This is saying that "#foobar" is a valid field but "foo#bar" isn't. Is that still true with the new tokenizer? openpam_readlinev(3) leads me to openpam_readword(3), which states

If a hash character occurs within a word, however, it is preserved as-is.

which I interpret as permitting "foo#bar".

Thanks for catching that, I'll check.

OK so I think you misunderstood, it's not talking about the legality of a # character but about whether it will be seen as the start of a comment or as a regular character within a field. In both cases # starts a comment only if it is the first character on the line or is preceded by unescaped whitespace. In all other cases it is a regular character. This is unchanged. What has changed is mainly support for line continuations and improved quoting.

Presumably this should be explicit_bzero() or memset_s()?

Can't you write len += strlen(p); instead of having this loop?

Is len supposed to include the =? It looks like it does not.

Is srvp->navs guaranteed to be initialized? It might be nice to reset it at the beginning of the loop regardless.

Suppose strlen(fields[2]) == 0, i.e., the timeout was specified as "" in the config. Then we don't increment i, so below we'll compare "" with "single-connection", which doesn't seem to be the desired behaviour. In that case, I'd expect the timeout to be the default, and that we continue processing the next field.

Indentation here is wrong.

xstrdup() does not fail.

That's a matter of taste.

Yes it does.

It is and it does.

That is exactly the desired behavior. If you want the default timeout value, don't specify a timeout.