Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Make libldns and libssh private.

Approved by: re (blanket)

Build lib/ with WARNS=6 by default.

Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.

I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.

pam_ssh needs roaming_dummy to link correctly against libssh.

Add a manual dependency on ssh_namespace.h.

Discussed with: ru

Introduce a namespace munging hack inspired by NetBSD to avoid polluting
the namespace of applications which inadvertantly link in libssh (usually
through pam_ssh)

Suggested by: lukem@netbsd.org
MFC after: 6 weeks

Commenting out WARNS actually brought it up to 4.

Comment out WARNS, the OpenSSL headers don't compile cleanly on some platforms.

Increase WARNS.

Revert the commits that made libssh an INTERNALLIB; they caused too much
trouble, especially on amd64.

Requested by: ru

Fix libssh dependency.

Join the 21st century: Cryptography is no longer an optional component
of releases. The -DNOCRYPT build option still exists for anyone who
really wants to build non-cryptographic binaries, but the "crypto"
release distribution is now part of "base", and anyone installing from a
release will get cryptographic binaries.

Approved by: re (scottl), markm
Discussed on: freebsd-current, in late April 2004

Deal better with the crypto version of the PAM library that goes
on the release media -- only put what is different in the crypto
version compared to the base version. This reduces PAM entries
in /usr/lib in the "crypto" distribution to:

libpam.a
libpam.so@
libpam.so.2
pam_krb5.so@
pam_krb5.so.2
pam_ksu.so@
pam_ksu.so.2
pam_ssh.so@
pam_ssh.so.2

The libpam.so* is still redundant (it is identical to the "base"
version), but we can't set DISTRIBUTION differently for libpam.a
and libpam.so.

(The removal of libpam.so* from the crypto distribution could be
addressed by the release/scripts/crypto-make.sh script, but then
we'd also need to remove redundant PAM headers, and I'm not sure
this is worth a hassle.)

This module is not WARNS-clean, due to brokenness in OpenSSL headers.

style.Makefile(5) police
(I've tried to keep to the spirit of the original formatting)

Reviewed by: des

Complete rewrite of pam_ssh(8). The previous version was becoming hard
to maintain, and had security issues which would have required a major
rewrite to address anyway.

This implementation currently starts a separate agent for each session
instead of connecting each new session to the agent started by the first
one. While this would be a Good Thing (and the old pam_ssh(8) tried to
do it), it's hard to get right. I'll revisit this issue when I've had a
chance to test some modifications to ssh-agent(1).

Moved SHLIB_NAME definition into one place.

Approved by: des

Switch to OpenPAM. Bump library version. Modules are now versioned, so
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.

Sponsored by: DARPA, NAI Labs

Now that cross-tools ld(1) has been fixed to look for dynamic
dependencies in the correct place, record the fact that -lssh
depends on -lcrypto and -lz.

Removed false dependencies on -lz (except ssh(1) and sshd(8)).
Removed false dependencies on -lcrypto and -lutil for scp(1).

Reviewed by: markm

Remove NO_WERROR, now that WARNS=n is gone.

Protect "make buildworld" against -Werror, as this module does not
build cleanly.

Add pam_ssh support to the static PAM library, libpam.a:

- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
dynamic linkage with -lssh.

Reviewed by: des, markm
Approved by: markm

Connect the man page to the build.

Sponsored by: DARPA, NAI Labs

Fix style/consistency in Makefile and repair static module building.

Submitted by: bde(partially)

(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module
from ports.

Big module cleanup.

Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.

Build new modules.

Put a commented-out dependancy on libpam for the (shared) modules.
I can't bring this in just yet, as the dependancy (modules->libpam)
is reversed for the static case (libpam->modules).

Use a unified libgcc rather than a seperate one for threaded and
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.

parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252

Make pam_ssh work. It had an undefined symbol when it was dlopen()ed.
I'm not quite sure about this, I think it should be using -lssh_pic since
it's being linked into a .so, but nothing seems to complain ahd it does
work. (well, it works for using the authorized_keys file, but I have not
figured out how to get it to start a ssh-agent and cache the key for me)

PR: 17191
Submitted by: Adrian Pavlykevych <pam@polynet.lviv.ua>

Use libcrypto instead of libdes.

Also - OpenSSH blesses us with a module for PAM.