Wherever these PAM-API C-bindings describe structured data, only fields that must be provided by all PAM-API implementations are documented. Individual implementations may provide additional fields, either for internal use within PAM-API routines, or for use by non-portable applications.
The structure
pam_message
is used to pass prompt, error message,
or any text information from the PAM services to the application or
user. It is the responsibility of the PAM service modules to localize
the messages. The memory used by pam_message has to be allocated
and freed by the PAM modules. The pam_message structure has the
following structure:
The msg_style can be set to a number of values. See
The structure
pam_conv
contains the address of the conversation function provided by the
application. The underlying PAM service module invokes this function to
output information to and retrieve input from the user.
The pam_conv structure has the following entries:
where
int conv(int num_msg,
const struct pam_message **msg, struct pam_response **resp,
void *appdata_ptr);
The function,
The parameter, num_msg is the number of messages associated with the call. The parameter, msg, is a pointer to an array of length num_msg of the pam_message structure.
appdata_ptr is an application data pointer which is passed by the application to the PAM service modules. Since the PAM modules pass it back through the conversation function, the applications can use this pointer to point to any application-specific data.
One or more status codes are returned by each PAM-API routine. An implementation of PAM functions shall return PAM_SUCCESS and other status values appropriate for the implementation of the function. The characteristics of a particular implementation may make some status returns inappropriate for that implementation.
PAM-API routines return PAM status codes as their
int
| Name | Value in | Meaning |
|---|---|---|
| Field | ||
| [PAM_SUCCESS] | 0 | Successful completion. |
| [PAM_OPEN_ERR] | 1 | Failure when dynamically loading a service module. |
| [PAM_SYMBOL_ERR] | 2 | Symbol not found in service module. |
| [PAM_SERVICE_ERR] | 3 | Error in underlying service module. |
| [PAM_SYSTEM_ERR] | 4 | System error. |
| [PAM_BUF_ERR] | 5 | Memory buffer error. |
| [PAM_CONV_ERR | 6 | Conversation failure. |
| [PAM_PERM_DENIED] | 7 | The caller does not possess the required authority. |
| [PAM_MAXTRIES] | 8 | Maximum number of tries exceeded. |
| [PAM_AUTH_ERR] | 9 | Authentication error. |
| [PAM_NEW_AUTHTOK_REQD] | 10 | New authentication token required from user. |
| [PAM_CRED_INSUFFICIENT] | 11 | Cannot access authentication database because credentials supplied are insufficient. |
| [PAM_AUTHINFO_UNAVAIL] | 12 | Cannot retrieve authentication information. |
| [PAM_USER_UNKNOWN] | 13 | The user is not known to the underlying account management module. |
| [PAM_CRED_UNAVAIL] | 14 | Cannot retrieve user credentials. |
| [PAM_CRED_EXPIRED] | 15 | User credentials have expired. |
| [PAM_CRED_ERR] | 16 | Failure setting user credentials. |
| [PAM_ACCT_EXPIRED] | 17 | User account has expired. |
| [PAM_AUTHTOK_EXPIRED] | 18 | Password expired and no longer usable. |
| [PAM_SESSION_ERR] | 19 | Cannot initiate/terminate a PAM session. |
| [PAM_AUTHTOK_ERR] | 20 | Error in manipulating authentication token. |
| [PAM_AUTHTOK_RECOVERY_ERR] | 21 | Old authentication token cannot be recovered. |
| [PAM_AUTHTOK_LOCK_BUSY] | 22 | The authentication token lock is busy. |
| [PAM_AUTHTOK_DISABLE_AGING] | 23 | Authentication token ageing is disabled. |
| [PAM_NO_MODULE_DATA] | 24 | Module data not found. |
| [PAM_IGNORE] | 25 | Ignore this module. |
| [PAM_ABORT] | 26 | General PAM failure. |
| [PAM_TRY_AGAIN] | 27 | Unable to complete operation. Try again. |
| [PAM_MODULE_UNKNOWN] | 28 | Module type unknown. |
| [PAM_DOMAIN_UNKNOWN] | 29 | Domain unknown. |
| Name | Value | Meaning |
|---|---|---|
| [PAM_PROMPT_ECHO_OFF] | 1 | Echo off when getting response. |
| [PAM_PROMPT_ECHO_ON] | 2 | Echo on when getting response. |
| [PAM_ERROR_MSG] | 3 | Error message. |
| [PAM_TEXT_INFO] | 4 | Textual information. |
| [PAM_MAX_NUM_MSG] | 32 | Maximum number of messages passed to the application through the conversation function call. |
