Add changes to allow VRF, and mapped users (no local accounts)

Add changes allow admins to set up RADIUS clients with no local
knowledge of the RADIUS accounts (no adduser required, nor LDAP, etc.)

This is done by using the nss-mapuser package.   The only real change
to this package is to set up the SUDO prompt, so it's the RADIUS login
name, in the pam_sm_acct_mgmt entry point.

Bumped the version to 1.4.1

Change the PACKAGE info in configure to reflect Cumulus, and also
a few related fields.   Changed maintiner to dev-support

Also incorporated changes to make debuging builds easier under debian.

Added comment and description of src_ip to the config file (author of
the src_ip changes hadn't yet done that), and removed the location of
config file from comments, since debian installs to a different
location.

Quieted config complaints; can't move to current because current is
GPLv3, and this doesn't use autoconf.

Tried to capture the 5 years of changes between 1.3.17 and 1.4.0

Added lintian overrides.  Fixed up debian/copyright file to be standard
format, and match (approximately) the source files.  overrides don't
quite work, because source vs binary confusion, but documents them

Added debian install files

Added man page for the plugin, and for the RADIUS client config file

18 files changed, 444 insertions, 139 deletions

diff --git a/Changelog b/Changelog
index d7a3d2d..a8740bb 100644
--- a/Changelog
+++ b/Changelog
@@ -1,7 +1,17 @@
 1.4.0
 -----
 
-   Many changes.  See USAGE for details.
+   Many changes over 5 years:
+    src_ip in config file
+    ipv6 support
+    configure can use poll or select
+    Add Calling-Station-Id to accounting requests
+    mostly thread safe
+    add force_prompt option to enforce new password prompt for use with Tok
+    NetBSD fixes
+    new parameter max_challenge limits number of Access-Challenges
+    build: do not force flags, add to them instead.
+    build: use GCC for build, and ensure that unneeded symbols are not exported.
 
 1.3.17
 ------
diff --git a/Makefile b/Makefile
index 8fee0e8..8ff3482 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,7 @@
 # $Id: Makefile,v 1.13 2007/03/26 04:22:11 fcusack Exp $
 #
 #############################################################################
-VERSION=1.4.0
+VERSION=1.4.1
 
 ######################################################################
 #
diff --git a/USAGE b/USAGE
index 21b742a..0fce66b 100644
--- a/USAGE
+++ b/USAGE
@@ -1,4 +1,4 @@
-  The module takes a number of configuration options.  Password changing
+This PAM module takes a number of configuration options.  Password changing
 is not implemented, as the RADIUS protocol does not support it.
 
   The pam configuration can be:
@@ -13,14 +13,17 @@ account    sufficient   pam_radius_auth.so
 the following strings.  Note that not all of these options are
 relevant in for all uses of the module.
 
+At a minimum, one server must be listed in the radius client configuration
+file
+
 debug          - print out extensive debugging information via pam_log.
                  These messages generally end up being handled by
                  sylog(), and go to /var/log/messages.  Depending on
                  your host operating system, the log messages may be
                  elsewhere.
-		 You should generally use the debug option when first
-		 trying to install the module, as it will help
-		 enormously in tracking down problems.
+                 You should generally use the debug option when first
+                 trying to install the module, as it will help
+                 enormously in tracking down problems.
 
 use_first_pass - Instead of prompting the user for a password, retrieve
                  the password from the previous authentication module.
@@ -54,7 +57,8 @@ skip_passwd    - Do not prompt for a password, even if there was none
                  Otherwise, no password is sent to the next module.
 
 conf=foo       - set the configuration filename to 'foo'.
-                 Default is /etc/raddb/server
+                 Default is /etc/raddb/server (/etc/pam_radius_auth.conf
+                 on Debian systems).
 
 client_id=bar  - send a NAS-Identifier RADIUS attribute with string
                  'bar'.  If the client_id is not specified, the PAM_SERVICE
@@ -63,8 +67,8 @@ client_id=bar  - send a NAS-Identifier RADIUS attribute with string
                  i.e. A blank client ID.
 
