+###############################################################################
+#
+# Check for PAM.
+#
+###############################################################################
+
+case "$host" in
+ *-solaris*)
+ # Solaris systems tend to come with PAM misconfigured.
+ # Don't build it by default, even if the headers exist.
+ with_pam_default=no
+ ;;
+ *)
+ # Default to building PAM support on all other systems, if it exists.
+ with_pam_default=yes
+ ;;
+esac
+
+have_pam=no
+with_pam_req=unspecified
+
+AC_ARG_WITH(pam,
+[ --with-pam Include support for PAM (Pluggable Auth Modules.)],
+ [with_pam="$withval"; with_pam_req="$withval"],[with_pam=$with_pam_default])
+
+AC_ARG_WITH([pam_service_name],
+ AC_HELP_STRING([--with-pam-service-name=NAME],
+ [NAME is the name of the PAM service that
+ xscreensaver will authenticate as.]),
+ [pam_service_name="$withval"],[pam_service_name="xscreensaver"])
+
+HANDLE_X_PATH_ARG(with_pam, --with-pam, PAM)
+
+if test "$enable_locking" = yes -a "$with_pam" = yes; then
+ AC_CACHE_CHECK([for PAM], ac_cv_pam,
+ [AC_TRY_X_COMPILE([#include <security/pam_appl.h>],,
+ [ac_cv_pam=yes],
+ [ac_cv_pam=no])])
+ if test "$ac_cv_pam" = yes ; then
+ have_pam=yes
+ AC_DEFINE(HAVE_PAM)
+ AC_DEFINE_UNQUOTED(PAM_SERVICE_NAME,"$pam_service_name")
+
+ PASSWD_LIBS="${PASSWD_LIBS} -lpam"
+
+ # libpam typically requires dlopen and dlsym. On FreeBSD,
+ # those are in libc. On Linux and Solaris, they're in libdl.
+ AC_CHECK_LIB(dl, dlopen, [PASSWD_LIBS="${PASSWD_LIBS} -ldl"])
+
+ # On Linux, sigtimedwait() is in libc; on Solaris, it's in librt.
+ have_timedwait=no
+ AC_CHECK_LIB(c, sigtimedwait, [have_timedwait=yes])
+ if test "$have_timedwait" = no ; then
+ AC_CHECK_LIB(rt, sigtimedwait, [PASSWD_LIBS="${PASSWD_LIBS} -lrt"])
+ fi
+
+ AC_MSG_CHECKING(how to call pam_strerror)
+ AC_CACHE_VAL(ac_cv_pam_strerror_args,
+ [AC_TRY_COMPILE([#include <stdio.h>
+ #include <stdlib.h>
+ #include <security/pam_appl.h>],
+ [pam_handle_t *pamh = 0;
+ char *s = pam_strerror(pamh, PAM_SUCCESS);],
+ [ac_pam_strerror_args=2],
+ [AC_TRY_COMPILE([#include <stdio.h>
+ #include <stdlib.h>
+ #include <security/pam_appl.h>],
+ [char *s =
+ pam_strerror(PAM_SUCCESS);],
+ [ac_pam_strerror_args=1],
+ [ac_pam_strerror_args=0])])
+ ac_cv_pam_strerror_args=$ac_pam_strerror_args])
+ ac_pam_strerror_args=$ac_cv_pam_strerror_args
+ if test "$ac_pam_strerror_args" = 1 ; then
+ AC_MSG_RESULT(one argument)
+ elif test "$ac_pam_strerror_args" = 2 ; then
+ AC_DEFINE(PAM_STRERROR_TWO_ARGS)
+ AC_MSG_RESULT(two arguments)
+ else
+ AC_MSG_RESULT(unknown)
+ fi
+ fi
+fi
+
+
+###############################################################################
+#
+# Check for Kerberos.
+#
+###############################################################################
+
+have_kerberos=no
+have_kerberos5=no
+with_kerberos_req=unspecified
+
+AC_ARG_WITH(kerberos,
+[ --with-kerberos Include support for Kerberos authentication.],
+ [with_kerberos="$withval"; with_kerberos_req="$withval"],[with_kerberos=yes])
+
+HANDLE_X_PATH_ARG(with_kerberos, --with-kerberos, Kerberos)
+
+if test "$enable_locking" = yes -a "$with_kerberos" = yes; then
+ AC_CACHE_CHECK([for Kerberos 4], ac_cv_kerberos,
+ [AC_TRY_X_COMPILE([#include <krb.h>],,
+ [ac_cv_kerberos=yes],
+ [ac_cv_kerberos=no])])
+ AC_CACHE_CHECK([for Kerberos 5], ac_cv_kerberos5,
+ [AC_TRY_X_COMPILE([#include <kerberosIV/krb.h>],,
+ [ac_cv_kerberos5=yes],
+ [ac_cv_kerberos5=no])])
+
+ if test "$ac_cv_kerberos" = yes ; then
+ have_kerberos=yes
+ AC_DEFINE(HAVE_KERBEROS)
+ fi
+
+ if test "$ac_cv_kerberos5" = yes ; then
+
+ # Andrew Snare <ajs@pigpond.com> wrote:
+ #
+ # You were assuming that if kerberosV (krb5) was found, then kerberosIV
+ # (krb4) was also available. This turns out not to be the case with
+ # mit-krb-1.2.7; apparently backwards-compatibility with KerberosIV
+ # is optional.
