Subject: Re: BSD Authentication
To: Bill Studenmund <wrstuden@netbsd.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 08/26/2003 14:18:33
In message <Pine.NEB.4.33.0308261205220.20543-100000@vespasia.home-net.icnt.net
>What parts do programs that are the clients (not the authenticators (my
>term)) need?

I'm not sure what you mean.  Those are the routines available for programs
like "login" or "su" to get authentication.  *none* of them are needed for
the "authenticators".  An authenticator can do something like
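	#!/bin/sh
	# Numeric comparison needs -lt; a bare < inside [ ] is a redirection.
	# $RANDOM is not POSIX; it is provided by ksh-style shells.
	if	[ "$RANDOM" -lt 20 ]
	then	echo >&3 "authenticate"
	fi
	exec /usr/libexec/login_passwd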
for the "lets people in automatically one time in 16,000" authentication
class.

The authentication programs are called with a fixed environment and such,
and do a very limited set of things, and the only reason for them to use the
bsd_auth library routines is if they want to call *another* authenticator.

The functions I named are the ones that clients might use to interact with
an authenticator, although most clients won't use more than a couple of
them.  I will see if maybe I can get sample source to show how this is
done.

-s