 retry = #      - How many times to re-send a packet if there is no
-		 response.  Once the retry count has been reached,
-		 the module fails, and PAM continues to the next module.
+                 response.  Once the retry count has been reached,
+                 the module fails, and PAM continues to the next module.
 
 use_authtok    - force the use of a previously entered password.
                  This is  needed for pluggable password strength checking
diff --git a/configure b/configure
index 8dd54aa..7b62400 100755
--- a/configure
+++ b/configure
@@ -578,12 +578,12 @@ MFLAGS=
 MAKEFLAGS=
 
 # Identity of this package.
-PACKAGE_NAME='pam_radius'
-PACKAGE_TARNAME='pam_radius'
-PACKAGE_VERSION='1.5'
-PACKAGE_STRING='pam_radius 1.5'
-PACKAGE_BUGREPORT='http://bugs.freeradius.org'
-PACKAGE_URL='http://www.freeradius.org'
+PACKAGE_NAME='libpam-radius-auth'
+PACKAGE_TARNAME='libpam-radius-auth'
+PACKAGE_VERSION='1.4.1'
+PACKAGE_STRING='pam_radius 1.4.1'
+PACKAGE_BUGREPORT='http://support.cumulusnetworks.com'
+PACKAGE_URL='http://www.cumulusnetworks.com'
 
 ac_unique_file="src/pam_radius_auth.c"
 # Factoring default headers for most tests.
@@ -1339,7 +1339,7 @@ Some influential environment variables:
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
-Report bugs to <http://bugs.freeradius.org>.
+Report bugs to <http://www.cumulusnetworks.com>.
 pam_radius home page: <http://www.freeradius.org>.
 _ACEOF
 ac_status=$?
@@ -1601,7 +1601,7 @@ $as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
 ( $as_echo "## ----------------------------------------- ##
-## Report this to http://bugs.freeradius.org ##
+## Report this to http://www.cumulusnetworks.com ##
 ## ----------------------------------------- ##"
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
@@ -5831,7 +5831,7 @@ Usage: $0 [OPTION]... [TAG]...
 Configuration headers:
 $config_headers
 
-Report bugs to <http://bugs.freeradius.org>.
+Report bugs to <http://www.cumulusnetworks.com>.
 pam_radius home page: <http://www.freeradius.org>."
 
 _ACEOF
diff --git a/configure.ac b/configure.ac
index 3767085..ec1913f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@ dnl #############################################################
 AC_PREREQ([2.59])
 export CFLAGS LIBS LDFLAGS CPPFLAGS
 
-AC_INIT([pam_radius],1.5,[http://bugs.freeradius.org],,[http://www.freeradius.org])
+AC_INIT([pam_radius],1.5,[http://www.cumulusnetworks.com],,[http://www.cumulusnetworks.com])
 AC_CONFIG_SRCDIR([src/pam_radius_auth.c])
 AC_CONFIG_HEADER([src/config.h])
 m4_include([m4/ax_cc.m4])
diff --git a/debian/changelog b/debian/changelog
index 978af83..0bafb1c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,26 @@
+libpam-radius-auth (1.4.1-cl3u1) unstable; urgency=low
+
+  * Added support for mapping radius accounts to a local account
+    to get UID, GID, and base of home directory, so radius users
+    do not need to have an account created locally (or via LDAP)
+
+ -- Dave Olson <olson@cumulusnetworks.com>  Fri, 16 Jun 2017 15:44:12 -0700
+
 libpam-radius-auth (1.4.0) unstable; urgency=low
 
-   * Many changes.  See USAGE and git log for details.
+   * Many changes and bug fixes.  See USAGE and git log for details.
+   * src_ip in config file
+   * ipv6 support
+   * configure can use poll or select
+   * Add Calling-Station-Id to accounting requests
+   * mostly thread safe
+   * add force_prompt option to enforce new password prompt for use with Tok
+   * NetBSD fixes
+   * new parameter max_challenge limits number of Access-Challenges
+   * build: do not force flags, add to them instead.
+   * build: use GCC for build, and ensure that unneeded symbols are not exported.
 