+ #
+ # So, disable kerberosV support if libkrb4 can't be found.
+ # This is not the best solution, but it makes the compile not fail.
+ #
+ AC_CHECK_X_LIB(krb4, krb_get_tf_realm,
+ [have_kerberos=yes],
+ [have_kerberos=no])
+ if test "$have_kerberos" = yes ; then
+ have_kerberos5=yes
+ AC_DEFINE(HAVE_KERBEROS)
+ AC_DEFINE(HAVE_KERBEROS5)
+ else
+ have_kerberos5=no
+ AC_MSG_WARN([Cannot find compat lib (libkrb4) needed to use Kerberos 5])
+ fi
+
+ fi
+
+ if test "$have_kerberos5" = yes ; then
+ # from Matt Knopp <mhat@infocalypse.netlag.com>
+ # (who got it from amu@mit.edu)
+
+ PASSWD_LIBS="$PASSWD_LIBS -lkrb4 -ldes425 -lkrb5 -lk5crypto -lcom_err"
+
+ # jwz: MacOS X uses -lkrb5, but not -lcrypt
+ AC_CHECK_X_LIB(crypt, crypt, [PASSWD_LIBS="$PASSWD_LIBS -lcrypt"])
+
+ elif test "$have_kerberos" = yes ; then
+ # from Tim Showalter <tjs@psaux.com> for FreeBSD 4.2
+ PASSWD_LIBS="$PASSWD_LIBS -lkrb -ldes -lcom_err"
+ fi
+
+ if test "$have_kerberos" = yes ; then
+ AC_CHECK_FUNC(res_search,,
+ AC_CHECK_LIB(resolv,res_search,PASSWD_LIBS="${PASSWD_LIBS} -lresolv",
+ AC_MSG_WARN([Can't find DNS resolver libraries needed for Kerberos])
+ ))
+ fi
+fi
+
+
+###############################################################################
+#
+# Check for the nine billion variants of shadow passwords...
+#
+###############################################################################
+
+need_setuid=no
+
+have_shadow=no
+with_shadow_req=unspecified
+
+AC_ARG_WITH(shadow,
+[ --with-shadow Include support for shadow password authentication.],
+ [with_shadow="$withval"; with_shadow_req="$withval"],[with_shadow=yes])
+
+HANDLE_X_PATH_ARG(with_shadow, --with-shadow, shadow password)
+
+if test "$enable_locking" = no ; then
+ with_shadow_req=no
+ with_shadow=no
+fi
+
+
+###############################################################################
+#
+# Check for Sun "adjunct" passwords.
+#
+###############################################################################
+
+if test "$with_shadow" = yes ; then
+ AC_CACHE_CHECK([for Sun-style shadow passwords], ac_cv_sun_adjunct,
+ [AC_TRY_X_COMPILE([#include <stdlib.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <sys/label.h>
+ #include <sys/audit.h>
+ #include <pwdadj.h>],
+ [struct passwd_adjunct *p = getpwanam("nobody");
+ const char *pw = p->pwa_passwd;],
+ [ac_cv_sun_adjunct=yes],
+ [ac_cv_sun_adjunct=no])])
+ if test "$ac_cv_sun_adjunct" = yes; then
+ have_shadow_adjunct=yes
+ have_shadow=yes
+ need_setuid=yes
+ fi
+fi
+
+
+###############################################################################
+#
+# Check for DEC and SCO so-called "enhanced" security.
+#
+###############################################################################
+
+if test "$with_shadow" = yes ; then
+ AC_CACHE_CHECK([for DEC-style shadow passwords], ac_cv_enhanced_passwd,
+ [AC_TRY_X_COMPILE([#include <stdlib.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <sys/security.h>
+ #include <prot.h>],
+ [struct pr_passwd *p;
+ const char *pw;
+ set_auth_parameters(0, 0);
+ check_auth_parameters();
+ p = getprpwnam("nobody");
+ pw = p->ufld.fd_encrypt;],
+ [ac_cv_enhanced_passwd=yes],
+ [ac_cv_enhanced_passwd=no])])
+ if test $ac_cv_enhanced_passwd = yes; then
+ have_shadow_enhanced=yes
+ have_shadow=yes
+ need_setuid=yes
+
+ # On SCO, getprpwnam() is in -lprot (which uses nap() from -lx)
+ # (I'm told it needs -lcurses too, but I don't understand why.)
