@@ -122,7 +122,7 @@ EXTRA_DIST = \

 	service-win32 \

 	contrib \

 	debug \

-	plugins \

+	plugin \

         management \

         pkcs11-headers \

 	cryptoki-win32.h

@@ -101,13 +101,13 @@ and portability to most major OS platforms.

 %__strip %{name}

 # Build down-root plugin

-pushd plugins/down-root

+pushd plugin/down-root

 %__make

 popd

 # Build auth-pam plugin

 %if %{build_auth_pam}

-pushd plugins/auth-pam

+pushd plugin/auth-pam

 %__make

 popd

 %endif

@@ -151,16 +151,16 @@ popd

 # Install the plugins

 #

-%__mkdir_p %{buildroot}%{_datadir}/%{name}/plugins/lib

+%__mkdir_p %{buildroot}%{_datadir}/%{name}/plugin/lib

 for pi in auth-pam down-root; do

-  %__mv -f plugins/$pi/README plugins/README.$pi

-  if [ -e plugins/$pi/openvpn-$pi.so ]; then

-    %__install -c -m 755 plugins/$pi/openvpn-$pi.so %{buildroot}%{_datadir}/openvpn/plugins/lib/openvpn-$pi.so

+  %__mv -f plugin/$pi/README plugin/README.$pi

+  if [ -e plugin/$pi/openvpn-$pi.so ]; then

+    %__install -c -m 755 plugin/$pi/openvpn-$pi.so %{buildroot}%{_datadir}/openvpn/plugin/lib/openvpn-$pi.so

   fi

 done

-%__mv -f plugins/README plugins/README.plugins

+%__mv -f plugin/README plugin/README.plugins

 #

 # Clean section

@@ -220,14 +220,10 @@ fi

 %endif

 # Install extra %doc stuff

-%doc contrib/ easy-rsa/ management/ sample-*/ plugins/README.*

+%doc contrib/ easy-rsa/ management/ sample-*/ plugin/README.*

 %changelog

-* Mon Oct 13 2005 James Yonan

-- Renamed plugin directory to plugins to

-  work around automake issue.

-

 * Mon Aug 2 2005 James Yonan

 - Fixed build problem with --define 'without_pam 1'

new file mode 100644

@@ -0,0 +1,47 @@

+OpenVPN Plugins

+---------------

+

+Starting with OpenVPN 2.0-beta17, compiled plugin modules are

+supported on any *nix OS which includes libdl or on Windows.

+One or more modules may be loaded into OpenVPN using

+the --plugin directive, and each plugin module is capable of

+intercepting any of the script callbacks which OpenVPN supports:

+

+(1) up

+(2) down

+(3) route-up

+(4) ipchange

+(5) tls-verify

+(6) auth-user-pass-verify

+(7) client-connect

+(8) client-disconnect

+(9) learn-address

+

+See the openvpn-plugin.h file in the top-level directory of the

+OpenVPN source distribution for more detailed information

+on the plugin interface.

+

+Included Plugins

+----------------

+

+auth-pam -- Authenticate using PAM and a split privilege

+            execution model which functions even if

+            root privileges or the execution environment

+            have been altered with --user/--group/--chroot.

+            Tested on Linux only.

+

+down-root -- Enable the running of down scripts with root privileges

+             even if --user/--group/--chroot have been used

+             to drop root privileges or change the execution

+             environment.  Not applicable on Windows.

+

+examples -- A simple example that demonstrates a portable

+            plugin, i.e. one which can be built for *nix

+            or Windows from the same source.

+

+Building Plugins

+----------------

+

+cd to the top-level directory of a plugin, and use the

+"make" command to build it.  The examples plugin is

+built using a build script, not a makefile.

new file mode 100644

@@ -0,0 +1 @@

+*.so

new file mode 100755

@@ -0,0 +1,30 @@

+#

+# Build the OpenVPN auth-pam plugin module.

+#

+

+# If PAM modules are not linked against libpam.so, set DLOPEN_PAM to 1. This

+# must be done on SUSE 9.1, at least.

