_modstruct): Remove.
	(_pam_unix_modstruct): New pam_module declaration.
	* modules/pam_unix/pam_unix_static.h: New file.
	* modules/pam_unix/pam_unix_static.c: Likewise.
	* modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
	(pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
	* modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
	pam_unix_static.h
	[PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
	* modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
	pam_unix_static.h
	[PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
	* modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
	pam_unix_static.h
	[PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
	* modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
	pam_unix_static.h
	[PAM_STATIC] (_pam_unix_session_modstruct): Remove.

	Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>

2012-01-27  Dmitry V. Levin  <ldv@altlinux.org>

	Make --disable-cracklib compatible with --enable-static-modules mode.
	* configure.in: Define HAVE_LIBCRACK when cracklib is enabled.
	* libpam/pam_static_modules.h (static_modules): Guard the use of
	_pam_cracklib_modstruct by HAVE_LIBCRACK macro.

2012-02-10  Tomas Mraz  <tmraz@fedoraproject.org>

	Add missing includes for types used in the pam_modutil.h.
	* libpam/include/security/pam_modutil.h: Add missing includes for used types.

2012-01-27  Matveychikov Ilya  <i.matveychikov@securitycode.ru>

	Fix compile time errors in --enable-static-modules mode.
	* libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove
	obsolete declaration.
	(static_modules): Remove undefined reference to
	_pam_rhosts_auth_modstruct.
	* modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to
	{save,check}_old_pass in order to avoid conflicts with pam_unix.
	* modules/pam_pwhistory/opasswd.c: Likewise.
	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
	* modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to
	_pam_tally2_modstruct.

2012-01-26  Dmitry V. Levin  <ldv@altlinux.org>

	Fix SUBDIRS for --enable-static-modules mode.
	There is no way to build "modules" subdirectory before "libpam" anyway.
	In STATIC_MODULES mode, "libpam" subdirectory must be built twice to
	produce a usable libpam.a without undefined references to multiple
	_pam_*_modstruct symbols.

	* Makefile.am: Use default SUBDIRS in STATIC_MODULES mode.

2012-01-26  Matveychikov Ilya  <i.matveychikov@securitycode.ru>

	configure: fix typo in --disable-nis help string.
	* configure.in: Change '-disable-nis' to '--disable-nis'.

2012-01-26  Tomas Mraz  <tmraz@fedoraproject.org>

	Do not unmount anything by default in pam_namespace close session call.
	* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
	the unmount_on_close option and make the default to be to not unmount.
	* modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
	PAMNS_UNMOUNT_ON_CLOSE.
	* modules/pam_namespace/pam_namespace.8.xml: Document the change.

2012-01-24  Tomas Mraz  <tmraz@fedoraproject.org>

	Make / mount as rslave instead of bind mounting polydirs.
	* modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
	(check_inst_parent): Drop the always argument from protect_dir().
	(create_polydir): Likewise.
	(ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
	(setup_namespace): Mark the / with MS_SLAVE|MS_REC.
	* modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.

2012-01-13  Tomas Mraz  <tmraz@fedoraproject.org>

	Add possibility to match ruser, rhost, and tty in pam_succeed_if.
	* modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser,
	rhost, and tty as left operand.
	* modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new
	possible left operands.

2012-01-03  Tomas Mraz  <tmraz@fedoraproject.org>

	Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam.

	Fix matching of usernames in the pam_unix remember feature.
	* modules/pam_unix/pam_unix_passwd.c (check_old_password): Make
	sure we match only the whole username in opasswd entry.
	* modules/pam_unix/passverify.c (save_old_password): Likewise make
	sure we match only the whole username in opasswd entry.

2011-12-26  Dmitry V. Levin  <ldv@altlinux.org>

	pam_start: fix memory leak on error path.
	* libpam/pam_start.c (pam_start): If _pam_make_env() or
	_pam_init_handlers() returned an error, release the memory allocated
	for pam_conv structure.

	Patch-by: cancel <suntsu@yandex.ru>.