- -- Alan T. DeKok <aland@freeradius.org>  Wed, 17 Dec 2014 17:00:59 -0500
+ -- Alan T. DeKok <aland@freeradius.org>  Thu, 23 Mar 2017 19:01:20 -0400
 
 libpam-radius-auth (1.3.17) unstable; urgency=low
 
@@ -14,10 +32,6 @@ libpam-radius-auth (1.3.17) unstable; urgency=low
 
  -- Arran Cudbard-Bell <a.cudbardb@freeradius.org>  Wed, 24 Oct 2012 08:18:01 +0100
 
-commit 0c3af1fb2a1ae1befb7a8e366406ded63cb9fa59
-
-    Note 1.4.0
-
 libpam-radius-auth (1.3.16-4.4) unstable; urgency=low
 
   * Non-maintainer upload to fix pending l10n issues.
diff --git a/debian/control b/debian/control
index b8090ae..cb8cb49 100644
--- a/debian/control
+++ b/debian/control
@@ -1,15 +1,14 @@
 Source: libpam-radius-auth
-Maintainer: Fabio M. Di Nitto <fabbione@fabbione.net>
+Maintainer: dev-support <dev-support@cumulusnetworks.com>
 Section: libs
 Priority: extra
 Standards-Version: 3.9.6
-Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 4.1.16)
+Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~)
 
 Package: libpam-radius-auth
 Architecture: any
-Depends: ${shlibs:Depends}
-Suggests: radius-server
-Description: The PAM RADIUS authentication module
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: PAM RADIUS client authentication module
  This is the PAM to RADIUS authentication module. It allows any PAM-capable
  machine to become a RADIUS client for authentication and accounting
  requests. You will, however, need to supply your own RADIUS server to
diff --git a/debian/copyright b/debian/copyright
index 8d52194..85c3d9e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,54 +1,25 @@
-This package was debianized by Fabio M. Di Nitto <fabbione@fabbione.net> on
-Thu, 31 Oct 2002 09:56:49 +0100
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: libpam-auth-user
+Source: https://github.com/FreeRADIUS/pam_radius
 
-It was downloaded from ftp://ftp.freeradius.org/pub/radius/
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
 
-Copyright (extracted from pam_radius_auth.c):
-
-/*
- *  This module is a merger of an old version of pam_radius.c, and
- * code which went into mod_auth_radius.c, with further modifications
- * by Alan DeKok of CRYPTOCard Inc..
- *
- * The original pam_radius.c code is copyright (c) Cristian Gafton, 1996,
- *                                             <gafton@redhat.com>
- *
- * The additional code is copyright (c) CRYPTOCard Inc, 1998.
- *
- *                                              All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, and the entire permission notice in its entirety,
- *    including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- *    products derived from this software without specific prior
- *    written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions.  (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-On Debian GNU/Linux systems, the complete text of the GNU General
-Public License can be found in /usr/share/common-licenses/GPL file.
+Files: *
+License: GPL-2+
+Copyright: Cristian Gafton <gafton@redhat.com>, 1996, 
+    Alan T. DeKok <aland@freeradius.org> 1998, 2014, 2015, 2016, 2017
diff --git a/debian/libpam-radius-auth.dirs b/debian/libpam-radius-auth.dirs
new file mode 100644
index 0000000..8db6b07
--- /dev/null
+++ b/debian/libpam-radius-auth.dirs
@@ -0,0 +1,4 @@
+lib/security
+etc
+usr/share/doc/libpam-radius-auth/html
+usr/share/pam-configs
diff --git a/debian/libpam-radius-auth.install b/debian/libpam-radius-auth.install
new file mode 100644
index 0000000..fca8c6f
--- /dev/null
+++ b/debian/libpam-radius-auth.install
@@ -0,0 +1,4 @@
+pam_radius_auth.so lib/security
+pam_radius_auth.conf etc
+index.html usr/share/doc/libpam-radius-auth/html
+debian/radius usr/share/pam-configs
diff --git a/debian/libpam-radius-auth.lintian-overrides b/debian/libpam-radius-auth.lintian-overrides
new file mode 100644
index 0000000..49f75dd
--- /dev/null
+++ b/debian/libpam-radius-auth.lintian-overrides
@@ -0,0 +1,9 @@
+# they are old, but current is GPL v3, so leaving old
+libpam-radius-auth binary: outdated-autotools-helper-file config.sub 2007-11-19
+libpam-radius-auth binary: outdated-autotools-helper-file config.guess 2007-11-19
+libpam-radius-auth binary: diff-contains-git-control-dir .git
+libpam-radius-auth binary: debhelper-but-no-misc-depends libpam-radius-auth
+libpam-radius-auth binary: unsupported-source-format 3.0 (git)
+libpam-radius-auth binary: source-nmu-has-incorrect-version-number 1.4.1
+
+
diff --git a/debian/libpam-radius-auth.manpages b/debian/libpam-radius-auth.manpages
new file mode 100644
index 0000000..c85854a
--- /dev/null
+++ b/debian/libpam-radius-auth.manpages
@@ -0,0 +1,2 @@
+pam_radius_auth.5
+pam_radius_auth.8
diff --git a/debian/libpam-radius-auth.postinst b/debian/libpam-radius-auth.postinst
index 4b0d38e..de079ad 100644
--- a/debian/libpam-radius-auth.postinst
+++ b/debian/libpam-radius-auth.postinst
@@ -4,3 +4,6 @@ set -e
 
