From 2e1b082dfbc5dcdae80957a3d889abe9fa480d77 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 25 Dec 1999 10:11:29 +1100
Subject: [PATCH] - Prepare for 1.2.1pre20

19991225
 - More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
 - Cleanup of auth-passwd.c for shadow and MD5 passwords
 - Cleanup and bugfix of PAM authentication code

19991223
 - Merged later HPUX patch from Andre Lucas
   <andre.lucas@dial.pipex.com>
 - Above patch included better utmpx support from Ben Taylor
   <bent@clark.net>:
---
 ChangeLog                    | 11 +++++++
 acconfig.h                   | 62 +++++++++++++++++------------------
 auth-passwd.c                | 63 +++++++++++++++---------------------
 bsd-login.c                  | 46 +++++++++++++++-----------
 bsd-login.h                  | 21 ++++++++----
 configure.in                 | 47 ++++++++++++++++++++-------
 includes.h                   |  1 +
 login.c                      | 40 ++++++++++++++++-------
 packages/redhat/openssh.spec |  2 +-
 packages/redhat/sshd.pam     |  2 +-
 packages/suse/openssh.spec   |  2 +-
 sshd.c                       | 43 +++++++++++++-----------
 sshd.pam.generic             |  2 +-
 13 files changed, 205 insertions(+), 137 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 256711ebd..394ebc899 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+19991225
+ - More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
+ - Cleanup of auth-passwd.c for shadow and MD5 passwords
+ - Cleanup and bugfix of PAM authentication code
+
+19991223
+ - Merged later HPUX patch from Andre Lucas 
+   <andre.lucas@dial.pipex.com>
+ - Above patch included better utmpx support from Ben Taylor
+   <bent@clark.net>:
+
 19991222
  - Fix undefined fd_set type in ssh.h from Povl H. Pedersen 
    <pope@netguide.dk>
diff --git a/acconfig.h b/acconfig.h
index b02abbafe..1e706ff58 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -30,6 +30,9 @@
 /* Define is utmpx.h has a ut_host field */
 #undef HAVE_HOST_IN_UTMPX
 
+/* Define is utmpx.h has a syslen field */
+#undef HAVE_SYSLEN_IN_UTMPX
+
 /* Define if you want to use utmpx */
 #undef USE_UTMPX
 
@@ -63,6 +66,9 @@
 /* Define if xauth is found in your path */
 #undef XAUTH_PATH
 
+/* Define if rsh is found in your path */
+#undef RSH_PATH
+
 /* Define if you want to allow MD5 passwords */
 #undef HAVE_MD5_PASSWORDS
 
@@ -76,6 +82,9 @@
 /* to pam_strerror */
 #undef HAVE_OLD_PAM
 
+/* Set this to your mail directory if you don't have maillock.h */
+#undef MAIL_DIRECTORY
+
 /* Data types */
 #undef HAVE_QUAD_T
 #undef HAVE_INTXX_T
@@ -197,36 +206,19 @@ enum
 # endif
 #endif
 
-/* Use utmpx if supported */
-#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
-# define UTMP_STR utmpx
-#else 
-# ifdef HAVE_UTMP_H
-#  define UTMP_STR utmp
-# endif
-#endif
-
 #ifndef _PATH_UTMP
-# if defined(UTMPX_FILE) && defined(USE_UTMPX)
-#  define _PATH_UTMP UTMPX_FILE
+# ifdef UTMP_FILE
+#  define _PATH_UTMP UTMP_FILE
 # else
-#  ifdef UTMP_FILE
-#   define _PATH_UTMP UTMP_FILE
-#  else
-#   define _PATH_UTMP "/var/adm/utmp"
-#  endif
+#  define _PATH_UTMP "/var/adm/utmp"
 # endif
 #endif
 
