changeset 3970:e0cf0f3e7aa4

5073551 krlogin, krsh, ktelnet default PAM stacks look wrong. 6533858 zones unusable in s10u4_04 due to corrupted local zone pam.conf
author mp153739
date Thu, 05 Apr 2007 02:55:03 -0700
parents 53c82f760f32
children ad0c51c3d2f2
files deleted_files/usr/src/pkgdefs/SUNWrcmdr/postinstall.tmpl deleted_files/usr/src/pkgdefs/SUNWtnetr/postinstall.tmpl deleted_files/usr/src/pkgdefs/common_files/proc.pam_install usr/src/lib/libpam/pam.conf usr/src/pkgdefs/SUNWrcmdr/Makefile usr/src/pkgdefs/SUNWrcmdr/postinstall.tmpl usr/src/pkgdefs/SUNWrcmdr/prototype_com usr/src/pkgdefs/SUNWtnetr/Makefile usr/src/pkgdefs/SUNWtnetr/postinstall.tmpl usr/src/pkgdefs/SUNWtnetr/prototype_com usr/src/pkgdefs/common_files/i.pamconf usr/src/pkgdefs/common_files/proc.pam_install
diffstat 12 files changed, 285 insertions(+), 252 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deleted_files/usr/src/pkgdefs/SUNWrcmdr/postinstall.tmpl	Thu Apr 05 02:55:03 2007 -0700
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License").  You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+
+include pam_install
+
+# update the pam.conf file
+
+pam_init
+
+# Delete the rlogin entry that uses pam_krb5.so.1 from pam.conf
+# Delete the "acceptor" option everywhere
+
+cat $pamconfold | \
+	sed -e "/^rlogin.*pam_krb5.so.1/d" |
+	sed "s/acceptor//g" > $pamconf
+if [ $? -ne 0 ]; then
+	echo "can't edit $pamconf"                              
+	pam_undo
+	exit 1
+fi
+
+pam_add "^[#	]*krlogin[	]*auth" << EOF
+#
+# Kerberized rlogin service
+#
+krlogin		auth	binding		pam_krb5.so.1
+krlogin		auth	required	pam_unix_auth.so.1
+EOF
+if [ $? -ne 0 ]; then
+        exit 1
+fi
+
+pam_add "^[#	]*krsh[		]*auth" << EOF
+#
+# Kerberized rsh service
+#
+krsh		auth binding		pam_krb5.so.1
+krsh		auth required		pam_unix_auth.so.1
+EOF
+if [ $? -ne 0 ]; then
+        exit 1
+fi
+
+pam_fini
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deleted_files/usr/src/pkgdefs/SUNWtnetr/postinstall.tmpl	Thu Apr 05 02:55:03 2007 -0700
@@ -0,0 +1,59 @@
+#!/bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License").  You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+
+include pam_install
+
+#
+# update the pam.conf file
+#
+
+pam_init
+
+# Delete the "acceptor" option everywhere
+
+cat $pamconfold | \
+	sed "s/acceptor//g" > $pamconf
+if [ $? -ne 0 ]; then
+	echo "can't edit $pamconf"
+	pam_undo
+	exit 1
+fi
+
+pam_add "^[#	]*ktelnet[	]*auth" << EOF
+#
+# Kerberized telnet service
+#
+ktelnet		auth	binding		pam_krb5.so.1
+ktelnet		auth	required	pam_unix_auth.so.1
+EOF
+if [ $? -ne 0 ]; then
+	exit 1
+fi
+
+pam_fini
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deleted_files/usr/src/pkgdefs/common_files/proc.pam_install	Thu Apr 05 02:55:03 2007 -0700
@@ -0,0 +1,69 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License").  You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+# proc.pam_install -- common code for pam.conf entry addition
+#
+# pam_init	: call before any other functions
+# pam_add	: if the regular expression specified as argument 1
+#		  does not match any line in pam.conf, add the lines
+#		  provided on stdin to the file
+# pam_undo	: call if rest of procedure script fails
+# pam_fini	: call if rest of procedure script succeeds
+#
+# pam_init and pam_add will perform necessary clean-up and
+# return a non-zero exit code on failure.
+
+pamconf=${PKG_INSTALL_ROOT:-/}/etc/pam.conf
+pamconfold=/tmp/pam.conf.$$
+
+pam_init() {
+	cat $pamconf > $pamconfold
+	if [ $? -ne 0 ]; then
+		echo "can't create $pamconfold"
+		return 1
+	fi
+	return 0
+}
+
+pam_fini() {
+	rm -f -- $pamconfold
+	return 0
+}
+
+pam_undo() {
+	cat $pamconfold > $pamconf
+	pam_fini
+}
+
+pam_add() {
+	grep -s "$1" $pamconf > /dev/null 2>&1 || cat >> $pamconf
+	if [ $? -ne 0 ]; then
+		echo "can't edit $pamconf"
+		pam_undo
+		return 1
+	fi
+	return 0
+}
--- a/usr/src/lib/libpam/pam.conf	Wed Apr 04 22:56:20 2007 -0700
+++ b/usr/src/lib/libpam/pam.conf	Thu Apr 05 02:55:03 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -22,7 +21,7 @@
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # PAM configuration
@@ -55,8 +54,7 @@
 # Kerberized rlogin service
 #
 krlogin	auth required		pam_unix_cred.so.1
-krlogin	auth binding		pam_krb5.so.1
-krlogin	auth required		pam_unix_auth.so.1
+krlogin	auth required		pam_krb5.so.1
 #
 # rsh service (explicit because of pam_rhost_auth,
 # and pam_unix_auth for meaningful pam_setcred)
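Review bot: The krlogin stack here, like the krsh and ktelnet stacks in the next hunk, is repeated line for line in setup_kerb_changes() in usr/src/pkgdefs/common_files/i.pamconf, and nothing in either file points at the other. This commit had to edit both copies in parallel, so a later change to one can silently diverge from what upgrades write. A short comment above the three Kerberized blocks would help, for example `# pam_krb5 is the only auth module for the k* services; keep in sync with setup_kerb_changes() in pkgdefs/common_files/i.pamconf`. It would also record that the missing pam_unix_auth line is deliberate rather than an omission.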
@@ -67,14 +65,12 @@
 # Kerberized rsh service
 #
 krsh	auth required		pam_unix_cred.so.1
-krsh	auth binding		pam_krb5.so.1
-krsh	auth required		pam_unix_auth.so.1
+krsh	auth required		pam_krb5.so.1
 #
 # Kerberized telnet service
 #
 ktelnet	auth required		pam_unix_cred.so.1
-ktelnet	auth binding		pam_krb5.so.1
-ktelnet	auth required		pam_unix_auth.so.1
+ktelnet	auth required		pam_krb5.so.1
 #
 # PPP service (explicit because of pam_dial_auth)
 #
--- a/usr/src/pkgdefs/SUNWrcmdr/Makefile	Wed Apr 04 22:56:20 2007 -0700
+++ b/usr/src/pkgdefs/SUNWrcmdr/Makefile	Thu Apr 05 02:55:03 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -30,7 +29,6 @@
 
 .KEEP_STATE:
 
-TMPLFILES += postinstall
 DATAFILES += i.manifest r.manifest depend
 
 all: $(FILES)
--- a/usr/src/pkgdefs/SUNWrcmdr/postinstall.tmpl	Wed Apr 04 22:56:20 2007 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,70 +0,0 @@
-#!/bin/sh
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-#
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
-#
-# ident	"%Z%%M%	%I%	%E% SMI"
-#
-
-include pam_install
-
-# update the pam.conf file
-
-pam_init
-
-# Delete the rlogin entry that uses pam_krb5.so.1 from pam.conf
-# Delete the "acceptor" option everywhere
-
-cat $pamconfold | \
-	sed -e "/^rlogin.*pam_krb5.so.1/d" |
-	sed "s/acceptor//g" > $pamconf
-if [ $? -ne 0 ]; then
-	echo "can't edit $pamconf"                              
-	pam_undo
-	exit 1
-fi
-
-pam_add "^[#	]*krlogin[	]*auth" << EOF
-#
-# Kerberized rlogin service
-#
-krlogin		auth	binding		pam_krb5.so.1
-krlogin		auth	required	pam_unix_auth.so.1
-EOF
-if [ $? -ne 0 ]; then
-        exit 1
-fi
-
-pam_add "^[#	]*krsh[		]*auth" << EOF
-#
-# Kerberized rsh service
-#
-krsh		auth binding		pam_krb5.so.1
-krsh		auth required		pam_unix_auth.so.1
-EOF
-if [ $? -ne 0 ]; then
-        exit 1
-fi
-
-pam_fini
--- a/usr/src/pkgdefs/SUNWrcmdr/prototype_com	Wed Apr 04 22:56:20 2007 -0700
+++ b/usr/src/pkgdefs/SUNWrcmdr/prototype_com	Thu Apr 05 02:55:03 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -39,7 +38,6 @@
 i pkginfo
 i copyright
 i depend
-i postinstall
 i i.manifest
 i r.manifest
 #
--- a/usr/src/pkgdefs/SUNWtnetr/Makefile	Wed Apr 04 22:56:20 2007 -0700
+++ b/usr/src/pkgdefs/SUNWtnetr/Makefile	Thu Apr 05 02:55:03 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -28,7 +27,6 @@
 
 include ../Makefile.com
 
-TMPLFILES += postinstall
 DATAFILES += depend i.preserve i.manifest r.manifest
 
 .KEEP_STATE:
--- a/usr/src/pkgdefs/SUNWtnetr/postinstall.tmpl	Wed Apr 04 22:56:20 2007 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,59 +0,0 @@
-#!/bin/sh
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-#
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
-#
-# ident	"%Z%%M%	%I%	%E% SMI"
-#
-
-include pam_install
-
-#
-# update the pam.conf file
-#
-
-pam_init
-
-# Delete the "acceptor" option everywhere
-
-cat $pamconfold | \
-	sed "s/acceptor//g" > $pamconf
-if [ $? -ne 0 ]; then
-	echo "can't edit $pamconf"
-	pam_undo
-	exit 1
-fi
-
-pam_add "^[#	]*ktelnet[	]*auth" << EOF
-#
-# Kerberized telnet service
-#
-ktelnet		auth	binding		pam_krb5.so.1
-ktelnet		auth	required	pam_unix_auth.so.1
-EOF
-if [ $? -ne 0 ]; then
-	exit 1
-fi
-
-pam_fini
--- a/usr/src/pkgdefs/SUNWtnetr/prototype_com	Wed Apr 04 22:56:20 2007 -0700
+++ b/usr/src/pkgdefs/SUNWtnetr/prototype_com	Thu Apr 05 02:55:03 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -39,7 +38,6 @@
 i pkginfo
 i copyright
 i depend
-i postinstall
 i i.preserve
 i i.manifest
 i r.manifest
--- a/usr/src/pkgdefs/common_files/i.pamconf	Wed Apr 04 22:56:20 2007 -0700
+++ b/usr/src/pkgdefs/common_files/i.pamconf	Thu Apr 05 02:55:03 2007 -0700
@@ -3,9 +3,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -23,7 +22,7 @@
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 CLEANUP_FILE=/tmp/CLEANUP
@@ -32,35 +31,21 @@
 PPP_ENTRIES=$PAM_TMP/scp.$$
 CRON_ENTRIES=$PAM_TMP/scc.$$
 mkdir $PAM_TMP  || exit 1
-KRB5_CONF_FILE=$BASEDIR/etc/krb5/krb5.conf
-COMMENT_PREFIX="#"
 
 PATH="/usr/bin:/usr/sbin:${PATH}"
 export PATH
 
-kerberos_configured() {
-	if [ -f $KRB5_CONF_FILE ]; then
-		grep "___default_realm___" $KRB5_CONF_FILE > /dev/null 2>&1
-		if [ $? = 1 ]; then
-			COMMENT_PREFIX=""
-		fi
-	fi
-}
-
 setup_kerb_changes() {
 #
 # No comments or blanks lines allowed in entries below
 #
 cat > ${KERB_ENTRIES} << EOF
 krlogin		auth		required	pam_unix_cred.so.1
-krlogin		auth		binding		pam_krb5.so.1
-krlogin		auth		required	pam_unix_auth.so.1
+krlogin		auth		required	pam_krb5.so.1
 krsh		auth		required	pam_unix_cred.so.1
-krsh		auth		binding		pam_krb5.so.1
-krsh		auth		required	pam_unix_auth.so.1
+krsh		auth		required	pam_krb5.so.1
 ktelnet		auth		required	pam_unix_cred.so.1
-ktelnet		auth		binding		pam_krb5.so.1
-ktelnet		auth		required	pam_unix_auth.so.1
+ktelnet		auth		required	pam_krb5.so.1
 EOF
 }
 
@@ -86,7 +71,6 @@
 EOF
 }
 #
-kerberos_configured
 setup_kerb_changes
 setup_ppp_changes
 setup_cron_changes
@@ -279,6 +263,59 @@
 		    >> ${CLEANUP_FILE}
     		rm -f /tmp/pamconf.$$
     	fi
+
+#
+# update pam.conf to remove the rlogin entry that uses pam_krb5.so.1
+#
+	rm -f /tmp/pamconf.$$
+	sed -e "/^[# 	]*rlogin.*pam_krb5.so.1/d" \
+			$dest > /tmp/pamconf.$$
+	if [ $? -ne 0 ]; then
+		echo "Couldn't edit /tmp/pamconf.$$, rlogin lines have not been \
+			updated to remove pam_krb5.so.1." \
+			 >> ${CLEANUP_FILE}
+	else
+		cp /tmp/pamconf.$$ $dest
+	fi
+
+#
+# update pam.conf to remove obsolete flags used with pam_krb5.so.1
+#
+	rm -f /tmp/pamconf.$$
+	sed -e "s/\(pam_krb5.so.1.*\)acceptor/\1/g" \
+		-e "s/\(pam_krb5.so.1.*\)use_first_pass/\1/g" \
+		-e "s/\(pam_krb5.so.1.*\)try_first_pass/\1/g" \
+		-e "s/\(pam_krb5.so.1.*\)use_xfn_pass/\1/g" \
+		-e "s/\(pam_krb5.so.1.*\)try_xfn_pass/\1/g" \
+			$dest > /tmp/pamconf.$$
+	if [ $? -ne 0 ]; then
+		echo "Couldn't edit /tmp/pamconf.$$ to remove obsolete flags: \
+		acceptor, use_first_pass, try_first_pass, use_xfn_pass, try_xfn_pass." \
+			 >> ${CLEANUP_FILE}
+	else
+		cp /tmp/pamconf.$$ $dest
+	fi
+
+#
+# update pam.conf to remove the unnecessary unix_auth entries for the
+# kerberized services. 
+#
+	rm -f /tmp/pamconf.$$
+	sed -e "/^[# 	]*krlogin[ 	]*auth[ 	]*.*[ 	]*pam_unix_auth.so.1/d" \
+	 -e "/^[# 	]*krsh[ 	]*auth[ 	]*.*[ 	]*pam_unix_auth.so.1/d" \
+	 -e "/^[# 	]*ktelnet[ 	]*auth[ 	]*.*[ 	]*pam_unix_auth.so.1/d" \
+	 -e "s/^\([# 	]*krlogin[ 	]*auth[ 	]*\)binding/\1required/" \
+	 -e "s/^\([# 	]*krsh[ 	]*auth[ 	]*\)binding/\1required/" \
+	 -e "s/^\([# 	]*ktelnet[ 	]*auth[ 	]*\)binding/\1required/" \
+			$dest > /tmp/pamconf.$$
+	if [ $? -ne 0 ]; then
+		echo "Couldn't edit /tmp/pamconf.$$, krlogin, krsh, ktelnet may \
+				still have pam_unix_auth in their stacks." \
+			 >> ${CLEANUP_FILE}
+	else
+		cp /tmp/pamconf.$$ $dest
+	fi
+
 #
 # update pam.conf to append kerberos entries if not already present
 #
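Review bot: The three new edit passes write their output as root to `/tmp/pamconf.$$`, a predictable name in a shared directory, and the `rm -f` before each redirect does not guarantee the path is still absent when the shell opens it. The script already creates a private working directory with `mkdir $PAM_TMP || exit 1`, so the scratch file could live there instead, e.g. `$dest > $PAM_TMP/pamconf.$$` and `cp $PAM_TMP/pamconf.$$ $dest`, assuming PAM_TMP (defined outside this hunk) is writable only by the installer. Separately, the `binding` to `required` substitutions match any module on a krlogin/krsh/ktelnet auth line, not only `pam_krb5.so.1`, so a site-customised stack would be rewritten too; ending the pattern with `binding\([ 	]*pam_krb5\.so\.1\)` and restoring it as `\2` would narrow it. The enclosing block starts and ends outside this hunk.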
@@ -296,13 +333,21 @@
 			if [ $e1 = "dtlogin" ]; then
 				if grep "^[# 	]*$e1[ 	][ 	]*$e2[ 	]" \
 					$dest >/dev/null 2>&1; then
-					echo "$COMMENT_PREFIX$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$ 
+					echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$ 
 				fi
 			else
 			# Doesn't exist, enter into pam.conf
-			echo "$COMMENT_PREFIX$e1\t$e2 $e3\t\t$e4 $e5" >> \
+			echo "$e1\t$e2 $e3\t\t$e4 $e5" >> \
 				/tmp/pamconf.$$
 			fi
+		else
+			# Does exist. To maintain proper stacking order: remove it
+			# and append it to the bottom of the conf file.
+			grep "^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
+				$dest >> /tmp/pamconf.$$ 2>/dev/null
+			sed -e "/^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4/d" \
+				$dest > /tmp/pamconf2.$$
+			mv /tmp/pamconf2.$$ $dest
 		fi
 	done)
 	# Append kerberos lines if any were not present already.
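Review bot: In the new `else` branch the result of `sed ... > /tmp/pamconf2.$$` is never checked before `mv /tmp/pamconf2.$$ $dest`, so a failed or short write (a full /tmp, for instance) would replace pam.conf with an empty or truncated file. The edit passes added earlier in this commit test `$?` and use `cp`, which keeps the existing file's mode and ownership, whereas `mv` swaps in the scratch file with whatever attributes the umask gave it. Something like `sed ... $dest > /tmp/pamconf2.$$ && cp /tmp/pamconf2.$$ $dest` followed by `rm -f /tmp/pamconf2.$$` would match them. `$e4` is also interpolated into the pattern unescaped, so the dots in `pam_krb5.so.1` match any character, which is probably harmless for these entries. The surrounding loop and subshell begin outside the hunk.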
--- a/usr/src/pkgdefs/common_files/proc.pam_install	Wed Apr 04 22:56:20 2007 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-#
-# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# ident	"%Z%%M%	%I%	%E% SMI"
-#
-# proc.pam_install -- common code for pam.conf entry addition
-#
-# pam_init	: call before any other functions
-# pam_add	: if the regular expression specified as argument 1
-#		  does not match any line in pam.conf, add the lines
-#		  provided on stdin to the file
-# pam_undo	: call if rest of procedure script fails
-# pam_fini	: call if rest of procedure script succeeds
-#
-# pam_init and pam_add will perform necessary clean-up and
-# return a non-zero exit code on failure.
-
-pamconf=${PKG_INSTALL_ROOT:-/}/etc/pam.conf
-pamconfold=/tmp/pam.conf.$$
-
-pam_init() {
-	cat $pamconf > $pamconfold
-	if [ $? -ne 0 ]; then
-		echo "can't create $pamconfold"
-		return 1
-	fi
-	return 0
-}
-
-pam_fini() {
-	rm -f -- $pamconfold
-	return 0
-}
-
-pam_undo() {
-	cat $pamconfold > $pamconf
-	pam_fini
-}
-
-pam_add() {
-	grep -s "$1" $pamconf > /dev/null 2>&1 || cat >> $pamconf
-	if [ $? -ne 0 ]; then
-		echo "can't edit $pamconf"
-		pam_undo
-		return 1
-	fi
-	return 0
-}