 # needed for install, upgrade, remove, and purge, including aborts
 pam-auth-update --package
+
+#DEBHELPER#
+
diff --git a/debian/rules b/debian/rules
index 4e68084..9a0976d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,7 +7,8 @@ ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 else
 	CFLAGS += -O2
 endif
-CFLAGS+=-g3 -Wno-strict-aliasing -DCONF_FILE=\"/etc/pam_radius_auth.conf\"
+PAM_CONF_FILE=/etc/pam_radius_auth.conf
+CFLAGS+=-g3 -Wno-strict-aliasing -DCONF_FILE=\"${PAM_CONF_FILE}\"
 
 ifeq ($(DEB_HOST_GNU_CPU),(hppa|m68k|mips|powerpc|s390|sparc|sparc64|sheb))
 	CFLAGS += -DHIGHFIRST
@@ -17,6 +18,14 @@ export CFLAGS
 %:
 	dh  $@
 
-override_dh_auto_configure:
-	./configure
+# all the installing is here, not in Makefile.
+# The configuration file with the share secrets needs to be 600
+override_dh_install:
+	dh_install -v --sourcedir=.
+	chmod 600 debian/*/${PAM_CONF_FILE}
 
+override_dh_fixperms:
+	dh_fixperms --exclude ${PAM_CONF_FILE}
+
+override_dh_installchangelogs:
+	dh_installchangelogs Changelog
diff --git a/pam_radius_auth.5 b/pam_radius_auth.5
new file mode 100644
index 0000000..f117166
--- /dev/null
+++ b/pam_radius_auth.5
@@ -0,0 +1,56 @@
+.TH pam_radius_auth 5
+.\" Copyright 2017 Cumulus Networks, Inc.  All rights reserved.
+.SH NAME
+/etc/pam_radius_auth.conf \- RADIUS client configuration file
+.SH SYNOPSIS
+.B /etc/tacplus_servers
+is the RADIUS client configuration file for the PAM RADIUS client plugin.
+It contains the information on how to reach the RADIUS server(s), and 
+because it contains the shared secret key, should be mode 600 and owned
+by root.
+.SH DESCRIPTION
+Other PAM-specific options are described in the
+.B pam_radius_auth.8
+manpage, and must be added to the PAM configuration files.
+.PP
+By default, all components source this file, enabling a single point of
+configuration for the TACACS server(s), debug settings, etc.
+.PP
+Not all keywords use all fields.
+.TP
+.I debug
+Output PAM and RADIUS communication debugging information via syslog(3).
+.TP
+.I  server[:port] secret [timeout] [src_ip]
+the port name or number is optional.  The default port name is
+"radius", and is looked up from
+.IR /etc/services .
+The timeout field is optional.  The default timeout is 3 seconds.
+.IP
+For IPv6 literal addresses, the address has to be surrounded  by
+square  brackets as usual. E.g. [2001:0db8:85a3::4].
+.IP
+If multiple RADIUS server lines exist, they are tried in order.  The
+first server to return success or failure causes the module to return
+success or failure.  Only if a server fails to response is it skipped,
+and the next server in turn is used.
+.IP
+The optional timeout field controls how many seconds the module waits before
+deciding that the server has failed to respond.  It currently must be
+less than 60.
+.IP
+The optional src_ip may be used to configure the source IP address used
+in the RADIUS packets to the server.  The timeout field must be set if 
+setting the src_ip is desired
+.TP
+.I vrf-name VRFNAME
+If the management network is in a VRF, set this variable to the VRF name. This
+would  usually  be  "mgmt".  This is not normally needed with PAM.
+.SH "SEE ALSO"
+.BR pam_radius_auth (8),
+.BR mapuser_nss (5)
+.SH FILES
+.I /etc/pam_radius_auth.conf
+- RADIUS client configuration parameters
+.SH AUTHOR
+Dave Olson <olson@cumulusnetworks.com>
diff --git a/pam_radius_auth.8 b/pam_radius_auth.8
new file mode 100644
index 0000000..a713370
--- /dev/null
+++ b/pam_radius_auth.8
@@ -0,0 +1,140 @@
+.TH pam_radius_auth 8
+.\" Copyright 2017 Cumulus Networks, Inc.  All rights reserved.
+.\" Based on USAGE file in the source package
+.SH NAME
+pam_radius_auth.so \- PAM RADIUS client plugin
+.SH SYNOPSIS
+.SH DESCRIPTION
+.B pam_radius_auth
+is the RADIUS client PAM plugin.
+It supports IPv4 and IPv6 connections to a RADIUS server.  It only supports