+DLOPEN_PAM=1

+

+ifeq ($(DLOPEN_PAM),1)

+	LIBPAM=-ldl

+else

+	LIBPAM=-lpam

+endif

+

+# This directory is where we will look for openvpn-plugin.h

+INCLUDE=-I../..

+

+CC_FLAGS=-O2 -Wall -DDLOPEN_PAM=$(DLOPEN_PAM)

+

+openvpn-auth-pam.so : auth-pam.o pamdl.o

+	gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)

+

+auth-pam.o : auth-pam.c pamdl.h

+	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} auth-pam.c

+

+pamdl.o : pamdl.c pamdl.h

+	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} pamdl.c

+

+clean :

+	rm -f *.o *.so

new file mode 100644

@@ -0,0 +1,74 @@

+openvpn-auth-pam

+

+SYNOPSIS

+

+The openvpn-auth-pam module implements username/password

+authentication via PAM, and essentially allows any authentication

+method supported by PAM (such as LDAP, RADIUS, or Linux Shadow

+passwords) to be used with OpenVPN.  While PAM supports

+username/password authentication, this can be combined with X509

+certificates to provide two indepedent levels of authentication.

+

+This module uses a split privilege execution model which will

+function even if you drop openvpn daemon privileges using the user,

+group, or chroot directives.

+

+BUILD

+

+To build openvpn-auth-pam, you will need to have the pam-devel

+package installed.

+

+Build with the "make" command.  The module will be named

+openvpn-auth-pam.so

+

+USAGE

+

+To use this plugin module, add to your OpenVPN config file:

+

+  plugin openvpn-auth-pam.so service-type

+

+The required service-type parameter corresponds to

+the PAM service definition file usually found

+in /etc/pam.d.

+

+This plugin also supports the usage of a list of name/value

+pairs to answer PAM module queries.

+

+For example:

+

+  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"

+

+tells auth-pam to (a) use the "login" PAM module, (b) answer a

+"login" query with the username given by the OpenVPN client, and

+(c) answer a "password" query with the password given by the

+OpenVPN client.  This provides flexibility in dealing with the different

+types of query strings which different PAM modules might generate.

+For example, suppose you were using a PAM module called

+"test" which queried for "name" rather than "login":

+

+  plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"

+

+While "USERNAME" and "PASSWORD" are special strings which substitute

+to client-supplied values, it is also possible to name literal values

+to use as PAM module query responses.  For example, suppose that the

+login module queried for a third parameter, "domain" which

+is to be answered with the constant value "mydomain.com":

+

+  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"

+

+The following OpenVPN directives can also influence

+the operation of this plugin:

+

+  client-cert-not-required

+  username-as-common-name

+

+Run OpenVPN with --verb 7 or higher to get debugging output from

+this plugin, including the list of queries presented by the

+underlying PAM module.  This is a useful debugging tool to figure

+out which queries a given PAM module is making, so that you can

+craft the appropriate plugin directive to answer it.

+

+CAVEATS

+

+This module will only work on *nix systems which support PAM,

+not Windows.

new file mode 100644

@@ -0,0 +1,761 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+

+/*

+ * OpenVPN plugin module to do PAM authentication using a split

+ * privilege model.

+ */

+

+#if DLOPEN_PAM

+#include <dlfcn.h>

+#include "pamdl.h"

+#else

+#include <security/pam_appl.h>

+#endif

+

+#include <stdio.h>

+#include <string.h>

+#include <ctype.h>

+#include <unistd.h>

+#include <stdlib.h>

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <sys/wait.h>

+#include <fcntl.h>

+#include <signal.h>

+#include <syslog.h>

+

+#include "openvpn-plugin.h"

+

+#define DEBUG(verb) ((verb) >= 4)

+

+/* Command codes for foreground -> background communication */

+#define COMMAND_VERIFY 0

+#define COMMAND_EXIT   1

+

+/* Response codes for background -> foreground communication */

+#define RESPONSE_INIT_SUCCEEDED   10

+#define RESPONSE_INIT_FAILED      11

+#define RESPONSE_VERIFY_SUCCEEDED 12

+#define RESPONSE_VERIFY_FAILED    13

+

+/*

+ * Plugin state, used by foreground

+ */

+struct auth_pam_context

+{

+  /* Foreground's socket to background process */

+  int foreground_fd;

+

+  /* Process ID of background process */

+  pid_t background_pid;

+

+  /* Verbosity level of OpenVPN */

+  int verb;

+};

+

+/*

+ * Name/Value pairs for conversation function.

