1.\"
| 1.\"
|
2.\" $Id: pam.man 648 2013-03-05 17:54:27Z des $
| 2.\" $P4: //depot/projects/openpam/doc/man/pam.man#1 $
|
3.\" 4.Sh DESCRIPTION 5The Pluggable Authentication Modules (PAM) library abstracts a number 6of common authentication-related operations and provides a framework 7for dynamically loaded modules that implement these operations in 8various ways. 9.Ss Terminology 10In PAM parlance, the application that uses PAM to authenticate a user 11is the server, and is identified for configuration purposes by a 12service name, which is often (but not necessarily) the program name. 13.Pp 14The user requesting authentication is called the applicant, while the 15user (usually, root) charged with verifying his identity and granting
| 3.\" 4.Sh DESCRIPTION 5The Pluggable Authentication Modules (PAM) library abstracts a number 6of common authentication-related operations and provides a framework 7for dynamically loaded modules that implement these operations in 8various ways. 9.Ss Terminology 10In PAM parlance, the application that uses PAM to authenticate a user 11is the server, and is identified for configuration purposes by a 12service name, which is often (but not necessarily) the program name. 13.Pp 14The user requesting authentication is called the applicant, while the 15user (usually, root) charged with verifying his identity and granting
|
16him the requested credentials is called the arbitrator.
| 16him the requested credentials is called the arbitrator.
|
17.Pp 18The sequence of operations the server goes through to authenticate a 19user and perform whatever task he requested is a PAM transaction; the 20context within which the server performs the requested task is called 21a session. 22.Pp 23The functionality embodied by PAM is divided into six primitives 24grouped into four facilities: authentication, account management, 25session management and password management. 26.Ss Conversation 27The PAM library expects the application to provide a conversation 28callback which it can use to communicate with the user. 29Some modules may use specialized conversation functions to communicate 30with special hardware such as cryptographic dongles or biometric 31devices. 32See 33.Xr pam_conv 3 34for details.
| 17.Pp 18The sequence of operations the server goes through to authenticate a 19user and perform whatever task he requested is a PAM transaction; the 20context within which the server performs the requested task is called 21a session. 22.Pp 23The functionality embodied by PAM is divided into six primitives 24grouped into four facilities: authentication, account management, 25session management and password management. 26.Ss Conversation 27The PAM library expects the application to provide a conversation 28callback which it can use to communicate with the user. 29Some modules may use specialized conversation functions to communicate 30with special hardware such as cryptographic dongles or biometric 31devices. 32See 33.Xr pam_conv 3 34for details.
|
35.Ss Initialization and Cleanup
| 35.Ss Initialization And Cleanup
|
36The 37.Fn pam_start 38function initializes the PAM library and returns a handle which must 39be provided in all subsequent function calls. 40The transaction state is contained entirely within the structure 41identified by this handle, so it is possible to conduct multiple 42transactions in parallel. 43.Pp 44The 45.Fn pam_end 46function releases all resources associated with the specified context,
| 36The 37.Fn pam_start 38function initializes the PAM library and returns a handle which must 39be provided in all subsequent function calls. 40The transaction state is contained entirely within the structure 41identified by this handle, so it is possible to conduct multiple 42transactions in parallel. 43.Pp 44The 45.Fn pam_end 46function releases all resources associated with the specified context,
|
47and can be called at any time to terminate a PAM transaction.
| 47and can be called at any time to terminate a PAM transaction.
|
48.Ss Storage 49The 50.Fn pam_set_item 51and 52.Fn pam_get_item 53functions set and retrieve a number of predefined items, including the 54service name, the names of the requesting and target users, the 55conversation function, and prompts. 56.Pp
| 48.Ss Storage 49The 50.Fn pam_set_item 51and 52.Fn pam_get_item 53functions set and retrieve a number of predefined items, including the 54service name, the names of the requesting and target users, the 55conversation function, and prompts. 56.Pp
|
57The
| 57The
|
58.Fn pam_set_data 59and 60.Fn pam_get_data
| 58.Fn pam_set_data 59and 60.Fn pam_get_data
|
61functions manage named chunks of free-form data, generally used by 62modules to store state from one invocation to another.
| 61manage named chunks of free-form data, generally used by modules to 62store state from one invocation to another.
|
63.Ss Authentication 64There are two authentication primitives: 65.Fn pam_authenticate 66and 67.Fn pam_setcred . 68The former authenticates the user, while the latter manages his 69credentials. 70.Ss Account Management 71The 72.Fn pam_acct_mgmt 73function enforces policies such as password expiry, account expiry, 74time-of-day restrictions, and so forth. 75.Ss Session Management 76The 77.Fn pam_open_session 78and 79.Fn pam_close_session
| 63.Ss Authentication 64There are two authentication primitives: 65.Fn pam_authenticate 66and 67.Fn pam_setcred . 68The former authenticates the user, while the latter manages his 69credentials. 70.Ss Account Management 71The 72.Fn pam_acct_mgmt 73function enforces policies such as password expiry, account expiry, 74time-of-day restrictions, and so forth. 75.Ss Session Management 76The 77.Fn pam_open_session 78and 79.Fn pam_close_session
|
80functions handle session setup and teardown.
| 80handle session setup and teardown.
|
81.Ss Password Management 82The 83.Fn pam_chauthtok 84function allows the server to change the user's password, either at 85the user's request or because the password has expired. 86.Ss Miscellaneous
| 81.Ss Password Management 82The 83.Fn pam_chauthtok 84function allows the server to change the user's password, either at 85the user's request or because the password has expired. 86.Ss Miscellaneous
|
87The
| 87The
|
88.Fn pam_putenv , 89.Fn pam_getenv 90and 91.Fn pam_getenvlist
| 88.Fn pam_putenv , 89.Fn pam_getenv 90and 91.Fn pam_getenvlist
|
92functions manage a private environment list in which modules can set 93environment variables they want the server to export during the 94session.
| 92manage a private environment list in which modules can set environment 93variables they want the server to export during the session.
|
95.Pp 96The 97.Fn pam_strerror
| 94.Pp 95The 96.Fn pam_strerror
|
98function returns a pointer to a string describing the specified PAM
| 97function returns a pointer to a string describing a the specified PAM
|
99error code.
| 98error code.
|