Copyright (C) 2002, Sun Microsystems, Inc.
All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
#include <security/pam_appl.h> #include <security/pam_modules.h> cc [ flag ...] file ... -lpam [ library ...]
The PAM framework, libpam, consists of an interface library and multiple authentication service modules. The PAM interface library is the layer that implements the Application Programming Interface (API). The authentication service modules are a set of dynamically loadable objects invoked by the PAM API to provide a particular type of user authentication.
This manual page gives an overview of the PAM APIs for the service modules, also called the Service Provider Interface (PAM-SPI).
The first category contains functions to authenticate an individual user, pam_sm_authenticate(3PAM), and to set the credentials of the user, pam_sm_setcred(3PAM). These back-end functions implement the functionality of pam_authenticate(3PAM) and pam_setcred(3PAM) respectively.
The second category contains the function to do account management: pam_sm_acct_mgmt(3PAM). This includes checking for password aging and access-hour restrictions. This back-end function implements the functionality of pam_acct_mgmt(3PAM).
The third category contains the functions pam_sm_open_session(3PAM) and pam_sm_close_session(3PAM) to perform session management after access to the system has been granted. These back-end functions implement the functionality of pam_open_session(3PAM) and pam_close_session(3PAM), respectively.
The fourth category consists of a function to change authentication tokens pam_sm_chauthtok(3PAM). This back-end function implements the functionality of pam_chauthtok(3PAM).
The PAM handle keeps certain information about the transaction that can be accessed through the pam_get_item() API. Though the modules can also use pam_set_item() to change any of the item information, it is recommended that nothing be changed except PAM_AUTHTOK and PAM_OLDAUTHTOK.
If the modules want to store any module specific state information then they can use the pam_set_data(3PAM) function to store that information with the PAM handle. The data should be stored with a name which is unique across all modules and module types. For example, SUNW_PAM_UNIX_AUTH_userid can be used as a name by the UNIX module to store information about the state of user's authentication. Some modules use this technique to share data across two different module types.
Also, during the call to pam_authenticate(), the UNIX module may store the authentication status (success or reason for failure) in the handle, using a unique name such as SUNW_SECURE_RPC_DATA. This information is intended for use by pam_setcred().
During the call to pam_acct_mgmt(), the account modules may store data in the handle to indicate which passwords have aged. This information is intended for use by pam_chauthtok().
The module can also store a cleanup function associated with the data. The PAM framework calls this cleanup function, when the application calls pam_end() to close the transaction.
Though the PAM framework enforces no rules about the module's names, location, options and such, there are certain conventions that all module providers are expected to follow.
By convention, the modules should be located in the /usr/lib/security directory. Additional modules may be located in /opt/<pkg>/lib. Architecture specific libraries (for example, sparcv9 or amd64) are located in their respective subdirectories.
For every such module, there should be a corresponding manual page in section 7 which should describe the module_type it supports, the functionality of the module, along with the options it supports. The dependencies should be clearly identified to the system administrator. For example, it should be made clear whether this module is a stand-alone module or depends upon the presence of some other module. One should also specify whether this module should come before or after some other module in the stack.
By convention, the modules should support the following options: debug
Syslog debugging information at LOG_DEBUG level. Be careful as to not log any sensitive information such as passwords.
Turn off warning messages such as "password is about to expire."
If an unsupported option is passed to the modules, it should syslog the error at LOG_ERR level.
The permission bits on the service module should be set such that it is not writable by either "group" or "other." The service module should also be owned by root. The PAM framework will not load the module if the above permission rules are not followed.
ATTRIBUTE TYPE ATTRIBUTE VALUE |
Interface Stability Stable |
MT-Level MT-Safe with exceptions |