+authentication and accounting for sessions, it does not support changing passwords,
+because the RADIUS protocol does not support it.
+.PP
+This PAM module takes a number of standard PAM configuration options,
+as well as some specific to this plugin.
+.PP
+options can be added by editting the files in
+.I /etc/pam.d
+or by editting the configuration file
+.I /usr/share/pam-configs/radius
+and then running 
+.BR pam-auth-config .
+.PP
+All of the following arguments are optional, and can be combined as needed.
+Note that not all of these options are relevant in for all uses of the module.
+.TP
+.I accounting_bug
+When used, the accounting response vector is NOT
+validated.  This option will probably only be necessary
+on REALLY OLD (i.e. Livingston 1.16) servers.
+.TP
+.I client_id=bar
+send a NAS-Identifier RADIUS attribute with string 'bar'.
+If the client_id is not specified, the PAM_SERVICE
+type is used instead. ('login', 'su', 'passwd', etc.)
+This feature may be disabled by using 'client_id='.
+i.e. A blank client ID.
+.TP
+.I conf=foo
+set the configuration filename to 'foo'.
+Default is /etc/raddb/server (/etc/pam_radius_auth.conf
+on Debian systems).
+.TP
+.I debug
+print out extensive debugging information via pam_log.
+These messages generally end up being handled by
+sylog(), and go to /var/log/messages.  Depending on
+your host operating system, the log messages may be
+elsewhere.
+.IP
+You should generally use the debug option when first
+trying configuring this module, as it will help
+enormously in tracking down problems.
+.TP
+.I force_prompt
+Request a new password and not using the previously entered
+password. This usefull for multi-factor authentication
+when used with a Token.
+.TP
+.I localifdown
+This option tells pam_radius to return PAM_IGNORE instead
+of PAM_AUTHINFO_UNAVAIL if RADIUS auth failed due to
+network unavailability.  PAM_IGNORE tells the pam stack
+to continue down the stack regardless of the control flag.
+.TP
+.I max_challenge=#
+configure maximum number of challenges that a server
+may request. This is a workaround for broken servers
+and disabled by default.
+.TP
+.I retry=#
+How many times to re-send a packet if there is no
+response.  Once the retry count has been reached,
+the module fails, and PAM continues to the next module.
+.TP
+.I prompt=string
+Specifies the prompt, without the ': ', that PAM should
+display when prompting for the password. This is useful
+when using hardware tokens as part of multi-factor
+authentication and presenting the same prompt twice would
+confuse users.  Use prompt=TokenCode (or some other
+relevant string different from Password) in this
+situation.
+.TP
+.I ruser
+If PAM_USER is root, Use the value of PAM_RUSER instead
+of PAM_USER to determine the username to authenticate via
+RADIUS.  This is to allow 'su' to act like 'sudo'.
+.TP
+.I skip_passwd
+Do not prompt for a password, even if there was none
+retrieved from the previous layer.
+Send the previous one (if it exists), or else send a NULL
+password.
+If this fails, exit.
+If an Access-Challenge is returned, display the challenge
+message, and ask the user for the response.
+Return success/failure as appropriate.
+.IP
+The password sent to the next authentication module will
+NOT be the response to the challenge.  If a password from
+a previous authentication module exists, it is passed on.
+Otherwise, no password is sent to the next module.
+.TP
+.I try_first_pass
+Instead of prompting the user for a password, retrieve
+the password from the previous authentication module.
+If the password exists, try it, and return success if it
+passes.
+If there was no previous password, or the previous password
+fails authentication, prompt the user with
+"Enter RADIUS password: ", and ask for another password.