+ * Special Values:

+ *

+ *  "USERNAME" -- substitute client-supplied username

+ *  "PASSWORD" -- substitute client-specified password

+ */

+

+#define N_NAME_VALUE 16

+

+struct name_value {

+  const char *name;

+  const char *value;

+};

+

+struct name_value_list {

+  int len;

+  struct name_value data[N_NAME_VALUE];

+};

+

+/*

+ * Used to pass the username/password

+ * to the PAM conversation function.

+ */

+struct user_pass {

+  int verb;

+

+  char username[128];

+  char password[128];

+

+  const struct name_value_list *name_value_list;

+};

+

+/* Background process function */

+static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list);

+

+/*

+ * Given an environmental variable name, search

+ * the envp array for its value, returning it

+ * if found or NULL otherwise.

+ */

+static const char *

+get_env (const char *name, const char *envp[])

+{

+  if (envp)

+    {

+      int i;

+      const int namelen = strlen (name);

+      for (i = 0; envp[i]; ++i)

+	{

+	  if (!strncmp (envp[i], name, namelen))

+	    {

+	      const char *cp = envp[i] + namelen;

+	      if (*cp == '=')

+		return cp + 1;

+	    }

+	}

+    }

+  return NULL;

+}

+

+/*

+ * Return the length of a string array

+ */

+static int

+string_array_len (const char *array[])

+{

+  int i = 0;

+  if (array)

+    {

+      while (array[i])

+	++i;

+    }

+  return i;

+}

+

+/*

+ * Socket read/write functions.

+ */

+

+static int

+recv_control (int fd)

+{

+  unsigned char c;

+  const ssize_t size = read (fd, &c, sizeof (c));

+  if (size == sizeof (c))

+    return c;

+  else

+    {

+      /*fprintf (stderr, "AUTH-PAM: DEBUG recv_control.read=%d\n", (int)size);*/

+      return -1;

+    }

+}

+

+static int

+send_control (int fd, int code)

+{

+  unsigned char c = (unsigned char) code;

+  const ssize_t size = write (fd, &c, sizeof (c));

+  if (size == sizeof (c))

+    return (int) size;

+  else

+    return -1;

+}

+

+static int

+recv_string (int fd, char *buffer, int len)

+{

+  if (len > 0)

+    {

+      ssize_t size;

+      memset (buffer, 0, len);

+      size = read (fd, buffer, len);

+      buffer[len-1] = 0;

+      if (size >= 1)

+	return (int)size;

+    }

+  return -1;

+}

+

+static int

+send_string (int fd, const char *string)

+{

+  const int len = strlen (string) + 1;

+  const ssize_t size = write (fd, string, len);

+  if (size == len)

+    return (int) size;

+  else

+    return -1;

+}

+

+#ifdef DO_DAEMONIZE

+

+/*

+ * Daemonize if "daemon" env var is true.

+ * Preserve stderr across daemonization if

+ * "daemon_log_redirect" env var is true.

+ */

+static void

+daemonize (const char *envp[])

+{

+  const char *daemon_string = get_env ("daemon", envp);

+  if (daemon_string && daemon_string[0] == '1')

+    {

+      const char *log_redirect = get_env ("daemon_log_redirect", envp);

+      int fd = -1;

+      if (log_redirect && log_redirect[0] == '1')

+	fd = dup (2);

+      if (daemon (0, 0) < 0)

+	{

+	  fprintf (stderr, "AUTH-PAM: daemonization failed\n");

+	}

+      else if (fd >= 3)

+	{

+	  dup2 (fd, 2);

+	  close (fd);

+	}

+    }

+}

+

+#endif

+

+/*

+ * Close most of parent's fds.

