1.\" $NetBSD: pam.3,v 1.5 2013/12/27 20:10:20 christos Exp $ 2.\" 3.\" Generated by gendoc.pl 4.Dd September 7, 2013 5.Dt PAM 3 6.Os 7.Sh NAME 8.Nd Pluggable Authentication Modules Library 9.Sh LIBRARY 10.Lb libpam 11.Sh SYNOPSIS 12.In security/pam_appl.h 13.\" 14.\" Id: pam.man 648 2013-03-05 17:54:27Z des 15.\" 16.Sh DESCRIPTION 17The Pluggable Authentication Modules (PAM) library abstracts a number 18of common authentication-related operations and provides a framework 19for dynamically loaded modules that implement these operations in 20various ways. 21.Ss Terminology 22In PAM parlance, the application that uses PAM to authenticate a user 23is the server, and is identified for configuration purposes by a 24service name, which is often (but not necessarily) the program name. 25.Pp 26The user requesting authentication is called the applicant, while the 27user (usually, root) charged with verifying his identity and granting 28him the requested credentials is called the arbitrator. 29.Pp 30The sequence of operations the server goes through to authenticate a 31user and perform whatever task he requested is a PAM transaction; the 32context within which the server performs the requested task is called 33a session. 34.Pp 35The functionality embodied by PAM is divided into six primitives 36grouped into four facilities: authentication, account management, 37session management and password management. 38.Ss Conversation 39The PAM library expects the application to provide a conversation 40callback which it can use to communicate with the user. 41Some modules may use specialized conversation functions to communicate 42with special hardware such as cryptographic dongles or biometric 43devices. 44See 45.Xr pam_conv 3 46for details. 47.Ss Initialization and Cleanup 48The 49.Fn pam_start 50function initializes the PAM library and returns a handle which must 51be provided in all subsequent function calls. 52The transaction state is contained entirely within the structure 53identified by this handle, so it is possible to conduct multiple 54transactions in parallel. 55.Pp 56The 57.Fn pam_end 58function releases all resources associated with the specified context, 59and can be called at any time to terminate a PAM transaction. 60.Ss Storage 61The 62.Fn pam_set_item 63and 64.Fn pam_get_item 65functions set and retrieve a number of predefined items, including the 66service name, the names of the requesting and target users, the 67conversation function, and prompts. 68.Pp 69The 70.Fn pam_set_data 71and 72.Fn pam_get_data 73functions manage named chunks of free-form data, generally used by 74modules to store state from one invocation to another. 75.Ss Authentication 76There are two authentication primitives: 77.Fn pam_authenticate 78and 79.Fn pam_setcred . 80The former authenticates the user, while the latter manages his 81credentials. 82.Ss Account Management 83The 84.Fn pam_acct_mgmt 85function enforces policies such as password expiry, account expiry, 86time-of-day restrictions, and so forth. 87.Ss Session Management 88The 89.Fn pam_open_session 90and 91.Fn pam_close_session 92functions handle session setup and teardown. 93.Ss Password Management 94The 95.Fn pam_chauthtok 96function allows the server to change the user's password, either at 97the user's request or because the password has expired. 98.Ss Miscellaneous 99The 100.Fn pam_putenv , 101.Fn pam_getenv 102and 103.Fn pam_getenvlist 104functions manage a private environment list in which modules can set 105environment variables they want the server to export during the 106session. 107.Pp 108The 109.Fn pam_strerror 110function returns a pointer to a string describing the specified PAM 111error code. 112.Sh RETURN VALUES 113The following return codes are defined by 114.In security/pam_constants.h : 115.Bl -tag -width 18n 116.It Bq Er PAM_ABORT 117General failure. 118.It Bq Er PAM_ACCT_EXPIRED 119User account has expired. 120.It Bq Er PAM_AUTHINFO_UNAVAIL 121Authentication information is unavailable. 122.It Bq Er PAM_AUTHTOK_DISABLE_AGING 123Authentication token aging disabled. 124.It Bq Er PAM_AUTHTOK_ERR 125Authentication token failure. 126.It Bq Er PAM_AUTHTOK_EXPIRED 127Password has expired. 128.It Bq Er PAM_AUTHTOK_LOCK_BUSY 129Authentication token lock busy. 130.It Bq Er PAM_AUTHTOK_RECOVERY_ERR 131Failed to recover old authentication token. 132.It Bq Er PAM_AUTH_ERR 133Authentication error. 134.It Bq Er PAM_BUF_ERR 135Memory buffer error. 136.It Bq Er PAM_CONV_ERR 137Conversation failure. 138.It Bq Er PAM_CRED_ERR 139Failed to set user credentials. 140.It Bq Er PAM_CRED_EXPIRED 141User credentials have expired. 142.It Bq Er PAM_CRED_INSUFFICIENT 143Insufficient credentials. 144.It Bq Er PAM_CRED_UNAVAIL 145Failed to retrieve user credentials. 146.It Bq Er PAM_DOMAIN_UNKNOWN 147Unknown authentication domain. 148.It Bq Er PAM_IGNORE 149Ignore this module. 150.It Bq Er PAM_MAXTRIES 151Maximum number of tries exceeded. 152.It Bq Er PAM_MODULE_UNKNOWN 153Unknown module type. 154.It Bq Er PAM_NEW_AUTHTOK_REQD 155New authentication token required. 156.It Bq Er PAM_NO_MODULE_DATA 157Module data not found. 158.It Bq Er PAM_OPEN_ERR 159Failed to load module. 160.It Bq Er PAM_PERM_DENIED 161Permission denied. 162.It Bq Er PAM_SERVICE_ERR 163Error in service module. 164.It Bq Er PAM_SESSION_ERR 165Session failure. 166.It Bq Er PAM_SUCCESS 167Success. 168.It Bq Er PAM_SYMBOL_ERR 169Invalid symbol. 170.It Bq Er PAM_SYSTEM_ERR 171System error. 172.It Bq Er PAM_TRY_AGAIN 173Try again. 174.It Bq Er PAM_USER_UNKNOWN 175Unknown user. 176.El 177.Sh SEE ALSO 178.Xr openpam 3 , 179.Xr pam_conv 3 180.Sh STANDARDS 181.Rs 182.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" 183.%D "June 1997" 184.Re 185.Sh AUTHORS 186The OpenPAM library and this manual page were developed for the 187.Fx 188Project by ThinkSec AS and Network Associates Laboratories, the 189Security Research Division of Network Associates, Inc.\& under 190DARPA/SPAWAR contract N66001-01-C-8035 191.Pq Dq CBOSS , 192as part of the DARPA CHATS research program. 193.Pp 194The OpenPAM library is maintained by 195.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no . 196