+Try this password, and return success/failure as appropriate.
+.IP
+This is the default for authentication.
+.TP
+.I use_first_pass
+Instead of prompting the user for a password, retrieve
+the password from the previous authentication module.
+If the password does not exist, return failure.
+If the password exists, try it, returning success/failure
+as appropriate.
+.TP
+.I use_authtok
+force the use of a previously entered password.
+This is  needed for pluggable password strength checking
+i.e. try cracklib to be sure it's secure, then go update
+the RADIUS server.
+.SH "SEE ALSO"
+.BR pam_radius_auth (5),
+.BR mapuser_nss (5),
+.BR pam-auth-update (8)
+.SH FILES
+.IR /etc/pam_radius_auth.conf ,
+- RADIUS client configuration parameters
+.I /usr/share/pam-config/radius
+- configuration to generate RADIUS entries in the PAM files
+.SH AUTHOR
+Dave Olson <olson@cumulusnetworks.com>, based on the USAGE file written by multiple
+contributors
diff --git a/pam_radius_auth.conf b/pam_radius_auth.conf
index 2fe1f34..120c7a7 100644
--- a/pam_radius_auth.conf
+++ b/pam_radius_auth.conf
@@ -1,14 +1,16 @@
-#  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
+#  pam_radius_auth configuration file.
+#
+#  See 'man pam_radius_auth.conf pam_radius_auth'
 #
 #  For proper security, this file SHOULD have permissions 0600,
 #  that is readable by root, and NO ONE else.  If anyone other than
 #  root can read this file, then they can spoof responses from the server!
 #
-#  There are 3 fields per line in this file.  There may be multiple
+#  There are 2-4 fields per line in this file.  There may be multiple
 #  lines.  Blank lines or lines beginning with '#' are treated as
 #  comments, and are ignored.  The fields are:
 #
-#  server[:port] secret [timeout]
+#  server[:port] secret [timeout] [src_ip]
 #
 #  the port name or number is optional.  The default port name is
 #  "radius", and is looked up from /etc/services The timeout field is
@@ -22,14 +24,24 @@
 #  success or failure.  Only if a server fails to response is it skipped,
 #  and the next server in turn is used.
 #
-#  The timeout field controls how many seconds the module waits before
-#  deciding that the server has failed to respond.
+#  The optional timeout field controls how many seconds the module waits before
+#  deciding that the server has failed to respond.  It currently must be
+#  less than 60.
+#
+#  The optional src_ip may be used to configure the source IP address used
+#  in the RADIUS packets to the server.  The timeout field must be set if 
+#  setting the src_ip is desired
 #
-# server[:port]             shared_secret      timeout (s)
-127.0.0.1                   secret             1
-other-server                other-secret       3
-[2001:0db8:85a3::4]:1812    other6-secret      1
+# server[:port]             shared_secret      timeout (secs) src_ip
+# 127.0.0.1                   secret             1
+# other-server                other-secret       3            192.168.3.4
+# [2001:0db8:85a3::4]:1812    other6-secret      1
 #
-# having localhost in your radius configuration is a Good Thing.
+#  This allows the radius client to work when a management VRF is in use.
+#  The syntax is "vrf-name" (keyword) followed by the VRF name, typically "mgmt"
+#  Since the keyword has an illegal character for a hostname ('-'), this can't
+#  conflict with a valid hostname
+# vrf-name mgmt
 #
-# See the INSTALL file for pam.conf hints.
+#  Uncomment to enable debugging, can be used instead of altering pam files
+# debug
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index a9fd518..971dc01 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -525,13 +525,14 @@ static int initialize(radius_conf_t *conf, int accounting)
 	struct sockaddr_storage salocal6;
 	char hostname[BUFFER_SIZE];
 	char secret[BUFFER_SIZE];
+	char *vrfname = NULL;
 
