Firstly, the relevant include file for the Linux-PAM library
is <security/pam_appl.h>
. It contains the definitions
for a number of functions. Before listing these functions, we collect
some guiding remarks for programmers.
In general writers of authorization-granting applications should
assume that each module is likely to call any or all `libc'
functions. For `libc' functions that return pointers to
static/dynamically allocated structures (ie. the library allocates the
memory and the user is not expected to `free()
' it) any module
call to this function is likely to corrupt a pointer previously
obtained by the application. The application programmer should either
re-call such a libc function after any call to the Linux-PAM
library, or copy the structure contents to some safe area of memory
before passing control to the Linux-PAM library.
Here we document those functions in the Linux-PAM library that may be called from an application.
extern int pam_start(char *service_name, char *user, struct
pam_conv *pam_conversation, pam_handle_t **pamh);
This is the first of the Linux-PAM functions that must be
called by an application. It initializes the interface and reads the
system configuration file, /etc/pam.conf
(see
pam.html). Following a successful return (PAM_SUCCESS
)
the contents of *pamh
is a handle that provides continuity
for successive calls to the Linux-PAM library. The arguments
expected by pam_start
are as follows: the
service_name
of the program, the user
name of the
individual to be authenticated, a pointer to an application-supplied
pam_conv
structure and a pointer to a pam_handle_t
pointer.
The pam_conv
structure is discussed more fully below in the
section covering ``What is expected of an application''. The
pam_handle_t
is a blind structure and the
application should not attempt to probe it directly for
information. Instead the Linux-PAM library provides the
functions pam_set_item
and pam_get_item
. These
functions are documented below.
extern int pam_end(pam_handle_t *pamh, int pam_status);
This function is the last function an application should call in the
Linux-PAM library. Upon return the handle pamh
is no
longer valid. Under normal conditions the argument pam_status
has
the value PAM_SUCCESS, but its purpose is to be passed as an argument
to the module specific function cleanup()
(see
pam_modules.html.
extern int pam_set_item(pam_handle_t *pamh, int item_type, const
void *item);
This function is used to (re)set the value of one of the following item_types:
PAM_SERVICE
The service name
PAM_USER
The user name
PAM_TTY
The terminal name
PAM_RHOST
The remote host name
PAM_CONV
The pam_conv structure (see below)
PAM_RUSER
The remote user name
PAM_USER_PROMPT
The string used when prompting for a user's name.
For all item_type
s, but PAM_CONV
, item
is a pointer to
a '\\0'
terminated character string. In the case of PAM_CONV
,
item
points to an initialized pam_conv
structure (see
below).
extern int pam_get_item(const pam_handle_t *pamh, int item_type,
void **item);
This function is used to obtain the value of the indicated
item_type
. Upon successful return, *item
contains a pointer
to the value of the corresponding item. Note, this is a pointer to the
actual data and should not be free()
'ed or
over-written! If an attempt is made to get an undefined item,
PAM_BAD_ITEM
is returned.
extern const char *pam_strerror(int errnum);
This function returns some text describing the Linux-PAM
error associated with the argument errnum
.
extern int pam_authenticate(pam_handle_t *pamh, int flags);
This function serves as an interface to the authentication mechanisms of the loaded modules. Valid flags, which may be logically OR'd, are
PAM_SILENT
Instruct the authentication modules to not generate any messages, and
PAM_DISALLOW_NULL_AUTHTOK
Instruct the authentication modules to return
PAM_AUTHTOKEN_REQD
if the item, PAM_AUTHTOK
, is set to
NULL
.
If one or more of the authentication modules fails to load, for
whatever reason, this function will return PAM_ABORT
.
extern int pam_setcred(pam_handle_t *pamh, int flags);
This function is used to set the module-specific credentials of the
user. It is usually called after the user has been
authenticated. Currently, this function simply calls the
pam_sm_setcred
functions of each of the loaded modules. Valid
flags
, which may be logically OR'd, are:
PAM_CRED_ESTABLISH
Set the credentials for the authentication service,
PAM_CRED_DELETE
Delete the credentials associated with the authentication service,
PAM_CRED_REINITIALIZE
Reinitialize the user credentials, and
PAM_CRED_REFRESH
Extend the lifetime of the user credentials.
extern int pam_acct_mgmt(pam_handle_t *pamh, int flags);
This function is typically called after the user has been
authenticated. It establishes whether the user's account is
healthy. That is to say, whether the user's account is still active
and whether the user is permitted to gain access to the system at this
time. Valid flags, which may be logically OR'd, are the same as those
applicable to the flags
argument of pam_authenticate
.
Currently, this function simply calls the corresponding functions of
each of the loaded modules, as instructed by the configuration file,
/etc/pam.conf
.
extern int pam_open_session(pam_handle_t *pamh, int flags);
This function is used to indicate that an authenticated session has begun. It is used to inform the module that the user is currently in a session. It should be possible for the Linux-PAM library to open a session and close the same session (see below) from different applications.
Currently, this function simply calls each of the corresponding
functions of the loaded modules.
If any of the required loaded modules are unable to open a
session for the user, this function will return PAM_SESSION_ERR
.
extern int pam_close_session(pam_handle_t *pamh, int flags);
This function is used to indicate that an authenticated session has ended. It is used to inform the module that the user is exiting a session. It should be possible for the Linux-PAM library to open a session and close the same session from different applications.
Currently, this function simply calls each of the corresponding
functions of the loaded modules.
If any of the required loaded modules are unable to close a
session for the user, this function will return PAM_SESSION_ERR
.
extern int pam_chauthtok(pam_handle_t *pamh, const int flags);
This function is used to change the authentication token for a given
user (as indicated by the state associated with the handle,
pamh
). Valid flags, which may be logically OR'd, are those
associated with a call to pam_authenticate
above.
An application must provide a ``conversation function''. It is used
for direct communication between a loaded module and the application
and will typically provide a means for the module to prompt the user
for a password etc. . The structure pam_conv
is defined in
<security/pam_appl.h> to be,
struct pam_conv {
int (*conv)(int num_msg,
const struct pam_message **msg,
struct pam_response **resp,
void *appdata_ptr);
void *appdata_ptr;
};
It is initialized by the application before it is passed to the
library. The contents of this structure are attached to the *pamh
handle. The point of this argument is to provide a mechanism for any
loaded module to interact directly with the application program. This
is why it is called a conversation structure.
When a module calls the referenced conv()
function, the argument
*appdata_ptr
is set to the second element of this structure.
The other arguments of a call to conv()
concern the information
exchanged by module and application. That is to say, num_msg
holds the length of the array of pointers, msg
. After a
successful return, the pointer *resp
points to a
pam_response
structure, holding the application supplied text.
The message (from the module to the application) passing structure is
defined in <security/pam_appl.h>
as:
struct pam_message {
int msg_style;
char *msg;
};
Valid choices for msg_style
are:
PAM_PROMPT_ECHO_OFF
Obtain a string without echoing any text
PAM_PROMPT_ECHO_ON
Obtain a string whilst echoing text
PAM_ERROR_MSG
Display an error
PAM_TEXT_INFO
Display some text.
The response (from the application to the module) passing structure is
defined in <security/pam_appl.h>
as:
struct pam_response {
char *resp;
int resp_retcode;
};
Currently, there are no definitions for resp_retcode
values. The
normal response is 0
.