2011-11-03  Dmitry V. Levin  <ldv@altlinux.org>

	pam_selinux.8.xml: update.
	* modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis):
	Reorder options, add new "restore" option.
	pam_selinux-description): Rewrite.
	(pam_selinux-options): Reorder options, describe new "restore" option.
	(pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR
	and PAM_BUF_ERR.
	(pam_selinux-see_also): Remove pam.conf(5).  Add execve(2), tty(4)
	and selinux(8).

	pam_selinux.c: add "restore" option.
	* modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new
	"restore" option.

	pam_selinux.c: rewrite using pam_get_data/pam_set_data.
	* modules/pam_selinux/pam_selinux.c (security_restorelabel_tty,
	security_label_tty): Remove old functions.
	(module_data_t): New structure.
	(free_module_data, cleanup, get_module_data, get_item,
	set_exec_context, set_file_context, compute_exec_context,
	compute_tty_context, restore_context, set_context,
	create_context): New functions.
	(pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session,
	pam_sm_close_session): Use them.

2011-10-28  Dmitry V. Levin  <ldv@altlinux.org>

	Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc.
	GNU automake documentation recommends to avoid using -l options in
	LDADD or LIBADD when referring to libraries built by the package.
	Instead, it recommends to write the file name of the library explicitly,
	and use -l option only to list third-party libraries.  As result, the
	default value of *_DEPENDENCIES will list all local libraries and omit
	the other ones.
	* modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace
	"-L$(top_builddir)/libpam -lpam" with
	"$(top_builddir)/libpam/libpam.la", to follow GNU automake
	recommendations.
	* modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise.
	* modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise.
	* modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise.
	* modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise.
	* modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise.
	* modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise.
	* modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise.
	* modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise.
	* modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise.
	* modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise.
	* modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise.
	* modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise.
	* modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise.
	* modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise.
	* modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise.
	* modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise.
	* modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise.
	* modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise.
	* modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise.
	* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD,
	mkhomedir_helper_LDADD): Likewise.
	* modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise.
	* modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise.
	* modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise.
	* modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise.
	* modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise.
	* modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise.
	* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise.
	* modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise.
	* modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise.
	* modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise.
	* modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise.
	* modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD):
	Likewise.
	* modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise.
	* modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD,
	pam_tally2_LDADD): Likewise.
	* modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise.
	* modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD,
	pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise.
	* modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise.
	* modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise.
	* modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise.
	* modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise.
	* modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise.
	* modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise.
	* modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise.
	* tests/Makefile.am (LDADD): Likewise.
	* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam"
	with "$(top_builddir)/libpam/libpam.la", and
	"-L$(top_builddir)/libpam_misc -lpam_misc" with
	"$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake
	recommendations.
	* xtests/Makefile.am (LDADD): Likewise.
	* modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise.

	Fix usage of LIBADD, LDADD and LDFLAGS.
	* modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to
	pam_selinux_check_LDADD.
	* modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from
	AM_LDFLAGS.
	* modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from
	AM_LDFLAGS.
	* modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from
	AM_LDFLAGS.
	* modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from
	AM_LDFLAGS.
	* xtests/Makefile.am: Rename AM_LDFLAGS to LDADD.