 #ifndef _PATH_WTMP
-# if defined(WTMPX_FILE) && defined(USE_UTMPX)
-#  define _PATH_WTMP WTMPX_FILE
+# ifdef WTMP_FILE
+#  define _PATH_WTMP WTMP_FILE
 # else
-#  ifdef WTMP_FILE
-#   define _PATH_WTMP WTMP_FILE
-#  else
-#   define _PATH_WTMP "/var/adm/wtmp"
-#  endif
+#  define _PATH_WTMP "/var/adm/wtmp"
 # endif
 #endif
 
@@ -242,16 +234,14 @@ enum
 # define _PATH_DEVNULL "/dev/null"
 #endif
 
-#ifndef _PATH_MAILDIR
-# ifdef MAILDIR
-#  define _PATH_MAILDIR MAILDIR
-# else
-#  ifdef MAIL_DIRECTORY
-#   define _PATH_MAILDIR MAIL_DIRECTORY
-#  endif
-# endif
+#ifndef MAILDIR
+# define MAILDIR MAIL_DIRECTORY
 #endif
 
+#if !defined(_PATH_MAILDIR) && defined(MAILDIR)
+# define _PATH_MAILDIR MAILDIR
+#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */
+
 #ifndef MAX
 # define MAX(a,b) (((a)>(b))?(a):(b))
 # define MIN(a,b) (((a)<(b))?(a):(b))
@@ -287,3 +277,13 @@ enum
 #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
 # define seteuid(a) setreuid(-1,a)
 #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
+
+#ifndef HAVE_INNETGR
+# define innetgr(a,b,c,d) (0)
+#endif /* HAVE_INNETGR */
+
+#ifndef _PATH_RSH
+# ifdef RSH_PATH
+#  define _PATH_RSH RSH_PATH
+# endif /* RSH_PATH */
+#endif /* _PATH_RSH */
diff --git a/auth-passwd.c b/auth-passwd.c
index fc0809e16..058dde82b 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -9,9 +9,9 @@
 
 #include "includes.h"
 
-#ifndef HAVE_PAM
+#ifndef HAVE_LIBPAM
 
-RCSID("$Id: auth-passwd.c,v 1.10 1999/12/21 10:03:09 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.11 1999/12/24 23:11:29 damien Exp $");
 
 #include "packet.h"
 #include "ssh.h"
@@ -35,6 +35,8 @@ auth_password(struct passwd * pw, const char *password)
 {
 	extern ServerOptions options;
 	char *encrypted_password;
+	char *pw_password;
+	char *salt;
 #ifdef HAVE_SHADOW_H
 	struct spwd *spw;
 #endif
@@ -68,48 +70,35 @@ auth_password(struct passwd * pw, const char *password)
 	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
 		return 1;
 
+	pw_password = pw->pw_passwd;
+
 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
 	spw = getspnam(pw->pw_name);
-	if (spw == NULL)
+	if (spw == NULL) 
 		return(0);
 
-	if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0))
-		fatal("Shadow lookup returned garbage.");
-
 	/* Check for users with no password. */
 	if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
 		return 1;
 
