NAME
     pam_acct_mgmt, pam_authenticate, pam_chauthtok, pam_close_session,
     pam_end, pam_get_data, pam_get_item, pam_get_user, pam_getenv,
     pam_getenvlist, pam_open_session, pam_putenv, pam_set_data,
     pam_set_item, pam_setcred, pam_start, pam_strerror — Pluggable
     Authentication Modules Library
LIBRARY
     Pluggable Authentication Module Library (libpam, -lpam)

SYNOPSIS
     #include <security/pam_appl.h>

     int
     pam_acct_mgmt(pam_handle_t *pamh, int flags);

     int
     pam_authenticate(pam_handle_t *pamh, int flags);

     int
     pam_chauthtok(pam_handle_t *pamh, int flags);

     int
     pam_close_session(pam_handle_t *pamh, int flags);

     int
     pam_end(pam_handle_t *pamh, int status);

     int
     pam_get_data(const pam_handle_t *pamh, const char *module_data_name,
         const void **data);

     int
     pam_get_item(const pam_handle_t *pamh, int item_type, const void **item);

     int
     pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt);

     const char *
     pam_getenv(pam_handle_t *pamh, const char *name);

     char **
     pam_getenvlist(pam_handle_t *pamh);

     int
     pam_open_session(pam_handle_t *pamh, int flags);

     int
     pam_putenv(pam_handle_t *pamh, const char *namevalue);

     int
     pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
         void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status));

     int
     pam_set_item(pam_handle_t *pamh, int item_type, const void *item);

     int
     pam_setcred(pam_handle_t *pamh, int flags);

     int
     pam_start(const char *service, const char *user,
         const struct pam_conv *pam_conv, pam_handle_t **pamh);

     const char *
     pam_strerror(const pam_handle_t *pamh, int error_number);
DESCRIPTION
     The Pluggable Authentication Modules (PAM) library abstracts a number of
     common authentication-related operations and provides a framework for
     dynamically loaded modules that implement these operations in various
     ways.

   Terminology
     In PAM parlance, the application that uses PAM to authenticate a user is
     the server, and is identified for configuration purposes by a service
     name, which is often (but not necessarily) the program name.

     The user requesting authentication is called the applicant, while the
     user (usually, root) charged with verifying his identity and granting him
     the requested credentials is called the arbitrator.

     The sequence of operations the server goes through to authenticate a user
     and perform whatever task he requested is a PAM transaction; the context
     within which the server performs the requested task is called a session.

     The functionality embodied by PAM is divided into six primitives grouped
     into four facilities: authentication, account management, session
     management and password management.

   Conversation
     The PAM library expects the application to provide a conversation
     callback which it can use to communicate with the user.  Some modules may
     use specialized conversation functions to communicate with special
     hardware such as cryptographic dongles or biometric devices.  See
     pam_conv(3) for details.

   Initialization and Cleanup
     The pam_start() function initializes the PAM library and returns a handle
     which must be provided in all subsequent function calls.  The transaction
     state is contained entirely within the structure identified by this
     handle, so it is possible to conduct multiple transactions in parallel.

   Storage
     The pam_set_item() and pam_get_item() functions set and retrieve a number
     of predefined items, including the service name, the names of the
     requesting and target users, the conversation function, and prompts.

   Authentication
     There are two authentication primitives: pam_authenticate() and
     pam_setcred().  The former authenticates the user, while the latter
     manages his credentials.

   Account Management
     The pam_acct_mgmt() function enforces policies such as password expiry,
     account expiry, time-of-day restrictions, and so forth.

   Session Management
     The pam_open_session() and pam_close_session() functions handle session
     setup and teardown.

   Password Management
     The pam_chauthtok() function allows the server to change the user's
     password, either at the user's request or because the password has
     expired.

   Miscellaneous
     The pam_putenv(), pam_getenv() and pam_getenvlist() functions manage a
     private environment list in which modules can set environment variables
     they want the server to export during the session.
RETURN VALUES
     The following return codes are defined by <security/pam_constants.h>:
SEE ALSO
     openpam(3), pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3),
     pam_close_session(3), pam_conv(3), pam_end(3), pam_get_data(3),
     pam_getenv(3), pam_getenvlist(3), pam_get_item(3), pam_get_user(3),
     pam_open_session(3), pam_putenv(3), pam_setcred(3), pam_set_data(3),
     pam_set_item(3), pam_start(3), pam_strerror(3)

STANDARDS
     X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules,
     June 1997.

AUTHORS
     The OpenPAM library and this manual page were developed for the FreeBSD
     Project by ThinkSec AS and Network Associates Laboratories, the Security
     Research Division of Network Associates, Inc. under DARPA/SPAWAR contract
     N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.

     The OpenPAM library is maintained by Dag-Erling Smørgrav <des@des.no>.