*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->FreeBSD man pages -> pam (3)              



NAME    [Toc]    [Back]

     pam_acct_mgmt, pam_authenticate, pam_chauthtok, pam_close_session,
     pam_end, pam_get_data, pam_get_item, pam_get_user, pam_getenv,
     pam_getenvlist, pam_open_session, pam_putenv, pam_set_data, pam_set_item,
     pam_setcred, pam_start, pam_strerror -- Pluggable Authentication Modules

LIBRARY    [Toc]    [Back]

     PAM Library (libpam, -lpam)

SYNOPSIS    [Toc]    [Back]

     #include <security/pam_appl.h>

     pam_acct_mgmt(pam_handle_t *pamh, int flags);

     pam_authenticate(pam_handle_t *pamh, int flags);

     pam_chauthtok(pam_handle_t *pamh, int flags);

     pam_close_session(pam_handle_t *pamh, int flags);

     pam_end(pam_handle_t *pamh, int status);

     pam_get_data(pam_handle_t *pamh, const char *module_data_name,
         const void **data);

     pam_get_item(pam_handle_t *pamh, int item_type, const void **item);

     pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt);

     const char *
     pam_getenv(pam_handle_t *pamh, const char *name);

     char **
     pam_getenvlist(pam_handle_t *pamh);

     pam_open_session(pam_handle_t *pamh, int flags);

     pam_putenv(pam_handle_t *pamh, const char *namevalue);

     pam_set_data(pam_handle_t *pamh, const char *module_data_name,
         void *data,
         void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status));

     pam_set_item(pam_handle_t *pamh, int item_type, const void *item);

     pam_setcred(pam_handle_t *pamh, int flags);

     pam_start(const char *service, const char *user,
         const struct pam_conv *pam_conv, pam_handle_t **pamh);

     const char *
     pam_strerror(pam_handle_t *pamh, int error_number);

DESCRIPTION    [Toc]    [Back]

     The Pluggable Authentication Modules (PAM) library abstracts a number of
     common authentication-related operations and provides a framework for
     dynamically loaded modules that implement these operations in various

   Terminology    [Toc]    [Back]
     In PAM parlance, the application that uses PAM to authenticate a user is
     the server, and is identified for configuration purposes by a service
     name, which is often (but not necessarily) the program name.

     The user requesting authentication is called the applicant, while the
     user (usually, root) charged with verifying his identity and granting him
     the requested credentials is called the arbitrator.

     The sequence of operations the server goes through to authenticate a user
     and perform whatever task he requested is a PAM transaction; the context
     within which the server performs the requested task is called a session.

     The functionality embodied by PAM is divided into six primitives grouped
     into four facilities: authentication, account management, session management
 and password management.

   Conversation    [Toc]    [Back]
     The PAM library expects the application to provide a conversation callback
 which it can use to communicate with the user.  Some modules may use
     specialized conversation functions to communicate with special hardware
     such as cryptographic dongles or biometric devices.  See pam_conv(3) for

   Initialization and Cleanup    [Toc]    [Back]
     The pam_start() function initializes the PAM library and returns a handle
     which must be provided in all subsequent function calls.  The transaction
     state is contained entirely within the structure identified by this handle,
 so it is possible to conduct multiple transactions in parallel.

     The pam_end() function releases all resources associated with the specified
 context, and can be called at any time to terminate a PAM transaction.

   Storage    [Toc]    [Back]
     The pam_set_item() and pam_get_item() functions set and retrieve a number
     of predefined items, including the service name, the names of the
     requesting and target users, the conversation function, and prompts.

     The pam_set_data() and pam_get_data() functions manage named chunks of
     free-form data, generally used by modules to store state from one invocation
 to another.

   Authentication    [Toc]    [Back]
     There are two authentication primitives: pam_authenticate() and
     pam_setcred().  The former authenticates the user, while the latter manages
 his credentials.

