---- cvs-1.12.13.orig/debian/patches/60_PAM_support
-+++ cvs-1.12.13/debian/patches/60_PAM_support
-@@ -0,0 +1,144 @@
-+#
-+# Add in extra PAM options compared to upstream's own PAM code:
-+# * Add an extra option PamAuth to control use of PAM separately from
-+# SystemAuth
-+# * Add support for DefaultPamUser - try that if the specified
-+# user does not exist
-+#
-+# Patch by Steve McIntyre <steve@einval.com>
-+diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
-+--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
-++++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
-+@@ -2662,8 +2662,18 @@
-+ system has PAM (Pluggable Authentication Modules)
-+ and your @sc{cvs} server executable was configured to
-+ use it at compile time (using @code{./configure --enable-pam} - see the
-+-INSTALL file for more). In this case, PAM will be consulted instead.
-+-This means that @sc{cvs} can be configured to use any password
-++INSTALL file for more). In this case, PAM may be
-++consulted first (or instead). The
-++"fallback" behaviour can be controlled using the two
-++variables @code{PamAuth} and @code{SystemAuth}. On a
-++Debian system, @code{PamAuth} defaults to @code{yes}
-++and @code{SystemAuth} to @code{no} - after all, PAM can
-++supports passwd file lookups itself. Changing these is
-++possible by setting @code{PamAuth=no} and
-++@code{SystemAuth=yes} in the @sc{cvs} @file{config}
-++file, @pxref{config}).
-++
-++Use of PAM means that @sc{cvs} can be configured to use any password
-+ authentication source PAM can be configured to use (possibilities
-+ include a simple UNIX password, NIS, LDAP, and others) in its
-+ global configuration file (usually @file{/etc/pam.conf}
-+@@ -2691,7 +2701,7 @@
-+ cvs session required pam_unix.so
-+ @end example
-+
-+-The the equivalent @file{/etc/pam.d/cvs} would contain
-++The equivalent @file{/etc/pam.d/cvs} would contain
-+
-+ @example
-+ auth required pam_unix.so
-+@@ -2715,6 +2725,13 @@
-+ feature should not be used if you may not have control of the name
-+ @sc{cvs} will be invoked as.
-+
-++If you wish to use PAM for authentication, and details
-++of your users are not available using getpwnam(), you
-++may set a default name for the account on the server
-++that will be used after authentication. To do this,
-++either set @code{DefaultPamUser=user} in the @sc{cvs}
-++@file{config} file, @pxref{config}.
-++
-+ Be aware, also, that falling back to system
-+ authentication might be a security risk: @sc{cvs}
-+ operations would then be authenticated with that user's
-+diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
-+--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
-++++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
-+@@ -303,8 +303,12 @@
-+ */
-+ #endif /* PROXY_SUPPORT */
-+ #ifdef AUTH_SERVER_SUPPORT
-+- new->system_auth = true;
-++ new->system_auth = false;
-+ #endif /* AUTH_SERVER_SUPPORT */
-++#ifdef HAVE_PAM
-++ new->PamAuth = true;
-++ new->DefaultPamUser = NULL;
-++#endif
-+
-+ return new;
-+ }
-+@@ -696,6 +700,13 @@
-+ readSizeT (infopath, "MaxCompressionLevel", p,
-+ &retval->MaxCompressionLevel);
-+ #endif /* SERVER_SUPPORT */
-++#ifdef HAVE_PAM
-++ else if (!strcmp (line, "DefaultPamUser"))
-++ retval->DefaultPamUser = xstrdup(p);
-++ else if (!strcmp (line, "PamAuth"))
-++ readBool (infopath, "PamAuth", p,
-++ &retval->PamAuth);
-++#endif
-+ else
-+ /* We may be dealing with a keyword which was added in a
-+ subsequent version of CVS. In that case it is a good idea
-+diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
-+--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
-++++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
-+@@ -59,6 +59,10 @@
-+ #ifdef PRESERVE_PERMISSIONS_SUPPORT
-+ bool preserve_perms;
-+ #endif /* PRESERVE_PERMISSIONS_SUPPORT */
-++#ifdef HAVE_PAM
-++ char *DefaultPamUser;
-++ bool PamAuth;
-++#endif
-+ };
-+
-+ bool parse_error (const char *, unsigned int);
-+diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
-+--- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
-++++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100
-+@@ -6919,6 +6919,15 @@
-+ {
-+ pam_stage = "get pam user";
-+ retval = pam_get_item (pamh, PAM_USER, (const void **)username);
-++ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
-++ {
-++ /* An issue with using pam is that the host may well not have
-++ a local user entry to match the authenticated user. If this
-++ has failed, optionally fall back to a specified local
-++ username */
-++ *username = xstrdup(config->DefaultPamUser);
-++ retval = PAM_SUCCESS;
-++ }
-+ }
-+
-+ if (retval != PAM_SUCCESS)
-+@@ -7022,7 +7031,11 @@
-+
-+ assert (rc == 0);
-+
-++#ifdef HAVE_PAM
-++ if (!config->system_auth && !config->PamAuth)
-++#else
-+ if (!config->system_auth)
-++#endif
-+ {
-+ /* Note that the message _does_ distinguish between the case in
-+ which we check for a system password and the case in which
-+@@ -7037,9 +7050,10 @@
-+
-+ /* No cvs password found, so try /etc/passwd. */
-+ #ifdef HAVE_PAM
-+- if (check_pam_password (&username, password))
-++ if ( (config->PamAuth && check_pam_password (&username, password)) ||
-++ (config->system_auth && check_system_password (username, password)))
-+ #else /* !HAVE_PAM */
-+- if (check_system_password (username, password))
-++ if (config->system_auth && check_system_password (username, password))
-+ #endif /* HAVE_PAM */
-+ host_user = xstrdup (username);
-+ else
+#
+# Add in extra PAM options compared to upstream's own PAM code:
+# * Add an extra option PamAuth to control use of PAM separately from
+# SystemAuth
+# * Add support for DefaultPamUser - try that if the specified
+# user does not exist
+#
+# Patch by Steve McIntyre <steve@einval.com>
+diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
+--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
++++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
+@@ -2662,8 +2662,18 @@
+ system has PAM (Pluggable Authentication Modules)
+ and your @sc{cvs} server executable was configured to
+ use it at compile time (using @code{./configure --enable-pam} - see the
+-INSTALL file for more). In this case, PAM will be consulted instead.