-	if (strlen(spw->sp_pwdp) < 3)
-		return(0);
-
-	/* Encrypt the candidate password using the proper salt. */
-#ifdef HAVE_MD5_PASSWORDS
-	if (is_md5_salt(spw->sp_pwdp))
-		encrypted_password = md5_crypt(password, spw->sp_pwdp);
-	else
-		encrypted_password = crypt(password, spw->sp_pwdp);
-#else /* HAVE_MD5_PASSWORDS */    
-	encrypted_password = crypt(password, spw->sp_pwdp);
-#endif /* HAVE_MD5_PASSWORDS */    
-	/* Authentication is accepted if the encrypted passwords are identical. */
-	return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
-#else /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
-
-	if (strlen(pw->pw_passwd) < 3)
-		return(0);
-
-#ifdef HAVE_MD5_PASSWORDS
-	if (is_md5_salt(pw->pw_passwd))
-		encrypted_password = md5_crypt(password, pw->pw_passwd);
-	else
-		encrypted_password = crypt(password, pw->pw_passwd);
-#else /* HAVE_MD5_PASSWORDS */    
-	encrypted_password = crypt(password, pw->pw_passwd);
-#endif /* HAVE_MD5_PASSWORDS */    
-
-	/* Authentication is accepted if the encrypted passwords are identical. */
-	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
+	pw_password = spw->sp_pwdp;
 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+
+	if (pw_password[0] != '\0')
+		salt = pw_password;
+	else
+		salt = "xx";
+
+#ifdef HAVE_MD5_PASSWORDS
+	if (is_md5_salt(salt))
+		encrypted_password = md5_crypt(password, salt);
+	else
+		encrypted_password = crypt(password, salt);
+#else /* HAVE_MD5_PASSWORDS */    
+	encrypted_password = crypt(password, salt);
+#endif /* HAVE_MD5_PASSWORDS */    
+
+	/* Authentication is accepted if the encrypted passwords are identical. */
+	return (strcmp(encrypted_password, pw_password) == 0);
 }
-#endif /* !HAVE_PAM */
+#endif /* !HAVE_LIBPAM */
diff --git a/bsd-login.c b/bsd-login.c
index c0f4c1ab0..d81e46914 100644
--- a/bsd-login.c
+++ b/bsd-login.c
@@ -54,53 +54,63 @@ static char *rcsid = "$OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $"
 #include <stdio.h>
 #include <string.h>
 
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+void
+login(utp,utx)
+	struct utmp *utp;
+	struct utmpx *utx;
+#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 void
 login(utp)
-	struct UTMP_STR *utp;
+	struct utmp *utp;
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 {
-	struct UTMP_STR old_ut;
+	struct utmp old_ut;
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+	struct utmpx *old_utx;
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 	register int fd;
 	int tty;
 
 #ifndef UT_LINESIZE
 # define UT_LINESIZE (sizeof(old_ut.ut_line))
-# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
-#  define UT_NAMESIZE (sizeof(old_ut.ut_user))
-# else
-#  define UT_NAMESIZE (sizeof(old_ut.ut_name))
-# endif
+# define UT_NAMESIZE (sizeof(old_ut.ut_name))
 # ifdef HAVE_HOST_IN_UTMP
 #  define UT_HOSTSIZE (sizeof(old_ut.ut_host))
 # endif
-# if defined(HAVE_HOST_IN_UTMPX) && defined(USE_UTMPX)
-#  define UT_HOSTSIZE (sizeof(old_ut.ut_host))
-# endif
 #endif
 
 	tty = ttyslot();
 	if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) {
-#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX)
-		(void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET);
+#if defined(HAVE_HOST_IN_UTMP)
+		(void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
 		/*
 		 * Prevent luser from zero'ing out ut_host.
 		 * If the new ut_line is empty but the old one is not
 		 * and ut_line and ut_name match, preserve the old ut_line.
 		 */
-		if (read(fd, &old_ut, sizeof(struct UTMP_STR)) ==
-		    sizeof(struct UTMP_STR) && utp->ut_host[0] == '\0' &&
+		if (read(fd, &old_ut, sizeof(struct utmp)) ==
+		    sizeof(struct utmp) && utp->ut_host[0] == '\0' &&
 		    old_ut.ut_host[0] != '\0' &&
 		    strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 &&
 		    strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0)
 			(void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE);
-#endif /* defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) */
-		(void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET);
-		(void)write(fd, utp, sizeof(struct UTMP_STR));
+#endif /* defined(HAVE_HOST_IN_UTMP) */
+		(void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
+		(void)write(fd, utp, sizeof(struct utmp));
 		(void)close(fd);
 	}
 	if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
-		(void)write(fd, utp, sizeof(struct UTMP_STR));
+		(void)write(fd, utp, sizeof(struct utmp));
 		(void)close(fd);
 	}
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+	old_utx = pututxline(utx);
+# ifdef HAVE_UPDWTMPX
+	updwtmpx(_PATH_WTMPX, utx);
+# endif /* HAVE_UPDWTMPX */
+	endutxent();
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 }
 
