.\" Generated by gendoc.pl
.Dd February 24, 2019
.Dt PAM 3
.Os
.Sh NAME
.Nm pam_acct_mgmt ,
.Nm pam_authenticate ,
.Nm pam_chauthtok ,
.Nm pam_close_session ,
.Nm pam_end ,
.Nm pam_get_data ,
.Nm pam_get_item ,
.Nm pam_get_user ,
.Nm pam_getenv ,
.Nm pam_getenvlist ,
.Nm pam_open_session ,
.Nm pam_putenv ,
.Nm pam_set_data ,
.Nm pam_set_item ,
.Nm pam_setcred ,
.Nm pam_start ,
.Nm pam_strerror
.Nd Pluggable Authentication Modules Library
.Sh LIBRARY
.Lb libpam
.Sh SYNOPSIS
.In security/pam_appl.h
.Ft "int"
.Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_authenticate "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_chauthtok "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_close_session "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_end "pam_handle_t *pamh" "int status"
.Ft "int"
.Fn pam_get_data "const pam_handle_t *pamh" "const char *module_data_name" "const void **data"
.Ft "int"
.Fn pam_get_item "const pam_handle_t *pamh" "int item_type" "const void **item"
.Ft "int"
.Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt"
.Ft "const char *"
.Fn pam_getenv "pam_handle_t *pamh" "const char *name"
.Ft "char **"
.Fn pam_getenvlist "pam_handle_t *pamh"
.Ft "int"
.Fn pam_open_session "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_putenv "pam_handle_t *pamh" "const char *namevalue"
.Ft "int"
.Fn pam_set_data "pam_handle_t *pamh" "const char *module_data_name" "void *data" "void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)"
.Ft "int"
.Fn pam_set_item "pam_handle_t *pamh" "int item_type" "const void *item"
.Ft "int"
.Fn pam_setcred "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_start "const char *service" "const char *user" "const struct pam_conv *pam_conv" "pam_handle_t **pamh"
.Ft "const char *"
.Fn pam_strerror "const pam_handle_t *pamh" "int error_number"
.\"
.\" $OpenPAM: pam.man 938 2017-04-30 21:34:42Z des $
.\"
.Sh DESCRIPTION
The Pluggable Authentication Modules (PAM) library abstracts a number
of common authentication-related operations and provides a framework
for dynamically loaded modules that implement these operations in
various ways.
.Ss Terminology
In PAM parlance, the application that uses PAM to authenticate a user
is the server, and is identified for configuration purposes by a
service name, which is often (but not necessarily) the program name.
.Pp
The user requesting authentication is called the applicant, while the
user (usually, root) charged with verifying his identity and granting
him the requested credentials is called the arbitrator.
.Pp
The sequence of operations the server goes through to authenticate a
user and perform whatever task he requested is a PAM transaction; the
context within which the server performs the requested task is called
a session.
.Pp
The functionality embodied by PAM is divided into six primitives
grouped into four facilities: authentication, account management,
session management and password management.
.Ss Conversation
The PAM library expects the application to provide a conversation
callback which it can use to communicate with the user.
Some modules may use specialized conversation functions to communicate
with special hardware such as cryptographic dongles or biometric
devices.
See
.Xr pam_conv 3
for details.
.Ss Initialization and Cleanup
The
.Fn pam_start
function initializes the PAM library and returns a handle which must
be provided in all subsequent function calls.
The transaction state is contained entirely within the structure
identified by this handle, so it is possible to conduct multiple
transactions in parallel.
.Pp
The
.Fn pam_end
function releases all resources associated with the specified context,
and can be called at any time to terminate a PAM transaction.
.Ss Storage
The
.Fn pam_set_item
and
.Fn pam_get_item
functions set and retrieve a number of predefined items, including the
service name, the names of the requesting and target users, the
conversation function, and prompts.
.Pp
The
.Fn pam_set_data
and
.Fn pam_get_data
functions manage named chunks of free-form data, generally used by
modules to store state from one invocation to another.
.Ss Authentication
There are two authentication primitives:
.Fn pam_authenticate
and
.Fn pam_setcred .
The former authenticates the user, while the latter manages his
credentials.
.Ss Account Management
The
.Fn pam_acct_mgmt
function enforces policies such as password expiry, account expiry,
time-of-day restrictions, and so forth.
.Ss Session Management
The
.Fn pam_open_session
and
.Fn pam_close_session
functions handle session setup and teardown.
.Ss Password Management
The
.Fn pam_chauthtok
function allows the server to change the user's password, either at
the user's request or because the password has expired.
.Ss Miscellaneous
The
.Fn pam_putenv ,
.Fn pam_getenv
and
.Fn pam_getenvlist
functions manage a private environment list in which modules can set
environment variables they want the server to export during the
session.
.Pp
The
.Fn pam_strerror
function returns a pointer to a string describing the specified PAM
error code.
.Sh RETURN VALUES
The following return codes are defined by
.In security/pam_constants.h :
.Bl -tag -width 18n
.It Bq Er PAM_ABORT
General failure.
.It Bq Er PAM_ACCT_EXPIRED
User account has expired.
.It Bq Er PAM_AUTHINFO_UNAVAIL
Authentication information is unavailable.
.It Bq Er PAM_AUTHTOK_DISABLE_AGING
Authentication token aging disabled.
.It Bq Er PAM_AUTHTOK_ERR
Authentication token failure.
.It Bq Er PAM_AUTHTOK_EXPIRED
Password has expired.
.It Bq Er PAM_AUTHTOK_LOCK_BUSY
Authentication token lock busy.
.It Bq Er PAM_AUTHTOK_RECOVERY_ERR
Failed to recover old authentication token.
.It Bq Er PAM_AUTH_ERR
Authentication error.
.It Bq Er PAM_BAD_CONSTANT
Bad constant.
.It Bq Er PAM_BAD_FEATURE
Unrecognized or restricted feature.
.It Bq Er PAM_BAD_HANDLE
Invalid PAM handle.
.It Bq Er PAM_BAD_ITEM
Unrecognized or restricted item.
.It Bq Er PAM_BUF_ERR
Memory buffer error.
.It Bq Er PAM_CONV_ERR
Conversation failure.
.It Bq Er PAM_CRED_ERR
Failed to set user credentials.
.It Bq Er PAM_CRED_EXPIRED
User credentials have expired.
.It Bq Er PAM_CRED_INSUFFICIENT
Insufficient credentials.
.It Bq Er PAM_CRED_UNAVAIL
Failed to retrieve user credentials.
.It Bq Er PAM_DOMAIN_UNKNOWN
Unknown authentication domain.
.It Bq Er PAM_IGNORE
Ignore this module.
.It Bq Er PAM_MAXTRIES
Maximum number of tries exceeded.
.It Bq Er PAM_MODULE_UNKNOWN
Unknown module type.
.It Bq Er PAM_NEW_AUTHTOK_REQD
New authentication token required.
.It Bq Er PAM_NO_MODULE_DATA
Module data not found.
.It Bq Er PAM_OPEN_ERR
Failed to load module.
.It Bq Er PAM_PERM_DENIED
Permission denied.
.It Bq Er PAM_SERVICE_ERR
Error in service module.
.It Bq Er PAM_SESSION_ERR
Session failure.
.It Bq Er PAM_SUCCESS
Success.
.It Bq Er PAM_SYMBOL_ERR
Invalid symbol.
.It Bq Er PAM_SYSTEM_ERR
System error.
.It Bq Er PAM_TRY_AGAIN
Try again.
.It Bq Er PAM_USER_UNKNOWN
Unknown user.
.El
.Sh SEE ALSO
.Xr openpam 3 ,
.Xr pam_acct_mgmt 3 ,
.Xr pam_authenticate 3 ,
.Xr pam_chauthtok 3 ,
.Xr pam_close_session 3 ,
.Xr pam_conv 3 ,
.Xr pam_end 3 ,
.Xr pam_get_data 3 ,
.Xr pam_getenv 3 ,
.Xr pam_getenvlist 3 ,
.Xr pam_get_item 3 ,
.Xr pam_get_user 3 ,
.Xr pam_open_session 3 ,
.Xr pam_putenv 3 ,
.Xr pam_setcred 3 ,
.Xr pam_set_data 3 ,
.Xr pam_set_item 3 ,
.Xr pam_start 3 ,
.Xr pam_strerror 3
.Sh STANDARDS
.Rs
.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
.%D "June 1997"
.Re
.Sh AUTHORS
The OpenPAM library and this manual page were developed for the
.Fx
Project by ThinkSec AS and Network Associates Laboratories, the
Security Research Division of Network Associates, Inc.\& under
DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
.Pp
The OpenPAM library is maintained by
.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
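
The following is an added example, not part of the original manual page or of OpenPAM. It shows the conventional order in which a server calls the six primitives within one transaction and how their return codes steer it, failing closed on any error. The names prims, run_transaction, replay, fake and count_task are hypothetical, the primitives are injected through a table so the flow can be exercised without libpam, and the constants are stand-ins with constructed values when the PAM headers are absent.

```c
#if defined(__has_include)
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
#  define HAVE_PAM_H 1
# endif
#endif
#ifndef HAVE_PAM_H	/* stand-ins with constructed values; builds without libpam */
typedef struct pam_handle pam_handle_t;
enum { PAM_SUCCESS, PAM_AUTH_ERR, PAM_NEW_AUTHTOK_REQD, PAM_SESSION_ERR };
enum { PAM_ESTABLISH_CRED = 1, PAM_DELETE_CRED = 2, PAM_CHANGE_EXPIRED_AUTHTOK = 4 };
#endif

typedef int (*prim_fn)(pam_handle_t *, int);	/* signature shared by all six */
struct prims {					/* hypothetical dispatch table */
	prim_fn authenticate, acct_mgmt, chauthtok, setcred, open_session, close_session;
};

/* Run one transaction on a started handle; PAM_SUCCESS only if every step passed. */
int run_transaction(const struct prims *p, pam_handle_t *pamh,
    void (*task)(void *), void *arg)
{
	int r, rc;
	if ((r = p->authenticate(pamh, 0)) != PAM_SUCCESS)
		return (r);			/* fail closed: nothing else runs */
	if ((r = p->acct_mgmt(pamh, 0)) == PAM_NEW_AUTHTOK_REQD)
		r = p->chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
	if (r != PAM_SUCCESS)
		return (r);			/* expired, locked, or change refused */
	if ((r = p->setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
		return (r);
	if ((r = p->open_session(pamh, 0)) == PAM_SUCCESS) {
		task(arg);			/* the session itself */
		r = p->close_session(pamh, 0);
	}
	rc = p->setcred(pamh, PAM_DELETE_CRED);	/* always drop credentials */
	return (r != PAM_SUCCESS ? r : rc);	/* report the first failure */
}

/* Constructed test double: replays scripted return codes and counts calls. */
static const int *script;
static int calls, ran;
static int fake(pam_handle_t *h, int f) { (void)h; (void)f; return (script[calls++]); }
static void count_task(void *a) { (void)a; ran++; }

/* Drive run_transaction() with the scripted codes; the fake needs no handle. */
int replay(const int *codes)
{
	struct prims p = { fake, fake, fake, fake, fake, fake };
	script = codes; calls = ran = 0;
	return (run_transaction(&p, 0, count_task, 0));
}
```

In a real server each slot of the table holds the libpam function of the same name, and the handle comes from pam_start and is released with pam_end.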