.Sh DESCRIPTION
The Pluggable Authentication Modules (PAM) library abstracts a number
of common authentication-related operations and provides a framework
for dynamically loaded modules that implement these operations in
various ways.
.Ss Terminology
In PAM parlance, the application that uses PAM to authenticate a user
is the server, and is identified for configuration purposes by a
service name, which is often (but not necessarily) the program name.
.Pp
The user requesting authentication is called the applicant, while the
user (usually, root) charged with verifying his identity and granting
him the requested credentials is called the arbitrator.
.Pp
The sequence of operations the server goes through to authenticate a
user and perform whatever task he requested is a PAM transaction; the
context within which the server performs the requested task is called
a session.
.Pp
The functionality embodied by PAM is divided into six primitives
grouped into four facilities: authentication, account management,
session management and password management.
.Ss Conversation
The PAM library expects the application to provide a conversation
callback which it can use to communicate with the user.
Some modules may use specialized conversation functions to communicate
with special hardware such as cryptographic dongles or biometric
devices.
See
.Xr pam_conv 3
for details.
.Ss Initialization and Cleanup
The
.Fn pam_start
function initializes the PAM library and returns a handle which must
be provided in all subsequent function calls.
The transaction state is contained entirely within the structure
identified by this handle, so it is possible to conduct multiple
transactions in parallel.
.Pp
The
.Fn pam_end
function releases all resources associated with the specified context,
and can be called at any time to terminate a PAM transaction.
.Ss Storage
The
.Fn pam_set_item
and
.Fn pam_get_item
functions set and retrieve a number of predefined items, including the
service name, the names of the requesting and target users, the
conversation function, and prompts.
.Pp
The
.Fn pam_set_data
and
.Fn pam_get_data
functions manage named chunks of free-form data, generally used by
modules to store state from one invocation to another.
.Ss Authentication
There are two authentication primitives:
.Fn pam_authenticate
and
.Fn pam_setcred .
The former authenticates the user, while the latter manages his
credentials.
.Ss Account Management
The
.Fn pam_acct_mgmt
function enforces policies such as password expiry, account expiry,
time-of-day restrictions, and so forth.
.Ss Session Management
The
.Fn pam_open_session
and
.Fn pam_close_session
functions handle session setup and teardown.
.Ss Password Management
The
.Fn pam_chauthtok
function allows the server to change the user's password, either at
the user's request or because the password has expired.
.Ss Miscellaneous
The
.Fn pam_putenv ,
.Fn pam_getenv
and
.Fn pam_getenvlist
functions manage a private environment list in which modules can set
environment variables they want the server to export during the
session.
.Pp
The
.Fn pam_strerror
function returns a pointer to a string describing the specified PAM
error code.