 #endif /* HAVE_LOGIN */
diff --git a/bsd-login.h b/bsd-login.h
index 8891ae342..f26f47084 100644
--- a/bsd-login.h
+++ b/bsd-login.h
@@ -1,13 +1,22 @@
 #ifndef _BSD_LOGIN_H
-#define _BSD_LOGIN_H
+# define _BSD_LOGIN_H
 
-#include "config.h"
-#ifndef HAVE_LOGIN
+# include "config.h"
+# ifndef HAVE_LOGIN
 
-#include <utmp.h>
+#  include <utmp.h>
 
-void login(struct UTMP_STR *utp);
+#  if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+#   include <utmpx.h>
 
-#endif /* !HAVE_LOGIN */
+void login(struct utmp *utp, struct utmpx *utx);
+
+#   else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
+
+void login(struct utmp *utp);
+
+#  endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
+
+# endif /* !HAVE_LOGIN */
 
 #endif /* _BSD_LOGIN_H */
diff --git a/configure.in b/configure.in
index b5ffee79e..7bb96270a 100644
--- a/configure.in
+++ b/configure.in
@@ -9,10 +9,25 @@ AC_PROG_CPP
 AC_PROG_RANLIB
 AC_PROG_INSTALL
 AC_CHECK_PROG(AR, ar, ar)
-
-dnl Check for the path to xauth
 AC_PATH_PROG(xauth_path, xauth)
-AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path")
+
+dnl Use ip address instead of hostname in $DISPLAY
+AC_ARG_WITH(rsh,
+	[  --with-rsh=PATH         Specify path to remote shell program ],
+	[
+		AC_DEFINE_UNQUOTED(RSH_PATH, "$withval")
+	],
+	[
+		AC_PATH_PROG(rsh_path, rsh)
+	]
+)
+
+if test ! -z "$xauth_path" ; then
+	AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path")
+fi
+if test ! -z "$rsh_path" ; then
+	AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path")
+fi
 
 dnl Checks for compiler characteristics
 if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi
@@ -27,6 +42,7 @@ case "$host" in
 	fi
 	CFLAGS="$CFLAGS -D_HPUX_SOURCE"
 	AC_DEFINE(IPADDR_IN_DISPLAY)
+	AC_DEFINE(USE_UTMPX)
 	AC_MSG_CHECKING(for HPUX trusted system password database)
 	if test -f /tcb/files/auth/system/default; then
 		AC_MSG_RESULT(yes)
@@ -80,15 +96,22 @@ AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil")
 AC_CHECK_LIB(nsl, yp_match, , )
 AC_CHECK_LIB(socket, main, , )
 
-dnl libdl is needed by PAM on Redhat systems
-AC_CHECK_LIB(dl, dlopen, , )
-AC_CHECK_LIB(pam, pam_authenticate, , )
+dnl Use ip address instead of hostname in $DISPLAY
+AC_ARG_WITH(pam,
+	[  --without-pam           Disable PAM support ],
+	[
+		if test "x$withval" != "xno" ; then
+			AC_CHECK_LIB(dl, dlopen, , )
+			AC_CHECK_LIB(pam, pam_authenticate, , )
+		fi
+	]
+)
 
 dnl Checks for header files.
-AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow_h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h)
+AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow.h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h)
 
 dnl Checks for library functions.
-AC_CHECK_FUNCS(arc4random mkdtemp openpty _getpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf)
+AC_CHECK_FUNCS(arc4random updwtmpx mkdtemp openpty _getpty innetgr setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf)
 
 AC_CHECK_FUNC(login, 
 	[AC_DEFINE(HAVE_LOGIN)],
@@ -220,19 +243,21 @@ if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then
 	AC_MSG_ERROR([No random device found, and no EGD random pool specified])
 fi
 