 	char buffer[BUFFER_SIZE];
 	char *p;
 	FILE *fserver;
-	radius_server_t *server = NULL;
+	radius_server_t *server = NULL, *tmp;
 	int timeout;
-	int line = 0;
+	int line = 0, scancnt;
 	char src_ip[MAX_IP_LEN];
 	int seen_v6 = 0;
 
@@ -572,48 +573,73 @@ static int initialize(radius_conf_t *conf, int accounting)
 			break;
 		}
 
-		timeout = 3;
-		src_ip[0] = 0;
-		if (sscanf(p, "%s %s %d %s", hostname, secret, &timeout, src_ip) < 2) {
-			_pam_log(LOG_ERR, "ERROR reading %s, line %d: Could not read hostname or secret\n",
-				 conf->conf_file, line);
-			continue;			/* invalid line */
-		} else {				/* read it in and save the data */
-			radius_server_t *tmp;
-
-			tmp = malloc(sizeof(radius_server_t));
-			if (server) {
-				server->next = tmp;
-				server = server->next;
-			} else {
-				conf->server = tmp;
-				server= tmp;		/* first time */
-			}
+		scancnt = sscanf(p, "%s %s %d %s", hostname, secret, &timeout, src_ip);
 
-			/* sometime later do memory checks here */
-			server->hostname = strdup(hostname);
-			server->secret = strdup(secret);
-			server->accounting = accounting;
+		/* is it the name of a vrf we should bind to? */
+		if (!strcmp(hostname, "vrf-name")) {
+			if (scancnt < 2)
+			  _pam_log(LOG_ERR, "ERROR reading %s, line %d: only %d fields\n",
+				   conf->conf_file, line, scancnt);
+			else
+			  vrfname = strdup(secret);
+			continue;
+		}
 
-			if ((timeout < 1) || (timeout > 60)) {
-				server->timeout = 3;
-			} else {
-				server->timeout = timeout;
-			}
-			server->next = NULL;
+		/*	allow setting debug in config file as well */
+		if (!strcmp(hostname, "debug")) {
+			if (scancnt < 1)
+			  _pam_log(LOG_ERR, "ERROR reading %s, line %d: only %d fields\n",
+				   conf->conf_file, line, scancnt);
+			else
+			  conf->debug = 1;
+			continue;
+		}
 