+ * Keep stdin/stdout/stderr, plus one

+ * other fd which is presumed to be

+ * our pipe back to parent.

+ * Admittedly, a bit of a kludge,

+ * but posix doesn't give us a kind

+ * of FD_CLOEXEC which will stop

+ * fds from crossing a fork().

+ */

+static void

+close_fds_except (int keep)

+{

+  int i;

+  closelog ();

+  for (i = 3; i <= 100; ++i)

+    {

+      if (i != keep)

+	close (i);

+    }

+}

+

+/*

+ * Usually we ignore signals, because our parent will

+ * deal with them.

+ */

+static void

+set_signals (void)

+{

+  signal (SIGTERM, SIG_DFL);

+

+  signal (SIGINT, SIG_IGN);

+  signal (SIGHUP, SIG_IGN);

+  signal (SIGUSR1, SIG_IGN);

+  signal (SIGUSR2, SIG_IGN);

+  signal (SIGPIPE, SIG_IGN);

+}

+

+/*

+ * Return 1 if query matches match.

+ */

+static int

+name_value_match (const char *query, const char *match)

+{

+  while (!isalnum (*query))

+    {

+      if (*query == '\0')

+	return 0;

+      ++query;

+    }

+  return strncasecmp (match, query, strlen (match)) == 0;

+}

+

+OPENVPN_EXPORT openvpn_plugin_handle_t

+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])

+{

+  pid_t pid;

+  int fd[2];

+

+  struct auth_pam_context *context;

+  struct name_value_list name_value_list;

+

+  const int base_parms = 2;

+

+  /*

+   * Allocate our context

+   */

+  context = (struct auth_pam_context *) calloc (1, sizeof (struct auth_pam_context));

+  context->foreground_fd = -1;

+

+  /*

+   * Intercept the --auth-user-pass-verify callback.

+   */

+  *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);

+

+  /*

+   * Make sure we have two string arguments: the first is the .so name,

+   * the second is the PAM service type.

+   */

+  if (string_array_len (argv) < base_parms)

+    {

+      fprintf (stderr, "AUTH-PAM: need PAM service parameter\n");

+      goto error;

+    }

+

+  /*

+   * See if we have optional name/value pairs to match against

+   * PAM module queried fields in the conversation function.

+   */

+  name_value_list.len = 0;

+  if (string_array_len (argv) > base_parms)

+    {

+      const int nv_len = string_array_len (argv) - base_parms;

+      int i;

+

+      if ((nv_len & 1) == 1 || (nv_len / 2) > N_NAME_VALUE)

+	{

+	  fprintf (stderr, "AUTH-PAM: bad name/value list length\n");

+	  goto error;

+	}

+

+      name_value_list.len = nv_len / 2;

+      for (i = 0; i < name_value_list.len; ++i)

+	{

+	  const int base = base_parms + i * 2;

+	  name_value_list.data[i].name = argv[base];

+	  name_value_list.data[i].value = argv[base+1];

+	}

+    }

+

+  /*

+   * Get verbosity level from environment

+   */

+  {

+    const char *verb_string = get_env ("verb", envp);

+    if (verb_string)

+      context->verb = atoi (verb_string);

+  }

+

+  /*

+   * Make a socket for foreground and background processes

+   * to communicate.

+   */

+  if (socketpair (PF_UNIX, SOCK_DGRAM, 0, fd) == -1)

+    {

+      fprintf (stderr, "AUTH-PAM: socketpair call failed\n");

+      goto error;

+    }

+

+  /*

+   * Fork off the privileged process.  It will remain privileged

+   * even after the foreground process drops its privileges.