+-This means that @sc{cvs} can be configured to use any password
++INSTALL file for more). In this case, PAM may be
++consulted first (or instead). The
++"fallback" behaviour can be controlled using the two
++variables @code{PamAuth} and @code{SystemAuth}. On a
++Debian system, @code{PamAuth} defaults to @code{yes}
++and @code{SystemAuth} to @code{no} - after all, PAM can
++supports passwd file lookups itself. Changing these is
++possible by setting @code{PamAuth=no} and
++@code{SystemAuth=yes} in the @sc{cvs} @file{config}
++file, @pxref{config}).
++
++Use of PAM means that @sc{cvs} can be configured to use any password
+ authentication source PAM can be configured to use (possibilities
+ include a simple UNIX password, NIS, LDAP, and others) in its
+ global configuration file (usually @file{/etc/pam.conf}
+@@ -2691,7 +2701,7 @@
+ cvs session required pam_unix.so
+ @end example
+
+-The the equivalent @file{/etc/pam.d/cvs} would contain
++The equivalent @file{/etc/pam.d/cvs} would contain
+
+ @example
+ auth required pam_unix.so
+@@ -2715,6 +2725,13 @@
+ feature should not be used if you may not have control of the name
+ @sc{cvs} will be invoked as.
+
++If you wish to use PAM for authentication, and details
++of your users are not available using getpwnam(), you
++may set a default name for the account on the server
++that will be used after authentication. To do this,
++either set @code{DefaultPamUser=user} in the @sc{cvs}
++@file{config} file, @pxref{config}.
++
+ Be aware, also, that falling back to system
+ authentication might be a security risk: @sc{cvs}
+ operations would then be authenticated with that user's
+diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
+--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
+@@ -303,8 +303,12 @@
+ */
+ #endif /* PROXY_SUPPORT */
+ #ifdef AUTH_SERVER_SUPPORT
+- new->system_auth = true;
++ new->system_auth = false;
+ #endif /* AUTH_SERVER_SUPPORT */
++#ifdef HAVE_PAM
++ new->PamAuth = true;
++ new->DefaultPamUser = NULL;
++#endif
+
+ return new;
+ }
+@@ -696,6 +700,13 @@
+ readSizeT (infopath, "MaxCompressionLevel", p,
+ &retval->MaxCompressionLevel);
+ #endif /* SERVER_SUPPORT */
++#ifdef HAVE_PAM
++ else if (!strcmp (line, "DefaultPamUser"))
++ retval->DefaultPamUser = xstrdup(p);
++ else if (!strcmp (line, "PamAuth"))
++ readBool (infopath, "PamAuth", p,
++ &retval->PamAuth);
++#endif
+ else
+ /* We may be dealing with a keyword which was added in a
+ subsequent version of CVS. In that case it is a good idea
+diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
+--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
+@@ -59,6 +59,10 @@
+ #ifdef PRESERVE_PERMISSIONS_SUPPORT
+ bool preserve_perms;
+ #endif /* PRESERVE_PERMISSIONS_SUPPORT */
++#ifdef HAVE_PAM
++ char *DefaultPamUser;
++ bool PamAuth;
++#endif
+ };
+
+ bool parse_error (const char *, unsigned int);
+diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
+--- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
++++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100
+@@ -6919,6 +6919,15 @@
+ {
+ pam_stage = "get pam user";
+ retval = pam_get_item (pamh, PAM_USER, (const void **)username);
++ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
++ {
++ /* An issue with using pam is that the host may well not have
++ a local user entry to match the authenticated user. If this
++ has failed, optionally fall back to a specified local
++ username */
++ *username = xstrdup(config->DefaultPamUser);
++ retval = PAM_SUCCESS;
++ }
+ }
+
+ if (retval != PAM_SUCCESS)
+@@ -7022,7 +7031,11 @@
+
+ assert (rc == 0);
+
++#ifdef HAVE_PAM
++ if (!config->system_auth && !config->PamAuth)
++#else
+ if (!config->system_auth)
++#endif
+ {
+ /* Note that the message _does_ distinguish between the case in
+ which we check for a system password and the case in which
+@@ -7037,9 +7050,10 @@
+
+ /* No cvs password found, so try /etc/passwd. */
+ #ifdef HAVE_PAM
+- if (check_pam_password (&username, password))
++ if ( (config->PamAuth && check_pam_password (&username, password)) ||
++ (config->system_auth && check_system_password (username, password)))
+ #else /* !HAVE_PAM */
+- if (check_system_password (username, password))
++ if (config->system_auth && check_system_password (username, password))
+ #endif /* HAVE_PAM */
+ host_user = xstrdup (username);
+ else