-dnl Check for ut_host field in utmp
 AC_MSG_CHECKING([whether utmp.h has ut_host field])
 AC_EGREP_HEADER(ut_host, utmp.h, 
 	[AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], 
 	[AC_MSG_RESULT(no)]
 )
-
-dnl Check for ut_host field in utmpx
 AC_MSG_CHECKING([whether utmpx.h has ut_host field])
 AC_EGREP_HEADER(ut_host, utmpx.h, 
 	[AC_DEFINE(HAVE_HOST_IN_UTMPX) AC_MSG_RESULT(yes); ], 
 	[AC_MSG_RESULT(no)]
 )
+AC_MSG_CHECKING([whether utmpx.h has syslen field])
+AC_EGREP_HEADER(syslen, utmpx.h, 
+	[AC_DEFINE(HAVE_SYSLEN_IN_UTMPX) AC_MSG_RESULT(yes); ], 
+	[AC_MSG_RESULT(no)]
+)
 
 dnl Look for lastlog location
 AC_ARG_WITH(lastlog,
diff --git a/includes.h b/includes.h
index 308e674c0..0538bfbc3 100644
--- a/includes.h
+++ b/includes.h
@@ -81,6 +81,7 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #include "bsd-mktemp.h"
 #include "bsd-snprintf.h"
 #include "bsd-daemon.h"
+#include "bsd-login.h"
 
 /* Define this to be the path of the xauth program. */
 #ifndef XAUTH_PATH
diff --git a/login.c b/login.c
index fb9c8f871..c551da898 100644
--- a/login.c
+++ b/login.c
@@ -18,7 +18,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: login.c,v 1.10 1999/12/22 05:09:48 damien Exp $");
+RCSID("$Id: login.c,v 1.11 1999/12/24 23:11:29 damien Exp $");
 
 #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
 # include <utmpx.h>
@@ -133,28 +133,44 @@ record_login(int pid, const char *ttyname, const char *user, uid_t uid,
 	struct lastlog ll;
 	char *lastlog;
 #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
-	struct UTMP_STR u;
-	const char *utmp, *wtmp;
+	struct utmp u;
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+	struct utmpx utx;
+#endif
 
 	/* Construct an utmp/wtmp entry. */
 	memset(&u, 0, sizeof(u));
 	strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line));
-#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
-	u.ut_tv.tv_sec = time(NULL);
-	strncpy(u.ut_user, user, sizeof(u.ut_name));
-#else
+	u.ut_pid = (pid_t)pid;
 	u.ut_time = time(NULL);
 	strncpy(u.ut_name, user, sizeof(u.ut_name));
-#endif
-#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX)
+ 	u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS;
+#if defined(HAVE_HOST_IN_UTMP)
 	strncpy(u.ut_host, host, sizeof(u.ut_host));
 #endif
 
-	/* Figure out the file names. */
-	utmp = _PATH_UTMP;
-	wtmp = _PATH_WTMP;
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+	memset(&utx, 0, sizeof(utx));
+	strncpy(utx.ut_user, user, sizeof(utx.ut_name));
+	strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line));
+	utx.ut_pid = (pid_t)pid;
+	utx.ut_tv.tv_sec = time(NULL);
+ 	u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS;
+#ifdef HAVE_HOST_IN_UTMPX
+#ifdef HAVE_SYSLEN_IN_UTMPX
+	utx.ut_syslen = strlen(host);
+	strncpy(utx.ut_host, host, utx.ut_syslen );
+#else
+	strncpy(utx.ut_host, host, sizeof(utx.ut_host));
+#endif /* HAVE_SYSLEN_IN_UTMPX */
+#endif
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN)
+	login(&u, &utx);
+#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 	login(&u);
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
 