+   */

+  pid = fork ();

+

+  if (pid)

+    {

+      int status;

+

+      /*

+       * Foreground Process

+       */

+

+      context->background_pid = pid;

+

+      /* close our copy of child's socket */

+      close (fd[1]);

+

+      /* don't let future subprocesses inherit child socket */

+      if (fcntl (fd[0], F_SETFD, FD_CLOEXEC) < 0)

+	fprintf (stderr, "AUTH-PAM: Set FD_CLOEXEC flag on socket file descriptor failed\n");

+

+      /* wait for background child process to initialize */

+      status = recv_control (fd[0]);

+      if (status == RESPONSE_INIT_SUCCEEDED)

+	{

+	  context->foreground_fd = fd[0];

+	  return (openvpn_plugin_handle_t) context;

+	}

+    }

+  else

+    {

+      /*

+       * Background Process

+       */

+

+      /* close all parent fds except our socket back to parent */

+      close_fds_except (fd[1]);

+

+      /* Ignore most signals (the parent will receive them) */

+      set_signals ();

+

+#ifdef DO_DAEMONIZE

+      /* Daemonize if --daemon option is set. */

+      daemonize (envp);

+#endif

+

+      /* execute the event loop */

+      pam_server (fd[1], argv[1], context->verb, &name_value_list);

+

+      close (fd[1]);

+

+      exit (0);

+      return 0; /* NOTREACHED */

+    }

+

+ error:

+  if (context)

+    free (context);

+  return NULL;

+}

+

+OPENVPN_EXPORT int

+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])

+{

+  struct auth_pam_context *context = (struct auth_pam_context *) handle;

+

+  if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0)

+    {

+      /* get username/password from envp string array */

+      const char *username = get_env ("username", envp);

+      const char *password = get_env ("password", envp);

+

+      if (username && strlen (username) > 0 && password)

+	{

+	  if (send_control (context->foreground_fd, COMMAND_VERIFY) == -1

+	      || send_string (context->foreground_fd, username) == -1

+	      || send_string (context->foreground_fd, password) == -1)

+	    {

+	      fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");

+	    }

+	  else

+	    {

+	      const int status = recv_control (context->foreground_fd);

+	      if (status == RESPONSE_VERIFY_SUCCEEDED)

+		return OPENVPN_PLUGIN_FUNC_SUCCESS;

+	      if (status == -1)

+		fprintf (stderr, "AUTH-PAM: Error receiving auth confirmation from background process\n");

+	    }

+	}

+    }

+  return OPENVPN_PLUGIN_FUNC_ERROR;

+}

+

+OPENVPN_EXPORT void

+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)

+{

+  struct auth_pam_context *context = (struct auth_pam_context *) handle;

+

+  if (DEBUG (context->verb))

+    fprintf (stderr, "AUTH-PAM: close\n");

+

+  if (context->foreground_fd >= 0)

+    {

+      /* tell background process to exit */

+      if (send_control (context->foreground_fd, COMMAND_EXIT) == -1)

+	fprintf (stderr, "AUTH-PAM: Error signaling background process to exit\n");

+

+      /* wait for background process to exit */

+      if (context->background_pid > 0)

+	waitpid (context->background_pid, NULL, 0);

+

+      close (context->foreground_fd);

+      context->foreground_fd = -1;

+    }

+

+  free (context);

+}

+

+OPENVPN_EXPORT void

+openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)

+{

+  struct auth_pam_context *context = (struct auth_pam_context *) handle;

+

+  /* tell background process to exit */

+  if (context->foreground_fd >= 0)

+    {

+      send_control (context->foreground_fd, COMMAND_EXIT);

+      close (context->foreground_fd);

+      context->foreground_fd = -1;

+    }

+}

+

+/*

+ * PAM conversation function

+ */

+static int

+my_conv (int n, const struct pam_message **msg_array,

+	 struct pam_response **response_array, void *appdata_ptr)

+{

+  const struct user_pass *up = ( const struct user_pass *) appdata_ptr;

+  struct pam_response *aresp;

+  int i;

+  int ret = PAM_SUCCESS;

+

+  *response_array = NULL;

