.\"-
.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" Network Associates Laboratories, the Security Research Division of
.\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4$
.\"
.Dd June 16, 2005
.Dt PAM 3
.Os
.Sh NAME
.Nm pam_acct_mgmt ,
.Nm pam_authenticate ,
.Nm pam_chauthtok ,
.Nm pam_close_session ,
.Nm pam_end ,
.Nm pam_get_data ,
.Nm pam_get_item ,
.Nm pam_get_user ,
.Nm pam_getenv ,
.Nm pam_getenvlist ,
.Nm pam_open_session ,
.Nm pam_putenv ,
.Nm pam_set_data ,
.Nm pam_set_item ,
.Nm pam_setcred ,
.Nm pam_start ,
.Nm pam_strerror
.Nd Pluggable Authentication Modules Library
.Sh LIBRARY
.Lb libpam
.Sh SYNOPSIS
.In security/pam_appl.h
.Ft "int"
.Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_authenticate "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_chauthtok "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_close_session "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_end "pam_handle_t *pamh" "int status"
.Ft "int"
.Fn pam_get_data "pam_handle_t *pamh" "const char *module_data_name" "void **data"
.Ft "int"
.Fn pam_get_item "pam_handle_t *pamh" "int item_type" "const void **item"
.Ft "int"
.Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt"
.Ft "const char *"
.Fn pam_getenv "pam_handle_t *pamh" "const char *name"
.Ft "char **"
.Fn pam_getenvlist "pam_handle_t *pamh"
.Ft "int"
.Fn pam_open_session "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_putenv "pam_handle_t *pamh" "const char *namevalue"
.Ft "int"
.Fn pam_set_data "pam_handle_t *pamh" "const char *module_data_name" "void *data" "void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)"
.Ft "int"
.Fn pam_set_item "pam_handle_t *pamh" "int item_type" "const void *item"
.Ft "int"
.Fn pam_setcred "pam_handle_t *pamh" "int flags"
.Ft "int"
.Fn pam_start "const char *service" "const char *user" "const struct pam_conv *pam_conv" "pam_handle_t **pamh"
.Ft "const char *"
.Fn pam_strerror "pam_handle_t *pamh" "int error_number"
.\"
.\" $P4: //depot/projects/openpam/doc/man/pam.man#4 $
.\"
.Sh DESCRIPTION
The Pluggable Authentication Modules (PAM) library abstracts a number
of common authentication-related operations and provides a framework
for dynamically loaded modules that implement these operations in
various ways.
.Ss Terminology
In PAM parlance, the application that uses PAM to authenticate a user
is the server, and is identified for configuration purposes by a
service name, which is often (but not necessarily) the program name.
.Pp
The user requesting authentication is called the applicant, while the
user (usually, root) charged with verifying his identity and granting
him the requested credentials is called the arbitrator.
.Pp
The sequence of operations the server goes through to authenticate a
user and perform whatever task he requested is a PAM transaction; the
context within which the server performs the requested task is called
a session.
.Pp
The functionality embodied by PAM is divided into six primitives
grouped into four facilities: authentication, account management,
session management and password management.
.Ss Conversation
The PAM library expects the application to provide a conversation
callback which it can use to communicate with the user.
Some modules may use specialized conversation functions to communicate
with special hardware such as cryptographic dongles or biometric
devices.
See
.Xr pam_conv 3
for details.
.Ss Initialization and Cleanup
The
.Fn pam_start
function initializes the PAM library and returns a handle which must
be provided in all subsequent function calls.
The transaction state is contained entirely within the structure
identified by this handle, so it is possible to conduct multiple
transactions in parallel.
.Pp
The
.Fn pam_end
function releases all resources associated with the specified context,
and can be called at any time to terminate a PAM transaction.
.Ss Storage
The
.Fn pam_set_item
and
.Fn pam_get_item
functions set and retrieve a number of predefined items, including the
service name, the names of the requesting and target users, the
conversation function, and prompts.
.Pp
The
.Fn pam_set_data
and
.Fn pam_get_data
functions manage named chunks of free-form data, generally used by
modules to store state from one invocation to another.
.Ss Authentication
There are two authentication primitives:
.Fn pam_authenticate
and
.Fn pam_setcred .
The former authenticates the user, while the latter manages his
credentials.
.Ss Account Management
The
.Fn pam_acct_mgmt
function enforces policies such as password expiry, account expiry,
time-of-day restrictions, and so forth.
.Ss Session Management
The
.Fn pam_open_session
and
.Fn pam_close_session
functions handle session setup and teardown.
.Ss Password Management
The
.Fn pam_chauthtok
function allows the server to change the user's password, either at
the user's request or because the password has expired.
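A conversation callback of the kind pam_start() expects through its pam_conv argument (see the Conversation subsection above), as an added example that is not OpenPAM's own code: it answers echo-off prompts from application data, leaves informational messages unanswered, and on any failure hands back no partial response array. The names struct canned_creds, canned_conv and wipe_free are hypothetical; the fallback declarations under #else mirror OpenPAM's headers only so that the file builds where libpam is not installed.

```c
#define _POSIX_C_SOURCE 200809L               /* for strdup() */
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else  /* no libpam installed: fallback declarations mirroring OpenPAM's headers */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 6 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3,
       PAM_TEXT_INFO = 4, PAM_MAX_NUM_MSG = 32 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif

/* Hypothetical appdata for a non-interactive server that already holds the
 * secret; wire it up as struct pam_conv conv = { canned_conv, &creds }. */
struct canned_creds { const char *password; };

static void wipe_free(char *s)                /* zero a secret, then free it */
{
    for (volatile char *p = s; s != NULL && *p != 0; p++) *p = 0;
    free(s);
}

/* Conversation callback: answers PAM_PROMPT_ECHO_OFF from appdata, accepts
 * informational styles, refuses anything else. libpam frees the calloc()'d
 * array and every non-NULL resp, so on failure nothing is handed back. */
int canned_conv(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr)
{
    const struct canned_creds *creds = appdata_ptr;
    struct pam_response *reply;

    *resp = NULL;
    if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG)
        return PAM_CONV_ERR;
    if ((reply = calloc((size_t)num_msg, sizeof *reply)) == NULL)
        return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:                  /* e.g. "Password:" */
            if ((reply[i].resp = strdup(creds->password)) == NULL)
                goto fail;
            break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO:    /* log msg[i]->msg; resp stays NULL */
            break;
        default:                                   /* PAM_PROMPT_ECHO_ON or unknown */
            goto fail;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;
fail:                                              /* never return a partial array */
    for (int i = 0; i < num_msg; i++)
        wipe_free(reply[i].resp);
    free(reply);
    return PAM_CONV_ERR;
}
```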
.Ss Miscellaneous
The
.Fn pam_putenv ,
.Fn pam_getenv
and
.Fn pam_getenvlist
functions manage a private environment list in which modules can set
environment variables they want the server to export during the
session.
.Pp
The
.Fn pam_strerror
function returns a pointer to a string describing the specified PAM
error code.
.Sh RETURN VALUES
The following return codes are defined by
.In security/pam_constants.h :
.Bl -tag -width 18n
.It Bq Er PAM_ABORT
General failure.
.It Bq Er PAM_ACCT_EXPIRED
User account has expired.
.It Bq Er PAM_AUTHINFO_UNAVAIL
Authentication information is unavailable.
.It Bq Er PAM_AUTHTOK_DISABLE_AGING
Authentication token aging disabled.
.It Bq Er PAM_AUTHTOK_ERR
Authentication token failure.
.It Bq Er PAM_AUTHTOK_EXPIRED
Password has expired.
.It Bq Er PAM_AUTHTOK_LOCK_BUSY
Authentication token lock busy.
.It Bq Er PAM_AUTHTOK_RECOVERY_ERR
Failed to recover old authentication token.
.It Bq Er PAM_AUTH_ERR
Authentication error.
.It Bq Er PAM_BUF_ERR
Memory buffer error.
.It Bq Er PAM_CONV_ERR
Conversation failure.
.It Bq Er PAM_CRED_ERR
Failed to set user credentials.
.It Bq Er PAM_CRED_EXPIRED
User credentials have expired.
.It Bq Er PAM_CRED_INSUFFICIENT
Insufficient credentials.
.It Bq Er PAM_CRED_UNAVAIL
Failed to retrieve user credentials.
.It Bq Er PAM_DOMAIN_UNKNOWN
Unknown authentication domain.
.It Bq Er PAM_IGNORE
Ignore this module.
.It Bq Er PAM_MAXTRIES
Maximum number of tries exceeded.
.It Bq Er PAM_MODULE_UNKNOWN
Unknown module type.
.It Bq Er PAM_NEW_AUTHTOK_REQD
New authentication token required.
.It Bq Er PAM_NO_MODULE_DATA
Module data not found.
.It Bq Er PAM_OPEN_ERR
Failed to load module.
.It Bq Er PAM_PERM_DENIED
Permission denied.
.It Bq Er PAM_SERVICE_ERR
Error in service module.
.It Bq Er PAM_SESSION_ERR
Session failure.
.It Bq Er PAM_SUCCESS
Success.
.It Bq Er PAM_SYMBOL_ERR
Invalid symbol.
.It Bq Er PAM_SYSTEM_ERR
System error.
.It Bq Er PAM_TRY_AGAIN
Try again.
.It Bq Er PAM_USER_UNKNOWN
Unknown user.
.El
.Sh SEE ALSO
.Xr openpam 3 ,
.Xr pam_acct_mgmt 3 ,
.Xr pam_authenticate 3 ,
.Xr pam_chauthtok 3 ,
.Xr pam_close_session 3 ,
.Xr pam_conv 3 ,
.Xr pam_end 3 ,
.Xr pam_get_data 3 ,
.Xr pam_getenv 3 ,
.Xr pam_getenvlist 3 ,
.Xr pam_get_item 3 ,
.Xr pam_get_user 3 ,
.Xr pam_open_session 3 ,
.Xr pam_putenv 3 ,
.Xr pam_setcred 3 ,
.Xr pam_set_data 3 ,
.Xr pam_set_item 3 ,
.Xr pam_start 3 ,
.Xr pam_strerror 3
.Sh STANDARDS
.Rs
.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
.%D "June 1997"
.Re
.Sh AUTHORS
The OpenPAM library and this manual page were developed for the
.Fx
Project by ThinkSec AS and Network Associates Laboratories, the
Security Research Division of Network Associates, Inc.\& under
DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.