To ensure that the authentication tokens are not left lying around the
items, PAM_AUTHTOK
and PAM_OLDAUTHTOK
, are reset to NULL
when process control passes back to the application. This is an action
of pam_get_user
and the last action of functions
pam_authenticate()
and pam_chauthtok()
. The module
developer must ensure that before calling the application
supplied conversation function both of the authentication tokens are
reset to NULL (via two calls to pam_set_item()
).