.\" Generated from pam_get_authtok.c by gendoc.pl
.\" $OpenPAM: pam_get_authtok.c 938 2017-04-30 21:34:42Z des $
.Dd February 24, 2019
.Dt PAM_GET_AUTHTOK 3
.Os
.Sh NAME
.Nm pam_get_authtok
.Nd retrieve authentication token
.Sh SYNOPSIS
.In sys/types.h
.In security/pam_appl.h
.In security/openpam.h
.Ft "int"
.Fn pam_get_authtok "pam_handle_t *pamh" "int item" "const char **authtok" "const char *prompt"
.Sh DESCRIPTION
The
.Fn pam_get_authtok
function either prompts the user for an
authentication token or retrieves a cached authentication token,
depending on circumstances.
Either way, a pointer to the authentication token is stored in the
location pointed to by the
.Fa authtok
argument, and the corresponding PAM
item is updated.
.Pp
The
.Fa item
argument must have one of the following values:
.Bl -tag -width 18n
.It Dv PAM_AUTHTOK
Returns the current authentication token, or the new token
when changing authentication tokens.
.It Dv PAM_OLDAUTHTOK
Returns the previous authentication token when changing
authentication tokens.
.El
.Pp
The
.Fa prompt
argument specifies a prompt to use if no token is cached.
If it is
.Dv NULL ,
the
.Dv PAM_AUTHTOK_PROMPT
or
.Dv PAM_OLDAUTHTOK_PROMPT
item,
as appropriate, will be used.
If that item is also
.Dv NULL ,
a hardcoded default prompt will be used.
Additionally, when
.Fn pam_get_authtok
is called from a service module,
the prompt may be affected by module options as described below.
The prompt is then expanded using
.Xr openpam_subst 3
before it is passed to
the conversation function.
.Pp
If
.Fa item
is set to
.Dv PAM_AUTHTOK
and there is a non-null
.Dv PAM_OLDAUTHTOK
item,
.Fn pam_get_authtok
will ask the user to confirm the new token by
retyping it.
If there is a mismatch,
.Fn pam_get_authtok
will return
.Dv PAM_TRY_AGAIN .
.Sh MODULE OPTIONS
When called by a service module,
.Fn pam_get_authtok
will recognize the
following module options:
.Bl -tag -width 18n
.It Dv authtok_prompt
Prompt to use when
.Fa item
is set to
.Dv PAM_AUTHTOK .
This option overrides both the
.Fa prompt
argument and the
.Dv PAM_AUTHTOK_PROMPT
item.
.It Dv echo_pass
If the application's conversation function allows it, this
lets the user see what they are typing.
This should only be used for non-reusable authentication
tokens.
.It Dv oldauthtok_prompt
Prompt to use when
.Fa item
is set to
.Dv PAM_OLDAUTHTOK .
This option overrides both the
.Fa prompt
argument and the
.Dv PAM_OLDAUTHTOK_PROMPT
item.
.It Dv try_first_pass
If the requested item is non-null, return it without
prompting the user.
Typically, the service module will verify the token, and
if it does not match, clear the item before calling
.Fn pam_get_authtok
a second time.
.It Dv use_first_pass
Do not prompt the user at all; just return the cached
value, or
.Dv PAM_AUTH_ERR
if there is none.
.El
.Sh RETURN VALUES
The
.Fn pam_get_authtok
function returns one of the following values:
.Bl -tag -width 18n
.It Bq Er PAM_SUCCESS
Success.
.It Bq Er PAM_BAD_CONSTANT
Bad constant.
.It Bq Er PAM_BAD_ITEM
Unrecognized or restricted item.
.It Bq Er PAM_BUF_ERR
Memory buffer error.
.It Bq Er PAM_CONV_ERR
Conversation failure.
.It Bq Er PAM_SYSTEM_ERR
System error.
.It Bq Er PAM_TRY_AGAIN
Try again.
.El
.Sh SEE ALSO
.Xr openpam_get_option 3 ,
.Xr openpam_subst 3 ,
.Xr pam 3 ,
.Xr pam_conv 3 ,
.Xr pam_get_item 3 ,
.Xr pam_get_user 3 ,
.Xr pam_strerror 3
.Sh STANDARDS
The
.Fn pam_get_authtok
function is an OpenPAM extension.
.Sh AUTHORS
The
.Fn pam_get_authtok
function and this manual page were
developed for the
.Fx
Project by ThinkSec AS and Network Associates Laboratories, the
Security Research Division of Network Associates, Inc.\& under
DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
.Pp
The OpenPAM library is maintained by
.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
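The try_first_pass and use_first_pass rules from MODULE OPTIONS, as an added example that is not part of the OpenPAM sources: a self-contained C model of the cache-or-prompt decision and of the verify, clear, retry pattern a service module follows. The struct, the model_* functions, the M_* codes and the sample tokens are constructed for illustration, and always prompting when neither option is set is an assumption of the model.

```c
#include <stddef.h>
#include <string.h>
/* Simplified model of the caching rules on this page; not the OpenPAM API. */
enum { M_SUCCESS, M_AUTH_ERR, M_CONV_ERR };  /* stand-ins for PAM_* codes */

struct model_handle {
    const char *cached;  /* models the PAM_AUTHTOK item */
    const char *typed;   /* constructed user input; NULL = conversation fails */
    int try_first_pass, use_first_pass;  /* module options */
    int prompts;         /* how many times the user was prompted */
};

/* Cache-or-prompt decision as described for the two options. */
static int model_get_authtok(struct model_handle *h, const char **tok)
{
    if ((h->try_first_pass || h->use_first_pass) && h->cached != NULL) {
        *tok = h->cached;             /* non-null item: return it, no prompt */
        return M_SUCCESS;
    }
    if (h->use_first_pass)
        return M_AUTH_ERR;            /* never prompt: fail closed */
    if (h->typed == NULL) return M_CONV_ERR;
    h->prompts++;
    h->cached = *tok = h->typed;      /* the item is updated with the new token */
    return M_SUCCESS;
}

/* Module-side pattern: verify; on mismatch clear the item and ask once more. */
static int model_authenticate(struct model_handle *h, const char *expected)
{
    const char *tok = NULL;
    int r = model_get_authtok(h, &tok);
    if (r != M_SUCCESS) return r;
    if (strcmp(tok, expected) == 0)   /* stand-in for real token verification */
        return M_SUCCESS;
    if (!h->try_first_pass || h->prompts > 0)
        return M_AUTH_ERR;            /* token was just typed, or retry not allowed */
    h->cached = NULL;                 /* clear the stale item ... */
    r = model_get_authtok(h, &tok);   /* ... so the second call prompts */
    if (r != M_SUCCESS) return r;
    return strcmp(tok, expected) == 0 ? M_SUCCESS : M_AUTH_ERR;
}

int main(void)
{
    /* Constructed case: an earlier module cached a token this module rejects. */
    struct model_handle h = { "stale", "s3cret", 1, 0, 0 };
    return model_authenticate(&h, "s3cret");
}
```

With both options set and a rejected cached token, the second call returns the auth error instead of prompting, so use_first_pass still wins.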