pam_acct_mgmt, pam_authenticate, pam_chauthtok, pam_close_session, pam_end, pam_get_data, pam_get_item, pam_get_user, pam_getenv, pam_getenvlist, pam_open_session, pam_putenv, pam_set_data, pam_set_item, pam_setcred, pam_start, pam_strerror
Linux-PAM system administrators' guide
The user requesting authentication is called the applicant,
while the user (usually, root) charged with verifying his
identity and granting him the requested credentials is called the arbitrator.
The sequence of operations the server goes through to authenticate a user and perform whatever task he requested is a PAM transaction; the context within which the server performs the requested task is called a session.
The functionality embodied by PAM is divided into primitives, grouped into facilities:
set_data and get_data manage named chunks of free-form data, generally used by modules to store state from one invocation to another.
#include <security/pam_appl.h> int pam_acct_mgmt(pam_handle_t *pamh, int flags); int pam_open_session(pam_handle_t *pamh, int flags); int pam_authenticate(pam_handle_t *pamh, int flags); int pam_chauthtok(pam_handle_t *pamh, int flags); int pam_get_data(const pam_handle_t *pamh, const char *module_data_name, const void **data); int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item); int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt); const char * pam_getenv(pam_handle_t *pamh, const char *name); char ** pam_getenvlist(pam_handle_t *pamh); int pam_putenv(pam_handle_t *pamh, const char *namevalue); int pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data, void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)); int pam_set_item(pam_handle_t *pamh, int item_type, const void *item); int pam_setcred(pam_handle_t *pamh, int flags); int pam_start(const char *service, const char *user, const struct pam_conv *pam_conv, pam_handle_t **pamh); int pam_close_session(pam_handle_t *pamh, int flags); int pam_end(pam_handle_t *pamh, int status); const char * pam_strerror(const pam_handle_t *pamh, int error_number);
The following return codes are defined in <security/pam_constants.h>:
[PAM_ABORT] General failure. [PAM_ACCT_EXPIRED] [PAM_AUTHINFO_UNAVAIL] [PAM_AUTHTOK_DISABLE_AGING] [PAM_AUTHTOK_ERR] [PAM_AUTHTOK_EXPIRED] [PAM_AUTHTOK_LOCK_BUSY] [PAM_AUTHTOK_RECOVERY_ERR] Failed to recover old authentication token. [PAM_AUTH_ERR] [PAM_CONV_ERR] [PAM_BUF_ERR] [PAM_CRED_ERR] Failed to set user credentials. [PAM_CRED_EXPIRED] [PAM_CRED_INSUFFICIENT] [PAM_CRED_UNAVAIL] Failed to retrieve user credentials. [PAM_DOMAIN_UNKNOWN] Unknown authentication domain. [PAM_IGNORE] [PAM_MAXTRIES] [PAM_MODULE_UNKNOWN] Unknown module type. [PAM_NEW_AUTHTOK_REQD] [PAM_NO_MODULE_DATA] [PAM_OPEN_ERR] Failed to load module. [PAM_PERM_DENIED] [PAM_SUCCESS] [PAM_SERVICE_ERR] [PAM_SESSION_ERR] [PAM_SYMBOL_ERR] [PAM_SYSTEM_ERR] [PAM_TRY_AGAIN] [PAM_USER_UNKNOWN]