-			if (src_ip[0]) {
-				memset(&salocal, 0, sizeof(salocal));
-				get_ipaddr(src_ip, (struct sockaddr *)&salocal, NULL);
-				switch (salocal.ss_family) {
-					case AF_INET:
-						memcpy(&salocal4, &salocal, sizeof(salocal));
-						break;
-					case AF_INET6:
-						seen_v6 = 1;
-						memcpy(&salocal6, &salocal, sizeof(salocal));
-						break;
-				}
+		if (scancnt < 2) {
+			_pam_log(LOG_ERR, "ERROR reading %s, line %d: only %d fields\n",
+			   conf->conf_file, line, scancnt);
+			continue; /* invalid line */
+		}
+		if (scancnt < 4) {
+			src_ip[0] = 0;
+			if (scancnt < 3)
+			   timeout = 3; /*  default timeout */
+		}
+
+		/* read it in and save the data */
+		tmp = malloc(sizeof(radius_server_t));
+		if (server) {
+			server->next = tmp;
+			server = server->next;
+		} else {
+			conf->server = tmp;
+			server= tmp;		/* first time */
+		}
+
+		/* sometime later do memory checks here */
+		server->hostname = strdup(hostname);
+		server->secret = strdup(secret);
+		server->accounting = accounting;
+
+		memset(&server->ip, 0, sizeof server->ip);
+		if ((timeout < 1) || (timeout > 60)) {
+			server->timeout = 3;
+		} else {
+			server->timeout = timeout;
+		}
+		server->next = NULL;
+
+		if (src_ip[0]) {
+			memset(&salocal, 0, sizeof(salocal));
+			get_ipaddr(src_ip, (struct sockaddr *)&salocal, NULL);
+			switch (salocal.ss_family) {
+				case AF_INET:
+					memcpy(&salocal4, &salocal, sizeof(salocal));
+					break;
+				case AF_INET6:
+					seen_v6 = 1;
+					memcpy(&salocal6, &salocal, sizeof(salocal));
+					break;
 			}
 		}
 	}
@@ -639,6 +665,17 @@ static int initialize(radius_conf_t *conf, int accounting)
 		return PAM_AUTHINFO_UNAVAIL;
 	}
 
+	if (vrfname) {
+		/*  do not fail if the bind fails, connection may succeed */
+		if (setsockopt(conf->sockfd, SOL_SOCKET, SO_BINDTODEVICE,
+		    vrfname, strlen(vrfname)+1) < 0)
+		   _pam_log(LOG_WARNING, "Binding socket to VRF %s failed: %m",
+		            vrfname);
+		else if(conf->debug)
+		    _pam_log(LOG_DEBUG, "Configured vrf as: %s", vrfname);
+		free(vrfname);
+	}
+
 #ifndef HAVE_POLL_H
 	if (conf->sockfd >= FD_SETSIZE) {
 		_pam_log(LOG_ERR, "Unusable socket, FD is larger than %d\n", FD_SETSIZE);
@@ -1642,8 +1679,39 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c
  */
 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc,CONST char **argv)
 {
-	int retval;
-	retval = PAM_SUCCESS;
+	int retval = PAM_SUCCESS;
+	CONST char *user;
+	radius_conf_t config;
+
+	(void) _pam_parse(argc, argv, &config);
+
+	/* grab the user name */
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS || user == NULL || strlen(user) > MAXPWNAM) {
+		return PAM_USER_UNKNOWN;
+	}
+
+	/*
+	* parse the config file.  We don't make any connections here, so ignore
+	* any failures.  For consistency only.
+	*/
+	retval = initialize(&config, FALSE);
+
+	/*
+	* set SUDO_PROMPT in env so that it prompts as the login user, not the mapped
+	* user, unless (unlikely) the prompt has already been set.
+	* It won't hurt to do this if the user wasn't mapped.
+	*/
+	if (!pam_getenv(pamh, "SUDO_PROMPT")) {
+		  char nprompt[strlen("SUDO_PROMPT=[sudo] password for ") +
+		      strlen(user) + 3]; /* + 3 for ": " and the \0 */
+		  snprintf(nprompt, sizeof nprompt,
+			  "SUDO_PROMPT=[sudo] password for %s: ", user);
+		  if (pam_putenv(pamh, nprompt) != PAM_SUCCESS)
+		  	_pam_log(LOG_NOTICE, "failed to set PAM sudo prompt "
+				"(%s)", nprompt);
+	}
+
 	return retval;
 }