PAM(3) | Linux-PAM Manual | PAM(3) |
pam - Pluggable Authentication Modules Library
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>
PAM is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege granting programs (such as login(1) and su(1)) defer to to perform standard authentication tasks.
The pam_start(3) function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context.
The pam_end(3) function terminates the PAM transaction and is the last function an application should call in the PAM context. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid. It can be called at any time to terminate a PAM transaction.
The pam_authenticate(3) function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print.
The pam_setcred(3) function manages the user's credentials.
The pam_acct_mgmt(3) function is used to determine if the user's account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.
The pam_chauthtok(3) function is used to change the authentication token for a given user on request or because the token has expired.
The pam_open_session(3) function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to pam_close_session(3).
The PAM library uses an application-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the struct pam_conv passed to pam_start(3) at the start of the transaction. See pam_conv(3) for details.
The pam_set_item(3) and pam_get_item(3) functions allows applications and PAM service modules to set and retrieve PAM information.
The pam_get_user(3) function is the preferred method to obtain the username.
The pam_set_data(3) and pam_get_data(3) functions allows PAM service modules to set and retrieve free-form data from one invocation to another.
The pam_putenv(3), pam_getenv(3) and pam_getenvlist(3) functions are for maintaining a set of private environment variables.
The pam_strerror(3) function returns a pointer to a string describing the given PAM error code.
The following return codes are known by PAM:
PAM_ABORT
PAM_ACCT_EXPIRED
PAM_AUTHINFO_UNAVAIL
PAM_AUTHTOK_DISABLE_AGING
PAM_AUTHTOK_ERR
PAM_AUTHTOK_EXPIRED
PAM_AUTHTOK_LOCK_BUSY
PAM_AUTHTOK_RECOVERY_ERR
PAM_AUTH_ERR
PAM_BUF_ERR
PAM_CONV_ERR
PAM_CRED_ERR
PAM_CRED_EXPIRED
PAM_CRED_INSUFFICIENT
PAM_CRED_UNAVAIL
PAM_IGNORE
PAM_MAXTRIES
PAM_MODULE_UNKNOWN
PAM_NEW_AUTHTOK_REQD
PAM_NO_MODULE_DATA
PAM_OPEN_ERR
PAM_PERM_DENIED
PAM_SERVICE_ERR
PAM_SESSION_ERR
PAM_SUCCESS
PAM_SYMBOL_ERR
PAM_SYSTEM_ERR
PAM_TRY_AGAIN
PAM_USER_UNKNOWN
pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3), pam_close_session(3), pam_conv(3), pam_end(3), pam_get_data(3), pam_getenv(3), pam_getenvlist(3), pam_get_item(3), pam_get_user(3), pam_open_session(3), pam_putenv(3), pam_set_data(3), pam_set_item(3), pam_setcred(3), pam_start(3), pam_strerror(3)
The libpam interfaces are only thread-safe if each thread within the multithreaded application uses its own PAM handle.
05/07/2023 | Linux-PAM |