2011-10-27  Dmitry V. Levin  <ldv@altlinux.org>

	Update .gitignore files.
	* .gitignore: Add common ignore patterns.
	* m4/.gitignore: Unignore local m4 files.
	* dynamic/.gitignore: Unignore Makefile.
	* libpamc/test/modules/.gitignore: Likewise.
	* libpamc/test/regress/.gitignore: Likewise.
	* po/.gitignore: Add Makevars.template.
	* conf/.gitignore: Remove common ignore patterns.
	* conf/pam_conv1/.gitignore: Likewise.
	* doc/.gitignore: Likewise.
	* doc/specs/.gitignore: Likewise.
	* doc/specs/formatter/.gitignore: Likewise.
	* examples/.gitignore: Likewise.
	* modules/pam_filter/upperLOWER/.gitignore: Likewise.
	* modules/pam_mkhomedir/.gitignore: Likewise.
	* modules/pam_selinux/.gitignore: Likewise.
	* modules/pam_stress/.gitignore: Likewise.
	* modules/pam_tally/.gitignore: Likewise.
	* modules/pam_tally2/.gitignore: Likewise.
	* modules/pam_timestamp/.gitignore: Likewise.
	* modules/pam_unix/.gitignore: Likewise.
	* tests/.gitignore: Likewise.
	* xtests/.gitignore: Likewise.
	* doc/adg/.gitignore: Remove.
	* doc/man/.gitignore: Remove.
	* doc/mwg/.gitignore: Remove.
	* doc/sag/.gitignore: Remove.
	* libpamc/.gitignore: Remove.
	* libpamc/test/.gitignore: Remove.
	* libpam/.gitignore: Remove.
	* libpam_misc/.gitignore: Remove.
	* modules/.gitignore: Remove.
	* modules/pam_access/.gitignore: Remove.
	* modules/pam_cracklib/.gitignore: Remove.
	* modules/pam_debug/.gitignore: Remove.
	* modules/pam_deny/.gitignore: Remove.
	* modules/pam_echo/.gitignore: Remove.
	* modules/pam_env/.gitignore: Remove.
	* modules/pam_exec/.gitignore: Remove.
	* modules/pam_faildelay/.gitignore: Remove.
	* modules/pam_filter/.gitignore: Remove.
	* modules/pam_ftp/.gitignore: Remove.
	* modules/pam_group/.gitignore: Remove.
	* modules/pam_issue/.gitignore: Remove.
	* modules/pam_keyinit/.gitignore: Remove.
	* modules/pam_lastlog/.gitignore: Remove.
	* modules/pam_limits/.gitignore: Remove.
	* modules/pam_listfile/.gitignore: Remove.
	* modules/pam_localuser/.gitignore: Remove.
	* modules/pam_loginuid/.gitignore: Remove.
	* modules/pam_mail/.gitignore: Remove.
	* modules/pam_motd/.gitignore: Remove.
	* modules/pam_namespace/.gitignore: Remove.
	* modules/pam_nologin/.gitignore: Remove.
	* modules/pam_permit/.gitignore: Remove.
	* modules/pam_pwhistory/.gitignore: Remove.
	* modules/pam_rhosts/.gitignore: Remove.
	* modules/pam_rootok/.gitignore: Remove.
	* modules/pam_securetty/.gitignore: Remove.
	* modules/pam_sepermit/.gitignore: Remove.
	* modules/pam_shells/.gitignore: Remove.
	* modules/pam_succeed_if/.gitignore: Remove.
	* modules/pam_time/.gitignore: Remove.
	* modules/pam_tty_audit/.gitignore: Remove.
	* modules/pam_umask/.gitignore: Remove.
	* modules/pam_userdb/.gitignore: Remove.
	* modules/pam_warn/.gitignore: Remove.
	* modules/pam_wheel/.gitignore: Remove.
	* modules/pam_xauth/.gitignore: Remove.

	Move generated auxiliary files to build-aux directory.
	* configure.in: Add AC_CONFIG_AUX_DIR([build-aux]).

	Remove generated files.
	* ABOUT-NLS: Remove.
	* INSTALL: Remove.
	* config.rpath: Remove.
	* install-sh: Remove.
	* mkinstalldirs: Remove.
	* Makefile.am (EXTRA_DIST): Remove config.rpath and mkinstalldirs.
	* .gitignore: Add ABOUT-NLS and INSTALL.

	Create release tarballs using safe ownership and permissions.
	* Makefile.am: Define and export TAR_OPTIONS.

	Generate ChangeLog from git log.
	* .gitignore: Add ChangeLog
	* ChangeLog: Rename to ChangeLog-CVS.
	* Makefile.am (gen-changelog): New rule.
	(dist-hook, .PHONY): Depend on it.
	(EXTRA_DIST): Add ChangeLog-CVS.
	* README-hacking: New file.
	* gitlog-to-changelog: Import from gnulib.
	* autogen.sh: Create empty ChangeLog file to make automake strictness
	check happy.  Use automated "autoreconf -fiv" instead of manual
	invocations of various autotools.

	Fix "make distcheck"
	There is no use to distribute m4 files manually, because automake does
	the right thing, while manual distribution is not only redundant but
	also very fragile.
	* Makefile.am (M4_FILES): Remove.
	(EXTRA_DIST): Remove M4_FILES.

	Remove modules/pam_timestamp/hmacfile from distribution.
	* modules/pam_timestamp/Makefile.am (dist_TESTS): Add tst-pam_timestamp.
	(nodist_TESTS): Add hmacfile.
	(EXTRA_DIST): Replace TESTS with dist_TESTS.

	Rename all .cvsignore files to .gitignore.

	Fix whitespace issues.
	Cleanup trailing whitespaces, indentation that uses spaces before tabs,
	and blank lines at EOF.  Make the project free of warnings reported by
	git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD


See ChangeLog-CVS for earlier changes.