| [PAM_MAX_MSG_SIZE] | 512 | Maximum size in characters of messages passed to application through the conversation function call. |
| [PAM_MAX_RESP_SIZE] | 512 | Maximum size in characters of each response passed from the application through the conversation function call. |
| Name | Value | Meaning |
|---|---|---|
| General flags | ||
| PAM_SILENT | 0x80000000 | Switch off messages from service. |
| Flags for pam_authenticate | ||
| PAM_DISALLOW_NULL_AUTHTOK | 0x1 | Disallow a NULL authentication token. |
| Flags for pam_setcred | ||
| PAM_ESTABLISH_CRED | 0x1 | Set user credentials for the authentication service. |
| PAM_DELETE_CRED | 0x2 | Delete user credentials from the authentication service. |
| PAM_REINITIALISE_CRED | 0x4 | Reinitialize user credentials. |
| PAM_REFRESH_CRED | 0x8 | Extend lifetime of user credentials. |
| Flags for pam_sm_chauthtok | ||
| PAM_CRED_PRELIM_CHECK | 0x1 | Preliminary check for update readiness. |
| PAM_UPDATE_AUTHTOK | 0x2 | Update authentication token. |
| Flags for pam_sm_chauthtok and | ||
| pam_chauthtok | ||
| PAM_CHANGE_EXPIRED_AUTHTOK | 0x4 | Force a change to an expired authentication token. |
| Name | Value | Meaning |
|---|---|---|
| PAM_SERVICE | 1 | The program service name. |
| PAM_USER | 2 | The user name. |
| PAM_TTY | 3 | The tty name. |
| PAM_RHOST | 4 | The remote host name. |
| PAM_CONV | 5 | The conversation structure. |
| PAM_AUTHTOK | 6 | The authentication token. |
| PAM_OLDAUTHTOK | 7 | The old authentication token. |
| PAM_RUSER | 8 | The remote user name. |
| PAM_USER_PROMPT | 9 | The user prompt. |
<service_name> <module_type> <control_flag> <module_path> <options>
An entry commencing with a "#" character will be ignored.
The following subsections define the string constants that are used within a PAM configuration entry.
The keyword, other, indicates the module that should be used for all applications which have not been included in the PAM configuration under a specific service name. The other keyword can also be used if all services using the same module_type have the same requirements.
| Module_type | Module | |
|---|---|---|
| auth | Authentication module. | |
| account | Account management module. | |
| mapping | Mapping module. | |
| password | Password management module. | |
| session | Session management module. |
| Control Flags |
|---|
| required |
| sufficient |
| requisite |
| optional |
The PAM framework processes each service module in the stack.
If a requisite module fails the PAM framework immediately returns to the application with the error returned by the requisite module and stops processing the module stack.
If all requisite and required modules in the stack succeed, then success is returned (optional and sufficient error values are ignored).
If one or more required modules fail, then the error value from the first required module that failed is returned.
If none of the service modules in the stack are designated as required or requisite, then the PAM framework requires that at least one optional or sufficient module succeed. If all fail then the error value from the first service module in the stack is returned.
The exception to the above is caused by the sufficient flag. If a service module that is designated as sufficient succeeds, then the PAM framework immediately returns success to the application (all subsequent service modules, even required and requisite ones, in the stack are ignored), given that all prior required and requisite modules have also succeeded. If a prior required module failed, then the error value from that module is returned.
If a module does not exist or cannot be opened, then the entry is ignored.
The PAM configuration syntax does not dictate either the name or the
location of the service specific modules. The convention, however, is the
following:
/usr/lib/security/pam_<service_name>_<module_name>.<extension>
The options field is used by the PAM framework layer to pass module specific options to the modules. It is up to the module to parse and interpret the options. This field can be used by the modules to turn on debugging or to pass any module specific parameters such as a TIMEOUT value. It can also be used to support unified login. The options supported by a modules shall be documented by the supplier of the module.
| Contents | Next section | Index |