 #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
 	lastlog = _PATH_LASTLOG;
diff --git a/packages/redhat/openssh.spec b/packages/redhat/openssh.spec
index d036f5c37..a3e51bb81 100644
--- a/packages/redhat/openssh.spec
+++ b/packages/redhat/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH free Secure Shell (SSH) implementation
 Name: openssh
-Version: 1.2.1pre19
+Version: 1.2.1pre20
 Release: 1
 Packager: Damien Miller <djm@ibs.com.au>
 Source0: openssh-%{version}.tar.gz
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam
index f466f9ba3..f01055022 100644
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_pwdb.so shadow
+auth       required     /lib/security/pam_pwdb.so shadow nowait
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_pwdb.so
 password   required     /lib/security/pam_cracklib.so
diff --git a/packages/suse/openssh.spec b/packages/suse/openssh.spec
index 4632763c6..c649ef235 100644
--- a/packages/suse/openssh.spec
+++ b/packages/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) implementation
 Name: openssh
-Version: 1.2.1pre19
+Version: 1.2.1pre20
 Release: 1
 Source0: openssh-%{version}.tar.gz
 Copyright: BSD
diff --git a/sshd.c b/sshd.c
index 448ca5968..9c570ab8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.39 1999/12/14 04:43:03 damien Exp $");
+RCSID("$Id: sshd.c,v 1.40 1999/12/24 23:11:29 damien Exp $");
 
 #ifdef HAVE_POLL_H
 # include <poll.h>
@@ -146,6 +146,7 @@ void do_child(const char *command, struct passwd * pw, const char *term,
 #ifdef HAVE_LIBPAM
 static int pamconv(int num_msg, const struct pam_message **msg,
 	  struct pam_response **resp, void *appdata_ptr);
+int do_pam_auth(const char *user, const char *password);
 void do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, char *ttyname);
 void pam_cleanup_proc(void *context);
@@ -237,6 +238,23 @@ void pam_cleanup_proc(void *context)
 	}
 }
 
+int do_pam_auth(const char *user, const char *password)
+{
+	int pam_retval;
+	
+	pampasswd = password;
+	
+	pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
+	if (pam_retval == PAM_SUCCESS) {
+		log("PAM Password authentication accepted for user \"%.100s\"", user);
+		return 1;
+	} else {
+		log("PAM Password authentication for \"%.100s\" failed: %s", 
+			user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+		return 0;
+	}
+}
+
 void do_pam_account(char *username, char *remote_user)
 {
 	int pam_retval;
@@ -1292,7 +1310,11 @@ do_authentication(char *user)
 #ifdef KRB4
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif /* KRB4 */
+#ifdef HAVE_LIBPAM
+	    do_pam_auth(pw->pw_name, "")) {
+#else /* HAVE_LIBPAM */
 	    auth_password(pw, "")) {
+#endif /* HAVE_LIBPAM */
 		/* Authentication with empty password succeeded. */
 		log("Login for user %s from %.100s, accepted without authentication.",
 		    pw->pw_name, get_remote_ipaddr());
@@ -1503,29 +1525,14 @@ do_authloop(struct passwd * pw)
 
 #ifdef HAVE_LIBPAM
 			/* Do PAM auth with password */
-			pampasswd = password;
-			pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
-			if (pam_retval == PAM_SUCCESS) {
-				log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name);
-				memset(password, 0, strlen(password));
-				xfree(password);
-				authenticated = 1;
-				break;
-			}
-
-			log("PAM Password authentication for \"%.100s\" failed: %s", 
-				pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
-			memset(password, 0, strlen(password));
-			xfree(password);
-			break;
+			authenticated = do_pam_auth(pw->pw_name, password);
 #else /* HAVE_LIBPAM */
 			/* Try authentication with the password. */
 			authenticated = auth_password(pw, password);
-
+#endif /* HAVE_LIBPAM */
 			memset(password, 0, strlen(password));
 			xfree(password);
 			break;
-#endif /* HAVE_LIBPAM */
 
 #ifdef SKEY
 		case SSH_CMSG_AUTH_TIS:
diff --git a/sshd.pam.generic b/sshd.pam.generic
index 4ec2a2a00..8c4f32daf 100644
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_unix.so shadow
+auth       required     /lib/security/pam_unix.so shadow nowait
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_unix.so
 password   required     /lib/security/pam_cracklib.so