   Account Management    [Toc]    [Back]
     The pam_acct_mgmt() function enforces policies such as password expiry,
     account expiry, time-of-day restrictions, and so forth.

   Session Management    [Toc]    [Back]
     The pam_open_session() and pam_close_session() handle session setup and

   Password Management    [Toc]    [Back]
     The pam_chauthtok() function allows the server to change the user's password,
 either at the user's request or because the password has expired.

   Miscellaneous    [Toc]    [Back]
     The pam_putenv(), pam_getenv() and pam_getenvlist() manage a private
     environment list in which modules can set environment variables they want
     the server to export during the session.

     The pam_strerror() function returns a pointer to a string describing the
     specified PAM error code.

RETURN VALUES    [Toc]    [Back]

     The following return codes are defined by <security/pam_constants.h>:

     [PAM_ABORT]         General failure.

     [PAM_ACCT_EXPIRED]  User accound has expired.

                         Authentication information is unavailable.

                         Authentication token aging disabled.

     [PAM_AUTHTOK_ERR]   Authentication token failure.

                         Password has expired.

                         Authentication token lock busy.

                         Failed to recover old authentication token.

     [PAM_AUTH_ERR]      Authentication error.

     [PAM_BUF_ERR]       Memory buffer error.

     [PAM_CONV_ERR]      Conversation failure.

     [PAM_CRED_ERR]      Failed to set user credentials.

     [PAM_CRED_EXPIRED]  User credentials have expired.

                         Insufficient credentials.

     [PAM_CRED_UNAVAIL]  Failed to retrieve user credentials.

                         Unknown authentication domain.

     [PAM_IGNORE]        Ignore this module.

     [PAM_MAXTRIES]      Maximum number of tries exceeded.

                         Unknown module type.

                         New authentication token required.

                         Module data not found.

     [PAM_OPEN_ERR]      Failed to load module.

     [PAM_PERM_DENIED]   Permission denied.

     [PAM_SERVICE_ERR]   Error in service module.

     [PAM_SESSION_ERR]   Session failure.

     [PAM_SUCCESS]       Success.

     [PAM_SYMBOL_ERR]    Invalid symbol.

     [PAM_SYSTEM_ERR]    System error.

     [PAM_TRY_AGAIN]     Try again.

     [PAM_USER_UNKNOWN]  Unknown user.

SEE ALSO    [Toc]    [Back]

     openpam(3), pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3),
     pam_close_session(3), pam_conv(3), pam_end(3), pam_get_data(3),
     pam_get_item(3), pam_get_user(3), pam_getenv(3), pam_getenvlist(3),
     pam_open_session(3), pam_putenv(3), pam_set_data(3), pam_set_item(3),
     pam_setcred(3), pam_start(3), pam_strerror(3)

STANDARDS    [Toc]    [Back]

     X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules,
     June 1997.

AUTHORS    [Toc]    [Back]

     The OpenPAM library and this manual page were developed for the FreeBSD
     Project by ThinkSec AS and Network Associates Laboratories, the Security
     Research Division of Network Associates, Inc.  under DARPA/SPAWAR contract
 N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research

FreeBSD 5.2.1                    July 15, 2003                   FreeBSD 5.2.1
[ Back ]
 Similar pages
Name OS Title
pam Linux Pluggable Authentication Modules for Linux
pam.conf HP-UX configuration file for pluggable authentication modules
pam_user.conf HP-UX users configuration file for pluggable authentication modules
pam HP-UX Pluggable Authentication Module
pam_unix HP-UX authentication, account, session, and password management PAM modules for UNIX
pam_krb5 HP-UX authentication, account, session and password management modules for Kerberos 5
krb_rd_req NetBSD Kerberos authentication library
krb_mk_safe NetBSD Kerberos authentication library
krb_rd_priv NetBSD Kerberos authentication library
krb_mk_req NetBSD Kerberos authentication library
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service