Deleted Added
pam.man (302408) pam.man (99158)
1.\"
1.\"
2.\" $Id: pam.man 648 2013-03-05 17:54:27Z des $
2.\" $P4: //depot/projects/openpam/doc/man/pam.man#1 $
3.\"
4.Sh DESCRIPTION
5The Pluggable Authentication Modules (PAM) library abstracts a number
6of common authentication-related operations and provides a framework
7for dynamically loaded modules that implement these operations in
8various ways.
9.Ss Terminology
10In PAM parlance, the application that uses PAM to authenticate a user
11is the server, and is identified for configuration purposes by a
12service name, which is often (but not necessarily) the program name.
13.Pp
14The user requesting authentication is called the applicant, while the
15user (usually, root) charged with verifying his identity and granting
3.\"
4.Sh DESCRIPTION
5The Pluggable Authentication Modules (PAM) library abstracts a number
6of common authentication-related operations and provides a framework
7for dynamically loaded modules that implement these operations in
8various ways.
9.Ss Terminology
10In PAM parlance, the application that uses PAM to authenticate a user
11is the server, and is identified for configuration purposes by a
12service name, which is often (but not necessarily) the program name.
13.Pp
14The user requesting authentication is called the applicant, while the
15user (usually, root) charged with verifying his identity and granting
16him the requested credentials is called the arbitrator.
16him the requested credentials is called the arbitrator.
17.Pp
18The sequence of operations the server goes through to authenticate a
19user and perform whatever task he requested is a PAM transaction; the
20context within which the server performs the requested task is called
21a session.
22.Pp
23The functionality embodied by PAM is divided into six primitives
24grouped into four facilities: authentication, account management,
25session management and password management.
26.Ss Conversation
27The PAM library expects the application to provide a conversation
28callback which it can use to communicate with the user.
29Some modules may use specialized conversation functions to communicate
30with special hardware such as cryptographic dongles or biometric
31devices.
32See
33.Xr pam_conv 3
34for details.
17.Pp
18The sequence of operations the server goes through to authenticate a
19user and perform whatever task he requested is a PAM transaction; the
20context within which the server performs the requested task is called
21a session.
22.Pp
23The functionality embodied by PAM is divided into six primitives
24grouped into four facilities: authentication, account management,
25session management and password management.
26.Ss Conversation
27The PAM library expects the application to provide a conversation
28callback which it can use to communicate with the user.
29Some modules may use specialized conversation functions to communicate
30with special hardware such as cryptographic dongles or biometric
31devices.
32See
33.Xr pam_conv 3
34for details.
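Review bot: the header comment on line 2 swaps the `$Id: pam.man 648 2013-03-05 17:54:27Z des $` keyword line for `$P4: //depot/projects/openpam/doc/man/pam.man#1 $`. `$Id` is expanded by Subversion and CVS while `$P4` is a Perforce keyword, so confirm that the repository this lands in actually expands `$P4`; otherwise the revision stamp in the manual page will stay frozen at `#1`. The surrounding `.\"` comment lines and the DESCRIPTION and Terminology text are otherwise unchanged.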
35.Ss Initialization and Cleanup
35.Ss Initialization And Cleanup
36The
37.Fn pam_start
38function initializes the PAM library and returns a handle which must
39be provided in all subsequent function calls.
40The transaction state is contained entirely within the structure
41identified by this handle, so it is possible to conduct multiple
42transactions in parallel.
43.Pp
44The
45.Fn pam_end
46function releases all resources associated with the specified context,
36The
37.Fn pam_start
38function initializes the PAM library and returns a handle which must
39be provided in all subsequent function calls.
40The transaction state is contained entirely within the structure
41identified by this handle, so it is possible to conduct multiple
42transactions in parallel.
43.Pp
44The
45.Fn pam_end
46function releases all resources associated with the specified context,
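Review bot: style point on line 35: `.Ss Initialization and Cleanup` becomes `.Ss Initialization And Cleanup`. Capitalizing the conjunction matches the other `.Ss` headings on this page (`Account Management`, `Session Management`, `Password Management`), which capitalize every word, so the change is consistent; the body text for `pam_start` and `pam_end` is unchanged.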
47and can be called at any time to terminate a PAM transaction.
47and can be called at any time to terminate a PAM transaction.
48.Ss Storage
49The
50.Fn pam_set_item
51and
52.Fn pam_get_item
53functions set and retrieve a number of predefined items, including the
54service name, the names of the requesting and target users, the
55conversation function, and prompts.
56.Pp
48.Ss Storage
49The
50.Fn pam_set_item
51and
52.Fn pam_get_item
53functions set and retrieve a number of predefined items, including the
54service name, the names of the requesting and target users, the
55conversation function, and prompts.
56.Pp
57The
57The
58.Fn pam_set_data
59and
60.Fn pam_get_data
58.Fn pam_set_data
59and
60.Fn pam_get_data
61functions manage named chunks of free-form data, generally used by
62modules to store state from one invocation to another.
61manage named chunks of free-form data, generally used by modules to
62store state from one invocation to another.
63.Ss Authentication
64There are two authentication primitives:
65.Fn pam_authenticate
66and
67.Fn pam_setcred .
68The former authenticates the user, while the latter manages his
69credentials.
70.Ss Account Management
71The
72.Fn pam_acct_mgmt
73function enforces policies such as password expiry, account expiry,
74time-of-day restrictions, and so forth.
75.Ss Session Management
76The
77.Fn pam_open_session
78and
79.Fn pam_close_session
63.Ss Authentication
64There are two authentication primitives:
65.Fn pam_authenticate
66and
67.Fn pam_setcred .
68The former authenticates the user, while the latter manages his
69credentials.
70.Ss Account Management
71The
72.Fn pam_acct_mgmt
73function enforces policies such as password expiry, account expiry,
74time-of-day restrictions, and so forth.
75.Ss Session Management
76The
77.Fn pam_open_session
78and
79.Fn pam_close_session
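Review bot: the rewrite at lines 61-62 drops the word `functions`, so the sentence now reads `The .Fn pam_set_data and .Fn pam_get_data manage named chunks of free-form data`; the same edit recurs at line 80 (`handle session setup and teardown.`) and at lines 92-93 (`manage a private environment list`). That leaves the page inconsistent with the untouched `.Fn pam_set_item and .Fn pam_get_item functions set and retrieve` at lines 49-55 and with the singular `function` kept after `pam_acct_mgmt`, `pam_chauthtok` and `pam_strerror`. Suggest keeping `functions` in all three sentences so the phrasing matches the rest of the DESCRIPTION.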
80functions handle session setup and teardown.
80handle session setup and teardown.
81.Ss Password Management
82The
83.Fn pam_chauthtok
84function allows the server to change the user's password, either at
85the user's request or because the password has expired.
86.Ss Miscellaneous
81.Ss Password Management
82The
83.Fn pam_chauthtok
84function allows the server to change the user's password, either at
85the user's request or because the password has expired.
86.Ss Miscellaneous
87The
87The
88.Fn pam_putenv ,
89.Fn pam_getenv
90and
91.Fn pam_getenvlist
88.Fn pam_putenv ,
89.Fn pam_getenv
90and
91.Fn pam_getenvlist
92functions manage a private environment list in which modules can set
93environment variables they want the server to export during the
94session.
92manage a private environment list in which modules can set environment
93variables they want the server to export during the session.
95.Pp
96The
97.Fn pam_strerror
94.Pp
95The
96.Fn pam_strerror
98function returns a pointer to a string describing the specified PAM
97function returns a pointer to a string describing a the specified PAM
99error code.
98error code.
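Review bot: line 97 in the Added column introduces a typo: `describing a the specified PAM` has a stray `a`, where the Deleted column's `describing the specified PAM` (line 98) is correct and should be kept. The one-line offset here (`.Pp` at line 94 versus line 95) comes from the two-line rewrite at lines 92-93 above, not from any further change to the `pam_strerror` text.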