xref: /freebsd/contrib/openpam/doc/man/pam_get_authtok.3 (revision 8d20be1e22095c27faf8fe8b2f0d089739cc742e)
1.\" Generated from pam_get_authtok.c by gendoc.pl
2.\" $Id: pam_get_authtok.c 670 2013-03-17 19:26:07Z des $
3.Dd September 7, 2013
4.Dt PAM_GET_AUTHTOK 3
5.Os
6.Sh NAME
7.Nm pam_get_authtok
8.Nd retrieve authentication token
9.Sh LIBRARY
10.Lb libpam
11.Sh SYNOPSIS
12.In sys/types.h
13.In security/pam_appl.h
14.Ft "int"
15.Fn pam_get_authtok "pam_handle_t *pamh" "int item" "const char **authtok" "const char *prompt"
16.Sh DESCRIPTION
17The
18.Fn pam_get_authtok
19function either prompts the user for an
20authentication token or retrieves a cached authentication token,
21depending on circumstances.
22Either way, a pointer to the authentication token is stored in the
23location pointed to by the
24.Fa authtok
25argument, and the corresponding PAM
26item is updated.
27.Pp
28The
29.Fa item
30argument must have one of the following values:
31.Bl -tag -width 18n
32.It Dv PAM_AUTHTOK
33Returns the current authentication token, or the new token
34when changing authentication tokens.
35.It Dv PAM_OLDAUTHTOK
36Returns the previous authentication token when changing
37authentication tokens.
38.El
39.Pp
40The
41.Fa prompt
42argument specifies a prompt to use if no token is cached.
43If it is
44.Dv NULL ,
45the
46.Dv PAM_AUTHTOK_PROMPT
47or
48.Dv PAM_OLDAUTHTOK_PROMPT
49item,
50as appropriate, will be used.
51If that item is also
52.Dv NULL ,
53a hardcoded default prompt will be used.
54Additionally, when
55.Fn pam_get_authtok
56is called from a service module,
57the prompt may be affected by module options as described below.
58The prompt is then expanded using
59.Xr openpam_subst 3
60before it is passed to
61the conversation function.
62.Pp
63If
64.Fa item
65is set to
66.Dv PAM_AUTHTOK
67and there is a non-null
68.Dv PAM_OLDAUTHTOK
69item,
70.Fn pam_get_authtok
71will ask the user to confirm the new token by
72retyping it.
73If there is a mismatch,
74.Fn pam_get_authtok
75will return
76.Dv PAM_TRY_AGAIN .
77.Sh MODULE OPTIONS
78When called by a service module,
79.Fn pam_get_authtok
80will recognize the
81following module options:
82.Bl -tag -width 18n
83.It Dv authtok_prompt
84Prompt to use when
85.Fa item
86is set to
87.Dv PAM_AUTHTOK .
88This option overrides both the
89.Fa prompt
90argument and the
91.Dv PAM_AUTHTOK_PROMPT
92item.
93.It Dv echo_pass
94If the application's conversation function allows it, this
95lets the user see what they are typing.
96This should only be used for non-reusable authentication
97tokens.
98.It Dv oldauthtok_prompt
99Prompt to use when
100.Fa item
101is set to
102.Dv PAM_OLDAUTHTOK .
103This option overrides both the
104.Fa prompt
105argument and the
106.Dv PAM_OLDAUTHTOK_PROMPT
107item.
108.It Dv try_first_pass
109If the requested item is non-null, return it without
110prompting the user.
111Typically, the service module will verify the token, and
112if it does not match, clear the item before calling
113.Fn pam_get_authtok
114a second time.
115.It Dv use_first_pass
116Do not prompt the user at all; just return the cached
117value, or
118.Dv PAM_AUTH_ERR
119if there is none.
120.El
121.Sh RETURN VALUES
122The
123.Fn pam_get_authtok
124function returns one of the following values:
125.Bl -tag -width 18n
126.It Bq Er PAM_BUF_ERR
127Memory buffer error.
128.It Bq Er PAM_CONV_ERR
129Conversation failure.
130.It Bq Er PAM_SYSTEM_ERR
131System error.
132.It Bq Er PAM_TRY_AGAIN
133Try again.
134.El
135.Sh SEE ALSO
136.Xr openpam_get_option 3 ,
137.Xr openpam_subst 3 ,
138.Xr pam 3 ,
139.Xr pam_conv 3 ,
140.Xr pam_get_item 3 ,
141.Xr pam_get_user 3 ,
142.Xr pam_strerror 3
143.Sh STANDARDS
144The
145.Fn pam_get_authtok
146function is an OpenPAM extension.
147.Sh AUTHORS
148The
149.Fn pam_get_authtok
150function and this manual page were
151developed for the
152.Fx
153Project by ThinkSec AS and Network Associates Laboratories, the
154Security Research Division of Network Associates, Inc.\& under
155DARPA/SPAWAR contract N66001-01-C-8035
156.Pq Dq CBOSS ,
157as part of the DARPA CHATS research program.
158.Pp
159The OpenPAM library is maintained by
160.An Dag-Erling Sm\(/orgrav Aq des@des.no .
161