+ # But on DEC, it's in -lsecurity.
+ #
+ AC_CHECK_LIB(prot, getprpwnam,
+ [PASSWD_LIBS="$PASSWD_LIBS -lprot -lcurses -lx"],
+ [AC_CHECK_LIB(security, getprpwnam,
+ [PASSWD_LIBS="$PASSWD_LIBS -lsecurity"])],
+ [-lx])
+ fi
+fi
+
+###############################################################################
+#
+# Check for HP's entry in the "Not Invented Here" Sweepstakes.
+#
+###############################################################################
+
+if test "$with_shadow" = yes ; then
+ AC_CACHE_CHECK([for HP-style shadow passwords], ac_cv_hpux_passwd,
+ [AC_TRY_X_COMPILE([#include <stdlib.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <hpsecurity.h>
+ #include <prot.h>],
+ [struct s_passwd *p = getspwnam("nobody");
+ const char *pw = p->pw_passwd;],
+ [ac_cv_hpux_passwd=yes],
+ [ac_cv_hpux_passwd=no])])
+ if test "$ac_cv_hpux_passwd" = yes; then
+ have_shadow_hpux=yes
+ have_shadow=yes
+ need_setuid=yes
+
+ # on HPUX, bigcrypt is in -lsec
+ AC_CHECK_LIB(sec, bigcrypt, [PASSWD_LIBS="$PASSWD_LIBS -lsec"])
+ fi
+fi
+
+
+###############################################################################
+#
+# Check for FreeBSD-style shadow passwords.
+#
+# On FreeBSD, getpwnam() and friends work just like on non-shadow-
+# password systems -- except you only get stuff in the pw_passwd field
+# if the running program is setuid. So, guess that we've got this
+# lossage to contend with if /etc/master.passwd exists, and default to
+# a setuid installation.
+#
+###############################################################################
+
+if test "$with_shadow" = yes ; then
+ AC_CACHE_CHECK([for FreeBSD-style shadow passwords], ac_cv_master_passwd,
+ [if test -f /etc/master.passwd ; then
+ ac_cv_master_passwd=yes
+ else
+ ac_cv_master_passwd=no
+ fi])
+ if test "$ac_cv_master_passwd" = yes; then
+ need_setuid=yes
+ fi
+fi
+
+
+###############################################################################
+#
+# Check for traditional (ha!) shadow passwords.
+#
+###############################################################################
+
+if test "$with_shadow" = yes ; then
+ AC_CACHE_CHECK([for generic shadow passwords], ac_cv_shadow,
+ [AC_TRY_X_COMPILE([#include <stdlib.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <shadow.h>],
+ [struct spwd *p = getspnam("nobody");
+ const char *pw = p->sp_pwdp;],
+ [ac_cv_shadow=yes],
+ [ac_cv_shadow=no])])
+ if test "$ac_cv_shadow" = yes; then
+ have_shadow=yes
+ need_setuid=yes
+
+ # On some systems (UnixWare 2.1), getspnam() is in -lgen instead of -lc.
+ have_getspnam=no
+ AC_CHECK_LIB(c, getspnam, [have_getspnam=yes])
+ if test "$have_getspnam" = no ; then
+ AC_CHECK_LIB(gen, getspnam,
+ [have_getspnam=yes; PASSWD_LIBS="$PASSWD_LIBS -lgen"])
+ fi
+ fi
+fi
+
+
+###############################################################################
+#
+# Check for other libraries needed for non-shadow passwords.
+#
+###############################################################################
+
+if test "$enable_locking" = yes ; then
+
+ # On some systems (UnixWare 2.1), crypt() is in -lcrypt instead of -lc.
+ have_crypt=no
+ AC_CHECK_LIB(c, crypt, [have_crypt=yes])
+ if test "$have_crypt" = no ; then
+ AC_CHECK_LIB(crypt, crypt,
+ [have_crypt=yes; PASSWD_LIBS="$PASSWD_LIBS -lcrypt"])
+ fi
+fi
+
+
+# Most of the above shadow mechanisms will have set need_setuid to yes,
+# if they were found. But, on some systems, we need setuid even when
+# using plain old vanilla passwords.
