author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2002-02-23 01:24:02 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2002-02-23 01:24:02 +0000 |
commit | 46acc3702698ba19936598ab0b2bcb79d0541e14 (patch) | |
tree | ae223d64d0eef9481ac27d428fd4c517fe5427e4 | |
parent | ac676a111684706b7e97927f12d29b25c5205078 (diff) | |
Vendor import of OpenPAM Cantaloupe (tag: vendor/openpam/CANTALOUPE)
Notes
Notes:
svn path=/vendor/openpam/dist/; revision=91100
svn path=/vendor/openpam/CANTALOUPE/; revision=91102; tag=vendor/openpam/CANTALOUPE
94 files changed, 3860 insertions, 284 deletions
diff --git a/contrib/openpam/HISTORY b/contrib/openpam/HISTORY index b09caa17ca6f..ed96088d26da 100644 --- a/contrib/openpam/HISTORY +++ b/contrib/openpam/HISTORY @@ -1,4 +1,34 @@ ============================================================================ +OpenPAM Cantaloupe 2002-02-22 + + - BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid + argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures. + + - ENHANCE: Add in-line documentation in most source files, and a Perl + script that generates mdoc code from that. + + - BUGFIX: The environment list was not properly NULL-terminated. + + - ENHANCE: Allow the PAM_AUTHTOK_PROMPT item to override the prompt + specified by the module. + + - BUGFIX: PAM_NUM_ITEMS was set too low. It has been moved to + pam_constants.h to avoid it going stale again. + + - ENHANCE: Move all code related to static modules into a separate + file. + + - ENHANCE: openpam_ttyconv() now masks most signals while prompting the + user, and supports setting a timeout (which defaults to off). + + - BUGFIX: Some manual pages referenced XSSO even though they + documented OpenPAM-specific functions. + + - ENHANCE: Added openpam_get_option() and openpam_set_option(). + + - ENHANCE: openpam_get_authtok() now respects the echo_pass, + try_first_pass, and use_first_pass options. +============================================================================ OpenPAM Caliopsis 2002-02-13 Fixed a number of bugs in the previous release, including: diff --git a/contrib/openpam/MANIFEST b/contrib/openpam/MANIFEST index 9f973ddda0d1..13bf8105412d 100644 --- a/contrib/openpam/MANIFEST +++ b/contrib/openpam/MANIFEST @@ -10,6 +10,10 @@ bin/su/Makefile bin/su/su.c doc/Makefile doc/man/Makefile +doc/man/openpam_get_option.3 +doc/man/openpam_log.3 +doc/man/openpam_set_option.3 +doc/man/openpam_ttyconv.3 doc/man/pam.3 doc/man/pam_acct_mgmt.3 doc/man/pam_authenticate.3 
@@ -31,6 +35,12 @@ doc/man/pam_set_data.3 doc/man/pam_set_item.3 doc/man/pam_setcred.3 doc/man/pam_setenv.3 +doc/man/pam_sm_acct_mgmt.3 +doc/man/pam_sm_authenticate.3 +doc/man/pam_sm_chauthtok.3 +doc/man/pam_sm_close_session.3 +doc/man/pam_sm_open_session.3 +doc/man/pam_sm_setcred.3 doc/man/pam_start.3 doc/man/pam_strerror.3 doc/man/pam_verror.3 @@ -44,9 +54,12 @@ include/security/pam_types.h lib/Makefile lib/openpam_dispatch.c lib/openpam_findenv.c +lib/openpam_get_option.c lib/openpam_impl.h lib/openpam_load.c lib/openpam_log.c +lib/openpam_set_option.c +lib/openpam_static.c lib/openpam_ttyconv.c lib/pam_acct_mgmt.c lib/pam_authenticate.c @@ -73,11 +86,23 @@ lib/pam_set_mapped_authtok.c lib/pam_set_mapped_username.c lib/pam_setcred.c lib/pam_setenv.c +lib/pam_sm_acct_mgmt.c +lib/pam_sm_authenticate.c +lib/pam_sm_authenticate_secondary.c +lib/pam_sm_chauthtok.c +lib/pam_sm_close_session.c +lib/pam_sm_get_mapped_authtok.c +lib/pam_sm_get_mapped_username.c +lib/pam_sm_open_session.c +lib/pam_sm_set_mapped_authtok.c +lib/pam_sm_set_mapped_username.c +lib/pam_sm_setcred.c lib/pam_start.c lib/pam_strerror.c lib/pam_verror.c lib/pam_vinfo.c lib/pam_vprompt.c +misc/gendoc.pl modules/Makefile modules/pam_deny/Makefile modules/pam_deny/pam_deny.c diff --git a/contrib/openpam/RELNOTES b/contrib/openpam/RELNOTES index a1eebccc1ff4..2b5923285945 100644 --- a/contrib/openpam/RELNOTES +++ b/contrib/openpam/RELNOTES 
@@ -1,12 +1,12 @@ - Release notes for OpenPAM Caliopsis - =================================== + Release notes for OpenPAM Cantaloupe + ==================================== This is a beta release. The library itself is mostly complete. Documentation exists in the -form of skeletal man pages for the library itself, but no detailed -documentation is provided in this release. +form of man pages for the library functions, though some pages are +still incomplete. This release is primarily intended for reviewers and developers interested in testing OpenPAM on FreeBSD. It has not been tested on @@ -15,14 +15,9 @@ NetBSD and OpenBSD. Known issues: - - The pam_get_user() and pam_get_authtok() functions do not check - for commonly used options such as {use,try}_first_pass or - auth_as_self. In fact, pam_get_authtok() behaves as if - try_first_pass was always specified. + - The documentation is still incomplete. - - The provided conversation function, openpam_ttyconv(), should - block signals, and support some sort of timeout. - - - The documentation is far from complete. +Oh, and the previous release's code name was misspelled - egg on my +face! It should have been "Calliopsis". $Id$ diff --git a/contrib/openpam/doc/man/Makefile b/contrib/openpam/doc/man/Makefile index f63e24824575..4003d2c845ca 100644 --- a/contrib/openpam/doc/man/Makefile +++ b/contrib/openpam/doc/man/Makefile @@ -35,6 +35,10 @@ # MAN = +MAN += openpam_get_option.3 +MAN += openpam_log.3 +MAN += openpam_set_option.3 +MAN += openpam_ttyconv.3 MAN += pam.3 MAN += pam_acct_mgmt.3 MAN += pam_authenticate.3 
@@ -56,10 +60,19 @@ MAN += pam_set_data.3 MAN += pam_set_item.3 MAN += pam_setcred.3 MAN += pam_setenv.3 +MAN += pam_sm_acct_mgmt.3 +MAN += pam_sm_authenticate.3 +MAN += pam_sm_chauthtok.3 +MAN += pam_sm_close_session.3 +MAN += pam_sm_open_session.3 +MAN += pam_sm_setcred.3 MAN += pam_start.3 MAN += pam_strerror.3 MAN += pam_verror.3 MAN += pam_vinfo.3 MAN += pam_vprompt.3 +generate: + (cd ${.CURDIR} && perl -w ../../misc/gendoc.pl ../../lib/*.c >pam.3) + .include <bsd.prog.mk> diff --git a/contrib/openpam/doc/man/openpam_get_option.3 b/contrib/openpam/doc/man/openpam_get_option.3 new file mode 100644 index 000000000000..2fd26b5d6688 --- /dev/null +++ b/contrib/openpam/doc/man/openpam_get_option.3 
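Review bot: The `generate:` rule added at the end of contrib/openpam/doc/man/Makefile redirects the script's output straight into `pam.3`, so the shell truncates the checked-in page before perl starts, and a failing or interrupted gendoc.pl run leaves an empty or partial pam.3 in the tree. Writing to a scratch file and renaming only on success avoids that: `(cd ${.CURDIR} && perl -w ../../misc/gendoc.pl ../../lib/*.c >pam.3.tmp && mv pam.3.tmp pam.3)`. The rule never produces a file called `generate`, so it should also be declared with `.PHONY: generate`. A short comment above the rule would help as well, for example `# Regenerate the man pages from the in-line documentation in lib/*.c; maintainer-only, needs perl.`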
@@ -0,0 +1,74 @@ +.\"- +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" NAI Labs, the Security Research Division of Network Associates, Inc. +.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd February 22, 2002 +.Dt OPENPAM_GET_OPTION 3 +.Os +.Sh NAME +.Nm openpam_get_option +.Nd returns the value of a module option +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In security/pam_appl.h +.Ft const char * +.Fn openpam_get_option "pam_handle_t *pamh" "const char *option" +.Sh DESCRIPTION +The +.Nm +function returns the value of the specified +option in the context of the currently executing service module, or +.Dv NULL +if the option is not set or no module is currently executing. +.Sh RETURN VALUES +The +.Nm +function returns +.Dv NULL +on failure. +.Sh SEE ALSO +.Xr pam 3 +.Sh STANDARDS +The +.Nm +function is an OpenPAM extension. +.Sh AUTHORS +The +.Nm +function and this manual page were developed for the FreeBSD Project +by ThinkSec AS and NAI Labs, the Security Research Division of Network +Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. diff --git a/contrib/openpam/doc/man/openpam_log.3 b/contrib/openpam/doc/man/openpam_log.3 new file mode 100644 index 000000000000..c5f07e69a3da --- /dev/null +++ b/contrib/openpam/doc/man/openpam_log.3 
@@ -0,0 +1,63 @@ +.\"- +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" NAI Labs, the Security Research Division of Network Associates, Inc. +.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id$ +.\" +.Dd February 22, 2002 +.Dt OPENPAM_LOG 3 +.Os +.Sh NAME +.Nm openpam_log +.Nd it). 
Do the next best thing +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In security/pam_appl.h +.Ft void +.Fn openpam_log "int level" "const char *fmt" "..." +.Sh DESCRIPTION +No description available. +.Sh SEE ALSO +.Xr pam 3 +.Sh STANDARDS +The +.Nm +function is an OpenPAM extension. +.Sh AUTHORS +The +.Nm +function and this manual page were developed for the FreeBSD Project +by ThinkSec AS and NAI Labs, the Security Research Division of Network +Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. diff --git a/contrib/openpam/doc/man/openpam_set_option.3 b/contrib/openpam/doc/man/openpam_set_option.3 new file mode 100644 index 000000000000..5cb501bdeae9 --- /dev/null +++ b/contrib/openpam/doc/man/openpam_set_option.3 
@@ -0,0 +1,77 @@ +.\"- +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" NAI Labs, the Security Research Division of Network Associates, Inc. +.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd February 22, 2002 +.Dt OPENPAM_SET_OPTION 3 +.Os +.Sh NAME +.Nm openpam_set_option +.Nd sets the value of a module option +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In security/pam_appl.h +.Ft int +.Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value" +.Sh DESCRIPTION +The +.Nm +function sets the specified option in the +context of the currently executing service module. +.Sh RETURN VALUES +The +.Nm +function returns one of the following values: +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_SYSTEM_ERR +System error. +.El +.Sh SEE ALSO +.Xr pam 3 , +.Xr pam_strerror 3 +.Sh STANDARDS +The +.Nm +function is an OpenPAM extension. +.Sh AUTHORS +The +.Nm +function and this manual page were developed for the FreeBSD Project +by ThinkSec AS and NAI Labs, the Security Research Division of Network +Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. diff --git a/contrib/openpam/doc/man/openpam_ttyconv.3 b/contrib/openpam/doc/man/openpam_ttyconv.3 new file mode 100644 index 000000000000..275e0ad50a16 --- /dev/null +++ b/contrib/openpam/doc/man/openpam_ttyconv.3 
@@ -0,0 +1,76 @@ +.\"- +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" NAI Labs, the Security Research Division of Network Associates, Inc. +.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd February 22, 2002 +.Dt OPENPAM_TTYCONV 3 +.Os +.Sh NAME +.Nm openpam_ttyconv +.Nd simple tty-based conversation function +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In security/pam_appl.h +.Ft int +.Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data" +.Sh DESCRIPTION +No description available. +.Sh RETURN VALUES +The +.Nm +function returns one of the following values: +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. +.El +.Sh SEE ALSO +.Xr pam 3 , +.Xr pam_strerror 3 +.Sh STANDARDS +The +.Nm +function is an OpenPAM extension. +.Sh AUTHORS +The +.Nm +function and this manual page were developed for the FreeBSD Project +by ThinkSec AS and NAI Labs, the Security Research Division of Network +Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. diff --git a/contrib/openpam/doc/man/pam.3 b/contrib/openpam/doc/man/pam.3 index 02141b1f418d..9d4580d56ce6 100644 --- a/contrib/openpam/doc/man/pam.3 +++ b/contrib/openpam/doc/man/pam.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM 3 .Os .Sh NAME @@ -82,7 +82,7 @@ .Ft int .Fn pam_get_authtok "pam_handle_t *pamh" "const char **authtok" "const char *prompt" .Ft int -.Fn pam_get_data "pam_handle_t *pamh" "const char *module_data_name" "void **data" +.Fn pam_get_data "pam_handle_t *pamh" "const char *module_data_name" "const void **data" .Ft int .Fn pam_get_item "pam_handle_t *pamh" "int item_type" "const void **item" .Ft int 
@@ -119,6 +119,71 @@ .Fn pam_vprompt "pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "va_list ap" .Sh DESCRIPTION .Sh RETURN VALUES +The following return codes are defined in the +.In security/pam_constants.h +header: +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_ACCT_EXPIRED +User accound has expired. +.It Bq Er PAM_AUTHINFO_UNAVAIL +Authentication information is unavailable. +.It Bq Er PAM_AUTHTOK_DISABLE_AGING +Authentication token aging disabled. +.It Bq Er PAM_AUTHTOK_ERR +Authentication token failure. +.It Bq Er PAM_AUTHTOK_EXPIRED +Password has expired. +.It Bq Er PAM_AUTHTOK_LOCK_BUSY +Authentication token lock busy. +.It Bq Er PAM_AUTHTOK_RECOVERY_ERR +Failed to recover old authentication token. +.It Bq Er PAM_AUTH_ERR +Authentication error. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_CRED_ERR +Failed to set user credentials. +.It Bq Er PAM_CRED_EXPIRED +User credentials have expired. +.It Bq Er PAM_CRED_INSUFFICIENT +Insufficient credentials. +.It Bq Er PAM_CRED_UNAVAIL +Failed to retrieve user credentials. +.It Bq Er PAM_DOMAIN_UNKNOWN +Unknown authentication domain. +.It Bq Er PAM_IGNORE +Ignore this module. +.It Bq Er PAM_MAXTRIES +Maximum number of tries exceeded. +.It Bq Er PAM_MODULE_UNKNOWN +Unknown module type. +.It Bq Er PAM_NEW_AUTHTOK_REQD +New authentication token required. +.It Bq Er PAM_NO_MODULE_DATA +Module data not found. +.It Bq Er PAM_OPEN_ERR +Failed to load module. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SESSION_ERR +Session failure. +.It Bq Er PAM_SUCCESS +Success. +.It Bq Er PAM_SYMBOL_ERR +Invalid symbol. +.It Bq Er PAM_SYSTEM_ERR +System error. +.It Bq Er PAM_TRY_AGAIN +Try again. +.It Bq Er PAM_USER_UNKNOWN +Unknown user. +.El .Sh SEE ALSO .Xr pam_acct_mgmt 3 , .Xr pam_authenticate 3 , 
diff --git a/contrib/openpam/doc/man/pam_acct_mgmt.3 b/contrib/openpam/doc/man/pam_acct_mgmt.3 index 88b54f6ad19e..3ec445a5217f 100644 --- a/contrib/openpam/doc/man/pam_acct_mgmt.3 +++ b/contrib/openpam/doc/man/pam_acct_mgmt.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_ACCT_MGMT 3 .Os .Sh NAME @@ -46,18 +46,36 @@ .Ft int .Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION -The -.Nm -function is not yet documented. +No description available. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_ACCT_EXPIRED +User accound has expired. +.It Bq Er PAM_AUTH_ERR +Authentication error. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_NEW_AUTHTOK_REQD +New authentication token required. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SYSTEM_ERR +System error. +.It Bq Er PAM_USER_UNKNOWN +Unknown user. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_authenticate.3 b/contrib/openpam/doc/man/pam_authenticate.3 index 1885376ca17d..137bf05acc4f 100644 --- a/contrib/openpam/doc/man/pam_authenticate.3 +++ b/contrib/openpam/doc/man/pam_authenticate.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_AUTHENTICATE 3 .Os .Sh NAME 
@@ -46,18 +46,38 @@ .Ft int .Fn pam_authenticate "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION -The -.Nm -function is not yet documented. +No description available. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_AUTHINFO_UNAVAIL +Authentication information is unavailable. +.It Bq Er PAM_AUTH_ERR +Authentication error. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_CRED_INSUFFICIENT +Insufficient credentials. +.It Bq Er PAM_MAXTRIES +Maximum number of tries exceeded. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SYSTEM_ERR +System error. +.It Bq Er PAM_USER_UNKNOWN +Unknown user. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_chauthtok.3 b/contrib/openpam/doc/man/pam_chauthtok.3 index a287f3857ca3..9566f01dc971 100644 --- a/contrib/openpam/doc/man/pam_chauthtok.3 +++ b/contrib/openpam/doc/man/pam_chauthtok.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_CHAUTHTOK 3 .Os .Sh NAME 
@@ -46,18 +46,36 @@ .Ft int .Fn pam_chauthtok "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION -The -.Nm -function is not yet documented. +No description available. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_AUTHTOK_DISABLE_AGING +Authentication token aging disabled. +.It Bq Er PAM_AUTHTOK_ERR +Authentication token failure. +.It Bq Er PAM_AUTHTOK_LOCK_BUSY +Authentication token lock busy. +.It Bq Er PAM_AUTHTOK_RECOVERY_ERR +Failed to recover old authentication token. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_close_session.3 b/contrib/openpam/doc/man/pam_close_session.3 index ba91ab3e10f4..ea689b71d683 100644 --- a/contrib/openpam/doc/man/pam_close_session.3 +++ b/contrib/openpam/doc/man/pam_close_session.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_CLOSE_SESSION 3 .Os .Sh NAME 
@@ -46,18 +46,30 @@ .Ft int .Fn pam_close_session "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION -The -.Nm -function is not yet documented. +No description available. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SESSION_ERR +Session failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_end.3 b/contrib/openpam/doc/man/pam_end.3 index 141aa8390f4d..e500697b2878 100644 --- a/contrib/openpam/doc/man/pam_end.3 +++ b/contrib/openpam/doc/man/pam_end.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_END 3 .Os .Sh NAME @@ -48,16 +48,26 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function terminates a PAM transaction and destroys the +corresponding PAM context, releasing all resources allocated to it. +.Pp +The +.Va status +argument should be set to the error code returned by the +last API call before the call to +.Nm +. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_error.3 b/contrib/openpam/doc/man/pam_error.3 index f0216f1ba20f..8b514aba6fc5 100644 --- a/contrib/openpam/doc/man/pam_error.3 
+++ b/contrib/openpam/doc/man/pam_error.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_ERROR 3 .Os .Sh NAME @@ -47,22 +47,32 @@ .Fn pam_error "pam_handle_t *pamh" "const char *fmt" "..." .Sh DESCRIPTION The -.Nm -function is not yet documented. +.Xr pam_info 3 +function displays an error message through the +intermediary of the given PAM context's conversation function. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr pam 3 , +.Xr pam_info 3 , +.Xr pam_prompt 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam_verror 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/doc/man/pam_get_authtok.3 b/contrib/openpam/doc/man/pam_get_authtok.3 index 3bfb70d3a4ef..e965173cadb1 100644 --- a/contrib/openpam/doc/man/pam_get_authtok.3 +++ b/contrib/openpam/doc/man/pam_get_authtok.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_GET_AUTHTOK 3 .Os .Sh NAME 
@@ -46,23 +46,26 @@ .Ft int .Fn pam_get_authtok "pam_handle_t *pamh" "const char **authtok" "const char *prompt" .Sh DESCRIPTION -The -.Nm -function is not yet documented. +No description available. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/doc/man/pam_get_data.3 b/contrib/openpam/doc/man/pam_get_data.3 index b622f383f743..779806584305 100644 --- a/contrib/openpam/doc/man/pam_get_data.3 +++ b/contrib/openpam/doc/man/pam_get_data.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_GET_DATA 3 .Os .Sh NAME 
@@ -44,20 +44,39 @@ .Sh SYNOPSIS .In security/pam_appl.h .Ft int -.Fn pam_get_data "pam_handle_t *pamh" "const char *module_data_name" "void **data" +.Fn pam_get_data "pam_handle_t *pamh" "const char *module_data_name" "const void **data" .Sh DESCRIPTION The .Nm -function is not yet documented. +function looks up the opaque object associated with +the string specified by the +.Va module_data_name +argument, in the PAM +context specified by the +.Va pamh +argument. +A pointer to the object is stored in the location pointed to by the +.Va data +argument. +.Pp +This function and its counterpart +.Xr pam_set_data 3 +are useful for managing +data that are meaningful only to a particular service module. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_NO_MODULE_DATA +Module data not found. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_set_data 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_get_item.3 b/contrib/openpam/doc/man/pam_get_item.3 index 3f337fd4ca46..2ea942e0873d 100644 --- a/contrib/openpam/doc/man/pam_get_item.3 +++ b/contrib/openpam/doc/man/pam_get_item.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_GET_ITEM 3 .Os .Sh NAME 
@@ -48,16 +48,64 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function stores a pointer to the item specified by +the +.Va item_type +argument in the location specified by the +.Va item +argument. +The item is retrieved from the PAM context specified by the +.Va pamh +argument. +The following item types are recognized: +.Bl -tag -width 18n +.It Dv PAM_SERVICE +The name of the requesting service. +.It Dv PAM_USER +The name of the user the application is trying to +authenticate. +.It Dv PAM_TTY +The name of the current terminal. +.It Dv PAM_RHOST +The name of the applicant's host. +.It Dv PAM_CONV +A +.Vt struct pam_conv +describing the current conversation +function. +.It Dv PAM_AUTHTOK +The current authentication token. +.It Dv PAM_OLDAUTHTOK +The expired authentication token. +.It Dv PAM_RUSER +The name of the applicant. +.It Dv PAM_USER_PROMPT +The prompt to use when asking the applicant for a user +name to authenticate as. +.It Dv PAM_AUTHTOK_PROMPT +The prompt to use when asking the applicant for an +authentication token. +.El +See +.Xr pam_start 3 +for a description of +.Vt struct pam_conv . +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_SYMBOL_ERR +Invalid symbol. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_set_item 3 , +.Xr pam_start 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_get_user.3 b/contrib/openpam/doc/man/pam_get_user.3 index 8d8fa30b57dc..fc2c54f83a47 100644 --- a/contrib/openpam/doc/man/pam_get_user.3 +++ b/contrib/openpam/doc/man/pam_get_user.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_GET_USER 3 .Os .Sh NAME 
@@ -46,18 +46,22 @@ .Ft int .Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt" .Sh DESCRIPTION -The -.Nm -function is not yet documented. +No description available. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_getenv.3 b/contrib/openpam/doc/man/pam_getenv.3 index dd0359ded611..9d58af13460d 100644 --- a/contrib/openpam/doc/man/pam_getenv.3 +++ b/contrib/openpam/doc/man/pam_getenv.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_GETENV 3 .Os .Sh NAME @@ -48,16 +48,24 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function returns the value of an environment variable. +Its semantics are similar to those of +.Xr getenv 3 , +but it accesses the PAM +context's environment list instead of the application's. +.Pp .Sh RETURN VALUES The -.Fn -function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING -.El +.Nm +function returns +.Dv NULL +on failure. .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr getenv 3 , +.Xr pam 3 , +.Xr pam_getenvlist 3 , +.Xr pam_putenv 3 , +.Xr pam_setenv 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_getenvlist.3 b/contrib/openpam/doc/man/pam_getenvlist.3 index 2fc85e28d61c..cafa10084769 100644 --- a/contrib/openpam/doc/man/pam_getenvlist.3 +++ b/contrib/openpam/doc/man/pam_getenvlist.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_GETENVLIST 3 .Os .Sh NAME 
@@ -48,16 +48,45 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function returns a copy of the given PAM context's +environment list as a pointer to an array of strings. +The last element in the array is +.Dv NULL . +The pointer is suitable for assignment to +.Va environ . +.Pp +The array and the strings it lists are allocated using +.Xr malloc 3 , +and +should be released using +.Xr free 3 +after use: +.Pp +.Bd -literal + char **envlist, **env; + + envlist = environ; + environ = pam_getenvlist(pamh); + /* do something nifty */ + for (env = environ; *env != NULL; env++) + free(*env); + free(environ); + environ = envlist; + .Sh RETURN VALUES The -.Fn -function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING -.El +.Nm +function returns +.Dv NULL +on failure. .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr environ 7 , +.Xr free 3 , +.Xr malloc 3 , +.Xr pam 3 , +.Xr pam_getenv 3 , +.Xr pam_putenv 3 , +.Xr pam_setenv 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_info.3 b/contrib/openpam/doc/man/pam_info.3 index 573a8a1cb53c..4ea37a7655e3 100644 --- a/contrib/openpam/doc/man/pam_info.3 +++ b/contrib/openpam/doc/man/pam_info.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_INFO 3 .Os .Sh NAME 
@@ -48,21 +48,31 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function displays an informational message through the +intermediary of the given PAM context's conversation function. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr pam 3 , +.Xr pam_error 3 , +.Xr pam_prompt 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam_vinfo 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/doc/man/pam_open_session.3 b/contrib/openpam/doc/man/pam_open_session.3 index 3db2b1663923..130ead24212d 100644 --- a/contrib/openpam/doc/man/pam_open_session.3 +++ b/contrib/openpam/doc/man/pam_open_session.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_OPEN_SESSION 3 .Os .Sh NAME @@ -46,18 +46,30 @@ .Ft int .Fn pam_open_session "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION -The -.Nm -function is not yet documented. +No description available. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SESSION_ERR +Session failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" 
diff --git a/contrib/openpam/doc/man/pam_prompt.3 b/contrib/openpam/doc/man/pam_prompt.3 index e3ebef896722..177af78f1e70 100644 --- a/contrib/openpam/doc/man/pam_prompt.3 +++ b/contrib/openpam/doc/man/pam_prompt.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_PROMPT 3 .Os .Sh NAME @@ -48,21 +48,43 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function constructs a message from the specified format +string and arguments and passes it to the given PAM context's +conversation function. +.Pp +A pointer to the response, or +.Dv NULL +if the conversation function did +not return one, is stored in the location pointed to by the +.Va resp +argument. +.Pp +See +.Xr pam_vprompt 3 +for further details. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr pam 3 , +.Xr pam_error 3 , +.Xr pam_info 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam_vprompt 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/doc/man/pam_putenv.3 b/contrib/openpam/doc/man/pam_putenv.3 index 7193b96512db..33ba9924ce31 100644 --- a/contrib/openpam/doc/man/pam_putenv.3 +++ b/contrib/openpam/doc/man/pam_putenv.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_PUTENV 3 .Os .Sh NAME 
@@ -48,16 +48,29 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function sets a environment variable. +Its semantics are similar to those of +.Xr putenv 3 , +but it modifies the PAM +context's environment list instead of the application's. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr pam 3 , +.Xr pam_getenv 3 , +.Xr pam_getenvlist 3 , +.Xr pam_setenv 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr putenv 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_set_data.3 b/contrib/openpam/doc/man/pam_set_data.3 index b179cb98e579..811b59a0e1c3 100644 --- a/contrib/openpam/doc/man/pam_set_data.3 +++ b/contrib/openpam/doc/man/pam_set_data.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_SET_DATA 3 .Os .Sh NAME 
@@ -48,16 +48,40 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function associates a pointer to an opaque object +with an arbitrary string specified by the +.Va module_data_name +argument, +in the PAM context specified by the +.Va pamh +argument. +.Pp +If not +.Dv NULL , +the +.Xr cleanup 3 +argument should point to a function +responsible for releasing the resources associated with the object. +.Pp +This function and its counterpart +.Xr pam_get_data 3 +are useful for managing +data that are meaningful only to a particular service module. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr cleanup 3 , +.Xr pam 3 , +.Xr pam_get_data 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_set_item.3 b/contrib/openpam/doc/man/pam_set_item.3 index eb4570514695..b6b08e758f68 100644 --- a/contrib/openpam/doc/man/pam_set_item.3 +++ b/contrib/openpam/doc/man/pam_set_item.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_SET_ITEM 3 .Os .Sh NAME 
@@ -48,16 +48,33 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function sets the item specified by the +.Va item_type +argument to a copy of the object pointed to by the +.Va item +argument. +The item is stored in the PAM context specified by the +.Va pamh +argument. +See +.Xr pam_get_item 3 +for a list of recognized item types. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_SYMBOL_ERR +Invalid symbol. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_get_item 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_setcred.3 b/contrib/openpam/doc/man/pam_setcred.3 index 65913c55cb21..b41b62bb8322 100644 --- a/contrib/openpam/doc/man/pam_setcred.3 +++ b/contrib/openpam/doc/man/pam_setcred.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_SETCRED 3 .Os .Sh NAME 
@@ -48,16 +48,48 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function manages the application's credentials. +The operation to perform is specified by the +.Va flags +argument: +.Bl -tag -width 18n +.It PAM_ESTABLISH_CRED +Establish the credentials of the target user. +.It PAM_DELETE_CRED +Revoke all established credentials. +.It PAM_REINITIALISE_CRED +Fully reinitialise credentials. +.It PAM_REFRESH_CRED +Refresh credentials. .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_CRED_ERR +Failed to set user credentials. +.It Bq Er PAM_CRED_EXPIRED +User credentials have expired. +.It Bq Er PAM_CRED_UNAVAIL +Failed to retrieve user credentials. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SYSTEM_ERR +System error. +.It Bq Er PAM_USER_UNKNOWN +Unknown user. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_setenv.3 b/contrib/openpam/doc/man/pam_setenv.3 index c2425e355491..f2bbf2cf59c2 100644 --- a/contrib/openpam/doc/man/pam_setenv.3 +++ b/contrib/openpam/doc/man/pam_setenv.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_SETENV 3 .Os .Sh NAME 
@@ -48,21 +48,33 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function sets a environment variable. +Its semantics are similar to those of +.Xr setenv 3 , +but it modifies the PAM +context's environment list instead of the application's. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr pam 3 , +.Xr pam_getenv 3 , +.Xr pam_getenvlist 3 , +.Xr pam_putenv 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr setenv 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 new file mode 100644 index 000000000000..0dcaabab21a0 --- /dev/null +++ b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 
@@ -0,0 +1,100 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 22, 2002
+.Dt PAM_SM_ACCT_MGMT 3
+.Os
+.Sh NAME
+.Nm pam_sm_acct_mgmt
+.Nd service module implementation for pam_acct_mgmt
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.In security/pam_modules.h
+.Ft int
+.Fn pam_sm_acct_mgmt "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
+.Sh DESCRIPTION
+The
+.Nm
+function is the service module's implementation
+of the
+.Xr pam_acct_mgmt 3
+API function.
+.Sh RETURN VALUES
+The
+.Nm
+function returns one of the following values:
+.Bl -tag -width 18n
+.It Bq Er PAM_ABORT
+General failure.
+.It Bq Er PAM_ACCT_EXPIRED
+User accound has expired.
+.It Bq Er PAM_AUTH_ERR
+Authentication error.
+.It Bq Er PAM_BUF_ERR
+Memory buffer error.
+.It Bq Er PAM_CONV_ERR
+Conversation failure.
+.It Bq Er PAM_IGNORE
+Ignore this module.
+.It Bq Er PAM_NEW_AUTHTOK_REQD
+New authentication token required.
+.It Bq Er PAM_PERM_DENIED
+Permission denied.
+.It Bq Er PAM_SERVICE_ERR
+Error in service module.
+.It Bq Er PAM_SYSTEM_ERR
+System error.
+.It Bq Er PAM_USER_UNKNOWN
+Unknown user.
+.El
+.Sh SEE ALSO
+.Xr pam 3 ,
+.Xr pam_acct_mgmt 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_sm_authenticate.3 b/contrib/openpam/doc/man/pam_sm_authenticate.3
new file mode 100644
index 000000000000..f97f49fe57de
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_sm_authenticate.3
@@ -0,0 +1,102 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 22, 2002
+.Dt PAM_SM_AUTHENTICATE 3
+.Os
+.Sh NAME
+.Nm pam_sm_authenticate
+.Nd service module implementation for pam_authenticate
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.In security/pam_modules.h
+.Ft int
+.Fn pam_sm_authenticate "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
+.Sh DESCRIPTION
+The
+.Nm
+function is the service module's
+implementation of the
+.Xr pam_authenticate 3
+API function.
+.Sh RETURN VALUES
+The
+.Nm
+function returns one of the following values:
+.Bl -tag -width 18n
+.It Bq Er PAM_ABORT
+General failure.
+.It Bq Er PAM_AUTHINFO_UNAVAIL
+Authentication information is unavailable.
+.It Bq Er PAM_AUTH_ERR
+Authentication error.
+.It Bq Er PAM_BUF_ERR
+Memory buffer error.
+.It Bq Er PAM_CONV_ERR
+Conversation failure.
+.It Bq Er PAM_CRED_INSUFFICIENT
+Insufficient credentials.
+.It Bq Er PAM_IGNORE
+Ignore this module.
+.It Bq Er PAM_MAXTRIES
+Maximum number of tries exceeded.
+.It Bq Er PAM_PERM_DENIED
+Permission denied.
+.It Bq Er PAM_SERVICE_ERR
+Error in service module.
+.It Bq Er PAM_SYSTEM_ERR
+System error.
+.It Bq Er PAM_USER_UNKNOWN
+Unknown user.
+.El
+.Sh SEE ALSO
+.Xr pam 3 ,
+.Xr pam_authenticate 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_sm_chauthtok.3 b/contrib/openpam/doc/man/pam_sm_chauthtok.3
new file mode 100644
index 000000000000..fe580784ad49
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_sm_chauthtok.3
@@ -0,0 +1,100 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 22, 2002
+.Dt PAM_SM_CHAUTHTOK 3
+.Os
+.Sh NAME
+.Nm pam_sm_chauthtok
+.Nd service module implementation for pam_chauthtok
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.In security/pam_modules.h
+.Ft int
+.Fn pam_sm_chauthtok "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
+.Sh DESCRIPTION
+The
+.Nm
+function is the service module's implementation
+of the
+.Xr pam_chauthtok 3
+API function.
+.Sh RETURN VALUES
+The
+.Nm
+function returns one of the following values:
+.Bl -tag -width 18n
+.It Bq Er PAM_ABORT
+General failure.
+.It Bq Er PAM_AUTHTOK_DISABLE_AGING
+Authentication token aging disabled.
+.It Bq Er PAM_AUTHTOK_ERR
+Authentication token failure.
+.It Bq Er PAM_AUTHTOK_LOCK_BUSY
+Authentication token lock busy.
+.It Bq Er PAM_AUTHTOK_RECOVERY_ERR
+Failed to recover old authentication token.
+.It Bq Er PAM_BUF_ERR
+Memory buffer error.
+.It Bq Er PAM_CONV_ERR
+Conversation failure.
+.It Bq Er PAM_IGNORE
+Ignore this module.
+.It Bq Er PAM_PERM_DENIED
+Permission denied.
+.It Bq Er PAM_SERVICE_ERR
+Error in service module.
+.It Bq Er PAM_SYSTEM_ERR
+System error.
+.El
+.Sh SEE ALSO
+.Xr pam 3 ,
+.Xr pam_chauthtok 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_sm_close_session.3 b/contrib/openpam/doc/man/pam_sm_close_session.3
new file mode 100644
index 000000000000..4e12e390737d
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_sm_close_session.3
@@ -0,0 +1,94 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 22, 2002
+.Dt PAM_SM_CLOSE_SESSION 3
+.Os
+.Sh NAME
+.Nm pam_sm_close_session
+.Nd service module implementation for pam_close_session
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.In security/pam_modules.h
+.Ft int
+.Fn pam_sm_close_session "pam_handle_t *pamh" "int flags" "int args" "const char **argv"
+.Sh DESCRIPTION
+The
+.Nm
+function is the service module's
+implementation of the
+.Xr pam_close_session 3
+API function.
+.Sh RETURN VALUES
+The
+.Nm
+function returns one of the following values:
+.Bl -tag -width 18n
+.It Bq Er PAM_ABORT
+General failure.
+.It Bq Er PAM_BUF_ERR
+Memory buffer error.
+.It Bq Er PAM_CONV_ERR
+Conversation failure.
+.It Bq Er PAM_IGNORE
+Ignore this module.
+.It Bq Er PAM_PERM_DENIED
+Permission denied.
+.It Bq Er PAM_SERVICE_ERR
+Error in service module.
+.It Bq Er PAM_SESSION_ERR
+Session failure.
+.It Bq Er PAM_SYSTEM_ERR
+System error.
+.El
+.Sh SEE ALSO
+.Xr pam 3 ,
+.Xr pam_close_session 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_sm_open_session.3 b/contrib/openpam/doc/man/pam_sm_open_session.3
new file mode 100644
index 000000000000..507ce5039ff7
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_sm_open_session.3
@@ -0,0 +1,94 @@
+.\"-
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" NAI Labs, the Security Research Division of Network Associates, Inc.
+.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 22, 2002
+.Dt PAM_SM_OPEN_SESSION 3
+.Os
+.Sh NAME
+.Nm pam_sm_open_session
+.Nd service module implementation for pam_open_session
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In security/pam_appl.h
+.In security/pam_modules.h
+.Ft int
+.Fn pam_sm_open_session "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
+.Sh DESCRIPTION
+The
+.Nm
+function is the service module's
+implementation of the
+.Xr pam_open_session 3
+API function.
+.Sh RETURN VALUES
+The
+.Nm
+function returns one of the following values:
+.Bl -tag -width 18n
+.It Bq Er PAM_ABORT
+General failure.
+.It Bq Er PAM_BUF_ERR
+Memory buffer error.
+.It Bq Er PAM_CONV_ERR
+Conversation failure.
+.It Bq Er PAM_IGNORE
+Ignore this module.
+.It Bq Er PAM_PERM_DENIED
+Permission denied.
+.It Bq Er PAM_SERVICE_ERR
+Error in service module.
+.It Bq Er PAM_SESSION_ERR
+Session failure.
+.It Bq Er PAM_SYSTEM_ERR
+System error.
+.El
+.Sh SEE ALSO
+.Xr pam 3 ,
+.Xr pam_open_session 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+.Rs
+.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
+.%D "June 1997"
+.Re
+.Sh AUTHORS
+The
+.Nm
+function and this manual page were developed for the FreeBSD Project
+by ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/contrib/openpam/doc/man/pam_sm_setcred.3 b/contrib/openpam/doc/man/pam_sm_setcred.3
new file mode 100644
index 000000000000..9cd4650aa8ab
--- /dev/null
+++ b/contrib/openpam/doc/man/pam_sm_setcred.3
@@ -0,0 +1,100 @@ +.\"- +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" NAI Labs, the Security Research Division of Network Associates, Inc. +.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd February 22, 2002 +.Dt PAM_SM_SETCRED 3 +.Os +.Sh NAME +.Nm pam_sm_setcred +.Nd service module implementation for pam_setcred +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In security/pam_appl.h +.In security/pam_modules.h +.Ft int +.Fn pam_sm_setcred "pam_handle_t *pamh" "int flags" "int argc" "const char **argv" +.Sh DESCRIPTION +The +.Nm +function is the service module's implementation of +the +.Xr pam_setcred 3 +API function. +.Sh RETURN VALUES +The +.Nm +function returns one of the following values: +.Bl -tag -width 18n +.It Bq Er PAM_ABORT +General failure. +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_CRED_ERR +Failed to set user credentials. +.It Bq Er PAM_CRED_EXPIRED +User credentials have expired. +.It Bq Er PAM_CRED_UNAVAIL +Failed to retrieve user credentials. +.It Bq Er PAM_IGNORE +Ignore this module. +.It Bq Er PAM_PERM_DENIED +Permission denied. +.It Bq Er PAM_SERVICE_ERR +Error in service module. +.It Bq Er PAM_SYSTEM_ERR +System error. +.It Bq Er PAM_USER_UNKNOWN +Unknown user. +.El +.Sh SEE ALSO +.Xr pam 3 , +.Xr pam_setcred 3 , +.Xr pam_strerror 3 +.Sh STANDARDS +.Rs +.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" +.%D "June 1997" +.Re +.Sh AUTHORS +The +.Nm +function and this manual page were developed for the FreeBSD Project +by ThinkSec AS and NAI Labs, the Security Research Division of Network +Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. diff --git a/contrib/openpam/doc/man/pam_start.3 b/contrib/openpam/doc/man/pam_start.3 index 3eb5212e94e1..74a230603708 100644 --- a/contrib/openpam/doc/man/pam_start.3 +++ b/contrib/openpam/doc/man/pam_start.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_START 3 .Os .Sh NAME 
@@ -48,16 +48,54 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function creates and initializes a PAM context. +.Pp +The +.Va service +argument specifies the name of the policy to apply, and is +stored in the +.Dv PAM_SERVICE +item in the created context. +.Pp +The +.Va user +argument specifies the name of the target user - the user the +created context will serve to authenticate. +It is stored in the +.Dv PAM_USER +item in the created context. +.Pp +The +.Va pam_conv +argument points to a +.Vt struct pam_conv +describing the +conversation function to use. +This structure is defined as follows: +.Pp +.Bd -literal + struct pam_conv { + int (*conv)(int, const struct pam_message **, + struct pam_response **, void *); + void *appdata_ptr; + }; + .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO -.Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam 3 , +.Xr pam_end 3 , +.Xr pam_get_item 3 , +.Xr pam_set_item 3 , +.Xr pam_strerror 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" diff --git a/contrib/openpam/doc/man/pam_strerror.3 b/contrib/openpam/doc/man/pam_strerror.3 index 55e1e82f0c03..74445fd5813b 100644 --- a/contrib/openpam/doc/man/pam_strerror.3 +++ b/contrib/openpam/doc/man/pam_strerror.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_STRERROR 3 .Os .Sh NAME 
@@ -48,15 +48,19 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function returns a pointer to a string containing a +textual description of the error indicated by the +.Va error_number +argument, in the context of the PAM transaction described by the +.Va pamh +argument. .Sh RETURN VALUES The -.Fn -function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING -.El +.Nm +function returns +.Dv NULL +on failure. .Sh SEE ALSO -.Xr pam_strerror 3 , .Xr pam 3 .Sh STANDARDS .Rs diff --git a/contrib/openpam/doc/man/pam_verror.3 b/contrib/openpam/doc/man/pam_verror.3 index eb74d4db9863..6b0b791f6c80 100644 --- a/contrib/openpam/doc/man/pam_verror.3 +++ b/contrib/openpam/doc/man/pam_verror.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_VERROR 3 .Os .Sh NAME @@ -48,21 +48,37 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function passes its arguments to +.Xr pam_vprompt 3 +with a +.Xr style 3 +argument of +.Dv PAM_ERROR_MSG , +and discards the response. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr 3 , +.Xr pam 3 , +.Xr pam_error 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam_vinfo 3 , +.Xr pam_vprompt 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/doc/man/pam_vinfo.3 b/contrib/openpam/doc/man/pam_vinfo.3 index bbd7efbc5bca..7a5a61db4123 100644 --- a/contrib/openpam/doc/man/pam_vinfo.3 +++ b/contrib/openpam/doc/man/pam_vinfo.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_VINFO 3 .Os .Sh NAME 
@@ -48,21 +48,37 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function passes its arguments to +.Xr pam_vprompt 3 +with a +.Xr style 3 +argument of +.Dv PAM_TEXT_INFO , +and discards the response. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr 3 , +.Xr pam 3 , +.Xr pam_info 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam_verror 3 , +.Xr pam_vprompt 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/doc/man/pam_vprompt.3 b/contrib/openpam/doc/man/pam_vprompt.3 index e6e29a37fdb7..1f6e59a5e92e 100644 --- a/contrib/openpam/doc/man/pam_vprompt.3 +++ b/contrib/openpam/doc/man/pam_vprompt.3 @@ -33,7 +33,7 @@ .\" .\" $Id$ .\" -.Dd February 9, 2002 +.Dd February 22, 2002 .Dt PAM_VPROMPT 3 .Os .Sh NAME 
@@ -48,21 +48,71 @@ .Sh DESCRIPTION The .Nm -function is not yet documented. +function constructs a string from the +.Va fmt +and +.Va ap +arguments using +.Xr vsnprintf 3 , +and passes it to the given PAM context's +conversation function. +.Pp +The +.Va style +argument specifies the type of interaction requested, and +must be one of the following: +.Bl -tag -width 18n +.It Dv PAM_PROMPT_ECHO_OFF +Display the message and obtain the user's response without +displaying it. +.It Dv PAM_PROMPT_ECHO_ON +Display the message and obtain the user's response. +.It Dv PAM_ERROR_MSG +Display the message as an error message, and do not wait +for a response. +.It Dv PAM_TEXT_INFO +Display the message as an informational message, and do +not wait for a response. +.El +A pointer to the response, or +.Dv NULL +if the conversation function did +not return one, is stored in the location pointed to by the +.Va resp +argument. +.Pp +The message and response should not exceed +.Dv PAM_MAX_MSG_SIZE +or +.Dv PAM_MAX_RESP_SIZE , +respectively. +If they do, they may be truncated. +.Pp .Sh RETURN VALUES The -.Fn +.Nm function returns one of the following values: -.Bl -tag -width PAM_AUTHTOK_DISABLE_AGING +.Bl -tag -width 18n +.It Bq Er PAM_BUF_ERR +Memory buffer error. +.It Bq Er PAM_CONV_ERR +Conversation failure. +.It Bq Er PAM_SYSTEM_ERR +System error. .El .Sh SEE ALSO +.Xr pam 3 , +.Xr pam_error 3 , +.Xr pam_info 3 , +.Xr pam_prompt 3 , .Xr pam_strerror 3 , -.Xr pam 3 +.Xr pam_verror 3 , +.Xr pam_vinfo 3 , +.Xr vsnprintf 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Nm +function is an OpenPAM extension. .Sh AUTHORS The .Nm diff --git a/contrib/openpam/include/security/openpam.h b/contrib/openpam/include/security/openpam.h index 5b5497f0f2ea..8aaaa30a63bd 100644 --- a/contrib/openpam/include/security/openpam.h +++ b/contrib/openpam/include/security/openpam.h 
@@ -49,6 +49,15 @@ extern "C" { /* * API extensions */ +const char * +openpam_get_option(pam_handle_t *_pamh, + const char *_option); + +int +openpam_set_option(pam_handle_t *_pamh, + const char *_option, + const char *_value); + int pam_error(pam_handle_t *_pamh, const char *_fmt, @@ -196,7 +205,7 @@ static struct pam_module _pam_module = { name PAM_SOEXT, { \ pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt, \ pam_sm_open_session, pam_sm_close_session, pam_sm_chauthtok }, \ NULL, 0, NULL, NULL }; \ -DATA_SET(_openpam_modules, _pam_module) +DATA_SET(_openpam_static_modules, _pam_module) #else /* normal case */ #define PAM_EXTERN diff --git a/contrib/openpam/include/security/pam_constants.h b/contrib/openpam/include/security/pam_constants.h index 71d6ba8f0e57..568d42c809f4 100644 --- a/contrib/openpam/include/security/pam_constants.h +++ b/contrib/openpam/include/security/pam_constants.h @@ -118,7 +118,8 @@ enum { PAM_OLDAUTHTOK = 7, PAM_RUSER = 8, PAM_USER_PROMPT = 9, - PAM_AUTHTOK_PROMPT = 10 /* OpenPAM extension */ + PAM_AUTHTOK_PROMPT = 10, /* OpenPAM extension */ + PAM_NUM_ITEMS /* OpenPAM extension */ }; #ifdef __cplusplus diff --git a/contrib/openpam/lib/Makefile b/contrib/openpam/lib/Makefile index 1fd90410f290..01817c11fbb7 100644 --- a/contrib/openpam/lib/Makefile +++ b/contrib/openpam/lib/Makefile @@ -45,8 +45,11 @@ CFLAGS += -I${.CURDIR}/../include SRCS = SRCS += openpam_dispatch.c SRCS += openpam_findenv.c +SRCS += openpam_get_option.c SRCS += openpam_load.c SRCS += openpam_log.c +SRCS += openpam_set_option.c +SRCS += openpam_static.c SRCS += openpam_ttyconv.c SRCS += pam_acct_mgmt.c SRCS += pam_authenticate.c diff --git a/contrib/openpam/lib/openpam_dispatch.c b/contrib/openpam/lib/openpam_dispatch.c index 1582edb8ce09..b663d5ab9332 100644 --- a/contrib/openpam/lib/openpam_dispatch.c +++ b/contrib/openpam/lib/openpam_dispatch.c 
@@ -47,6 +47,8 @@ static void _openpam_check_error_code(int, int); #endif /* !defined(OPENPAM_RELAX_CHECKS) */ /* + * OpenPAM internal + * * Execute a module chain */ @@ -210,3 +212,9 @@ _openpam_check_error_code(int primitive, int r) _pam_sm_func_name[primitive], r); } #endif /* !defined(OPENPAM_RELAX_CHECKS) */ + +/* + * NODOC + * + * Error codes: + */ diff --git a/contrib/openpam/lib/openpam_findenv.c b/contrib/openpam/lib/openpam_findenv.c index c32dd272f32b..a9fb3337968d 100644 --- a/contrib/openpam/lib/openpam_findenv.c +++ b/contrib/openpam/lib/openpam_findenv.c @@ -41,6 +41,8 @@ #include "openpam_impl.h" /* + * OpenPAM internal + * * Locate an environment variable */ @@ -60,3 +62,7 @@ openpam_findenv(pam_handle_t *pamh, return (i); return (-1); } + +/* + * NODOC + */ diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_option.c new file mode 100644 index 000000000000..c4eeab20e22f --- /dev/null +++ b/contrib/openpam/lib/openpam_get_option.c 
@@ -0,0 +1,83 @@ +/*- + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id$ + */ + +#include <sys/param.h> + +#include <string.h> + +#include <security/pam_appl.h> +#include <security/openpam.h> + +#include "openpam_impl.h" + +/* + * OpenPAM extension + * + * Returns the value of a module option + */ + +const char * +openpam_get_option(pam_handle_t *pamh, + const char *option) +{ + pam_chain_t *cur; + size_t len; + int i; + + if (pamh == NULL || pamh->current == NULL || option == NULL) + return (NULL); + cur = pamh->current; + len = strlen(option); + for (i = 0; i < cur->optc; ++i) { + if (strncmp(cur->optv[i], option, len) == 0) { + if (cur->optv[i][len] == '\0') + return (&cur->optv[i][len]); + else if (cur->optv[i][len] == '=') + return (&cur->optv[i][len + 1]); + } + } + return (NULL); +} + +/* + * NOLIST + */ + +/** + * The =openpam_get_option function returns the value of the specified + * option in the context of the currently executing service module, or + * =NULL if the option is not set or no module is currently executing. + */ diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h index 59886288e549..6978f544f308 100644 --- a/contrib/openpam/lib/openpam_impl.h +++ b/contrib/openpam/lib/openpam_impl.h @@ -68,8 +68,6 @@ struct pam_chain { pam_chain_t *next; }; -#define PAM_NUM_ITEMS 10 - typedef struct pam_data pam_data_t; struct pam_data { char *name; @@ -103,4 +101,8 @@ int openpam_add_module(pam_handle_t *, int, int, const char *, int, const char **); void openpam_clear_chains(pam_handle_t *); +#ifdef OPENPAM_STATIC_MODULES +pam_module_t *openpam_static(const char *); +#endif + #endif diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_load.c index 1a345ec272bc..057e38fef70f 100644 --- a/contrib/openpam/lib/openpam_load.c +++ b/contrib/openpam/lib/openpam_load.c 
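Review bot: The trailing `/** … */` description of `openpam_get_option()` does not say what is returned for an option given without `=value`: in that case the loop returns `&cur->optv[i][len]`, an empty string, and `NULL` only when the option is absent. Callers that use the result as a boolean, as `pam_get_authtok()` does later in this commit, depend on that distinction. The comment should state it, for example by adding `If the option is present but has no value, an empty string is returned.`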
@@ -42,10 +42,6 @@ #include "openpam_impl.h" -#ifdef OPENPAM_STATIC_MODULES -SET_DECLARE(_openpam_modules, pam_module_t); -#endif - const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = { "pam_sm_authenticate", "pam_sm_setcred", @@ -92,14 +88,7 @@ openpam_load_module(const char *path) #ifdef OPENPAM_STATIC_MODULES /* look for a static module */ if (module == NULL && strchr(path, '/') == NULL) { - pam_module_t **modp; - - SET_FOREACH(modp, _openpam_modules) { - if (strcmp((*modp)->path, path) == 0) { - module = *modp; - break; - } - } + module = openpam_static(path); openpam_log(PAM_LOG_DEBUG, "%s static %s", (module == NULL) ? "no" : "using", path); } @@ -225,3 +214,7 @@ openpam_clear_chains(pam_handle_t *pamh) for (i = 0; i < PAM_NUM_CHAINS; ++i) openpam_destroy_chain(pamh->chains[i]); } + +/* + * NOPARSE + */ diff --git a/contrib/openpam/lib/openpam_log.c b/contrib/openpam/lib/openpam_log.c index b15c6e35c728..493ea330ce2c 100644 --- a/contrib/openpam/lib/openpam_log.c +++ b/contrib/openpam/lib/openpam_log.c @@ -47,6 +47,8 @@ #if defined(openpam_log) /* + * OpenPAM extension + * * Log a message through syslog(3) */ @@ -121,3 +123,7 @@ openpam_log(int level, const char *fmt, ...) } #endif + +/* + * NOLIST + */ diff --git a/contrib/openpam/lib/openpam_set_option.c b/contrib/openpam/lib/openpam_set_option.c new file mode 100644 index 000000000000..4e2033bf9f93 --- /dev/null +++ b/contrib/openpam/lib/openpam_set_option.c 
@@ -0,0 +1,104 @@ +/*- + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id$ + */ + +#include <sys/param.h> + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include <security/pam_appl.h> +#include <security/openpam.h> + +#include "openpam_impl.h" + +/* + * OpenPAM extension + * + * Sets the value of a module option + */ + +int +openpam_set_option(pam_handle_t *pamh, + const char *option, + const char *value) +{ + pam_chain_t *cur; + char *opt, **optv; + size_t len; + int i; + + if (pamh == NULL || pamh->current == NULL || option == NULL) + return (PAM_SYSTEM_ERR); + cur = pamh->current; + for (len = 0; option[len] != '\0'; ++len) + if (option[len] == '=') + break; + for (i = 0; i < cur->optc; ++i) { + if (strncmp(cur->optv[i], option, len) == 0 && + (cur->optv[i][len] == '\0' || cur->optv[i][len] == '=')) + break; + } + if ((opt = malloc(len + strlen(value) + 2)) == NULL) + return (PAM_BUF_ERR); + sprintf(opt, "%.*s=%s", (int)len, option, value); + if (i == cur->optc) { + optv = realloc(cur->optv, sizeof(char *) * (cur->optc + 2)); + if (optv == NULL) { + free(opt); + return (PAM_BUF_ERR); + } + optv[i] = opt; + optv[i + 1] = NULL; + cur->optv = optv; + ++cur->optc; + } + return (PAM_SUCCESS); +} + +/* + * NOLIST + * + * Error codes: + * + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + */ + +/** + * The =openpam_set_option function sets the specified option in the + * context of the currently executing service module. + */ diff --git a/contrib/openpam/lib/openpam_static.c b/contrib/openpam/lib/openpam_static.c new file mode 100644 index 000000000000..907de2ff6fdf --- /dev/null +++ b/contrib/openpam/lib/openpam_static.c 
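Review bot: When the option already exists (`i < cur->optc`), `openpam_set_option()` allocates `opt` but never stores it, so the old value stays in effect, the new string is leaked, and the call still returns `PAM_SUCCESS`. Options such as `use_first_pass` and `echo_pass` steer how the token is obtained (see pam_get_authtok.c in this commit), so a silently ignored update matters. Add an `else` branch to the `if (i == cur->optc)` block that replaces the slot, `cur->optv[i] = opt;`, freeing the previous string first if `optv` entries are heap-allocated (not visible from this hunk). `value` is also passed to `strlen()` unchecked, so the guard at the top should include `value == NULL`.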
@@ -0,0 +1,69 @@ +/*- + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id$ + */ + +#include <string.h> + +#include <security/pam_appl.h> + +#include "openpam_impl.h" + +#ifdef OPENPAM_STATIC_MODULES + +SET_DECLARE(_openpam_static_modules, pam_module_t); + +/* + * OpenPAM internal + * + * Locate a statically linked module + */ + +pam_module_t * +openpam_static(const char *path) +{ + pam_module_t **module; + + SET_FOREACH(module, _openpam_static_modules) { + if (strcmp((*module)->path, path) == 0) + return (*module); + } + return (NULL); +} + +#endif + +/* + * NOPARSE + */ diff --git a/contrib/openpam/lib/openpam_ttyconv.c b/contrib/openpam/lib/openpam_ttyconv.c index ac7eecd66fd0..261c2d24639f 100644 --- a/contrib/openpam/lib/openpam_ttyconv.c +++ b/contrib/openpam/lib/openpam_ttyconv.c 
@@ -37,16 +37,98 @@ #include <sys/types.h> #include <ctype.h> +#include <setjmp.h> +#include <signal.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <termios.h> +#include <unistd.h> #include <security/pam_appl.h> #include <security/openpam.h> +int openpam_ttyconv_timeout = 0; +static jmp_buf jmpenv; +static int timed_out; + +static void +timeout(int sig) +{ + timed_out = 1; + longjmp(jmpenv, sig); +} + +static char * +prompt(const char *msg) +{ + char buf[PAM_MAX_RESP_SIZE]; + struct sigaction action, saved_action; + sigset_t saved_sigset, sigset; + unsigned int saved_alarm; + size_t len; + + sigemptyset(&sigset); + sigaddset(&sigset, SIGINT); + sigaddset(&sigset, SIGTSTP); + sigprocmask(SIG_SETMASK, &sigset, &saved_sigset); + action.sa_handler = &timeout; + action.sa_flags = 0; + sigemptyset(&action.sa_mask); + sigaction(SIGALRM, &action, &saved_action); + fputs(msg, stderr); + buf[0] = '\0'; + timed_out = 0; + saved_alarm = alarm(openpam_ttyconv_timeout); + if (setjmp(jmpenv) == 0) + fgets(buf, sizeof buf, stdin); + else + fputs(" timeout!\n", stderr); + alarm(0); + sigaction(SIGALRM, &saved_action, NULL); + sigprocmask(SIG_SETMASK, &saved_sigset, NULL); + alarm(saved_alarm); + if (timed_out || ferror(stdin)) + return (NULL); + /* trim trailing whitespace */ + for (len = strlen(buf); len > 0; --len) + if (!isspace(buf[len - 1])) + break; + buf[len] = '\0'; + return (strdup(buf)); +} + +static char * +prompt_echo_off(const char *msg) +{ + struct termios tattr; + tcflag_t lflag; + char *ret; + int fd; + + fd = fileno(stdin); + if (tcgetattr(fd, &tattr) != 0) { + openpam_log(PAM_LOG_ERROR, "tcgetattr(): %m"); + return (NULL); + } + lflag = tattr.c_lflag; + tattr.c_lflag &= ~ECHO; + if (tcsetattr(fd, TCSAFLUSH, &tattr) != 0) { + openpam_log(PAM_LOG_ERROR, "tcsetattr(): %m"); + return (NULL); + } + ret = prompt(msg); + tattr.c_lflag = lflag; + (void)tcsetattr(fd, TCSANOW, &tattr); + if (ret != NULL) + fputs("\n", stdout); + return (ret); +} + /* 
- * Simple tty-based conversation function. + * OpenPAM extension + * + * Simple tty-based conversation function */ int @@ -55,60 +137,26 @@ openpam_ttyconv(int n, struct pam_response **resp, void *data) { - char buf[PAM_MAX_RESP_SIZE]; - struct termios tattr; - tcflag_t lflag; - int fd, err, i; - size_t len; + int i; data = data; if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); if ((*resp = calloc(n, sizeof **resp)) == NULL) return (PAM_BUF_ERR); - fd = fileno(stdin); for (i = 0; i < n; ++i) { resp[i]->resp_retcode = 0; resp[i]->resp = NULL; switch (msg[i]->msg_style) { case PAM_PROMPT_ECHO_OFF: - case PAM_PROMPT_ECHO_ON: - if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) { - if (tcgetattr(fd, &tattr) != 0) { - openpam_log(PAM_LOG_ERROR, - "tcgetattr(): %m"); - err = PAM_CONV_ERR; - goto fail; - } - lflag = tattr.c_lflag; - tattr.c_lflag &= ~ECHO; - if (tcsetattr(fd, TCSAFLUSH, &tattr) != 0) { - openpam_log(PAM_LOG_ERROR, - "tcsetattr(): %m"); - err = PAM_CONV_ERR; - goto fail; - } - } - fputs(msg[i]->msg, stderr); - buf[0] = '\0'; - fgets(buf, sizeof buf, stdin); - if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) { - tattr.c_lflag = lflag; - (void)tcsetattr(fd, TCSANOW, &tattr); - fputs("\n", stderr); - } - if (ferror(stdin)) { - err = PAM_CONV_ERR; + resp[i]->resp = prompt_echo_off(msg[i]->msg); + if (resp[i]->resp == NULL) goto fail; - } - for (len = strlen(buf); len > 0; --len) - if (!isspace(buf[len - 1])) - break; - buf[len] = '\0'; - if ((resp[i]->resp = strdup(buf)) == NULL) { - err = PAM_BUF_ERR; + break; + case PAM_PROMPT_ECHO_ON: + resp[i]->resp = prompt(msg[i]->msg); + if (resp[i]->resp == NULL) goto fail; - } break; case PAM_ERROR_MSG: fputs(msg[i]->msg, stderr); @@ -117,7 +165,6 @@ openpam_ttyconv(int n, fputs(msg[i]->msg, stdout); break; default: - err = PAM_BUF_ERR; goto fail; } } 
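Review bot: `prompt()` calls `sigprocmask(SIG_SETMASK, &sigset, &saved_sigset)`, which replaces the process signal mask with just SIGINT and SIGTSTP, so any signal the application had blocked becomes deliverable while the user is typing; `SIG_BLOCK` adds the two signals and leaves the rest of the mask alone. `timed_out` is written from the SIGALRM handler and read after the `longjmp()`, so it should be `volatile sig_atomic_t`. `buf` may contain a password and is left populated on the stack when the function returns; the fence clears it after the `strdup()`, and a clearing routine the compiler cannot elide is preferable to plain `memset()` where the platform has one.

```c
static volatile sig_atomic_t timed_out;

static char *
prompt(const char *msg)
{
	/* … unchanged: locals; add `char *ret;` … */
	sigprocmask(SIG_BLOCK, &sigset, &saved_sigset);
	/* … unchanged: SIGALRM setup, prompt output, fgets(), restore, trim … */
	ret = strdup(buf);
	memset(buf, 0, sizeof buf);	/* response may be a password */
	return (ret);
}
```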
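Review bot: `resp[i]->resp = prompt_echo_off(msg[i]->msg);` (and the `PAM_PROMPT_ECHO_ON` case) indexes `resp` as an array of pointers, but only `*resp` is allocated, as one `calloc(n, sizeof **resp)` array; for `i >= 1`, `resp[i]` reads past the caller's single pointer. The entries should be addressed as `(*resp)[i].resp = prompt(msg[i]->msg);`, and likewise the unchanged `resp[i]->resp_retcode` and `resp[i]->resp` initialisers above the `switch`. The same indexing appears in the failure cleanup in the next hunk (`free(resp[--i]);`), where `resp[0]` is `*resp` itself, so it looks as if the array can be freed twice while the `strdup()`ed responses are never released; the loop header is outside the visible hunks, so confirm against the full function. `openpam_ttyconv()` begins before this hunk and its cleanup path lies after it.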
@@ -127,5 +174,15 @@ openpam_ttyconv(int n, free(resp[--i]); free(*resp); *resp = NULL; - return (err); + return (PAM_CONV_ERR); } + +/* + * NOLIST + * + * Error codes: + * + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + */ diff --git a/contrib/openpam/lib/pam_acct_mgmt.c b/contrib/openpam/lib/pam_acct_mgmt.c index d88a24e70962..3187e8d4eb4f 100644 --- a/contrib/openpam/lib/pam_acct_mgmt.c +++ b/contrib/openpam/lib/pam_acct_mgmt.c @@ -54,3 +54,11 @@ pam_acct_mgmt(pam_handle_t *pamh, return (openpam_dispatch(pamh, PAM_SM_ACCT_MGMT, flags)); } + +/* + * Error codes: + * + * =openpam_dispatch + * =pam_sm_acct_mgmt + * !PAM_IGNORE + */ diff --git a/contrib/openpam/lib/pam_authenticate.c b/contrib/openpam/lib/pam_authenticate.c index d98d1dfa01fe..3524f4eac2ad 100644 --- a/contrib/openpam/lib/pam_authenticate.c +++ b/contrib/openpam/lib/pam_authenticate.c @@ -54,3 +54,11 @@ pam_authenticate(pam_handle_t *pamh, return (openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags)); } + +/* + * Error codes: + * + * =openpam_dispatch + * =pam_sm_authenticate + * !PAM_IGNORE + */ diff --git a/contrib/openpam/lib/pam_authenticate_secondary.c b/contrib/openpam/lib/pam_authenticate_secondary.c index 37a57fe9c0ca..e1380d24ebc9 100644 --- a/contrib/openpam/lib/pam_authenticate_secondary.c +++ b/contrib/openpam/lib/pam_authenticate_secondary.c @@ -36,6 +36,13 @@ #include <security/pam_appl.h> +/* + * XSSO 4.2.1 + * XSSO 6 page 36 + * + * Perform authentication to a secondary domain within the PAM framework + */ + int pam_authenticate_secondary(pam_handle_t *pamh, char *target_username, @@ -48,3 +55,7 @@ pam_authenticate_secondary(pam_handle_t *pamh, return (PAM_SYSTEM_ERR); } + +/* + * NODOC + */ diff --git a/contrib/openpam/lib/pam_chauthtok.c b/contrib/openpam/lib/pam_chauthtok.c index c35ed4994c5e..3248febbf45b 100644 --- a/contrib/openpam/lib/pam_chauthtok.c +++ b/contrib/openpam/lib/pam_chauthtok.c 
@@ -54,3 +54,11 @@ pam_chauthtok(pam_handle_t *pamh, return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags)); } + +/* + * Error codes: + * + * =openpam_dispatch + * =pam_sm_chauthtok + * !PAM_IGNORE + */ diff --git a/contrib/openpam/lib/pam_close_session.c b/contrib/openpam/lib/pam_close_session.c index 9b2a1aef3a08..5d292f2d7a1e 100644 --- a/contrib/openpam/lib/pam_close_session.c +++ b/contrib/openpam/lib/pam_close_session.c @@ -54,3 +54,11 @@ pam_close_session(pam_handle_t *pamh, return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags)); } + +/* + * Error codes: + * + * =openpam_dispatch + * =pam_sm_close_session + * !PAM_IGNORE + */ diff --git a/contrib/openpam/lib/pam_end.c b/contrib/openpam/lib/pam_end.c index 0fbfdf872a3f..b7c170f32a38 100644 --- a/contrib/openpam/lib/pam_end.c +++ b/contrib/openpam/lib/pam_end.c @@ -82,3 +82,17 @@ pam_end(pam_handle_t *pamh, return (PAM_SUCCESS); } + +/* + * Error codes: + * + * PAM_SYSTEM_ERR + */ + +/** + * The =pam_end function terminates a PAM transaction and destroys the + * corresponding PAM context, releasing all resources allocated to it. + * + * The =status argument should be set to the error code returned by the + * last API call before the call to =pam_end. + */ diff --git a/contrib/openpam/lib/pam_error.c b/contrib/openpam/lib/pam_error.c index aded8f188759..cbee427302ad 100644 --- a/contrib/openpam/lib/pam_error.c +++ b/contrib/openpam/lib/pam_error.c @@ -62,3 +62,21 @@ pam_error(pam_handle_t *pamh, free(rsp); /* ignore response */ return (r); } + +/* + * Error codes: + * + * !PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + */ + +/** + * The =pam_info function displays an error message through the + * intermediary of the given PAM context's conversation function. + * + * >pam_info + * >pam_prompt + * >pam_verror + */ diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c index 9776fffddfa1..c2a933f9d47d 100644 
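Review bot: The doc comment added to pam_error.c opens with `The =pam_info function displays an error message`, which names the wrong function and looks copied from pam_info.c. It should read `The =pam_error function displays an error message through the`, leaving the `>pam_info` cross-reference below it as is. Since these comments are the source for the generated manual pages, the wrong name would end up in the pam_error page.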
--- a/contrib/openpam/lib/pam_get_authtok.c +++ b/contrib/openpam/lib/pam_get_authtok.c @@ -53,23 +53,37 @@ pam_get_authtok(pam_handle_t *pamh, const char *prompt) { char *p, *resp; - int r; + int r, style; if (pamh == NULL || authtok == NULL) return (PAM_SYSTEM_ERR); - r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok); - if (r == PAM_SUCCESS && *authtok != NULL) - return (PAM_SUCCESS); - if (prompt == NULL) { - if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT, - (const void **)&p) != PAM_SUCCESS || p == NULL) - prompt = "Password:"; + if (openpam_get_option(pamh, "try_first_pass") || + openpam_get_option(pamh, "use_first_pass")) { + r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok); + if (r == PAM_SUCCESS && *authtok != NULL) + return (PAM_SUCCESS); + else if (openpam_get_option(pamh, "use_first_pass")) + return (r == PAM_SUCCESS ? PAM_AUTH_ERR : r); } - r = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, - "%s", prompt ? prompt : p); + if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT, + (const void **)&p) != PAM_SUCCESS || p == NULL) + if (prompt == NULL) + prompt = "Password:"; + style = openpam_get_option(pamh, "echo_pass") ? + PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; + r = pam_prompt(pamh, style, &resp, "%s", p ? p : prompt); if (r != PAM_SUCCESS) return (r); *authtok = resp; return (pam_set_item(pamh, PAM_AUTHTOK, *authtok)); } + +/* + * Error codes: + * + * =pam_get_item + * =pam_prompt + * =pam_set_item + * !PAM_SYMBOL_ERR + */ diff --git a/contrib/openpam/lib/pam_get_data.c b/contrib/openpam/lib/pam_get_data.c index f258de8386cc..b1f8ab370c13 100644 --- a/contrib/openpam/lib/pam_get_data.c +++ b/contrib/openpam/lib/pam_get_data.c 
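Review bot: `p` is read in `p ? p : prompt` even when the `pam_get_item(pamh, PAM_AUTHTOK_PROMPT, ...)` call fails without storing a value, because the new code no longer selects it only after a successful lookup. In that case an uninitialised pointer can be passed to the `"%s"` format of `pam_prompt`. Initialise it at the declaration, `char *p = NULL, *resp;`, so a failed lookup falls back to `prompt`. The `use_first_pass` branch also returns `PAM_AUTH_ERR`, which the error-code comment added at the end of the hunk does not list. The function's signature begins outside the hunk.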
@@ -65,3 +65,21 @@ pam_get_data(pam_handle_t *pamh, return (PAM_NO_MODULE_DATA); } + +/* + * Error codes: + * + * PAM_SYSTEM_ERR + * PAM_NO_MODULE_DATA + */ + +/** + * The =pam_get_data function looks up the opaque object associated with + * the string specified by the =module_data_name argument, in the PAM + * context specified by the =pamh argument. + * A pointer to the object is stored in the location pointed to by the + * =data argument. + * + * This function and its counterpart =pam_set_data are useful for managing + * data that are meaningful only to a particular service module. + */ diff --git a/contrib/openpam/lib/pam_get_item.c b/contrib/openpam/lib/pam_get_item.c index 7369c48ef8e4..5767652adda3 100644 --- a/contrib/openpam/lib/pam_get_item.c +++ b/contrib/openpam/lib/pam_get_item.c 
@@ -69,6 +69,51 @@ pam_get_item(pam_handle_t *pamh, *item = pamh->item[item_type]; return (PAM_SUCCESS); default: - return (PAM_SYSTEM_ERR); + return (PAM_SYMBOL_ERR); } } + +/* + * Error codes: + * + * PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + */ + +/** + * The =pam_get_item function stores a pointer to the item specified by + * the =item_type argument in the location specified by the =item + * argument. + * The item is retrieved from the PAM context specified by the =pamh + * argument. + * The following item types are recognized: + * + * =PAM_SERVICE: + * The name of the requesting service. + * =PAM_USER: + * The name of the user the application is trying to + * authenticate. + * =PAM_TTY: + * The name of the current terminal. + * =PAM_RHOST: + * The name of the applicant's host. + * =PAM_CONV: + * A =struct pam_conv describing the current conversation + * function. + * =PAM_AUTHTOK: + * The current authentication token. + * =PAM_OLDAUTHTOK: + * The expired authentication token. + * =PAM_RUSER: + * The name of the applicant. + * =PAM_USER_PROMPT: + * The prompt to use when asking the applicant for a user + * name to authenticate as. + * =PAM_AUTHTOK_PROMPT: + * The prompt to use when asking the applicant for an + * authentication token. + * + * See =pam_start for a description of =struct pam_conv. + * + * >pam_set_item + */ diff --git a/contrib/openpam/lib/pam_get_mapped_authtok.c b/contrib/openpam/lib/pam_get_mapped_authtok.c index 0050c0e32acd..5d6b0b08ad6b 100644 --- a/contrib/openpam/lib/pam_get_mapped_authtok.c +++ b/contrib/openpam/lib/pam_get_mapped_authtok.c @@ -36,6 +36,13 @@ #include <security/pam_appl.h> +/* + * XSSO 4.2.1 + * XSSO 6 page 48 + * + * Get mapped password for the user + */ + int pam_get_mapped_authtok(pam_handle_t *pamh, const char *target_module_username, @@ -47,3 +54,7 @@ pam_get_mapped_authtok(pam_handle_t *pamh, return (PAM_SYSTEM_ERR); } + +/* + * NODOC + */ 
diff --git a/contrib/openpam/lib/pam_get_mapped_username.c b/contrib/openpam/lib/pam_get_mapped_username.c index faa78bbeefb1..038193feb1ee 100644 --- a/contrib/openpam/lib/pam_get_mapped_username.c +++ b/contrib/openpam/lib/pam_get_mapped_username.c @@ -36,6 +36,13 @@ #include <security/pam_appl.h> +/* + * XSSO 4.2.1 + * XSSO 6 page 50 + * + * Get valid matched identity in new domain + */ + int pam_get_mapped_username(pam_handle_t *pamh, const char *src_username, @@ -48,3 +55,7 @@ pam_get_mapped_username(pam_handle_t *pamh, return (PAM_SYSTEM_ERR); } + +/* + * NODOC + */ diff --git a/contrib/openpam/lib/pam_get_user.c b/contrib/openpam/lib/pam_get_user.c index 17572c46b080..e8fe0bc9841d 100644 --- a/contrib/openpam/lib/pam_get_user.c +++ b/contrib/openpam/lib/pam_get_user.c @@ -74,3 +74,12 @@ pam_get_user(pam_handle_t *pamh, *user = resp; return (pam_set_item(pamh, PAM_USER, *user)); } + +/* + * Error codes: + * + * =pam_get_item + * =pam_prompt + * =pam_set_item + * !PAM_SYMBOL_ERR + */ diff --git a/contrib/openpam/lib/pam_getenv.c b/contrib/openpam/lib/pam_getenv.c index d6bf2194a9e0..05deb541f418 100644 --- a/contrib/openpam/lib/pam_getenv.c +++ b/contrib/openpam/lib/pam_getenv.c @@ -65,3 +65,13 @@ pam_getenv(pam_handle_t *pamh, return (NULL); return (strdup(pamh->env[i])); } + +/** + * The =pam_getenv function returns the value of an environment variable. + * Its semantics are similar to those of =getenv, but it accesses the PAM + * context's environment list instead of the application's. + * + * >pam_getenvlist + * >pam_putenv + * >pam_setenv + */ diff --git a/contrib/openpam/lib/pam_getenvlist.c b/contrib/openpam/lib/pam_getenvlist.c index 4409a891ac82..fd21faa0ee9d 100644 --- a/contrib/openpam/lib/pam_getenvlist.c +++ b/contrib/openpam/lib/pam_getenvlist.c @@ -40,6 +40,7 @@ #include <security/pam_appl.h> #include "openpam_impl.h" + /* * XSSO 4.2.1 * XSSO 6 page 45 
@@ -56,15 +57,48 @@ pam_getenvlist(pam_handle_t *pamh) if (pamh == NULL) return (NULL); - if ((envlist = malloc(sizeof(char *) * (pamh->env_count + 1))) == NULL) + envlist = malloc(sizeof(char *) * (pamh->env_count + 1)); + if (envlist == NULL) { + openpam_log(PAM_LOG_ERROR, "%s", + pam_strerror(pamh, PAM_BUF_ERR)); return (NULL); + } for (i = 0; i < pamh->env_count; ++i) { if ((envlist[i] = strdup(pamh->env[i])) == NULL) { while (i) free(envlist[--i]); free(envlist); + openpam_log(PAM_LOG_ERROR, "%s", + pam_strerror(pamh, PAM_BUF_ERR)); return (NULL); } } + envlist[i] = NULL; + openpam_log(PAM_LOG_DEBUG, "returning %d variables\n", pamh->env_count); return (envlist); } + +/** + * The =pam_getenvlist function returns a copy of the given PAM context's + * environment list as a pointer to an array of strings. + * The last element in the array is =NULL. + * The pointer is suitable for assignment to {Va environ}. + * + * The array and the strings it lists are allocated using =malloc, and + * should be released using =free after use: + * + * char **envlist, **env; + * + * envlist = environ; + * environ = pam_getenvlist(pamh); + * \/\* do something nifty \*\/ + * for (env = environ; *env != NULL; env++) + * free(*env); + * free(environ); + * environ = envlist; + * + * >environ 7 + * >pam_getenv + * >pam_putenv + * >pam_setenv + */ diff --git a/contrib/openpam/lib/pam_info.c b/contrib/openpam/lib/pam_info.c index ce1d2b8fb55d..87523914a257 100644 --- a/contrib/openpam/lib/pam_info.c +++ b/contrib/openpam/lib/pam_info.c @@ -62,3 +62,21 @@ pam_info(pam_handle_t *pamh, free(rsp); /* ignore response */ return (r); } + +/* + * Error codes: + * + * !PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + */ + +/** + * The =pam_info function displays an informational message through the + * intermediary of the given PAM context's conversation function. + * + * >pam_error + * >pam_prompt + * >pam_vinfo + */ 
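Review bot: The debug message added before the return, `"returning %d variables\n"`, ends in a newline, while the two `openpam_log` calls added earlier in the same hunk pass `"%s"` with none. This looks like an inconsistency that would leave a stray blank line in the log, so I would drop the `\n`. `%d` also assumes `pamh->env_count` is an `int`; its declaration is not visible here and should be checked against the format.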
diff --git a/contrib/openpam/lib/pam_open_session.c b/contrib/openpam/lib/pam_open_session.c index dcbf2b8fa580..0f8f981800ab 100644 --- a/contrib/openpam/lib/pam_open_session.c +++ b/contrib/openpam/lib/pam_open_session.c @@ -54,3 +54,11 @@ pam_open_session(pam_handle_t *pamh, return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags)); } + +/* + * Error codes: + * + * =openpam_dispatch + * =pam_sm_open_session + * !PAM_IGNORE + */ diff --git a/contrib/openpam/lib/pam_prompt.c b/contrib/openpam/lib/pam_prompt.c index afc416961096..5dbde6c95c76 100644 --- a/contrib/openpam/lib/pam_prompt.c +++ b/contrib/openpam/lib/pam_prompt.c @@ -60,3 +60,28 @@ pam_prompt(pam_handle_t *pamh, va_end(ap); return (r); } + +/* + * Error codes: + * + * !PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + */ + +/** + * The =pam_prompt function constructs a message from the specified format + * string and arguments and passes it to the given PAM context's + * conversation function. + * + * A pointer to the response, or =NULL if the conversation function did + * not return one, is stored in the location pointed to by the =resp + * argument. + * + * See =pam_vprompt for further details. + * + * >pam_error + * >pam_info + * >pam_vprompt + */ diff --git a/contrib/openpam/lib/pam_putenv.c b/contrib/openpam/lib/pam_putenv.c index c8701f3e8ef9..e1b497efc3b6 100644 --- a/contrib/openpam/lib/pam_putenv.c +++ b/contrib/openpam/lib/pam_putenv.c @@ -86,3 +86,20 @@ pam_putenv(pam_handle_t *pamh, ++pamh->env_count; return (PAM_SUCCESS); } + +/* + * Error codes: + * + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + */ + +/** + * The =pam_putenv function sets a environment variable. + * Its semantics are similar to those of =putenv, but it modifies the PAM + * context's environment list instead of the application's. + * + * >pam_getenv + * >pam_getenvlist + * >pam_setenv + */ diff --git a/contrib/openpam/lib/pam_set_data.c b/contrib/openpam/lib/pam_set_data.c index 59d57510be70..e04de73182bf 100644 
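Review bot: The doc comment added to pam_putenv.c reads `The =pam_putenv function sets a environment variable.`; it should be `sets an environment variable`. The same sentence is added to pam_setenv.c later in this diff and needs the same fix. Both comments feed the generated manual pages.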
--- a/contrib/openpam/lib/pam_set_data.c +++ b/contrib/openpam/lib/pam_set_data.c @@ -81,3 +81,22 @@ pam_set_data(pam_handle_t *pamh, pamh->module_data = data; return (PAM_SUCCESS); } + +/* + * Error codes: + * + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + */ + +/** + * The =pam_set_data function associates a pointer to an opaque object + * with an arbitrary string specified by the =module_data_name argument, + * in the PAM context specified by the =pamh argument. + * + * If not =NULL, the =cleanup argument should point to a function + * responsible for releasing the resources associated with the object. + * + * This function and its counterpart =pam_get_data are useful for managing + * data that are meaningful only to a particular service module. + */ diff --git a/contrib/openpam/lib/pam_set_item.c b/contrib/openpam/lib/pam_set_item.c index 5405a4e722cd..038971dec40e 100644 --- a/contrib/openpam/lib/pam_set_item.c +++ b/contrib/openpam/lib/pam_set_item.c @@ -88,7 +88,7 @@ pam_set_item(pam_handle_t *pamh, } break; default: - return (PAM_SYSTEM_ERR); + return (PAM_SYMBOL_ERR); } if (*slot != NULL) { memset(*slot, 0xd0, size); @@ -97,3 +97,18 @@ pam_set_item(pam_handle_t *pamh, *slot = tmp; return (PAM_SUCCESS); } + +/* + * Error codes: + * + * PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + */ + +/** + * The =pam_set_item function sets the item specified by the =item_type + * argument to a copy of the object pointed to by the =item argument. + * The item is stored in the PAM context specified by the =pamh argument. + * See =pam_get_item for a list of recognized item types. + */ diff --git a/contrib/openpam/lib/pam_set_mapped_authtok.c b/contrib/openpam/lib/pam_set_mapped_authtok.c index ad066df65a11..36383e6e21ae 100644 --- a/contrib/openpam/lib/pam_set_mapped_authtok.c +++ b/contrib/openpam/lib/pam_set_mapped_authtok.c 
@@ -36,6 +36,13 @@ #include <security/pam_appl.h> +/* + * XSSO 4.2.1 + * XSSO 6 page 62 + * + * Store the password for the username supplied + */ + int pam_set_mapped_authtok(pam_handle_t *pamh, const char *target_module_username, @@ -47,3 +54,7 @@ pam_set_mapped_authtok(pam_handle_t *pamh, return (PAM_SYSTEM_ERR); } + +/* + * NODOC + */ diff --git a/contrib/openpam/lib/pam_set_mapped_username.c b/contrib/openpam/lib/pam_set_mapped_username.c index fc1298948e3e..6ca011f29acf 100644 --- a/contrib/openpam/lib/pam_set_mapped_username.c +++ b/contrib/openpam/lib/pam_set_mapped_username.c @@ -36,6 +36,13 @@ #include <security/pam_appl.h> +/* + * XSSO 4.2.1 + * XSSO 6 page 64 + * + * Set a username + */ + int pam_set_mapped_username(pam_handle_t *pamh, char *src_username, @@ -48,3 +55,7 @@ pam_set_mapped_username(pam_handle_t *pamh, return (PAM_SYSTEM_ERR); } + +/* + * NODOC + */ diff --git a/contrib/openpam/lib/pam_setcred.c b/contrib/openpam/lib/pam_setcred.c index 0ea10ff799d4..1a7849874ef0 100644 --- a/contrib/openpam/lib/pam_setcred.c +++ b/contrib/openpam/lib/pam_setcred.c @@ -54,3 +54,25 @@ pam_setcred(pam_handle_t *pamh, return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags)); } + +/* + * Error codes: + * + * =openpam_dispatch + * =pam_sm_setcred + * !PAM_IGNORE + */ + +/** + * The =pam_setcred function manages the application's credentials. + * The operation to perform is specified by the =flags argument: + * + * PAM_ESTABLISH_CRED: + * Establish the credentials of the target user. + * PAM_DELETE_CRED: + * Revoke all established credentials. + * PAM_REINITIALISE_CRED: + * Fully reinitialise credentials. + * PAM_REFRESH_CRED: + * Refresh credentials. + */ diff --git a/contrib/openpam/lib/pam_setenv.c b/contrib/openpam/lib/pam_setenv.c index 6165b7cb00df..155835e0a1b5 100644 --- a/contrib/openpam/lib/pam_setenv.c +++ b/contrib/openpam/lib/pam_setenv.c 
@@ -77,3 +77,21 @@ pam_setenv(pam_handle_t *pamh, free(env); return (r); } + +/* + * Error codes: + * + * =pam_putenv + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + */ + +/** + * The =pam_setenv function sets a environment variable. + * Its semantics are similar to those of =setenv, but it modifies the PAM + * context's environment list instead of the application's. + * + * >pam_getenv + * >pam_getenvlist + * >pam_putenv + */ diff --git a/contrib/openpam/lib/pam_sm_acct_mgmt.c b/contrib/openpam/lib/pam_sm_acct_mgmt.c new file mode 100644 index 000000000000..692d52e10a93 --- /dev/null +++ b/contrib/openpam/lib/pam_sm_acct_mgmt.c 
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 66
+ *
+ * Service module implementation for pam_acct_mgmt
+ */
+
+int
+pam_sm_acct_mgmt(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_USER_UNKNOWN
+ * PAM_AUTH_ERR
+ * PAM_NEW_AUTHTOK_REQD
+ * PAM_ACCT_EXPIRED
+ */
+
+/**
+ * The =pam_sm_acct_mgmt function is the service module's implementation
+ * of the =pam_acct_mgmt API function.
+ */
diff --git a/contrib/openpam/lib/pam_sm_authenticate.c b/contrib/openpam/lib/pam_sm_authenticate.c
new file mode 100644
index 000000000000..17c8a7638dc7
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_authenticate.c
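Review bot: The doc comment calls pam_sm_acct_mgmt the service module's implementation of pam_acct_mgmt and lists a dozen error codes, but the function added here ignores every argument and returns `PAM_SYSTEM_ERR` unconditionally, and nothing in the file says so. I would add a comment above the body such as `/* Placeholder: always fails with PAM_SYSTEM_ERR. */`, assuming the intent is that real modules supply this entry point, so the listed codes are not read as behaviour of this function. The same applies to the pam_sm_authenticate, pam_sm_chauthtok and pam_sm_close_session files added in the following hunks.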
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 68
+ *
+ * Service module implementation for pam_authenticate
+ */
+
+int
+pam_sm_authenticate(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_AUTH_ERR
+ * PAM_CRED_INSUFFICIENT
+ * PAM_AUTHINFO_UNAVAIL
+ * PAM_USER_UNKNOWN
+ * PAM_MAXTRIES
+ */
+
+/**
+ * The =pam_sm_authenticate function is the service module's
+ * implementation of the =pam_authenticate API function.
+ */
diff --git a/contrib/openpam/lib/pam_sm_authenticate_secondary.c b/contrib/openpam/lib/pam_sm_authenticate_secondary.c
new file mode 100644
index 000000000000..ec56f47b2771
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_authenticate_secondary.c
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 70
+ *
+ * Service module implementation for pam_authenticate_secondary
+ */
+
+int
+pam_sm_authenticate_secondary(pam_handle_t *pamh,
+ char *target_username,
+ char *target_module_type,
+ char *target_authn_domain,
+ char *target_supp_data,
+ unsigned char *target_module_authtok,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_chauthtok.c b/contrib/openpam/lib/pam_sm_chauthtok.c
new file mode 100644
index 000000000000..2edf0d7e043b
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_chauthtok.c
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 72
+ *
+ * Service module implementation for pam_chauthtok
+ */
+
+int
+pam_sm_chauthtok(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_PERM_DENIED
+ * PAM_AUTHTOK_ERR
+ * PAM_AUTHTOK_RECOVERY_ERR
+ * PAM_AUTHTOK_LOCK_BUSY
+ * PAM_AUTHTOK_DISABLE_AGING
+ */
+
+/**
+ * The =pam_sm_chauthtok function is the service module's implementation
+ * of the =pam_chauthtok API function.
+ */
diff --git a/contrib/openpam/lib/pam_sm_close_session.c b/contrib/openpam/lib/pam_sm_close_session.c
new file mode 100644
index 000000000000..7ff7a83a8efc
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_close_session.c
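Review bot: The `Error codes:` comment added for pam_sm_chauthtok lists `PAM_PERM_DENIED` twice, once in the common group and again at the top of the function-specific group. If this list feeds the generated manual page, the code will be documented twice; remove the second entry so the specific group starts at `PAM_AUTHTOK_ERR`. The other service-module files added in this diff do not repeat any code between the two groups.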
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 75
+ *
+ * Service module implementation for pam_close_session
+ */
+
+int
+pam_sm_close_session(pam_handle_t *pamh,
+ int flags,
+ int args,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_SESSION_ERR
+ */
+
+/**
+ * The =pam_sm_close_session function is the service module's
+ * implementation of the =pam_close_session API function.
+ */
diff --git a/contrib/openpam/lib/pam_sm_get_mapped_authtok.c b/contrib/openpam/lib/pam_sm_get_mapped_authtok.c
new file mode 100644
index 000000000000..c6a911210758
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_get_mapped_authtok.c
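Review bot: `pam_sm_close_session` names its third parameter `args`, while pam_sm_acct_mgmt, pam_sm_authenticate and pam_sm_chauthtok in this same diff use `argc` for the count that accompanies `argv`. The name is harmless to callers but will not match the other pages if the prototype is picked up for the generated documentation. Change the line to `int argc,`.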
@@ -0,0 +1,65 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 77
+ *
+ * Service module implementation for pam_get_mapped_authtok
+ */
+
+int
+pam_sm_get_mapped_authtok(pam_handle_t *pamh,
+ char *target_module_username,
+ char *target_module_type,
+ char *target_authn_domain,
+ size_t *target_authtok_len,
+ unsigned char **target_module_authtok,
+ int argc,
+ char *argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_get_mapped_username.c b/contrib/openpam/lib/pam_sm_get_mapped_username.c
new file mode 100644
index 000000000000..0aed26c14c57
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_get_mapped_username.c
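Review bot: pam_sm_get_mapped_authtok declares its last parameter as `char *argv`, whereas pam_sm_get_mapped_username, pam_sm_open_session and the other stubs in this commit take `const char **argv`; paired with `int argc` it is an argument vector, so a single string pointer looks like a slip. The new pam_sm_set_mapped_authtok.c has the same problem with `const char *argv`. I would change both to `const char **argv)`, since a module author copying either signature would end up treating the option vector as one string. The prototypes in security/pam_modules.h are not visible in this diff and would presumably need the same correction if they match these definitions.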
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 79
+ *
+ * Service module implementation for pam_get_mapped_username
+ */
+
+int
+pam_sm_get_mapped_username(pam_handle_t *pamh,
+ char *src_username,
+ char *src_module_type,
+ char *src_authn_domain,
+ char *target_module_type,
+ char *target_authn_domain,
+ char **target_module_username,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_open_session.c b/contrib/openpam/lib/pam_sm_open_session.c
new file mode 100644
index 000000000000..7ed7401ca955
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_open_session.c
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 81
+ *
+ * Service module implementation for pam_open_session
+ */
+
+int
+pam_sm_open_session(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_SESSION_ERR
+ */
+
+/**
+ * The =pam_sm_open_session function is the service module's
+ * implementation of the =pam_open_session API function.
+ */
diff --git a/contrib/openpam/lib/pam_sm_set_mapped_authtok.c b/contrib/openpam/lib/pam_sm_set_mapped_authtok.c
new file mode 100644
index 000000000000..35cecaabf950
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_set_mapped_authtok.c
@@ -0,0 +1,65 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 83
+ *
+ * Service module implementation for pam_set_mapped_authtok
+ */
+
+int
+pam_sm_set_mapped_authtok(pam_handle_t *pamh,
+ char *target_module_username,
+ size_t target_authtok_len,
+ unsigned char *target_module_authtok,
+ char *target_module_type,
+ char *target_authn_domain,
+ int argc,
+ const char *argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_set_mapped_username.c b/contrib/openpam/lib/pam_sm_set_mapped_username.c
new file mode 100644
index 000000000000..1911fd80161c
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_set_mapped_username.c
@@ -0,0 +1,63 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 85
+ *
+ * Service module implementation for pam_set_mapped_username
+ */
+
+int
+pam_sm_set_mapped_username(pam_handle_t *pamh,
+ char *target_module_username,
+ char *target_module_type,
+ char *target_authn_domain,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_setcred.c b/contrib/openpam/lib/pam_sm_setcred.c
new file mode 100644
index 000000000000..20777ad0f7e0
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_setcred.c
@@ -0,0 +1,82 @@ +/*- + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id$ + */ + +#include <sys/param.h> + +#include <security/pam_appl.h> +#include <security/pam_modules.h> + +/* + * XSSO 4.2.2 + * XSSO 6 page 87 + * + * Service module implementation for pam_setcred + */ + +int +pam_sm_setcred(pam_handle_t *pamh, + int flags, + int argc, + const char **argv) +{ + + return (PAM_SYSTEM_ERR); +} + + +/* + * NOLIST + * + * Error codes: + * + * PAM_SERVICE_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + * PAM_PERM_DENIED + * PAM_IGNORE + * PAM_ABORT + * + * PAM_CRED_UNAVAIL + * PAM_CRED_EXPIRED + * PAM_USER_UNKNOWN + * PAM_CRED_ERR + */ + +/** + * The =pam_sm_setcred function is the service module's implementation of + * the =pam_setcred API function. + */ diff --git a/contrib/openpam/lib/pam_start.c b/contrib/openpam/lib/pam_start.c index a059661595ab..15782581424c 100644 --- a/contrib/openpam/lib/pam_start.c +++ b/contrib/openpam/lib/pam_start.c @@ -290,3 +290,37 @@ _pam_configure_service(pam_handle_t *pamh, return (PAM_SYSTEM_ERR); } + +/* + * Error codes: + * + * =pam_set_item + * !PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + */ + +/** + * The =pam_start function creates and initializes a PAM context. + * + * The =service argument specifies the name of the policy to apply, and is + * stored in the =PAM_SERVICE item in the created context. + * + * The =user argument specifies the name of the target user - the user the + * created context will serve to authenticate. + * It is stored in the =PAM_USER item in the created context. + * + * The =pam_conv argument points to a =struct pam_conv describing the + * conversation function to use. + * This structure is defined as follows: + * + * struct pam_conv { + * int (*conv)(int, const struct pam_message **, + * struct pam_response **, void *); + * void *appdata_ptr; + * }; + * + * >pam_get_item + * >pam_set_item + * >pam_end + */ diff --git a/contrib/openpam/lib/pam_strerror.c b/contrib/openpam/lib/pam_strerror.c index 516374c7346b..2503e4f9814a 100644 
--- a/contrib/openpam/lib/pam_strerror.c +++ b/contrib/openpam/lib/pam_strerror.c @@ -61,7 +61,7 @@ pam_strerror(pam_handle_t *pamh, case PAM_OPEN_ERR: return ("failed to load module"); case PAM_SYMBOL_ERR: - return ("symbol not found in module"); + return ("invalid symbol"); case PAM_SERVICE_ERR: return ("error in service module"); case PAM_SYSTEM_ERR: @@ -103,7 +103,7 @@ pam_strerror(pam_handle_t *pamh, case PAM_AUTHTOK_LOCK_BUSY: return ("authentication token lock busy"); case PAM_AUTHTOK_DISABLE_AGING: - return ("authentication token ageing disabled"); + return ("authentication token aging disabled"); case PAM_NO_MODULE_DATA: return ("module data not found"); case PAM_IGNORE: @@ -121,3 +121,10 @@ pam_strerror(pam_handle_t *pamh, return (unknown); } } + +/** + * The =pam_strerror function returns a pointer to a string containing a + * textual description of the error indicated by the =error_number + * argument, in the context of the PAM transaction described by the =pamh + * argument. + */ diff --git a/contrib/openpam/lib/pam_verror.c b/contrib/openpam/lib/pam_verror.c index feeaa6ebfcf3..2d8e2ca421da 100644 --- a/contrib/openpam/lib/pam_verror.c +++ b/contrib/openpam/lib/pam_verror.c @@ -58,3 +58,20 @@ pam_verror(pam_handle_t *pamh, free(rsp); /* ignore response */ return (r); } + +/* + * Error codes: + * + * !PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + */ + +/** + * The =pam_verror function passes its arguments to =pam_vprompt with a + * =style argument of =PAM_ERROR_MSG, and discards the response. + * + * >pam_error + * >pam_vinfo + */ diff --git a/contrib/openpam/lib/pam_vinfo.c b/contrib/openpam/lib/pam_vinfo.c index 24849985ff13..6cd418859c42 100644 --- a/contrib/openpam/lib/pam_vinfo.c +++ b/contrib/openpam/lib/pam_vinfo.c 
@@ -58,3 +58,20 @@ pam_vinfo(pam_handle_t *pamh, free(rsp); /* ignore response */ return (r); } + +/* + * Error codes: + * + * !PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + */ + +/** + * The =pam_vinfo function passes its arguments to =pam_vprompt with a + * =style argument of =PAM_TEXT_INFO, and discards the response. + * + * >pam_info + * >pam_verror + */ diff --git a/contrib/openpam/lib/pam_vprompt.c b/contrib/openpam/lib/pam_vprompt.c index cea56c7c06f9..e5eba2eced8c 100644 --- a/contrib/openpam/lib/pam_vprompt.c +++ b/contrib/openpam/lib/pam_vprompt.c @@ -77,3 +77,47 @@ pam_vprompt(pam_handle_t *pamh, free(rsp); return (r); } + +/* + * Error codes: + * + * !PAM_SYMBOL_ERR + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + * PAM_CONV_ERR + */ + +/** + * The =pam_vprompt function constructs a string from the =fmt and =ap + * arguments using =vsnprintf, and passes it to the given PAM context's + * conversation function. + * + * The =style argument specifies the type of interaction requested, and + * must be one of the following: + * + * =PAM_PROMPT_ECHO_OFF: + * Display the message and obtain the user's response without + * displaying it. + * =PAM_PROMPT_ECHO_ON: + * Display the message and obtain the user's response. + * =PAM_ERROR_MSG: + * Display the message as an error message, and do not wait + * for a response. + * =PAM_TEXT_INFO: + * Display the message as an informational message, and do + * not wait for a response. + * + * A pointer to the response, or =NULL if the conversation function did + * not return one, is stored in the location pointed to by the =resp + * argument. + * + * The message and response should not exceed =PAM_MAX_MSG_SIZE or + * =PAM_MAX_RESP_SIZE, respectively. + * If they do, they may be truncated. + * + * >pam_error + * >pam_info + * >pam_prompt + * >pam_verror + * >pam_vinfo + */ diff --git a/contrib/openpam/misc/gendoc.pl b/contrib/openpam/misc/gendoc.pl new file mode 100644 index 000000000000..99440c8b3df0 --- /dev/null 
+++ b/contrib/openpam/misc/gendoc.pl 
@@ -0,0 +1,444 @@ +#!/usr/bin/perl -w +#- +# Copyright (c) 2002 Networks Associates Technologies, Inc. +# All rights reserved. +# +# This software was developed for the FreeBSD Project by ThinkSec AS and +# NAI Labs, the Security Research Division of Network Associates, Inc. +# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +# DARPA CHATS research program. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. The name of the author may not be used to endorse or promote +# products derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. 
+# +# $Id$ +# + +use strict; +use Fcntl; +use POSIX qw(strftime); +use vars qw($COPYRIGHT $TODAY %FUNCTIONS %PAMERR); + +%PAMERR = ( + PAM_SUCCESS => "Success", + PAM_OPEN_ERR => "Failed to load module", + PAM_SYMBOL_ERR => "Invalid symbol", + PAM_SERVICE_ERR => "Error in service module", + PAM_SYSTEM_ERR => "System error", + PAM_BUF_ERR => "Memory buffer error", + PAM_CONV_ERR => "Conversation failure", + PAM_PERM_DENIED => "Permission denied", + PAM_MAXTRIES => "Maximum number of tries exceeded", + PAM_AUTH_ERR => "Authentication error", + PAM_NEW_AUTHTOK_REQD => "New authentication token required", + PAM_CRED_INSUFFICIENT => "Insufficient credentials", + PAM_AUTHINFO_UNAVAIL => "Authentication information is unavailable", + PAM_USER_UNKNOWN => "Unknown user", + PAM_CRED_UNAVAIL => "Failed to retrieve user credentials", + PAM_CRED_EXPIRED => "User credentials have expired", + PAM_CRED_ERR => "Failed to set user credentials", + PAM_ACCT_EXPIRED => "User accound has expired", + PAM_AUTHTOK_EXPIRED => "Password has expired", + PAM_SESSION_ERR => "Session failure", + PAM_AUTHTOK_ERR => "Authentication token failure", + PAM_AUTHTOK_RECOVERY_ERR => "Failed to recover old authentication token", + PAM_AUTHTOK_LOCK_BUSY => "Authentication token lock busy", + PAM_AUTHTOK_DISABLE_AGING => "Authentication token aging disabled", + PAM_NO_MODULE_DATA => "Module data not found", + PAM_IGNORE => "Ignore this module", + PAM_ABORT => "General failure", + PAM_TRY_AGAIN => "Try again", + PAM_MODULE_UNKNOWN => "Unknown module type", + PAM_DOMAIN_UNKNOWN => "Unknown authentication domain", +); + +sub parse_source($) { + my $fn = shift; + + local *FILE; + my $source; + my $func; + my $descr; + my $type; + my $args; + my $argnames; + my $man; + my $inlist; + my $inliteral; + my %xref; + my @errors; + + if ($fn !~ m,\.c$,) { + warn("$fn: not C source, ignoring\n"); + return; + } + + sysopen(FILE, $fn, O_RDONLY) + or die("$fn: open(): $!\n"); + $source = join('', <FILE>); + close(FILE); + 
+ return if ($source =~ m/^ \* NOPARSE\s*$/m); + + if (!defined($COPYRIGHT) && $source =~ m,^(/\*-\n.*?)\s*\*/,s) { + $COPYRIGHT = $1; + $COPYRIGHT =~ s,^.\*,.\\\",gm; + $COPYRIGHT =~ s,(\$Id).*?\$,$1\$,; + $COPYRIGHT .= "\n.\\\""; + } + $func = $fn; + $func =~ s,^(?:.*/)?([^/]+)\.c$,$1,; + if ($source !~ m,\n \* ([\S ]+)\n \*/\n\n([\S ]+)\n$func\((.*?)\)\n\{,s) { + warn("$fn: can't find $func\n"); + return; + } + ($descr, $type, $args) = ($1, $2, $3); + $descr =~ s,^([A-Z][a-z]),lc($1),e; + $descr =~ s,[\.\s]*$,,; + while ($args =~ s/^((?:[^\(]|\([^\)]*\))*),\s*/$1\" \"/g) { + # nothing + } + $args =~ s/,\s+/, /gs; + $args = "\"$args\""; + + %xref = ( + "pam 3" => 1 + ); + + if ($type eq "int") { + foreach (split("\n", $source)) { + next unless (m/^ \*\s+(!?PAM_[A-Z_]+|=[a-z_]+)\s*$/); + push(@errors, $1); + } + $xref{"pam_strerror 3"} = 1; + } + + $argnames = $args; + $argnames =~ s/\"[^\"]+\*?\b(\w+)\"/\"$1\"/g; + $argnames =~ s/([\|\[\]\(\)\.\*\+\?])/\\$1/g; + $argnames =~ s/\" \"/|/g; + $argnames =~ s/^\"(.*)\"$/($1)/; + foreach (split("\n", $source)) { + s/\s*$//; + if (!defined($man)) { + if (m/^\/\*\*$/) { + $man = ""; + } + next; + } + last if (m/^ \*\/$/); + s/^ \* ?//; + s/\\(.)/$1/gs; + if (m/^$/) { + if ($man ne "" && $man !~ m/\.Pp\n$/s) { + if ($inliteral) { + $man .= "\0\n"; + } elsif ($inlist) { + $man .= ".El\n"; + $inlist = 0; + } else { + $man .= ".Pp\n"; + } + } + next; + } + if (m/^>(\w+)(?:\s+(\d))?$/) { + ++$xref{$2 ? 
"$1 $2" : "$1 3"}; + next; + } + if (s/^\s+(=?\w+):\s*/.It $1/) { + if ($inliteral) { + $man .= ".Ed\n"; + $inliteral = 0; + } + if (!$inlist) { + $man =~ s/\.Pp\n$//s; + $man .= ".Bl -tag -width 18n\n"; + $inlist = 1; + } + s/^\.It =([A-Z][A-Z_]+)$/.It Dv $1/gs; + $man .= "$_\n"; + next; + } elsif ($inlist && m/^\S/) { + $man .= ".El\n"; + $inlist = 0; + } elsif ($inliteral && m/^\S/) { + $man .= ".Ed\n"; + $inlist = 0; + } elsif ($inliteral) { + $man .= "$_\n"; + next; + } elsif ($inlist) { + s/^\s+//; + } elsif (m/^\s+/) { + $man .= ".Bd -literal\n"; + $inliteral = 1; + $man .= "$_\n"; + next; + } + s/\s*=$func\b\s*/\n.Nm\n/gs; + s/\s*=$argnames\b\s*/\n.Va $1\n/gs; + s/\s*=(struct \w+(?: \*)?)\b\s*/\n.Vt $1\n/gs; + if (s/\s*=([a-z_]+)\b\s*/\n.Xr $1 3\n/gs) { + ++$xref{"$1 3"}; + } + s/\s*\"(?=\w)/\n.Do\n/gs; + s/\"(?!\w)\s*/\n.Dc\n/gs; + s/\s*=([A-Z][A-Z_]+)\b\s*(?![\.,:;])/\n.Dv $1\n/gs; + s/\s*=([A-Z][A-Z_]+)\b([\.,:;]+)\s*/\n.Dv $1 $2\n/gs; + s/\s*{([A-Z][a-z] .*?)}\s*/\n.$1\n/gs; + $man .= "$_\n"; + } + if (defined($man)) { + $man =~ s/(\n\.[A-Z][a-z] [\w ]+)\n([\.,:;-]\S*)\s*/$1 $2\n/gs; + $man =~ s/\s*$/\n/gm; + $man =~ s/\n+/\n/gs; + $man =~ s/\0//gs; + chomp($man); + } else { + $man = "No description available."; + } + + $FUNCTIONS{$func} = { + 'name' => $func, + 'descr' => $descr, + 'type' => $type, + 'args' => $args, + 'man' => $man, + 'xref' => \%xref, + 'errors' => \@errors, + }; + if ($source =~ m/^ \* NODOC\s*$/m) { + $FUNCTIONS{$func}->{'nodoc'} = 1; + $FUNCTIONS{$func}->{'nolist'} = 1; + } + if ($source =~ m/^ \* NOLIST\s*$/m) { + $FUNCTIONS{$func}->{'nolist'} = 1; + } + if ($source !~ m/^ \* XSSO \d/m) { + $FUNCTIONS{$func}->{'openpam'} = 1; + } +} + +sub expand_errors($); +sub expand_errors($) { + my $func = shift; # Ref to function hash + + my %errors; + + if (defined($func->{'recursed'})) { + warn("$func->{'name'}(): loop in error spec\n"); + return qw(); + } + $func->{'recursed'} = 1; + + foreach (@{$func->{'errors'}}) { + if 
(m/^(PAM_[A-Z_]+)$/) { + if (!defined($PAMERR{$1})) { + warn("$func->{'name'}(): unrecognized error: $1\n"); + next; + } + $errors{$1} = 1; + } elsif (m/^!(PAM_[A-Z_]+)$/) { + # treat negations separately + } elsif (m/^=([a-z_]+)$/) { + if (!defined($FUNCTIONS{$1})) { + warn("$func->{'name'}(): reference to unknown $1()\n"); + next; + } + foreach (expand_errors($FUNCTIONS{$1})) { + $errors{$_} = 1; + } + } else { + warn("$func->{'name'}(): invalid error specification: $_\n"); + } + } + foreach (@{$func->{'errors'}}) { + if (m/^!(PAM_[A-Z_]+)$/) { + delete($errors{$1}); + } + } + delete($func->{'recursed'}); + return (sort(keys(%errors))); +} + +sub gendoc($) { + my $func = shift; # Ref to function hash + + local *FILE; + my $mdoc; + my $fn; + + return if defined($func->{'nodoc'}); + + $mdoc = "$COPYRIGHT +.Dd $TODAY +.Dt " . uc($func->{'name'}) . " 3 +.Os +.Sh NAME +.Nm $func->{'name'} +.Nd $func->{'descr'} +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In security/pam_appl.h +"; + if ($func->{'name'} =~ m/_sm_/) { + $mdoc .= ".In security/pam_modules.h\n" + } + $mdoc .= ".Ft $func->{'type'} +.Fn $func->{'name'} $func->{'args'} +.Sh DESCRIPTION +$func->{'man'} +"; + if ($func->{'type'} eq "int") { + $mdoc .= ".Sh RETURN VALUES +The +.Nm +function returns one of the following values: +.Bl -tag -width 18n +"; + my @errors = expand_errors($func); + warn("$func->{'name'}(): no error specification\n") + unless(@errors); + foreach (@errors) { + $mdoc .= ".It Bq Er $_\n$PAMERR{$_}.\n"; + } + $mdoc .= ".El\n"; + } else { + if ($func->{'type'} =~ m/\*$/) { + $mdoc .= ".Sh RETURN VALUES +The +.Nm +function returns +.Dv NULL +on failure. +"; + } + } + $mdoc .= ".Sh SEE ALSO\n"; + my @xref = sort(keys(%{$func->{'xref'}})); + while (@xref) { + $mdoc .= ".Xr " . shift(@xref) . (@xref ? " ,\n" : "\n"); + } + $mdoc .= ".Sh STANDARDS\n"; + if ($func->{'openpam'}) { + $mdoc .= "The +.Nm +function is an OpenPAM extension. 
+"; + } else { + $mdoc .= ".Rs +.%T \"X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules\" +.%D \"June 1997\" +.Re +"; + } + $mdoc .= ".Sh AUTHORS +The +.Nm +function and this manual page were developed for the FreeBSD Project +by ThinkSec AS and NAI Labs, the Security Research Division of Network +Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. +"; + + $fn = "$func->{'name'}.3"; + sysopen(FILE, $fn, O_RDWR|O_CREAT|O_TRUNC) + or die("$fn: open(): $!\n"); + print(FILE $mdoc); + close(FILE); +} + +sub gensummary() { + + my $func; + + print "$COPYRIGHT +.Dd $TODAY +.Dt PAM 3 +.Os +.Sh NAME +"; + my @funcs = sort(keys(%FUNCTIONS)); + while ($func = shift(@funcs)) { + next if (defined($FUNCTIONS{$func}->{'nolist'})); + print ".Nm $func". (@funcs ? " ,\n" : "\n"); + } + print ".Nd Pluggable Authentication Modules Library +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In security/pam_appl.h +"; + foreach $func (sort(keys(%FUNCTIONS))) { + next if (defined($FUNCTIONS{$func}->{'nolist'})); + print ".Ft $FUNCTIONS{$func}->{'type'}\n"; + print ".Fn $func $FUNCTIONS{$func}->{'args'}\n"; + } + print ".Sh DESCRIPTION +.Sh RETURN VALUES +The following return codes are defined in the +.In security/pam_constants.h +header: +.Bl -tag -width 18n +"; + foreach (sort(keys(%PAMERR))) { + print ".It Bq Er $_\n$PAMERR{$_}.\n"; + } + print ".El +.Sh SEE ALSO +"; + foreach $func (sort(keys(%FUNCTIONS))) { + next if (defined($FUNCTIONS{$func}->{'nolist'})); + print ".Xr $func 3 ,\n"; + } + print ".Xr pam.conf 5 +.Sh STANDARDS +.Rs +.%T \"X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules\" +.%D \"June 1997\" +.Re +.Sh AUTHORS +The OpenPAM library and this manual page were developed for the +FreeBSD Project by ThinkSec AS and NAI Labs, the Security Research +Division of Network Associates, Inc. 
under DARPA/SPAWAR contract +N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. +" +} + +MAIN:{ + $TODAY = strftime("%B %e, %Y", localtime(time())); + $TODAY =~ s,\s+, ,g; + foreach my $fn (@ARGV) { + parse_source($fn); + } + foreach my $func (values(%FUNCTIONS)) { + gendoc($func); + } + gensummary(); +} |
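Review bot: In parse_source, the branch `} elsif ($inliteral && m/^\S/) {` appends `.Ed` but then clears `$inlist` instead of `$inliteral`, so this path never leaves literal mode; the second statement should be `$inliteral = 0;`. As written, each later unindented line would presumably emit another `.Ed`, and blank lines would keep being handled as literal text rather than producing `.Pp`. Separately, `%PAMERR` contains the typo `"User accound has expired"`, which is copied into the summary page and into every generated RETURN VALUES list that names PAM_ACCT_EXPIRED; it should read `"User account has expired"`.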