2 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
3 .\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
5 .\" Manual: Linux-PAM Manual
6 .\" Source: Linux-PAM Manual
9 .TH "PAM" "3" "06/21/2011" "Linux-PAM Manual" "Linux-PAM Manual"
10 .\" -----------------------------------------------------------------
11 .\" * (re)Define some macros
12 .\" -----------------------------------------------------------------
13 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14 .\" toupper - uppercase a string (locale-aware)
15 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17 .tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
19 .tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
21 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22 .\" SH-xref - format a cross-reference to an SH section
23 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33 .\" SH - level-one heading that works better for non-TTY output
34 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
36 .\" put an extra blank line of space above the head in non-TTY output
43 .nr an-prevailing-indent \\n[IN]
47 .HTML-TAG ".NH \\n[an-level]"
49 .nr an-no-space-flag 1
51 \." make the size of the head bigger
56 .\" if n (TTY output), use uppercase
61 .\" if not n (not TTY), use normal case (not uppercase)
65 .\" if not n (not TTY), put a border/line under subheading
70 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71 .\" SS - level-two heading that works better for non-TTY output
72 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
77 .nr an-prevailing-indent \\n[IN]
82 .nr an-no-space-flag 1
85 \." make the size of the head bigger
91 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92 .\" BB/BE - put background/screen (filled box) around block of text
93 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
106 .if "\\$2"adjust-for-leading-newline" \{\
114 .nr BW \\n(.lu-\\n(.i
117 .ie "\\$2"adjust-for-leading-newline" \{\
118 \M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
121 \M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
132 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133 .\" BM/EM - put colored marker in margin next to block of text
134 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151 \M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
159 .\" -----------------------------------------------------------------
160 .\" * set default formatting
161 .\" -----------------------------------------------------------------
162 .\" disable hyphenation
164 .\" disable justification (adjust text to left margin only)
166 .\" -----------------------------------------------------------------
167 .\" * MAIN CONTENT STARTS HERE *
168 .\" -----------------------------------------------------------------
170 pam \- Pluggable Authentication Modules Library
177 #include <security/pam_appl\&.h>
187 #include <security/pam_modules\&.h>
197 #include <security/pam_ext\&.h>
206 is a system of libraries that handle the authentication tasks of applications (services) on the system\&. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
209 \fBsu\fR(1)) defer to to perform standard authentication tasks\&.
210 .SS "Initialization and Cleanup"
214 function creates the PAM context and initiates the PAM transaction\&. It is the first of the PAM functions that needs to be called by an application\&. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel\&. But it is not possible to use the same handle for different transactions, a new one is needed for every new context\&.
218 function terminates the PAM transaction and is the last function an application should call in the PAM context\&. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid\&. It can be called at any time to terminate a PAM transaction\&.
222 \fBpam_authenticate\fR(3)
223 function is used to authenticate the user\&. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print\&.
227 function manages the userscredentials\&.
228 .SS "Account Management"
231 \fBpam_acct_mgmt\fR(3)
232 function is used to determine if the users account is valid\&. It checks for authentication token and account expiration and verifies access restrictions\&. It is typically called after the user has been authenticated\&.
233 .SS "Password Management"
236 \fBpam_chauthtok\fR(3)
237 function is used to change the authentication token for a given user on request or because the token has expired\&.
238 .SS "Session Management"
241 \fBpam_open_session\fR(3)
242 function sets up a user session for a previously successful authenticated user\&. The session should later be terminated with a call to
243 \fBpam_close_session\fR(3)\&.
246 The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\&. This callback is specified by the
247 \fIstruct pam_conv\fR
250 at the start of the transaction\&. See
256 \fBpam_set_item\fR(3)
258 \fBpam_get_item\fR(3)
259 functions allows applications and PAM service modules to set and retrieve PAM informations\&.
262 \fBpam_get_user\fR(3)
263 function is the preferred method to obtain the username\&.
266 \fBpam_set_data\fR(3)
268 \fBpam_get_data\fR(3)
269 functions allows PAM service modules to set and retrieve free\-form data from one invocation to another\&.
270 .SS "Environment and Error Management"
276 \fBpam_getenvlist\fR(3)
277 functions are for maintaining a set of private environment variables\&.
280 \fBpam_strerror\fR(3)
281 function returns a pointer to a string describing the given PAM error code\&.
284 The following return codes are known by PAM:
288 Critical error, immediate abort\&.
293 User account has expired\&.
298 Authentication service cannot retrieve authentication info\&.
301 PAM_AUTHTOK_DISABLE_AGING
303 Authentication token aging disabled\&.
308 Authentication token manipulation error\&.
313 Authentication token expired\&.
316 PAM_AUTHTOK_LOCK_BUSY
318 Authentication token lock busy\&.
321 PAM_AUTHTOK_RECOVERY_ERR
323 Authentication information cannot be recovered\&.
328 Authentication failure\&.
333 Memory buffer error\&.
338 Conversation failure\&.
343 Failure setting user credentials\&.
348 User credentials expired\&.
351 PAM_CRED_INSUFFICIENT
353 Insufficient credentials to access authentication data\&.
358 Authentication service cannot retrieve user credentials\&.
363 The return value should be ignored by PAM dispatch\&.
368 Have exhausted maximum number of retries for service\&.
378 Authentication token is no longer valid; new one required\&.
383 No module specific data is present\&.
388 Failed to load module\&.
398 Error in service module\&.
403 Cannot make/remove an entry for the specified session\&.
423 Failed preliminary check by password service\&.
428 User not known to the underlying authentication module\&.
433 \fBpam_acct_mgmt\fR(3),
434 \fBpam_authenticate\fR(3),
435 \fBpam_chauthtok\fR(3),
436 \fBpam_close_session\fR(3),
439 \fBpam_get_data\fR(3),
441 \fBpam_getenvlist\fR(3),
442 \fBpam_get_item\fR(3),
443 \fBpam_get_user\fR(3),
444 \fBpam_open_session\fR(3),
446 \fBpam_set_data\fR(3),
447 \fBpam_set_item\fR(3),
448 \fBpam_setcred\fR(3),
450 \fBpam_strerror\fR(3)
455 interfaces are only thread\-safe if each thread within the multithreaded application uses its own PAM handle\&.