diff --git a/CREDITS b/CREDITS
index a2fc7d3..c14f7ea 100644
--- a/CREDITS
+++ b/CREDITS
@@ -21,6 +21,7 @@ ideas:
 	Christos Zoulas <christos@netbsd.org>
 	Daniel Richard G. <skunk@iskunk.org>
 	Darren J. Moffat <darren.moffat@sun.com>
+	Dimitry Andric <dim@freebsd.org>
 	Dmitry V. Levin <ldv@altlinux.org>
 	Don Lewis <truckman@freebsd.org>
 	Emmanuel Dreyfus <manu@netbsd.org>
diff --git a/configure.ac b/configure.ac
index 526a5e0..843d500 100644
--- a/configure.ac
+++ b/configure.ac
@@ -142,7 +142,7 @@ AC_SUBST(SYSTEM_LIBOATH)
 
 AC_ARG_ENABLE([developer-warnings],
     AS_HELP_STRING([--enable-developer-warnings], [enable strict warnings (default is NO)]),
-    [CFLAGS="${CFLAGS} -Wall -Wextra"])
+    [CFLAGS="${CFLAGS} -Wall -Wextra -Wcast-qual"])
 AC_ARG_ENABLE([debugging-symbols],
     AS_HELP_STRING([--enable-debugging-symbols], [enable debugging symbols (default is NO)]),
     [CFLAGS="${CFLAGS} -O0 -g -fno-inline"])
diff --git a/lib/libpam/openpam_dispatch.c b/lib/libpam/openpam_dispatch.c
index 9ff4497..3ea3c23 100644
--- a/lib/libpam/openpam_dispatch.c
+++ b/lib/libpam/openpam_dispatch.c
@@ -117,7 +117,7 @@ openpam_dispatch(pam_handle_t *pamh,
 			openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
 			    pam_sm_func_name[primitive], chain->module->path);
 			r = (chain->module->func[primitive])(pamh, flags,
-			    chain->optc, (const char **)chain->optv);
+			    chain->optc, (const char **)(intptr_t)chain->optv);
 			pamh->current = NULL;
 			openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
 			    chain->module->path, pam_sm_func_name[primitive],
diff --git a/modules/pam_oath/pam_oath.c b/modules/pam_oath/pam_oath.c
index 9db3c3e..1205755 100644
--- a/modules/pam_oath/pam_oath.c
+++ b/modules/pam_oath/pam_oath.c
@@ -175,11 +175,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 {
 	enum pam_oath_nokey nokey, badkey;
 	struct passwd *pwd;
-	const char *user;
-	char *keyfile;
+	const char *user, *password;
+	char *end, *keyfile;
 	struct oath_key *key;
 	unsigned long response;
-	char *password, *end;
 	int pam_err, ret, window;
 
 	/* unused */
@@ -247,7 +246,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 
 	/* get user's response */
 	pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
-	    (const char **)&password, PAM_OATH_PROMPT);
+	    &password, PAM_OATH_PROMPT);
 	if (pam_err != PAM_SUCCESS) {
 		openpam_log(PAM_LOG_VERBOSE, "conversation failure");
 		goto done;
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index a1820b2..092aca2 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -74,7 +74,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 #endif
 	struct passwd *pwd;
 	const char *user;
-	char *crypt_password, *password;
+	const char *crypt_password, *password;
 	int pam_err, retry;
 
 	(void)argc;
@@ -98,7 +98,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 	for (retry = 0; retry < 3; ++retry) {
 #ifdef OPENPAM
 		pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
-		    (const char **)&password, NULL);
+		    &password, NULL);
 #else
 		resp = NULL;
 		pam_err = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);