+#
+if test "$enable_locking" = yes ; then
+ case "$host" in
+ *-hpux* | *-aix* | *-netbsd* | *-freebsd* | *-openbsd* )
+ need_setuid=yes
+ ;;
+ esac
+fi
+
+
+if test "$have_shadow_adjunct" = yes ; then
+ AC_DEFINE(HAVE_ADJUNCT_PASSWD)
+elif test "$have_shadow_enhanced" = yes ; then
+ AC_DEFINE(HAVE_ENHANCED_PASSWD)
+elif test "$have_shadow_hpux" = yes ; then
+ AC_DEFINE(HAVE_HPUX_PASSWD)
+elif test "$have_shadow" = yes ; then
+ AC_DEFINE(HAVE_SHADOW_PASSWD)
+fi
+
+
+###############################################################################
+#
+# Check for external password helper
+# On SuSE, instead of having xscreensaver be a setuid program, they
+# fork an external program that takes the password on stdin, and
+# returns true if that password is a valid one. Then only that
+# smaller program needs to be setuid.
+#
+# (Note that this external program is not a GUI: the GUI is still
+# all in xscreensaver itself; the external program just does auth.)
+#
+###############################################################################
+
+have_passwd_helper=no
+with_passwd_helper_req=unspecified
+
+AC_ARG_WITH(passwd-helper,
+[ --with-passwd-helper Include support for an external password
+ verification helper program.],
+ [with_passwd_helper="$withval"; with_passwd_helper_req="$withval"],[with_passwd_helper=no])
+# no HANDLE_X_PATH_ARG for this one
+
+if test "$enable_locking" = no ; then
+ with_passwd_helper_req=no
+ with_passwd_helper=no
+fi
+
+case "$with_passwd_helper" in
+ ""|no) : ;;
+ /*)
+ AC_DEFINE_UNQUOTED(PASSWD_HELPER_PROGRAM, "$with_passwd_helper")
+ have_passwd_helper=yes;;
+ *)
+ echo "error: --with-passwd-helper needs full pathname of helper (not '$with_passwd_helper')." >&2
+ exit 1
+esac
+
+
+###############################################################################
+#
+# Check for a login manager for a "New Login" button on the lock dialog.
+# Usually this will be "/usr/bin/gdmflexiserver".
+#
+###############################################################################
+
+have_login_manager=no
+with_login_manager_req=unspecified
+default_login_manager='gdmflexiserver -l'
+
+AC_ARG_WITH(login-manager,
+[ --with-login-manager Put a "New Login" button on the unlock dialog that
+ runs a login manager such as gdmflexiserver.],
+ [with_login_manager="$withval"; with_login_manager_req="$withval"],
+ [with_login_manager=no])
+# no HANDLE_X_PATH_ARG for this one
+
+if test "$enable_locking" = no ; then
+ with_login_manager_req=no
+ with_login_manager=no
+fi
+
+if test -n "$with_login_manager_req" ; then
+ ac_cv_login_manager_program=""
+
+ if test "$with_login_manager_req" = "yes" ; then
+ with_login_manager_req=$default_login_manager
+ fi
+
+ case "$with_login_manager_req" in
+ /*)
+ # absolute path
+ set dummy $with_login_manager_req ; login_manager_tmp=$2
+ AC_MSG_CHECKING([for $login_manager_tmp])
+ if test -x "$login_manager_tmp" ; then
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ with_login_manager=""
+ fi
+ ;;
+ *)
+ # relative path
+ set dummy $with_login_manager_req ; login_manager_tmp=$2
+ # don't cache
+ unset ac_cv_path_login_manager_tmp
+ AC_PATH_PROG(login_manager_tmp, $login_manager_tmp, [])
+ if test -z "$login_manager_tmp" ; then
+ with_login_manager=""
+ else
+ with_login_manager="$login_manager_tmp"
+ fi
+ ;;
+ esac
+ ac_cv_login_manager_program="$with_login_manager"
+
+elif test -n "$ac_cv_login_manager_program"; then
+ AC_MSG_RESULT([checking for login_manager... (cached) $ac_cv_login_manager_program])
+fi
+
+NEW_LOGIN_COMMAND_P=''
+NEW_LOGIN_COMMAND="$ac_cv_login_manager_program"
+
+if test -z "$NEW_LOGIN_COMMAND" ; then
+ NEW_LOGIN_COMMAND="$default_login_manager"
+ NEW_LOGIN_COMMAND_P='! '
+fi
+
+
+
+###############################################################################
+#
+# Check for -lgtk (and Gnome stuff)
+#
+###############################################################################
+
+have_gtk=no
+with_gtk_req=unspecified
+AC_ARG_WITH(gtk,[
+User interface options:
+
+ --with-gtk Use the Gtk toolkit for the user interface.],
+ [with_gtk="$withval"; with_gtk_req="$withval"],[with_gtk=yes])
+
+# if --with-gtk=/directory/ was specified, remember that directory so that
+# we can also look for the `gtk-config' program in that directory.
+case "$with_gtk" in
+ /*)
+ gtk_dir="$with_gtk"
+ ;;
+ *)
+ gtk_dir=""
+ ;;
+esac