+

+  if (n <= 0 || n > PAM_MAX_NUM_MSG)

+    return (PAM_CONV_ERR);

+  if ((aresp = calloc (n, sizeof *aresp)) == NULL)

+    return (PAM_BUF_ERR);

+

+  /* loop through each PAM-module query */

+  for (i = 0; i < n; ++i)

+    {

+      const struct pam_message *msg = msg_array[i];

+      aresp[i].resp_retcode = 0;

+      aresp[i].resp = NULL;

+

+      if (DEBUG (up->verb))

+	{

+	  fprintf (stderr, "AUTH-PAM: BACKGROUND: my_conv[%d] query='%s' style=%d\n",

+		   i,

+		   msg->msg ? msg->msg : "NULL",

+		   msg->msg_style);

+	}

+

+      if (up->name_value_list && up->name_value_list->len > 0)

+	{

+	  /* use name/value list match method */

+	  const struct name_value_list *list = up->name_value_list;

+	  int j;

+

+	  /* loop through name/value pairs */

+	  for (j = 0; j < list->len; ++j)

+	    {

+	      const char *match_name = list->data[j].name;

+	      const char *match_value = list->data[j].value;

+

+	      if (name_value_match (msg->msg, match_name))

+		{

+		  /* found name/value match */

+		  const char *return_value = NULL;

+

+		  if (DEBUG (up->verb))

+		    fprintf (stderr, "AUTH-PAM: BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'\n",

+			     msg->msg,

+			     match_name,

+			     match_value);

+

+		  if (!strcmp (match_value, "USERNAME"))

+		    return_value = up->username;

+		  else if (!strcmp (match_value, "PASSWORD"))

+		    return_value = up->password;

+		  else

+		    return_value = match_value;

+

+		  aresp[i].resp = strdup (return_value);

+		  if (aresp[i].resp == NULL)

+		    ret = PAM_CONV_ERR;

+		  break;

+		}

+	    }

+

+	  if (j == list->len)

+	    ret = PAM_CONV_ERR;

+	}

+      else

+	{

+	  /* use PAM_PROMPT_ECHO_x hints */

+	  switch (msg->msg_style)

+	    {

+	    case PAM_PROMPT_ECHO_OFF:

+	      aresp[i].resp = strdup (up->password);

+	      if (aresp[i].resp == NULL)

+		ret = PAM_CONV_ERR;

+	      break;

+

+	    case PAM_PROMPT_ECHO_ON:

+	      aresp[i].resp = strdup (up->username);

+	      if (aresp[i].resp == NULL)

+		ret = PAM_CONV_ERR;

+	      break;

+

+	    case PAM_ERROR_MSG:

+	    case PAM_TEXT_INFO:

+	      break;

+

+	    default:

+	      ret = PAM_CONV_ERR;

+	      break;

+	    }

+	}

+    }

+

+  if (ret == PAM_SUCCESS)

+    *response_array = aresp;

+  return ret;

+}

+

+/*

+ * Return 1 if authenticated and 0 if failed.

+ * Called once for every username/password

+ * to be authenticated.

+ */

+static int

+pam_auth (const char *service, const struct user_pass *up)

+{

+  struct pam_conv conv;

+  pam_handle_t *pamh = NULL;

+  int status = PAM_SUCCESS;

+  int ret = 0;

+  const int name_value_list_provided = (up->name_value_list && up->name_value_list->len > 0);

+

+  /* Initialize PAM */

+  conv.conv = my_conv;

+  conv.appdata_ptr = (void *)up;

+  status = pam_start (service, name_value_list_provided ? NULL : up->username, &conv, &pamh);

+  if (status == PAM_SUCCESS)

+    {

+      /* Call PAM to verify username/password */

+      status = pam_authenticate(pamh, 0);

+      if (status == PAM_SUCCESS)

+	status = pam_acct_mgmt (pamh, 0);

+      if (status == PAM_SUCCESS)

+	ret = 1;

+

+      /* Output error message if failed */

+      if (!ret)

+	{