PAM_AUTHTOK_GET(7)   Standards, Environments, and Macros  PAM_AUTHTOK_GET(7)
NAME
       pam_authtok_get - authentication and password management module
SYNOPSIS
       pam_authtok_get.so.1
DESCRIPTION
       The pam_authtok_get service module provides password prompting
       functionality to the PAM stack. It implements
       pam_sm_authenticate(3PAM) and pam_sm_chauthtok(3PAM), providing
       functionality to both the Authentication Stack and the Password
       Management Stack.
   Authentication Service
       The implementation of pam_sm_authenticate(3PAM) prompts for the user
       name if it is not set and then tries to get the authentication token
       from the PAM handle. If the token is not set, it then prompts the
       user for a password and stores it in the PAM item PAM_AUTHTOK. This
       module is meant to be the first module on an authentication stack
       where users are to authenticate using a keyboard.
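
       The placement rule above can be checked against a configuration
       file. The following Python sketch is an added example, not part of
       this manual page or of the module's source. It assumes the
       pam.conf(5) line layout (service, module type, control flag, module
       path, options); the sample configuration is constructed.

```python
# Added example: audit pam.conf(5)-style text for pam_authtok_get placement.
import os
from collections import OrderedDict

MODULE = "pam_authtok_get.so.1"

# Constructed sample input, not taken from a real system.
SAMPLE_PAM_CONF = """\
# service  type      control     module                options
login      auth      requisite   pam_authtok_get.so.1
login      auth      required    pam_unix_auth.so.1
rlogin     auth      sufficient  pam_rhosts_auth.so.1
rlogin     auth      requisite   pam_authtok_get.so.1  debug
rlogin     auth      required    pam_unix_auth.so.1
ftp        auth      required    pam_unix_auth.so.1
other      password  requisite   pam_authtok_get.so.1
"""

def auth_stacks(text):
    """Return {service: [(module_basename, options), ...]} for auth lines, in file order."""
    stacks = OrderedDict()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 4 or fields[1].lower() != "auth":
            continue                            # blank, malformed, or another stack
        service, _type, _flag, path, *opts = fields
        stacks.setdefault(service, []).append((os.path.basename(path), opts))
    return stacks

def audit(text):
    """Map each service to (placement of MODULE in its auth stack, debug option set?)."""
    findings = {}
    for service, stack in auth_stacks(text).items():
        names = [name for name, _ in stack]
        if MODULE not in names:
            status = "absent"
        elif names[0] == MODULE:
            status = "first"
        else:
            earlier = names[:names.index(MODULE)]
            status = "not-first (after %s)" % ", ".join(earlier)
        debug = any("debug" in opts for name, opts in stack if name == MODULE)
        findings[service] = (status, debug)
    return findings

if __name__ == "__main__":
    for service, (status, debug) in audit(SAMPLE_PAM_CONF).items():
        print("%-8s %-40s debug=%s" % (service, status, debug))
```

       A "not-first" or "absent" result is a prompt for review, not
       necessarily a fault: a stack that is not keyboard-driven may be
       ordered differently on purpose.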
   Password Management Service
       Due to the nature of the PAM Password Management stack traversal
       mechanism, the pam_sm_chauthtok(3PAM) function is called twice: once
       with the PAM_PRELIM_CHECK flag, and once with the PAM_UPDATE_AUTHTOK
       flag.

       In the first (PRELIM) invocation, the implementation of
       pam_sm_chauthtok(3PAM) moves the contents of the PAM_AUTHTOK (current
       authentication token) to PAM_OLDAUTHTOK, and subsequently prompts the
       user for a new password. This new password is stored in PAM_AUTHTOK.

       If a previous module has set PAM_OLDAUTHTOK prior to the invocation
       of pam_authtok_get, this module turns into a NO-OP and immediately
       returns PAM_SUCCESS.

       In the second (UPDATE) invocation, the user is prompted to re-enter
       his password. The pam_sm_chauthtok implementation verifies this
       re-entered password against the password stored in PAM_AUTHTOK. If
       the passwords match, the module returns PAM_SUCCESS.

       The following option can be passed to the module:

       debug    syslog(3C) debugging information at the LOG_DEBUG level
ERRORS
       The authentication service returns the following error codes:

       PAM_SUCCESS        Successfully obtains authentication token

       PAM_SYSTEM_ERR     Fails to retrieve username, username is NULL or
                          empty

       The password management service returns the following error codes:

       PAM_SUCCESS        Successfully obtains authentication token

       PAM_AUTHTOK_ERR    Authentication token manipulation error
ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:
       +--------------------+-------------------------+
       |  ATTRIBUTE TYPE    |     ATTRIBUTE VALUE     |
       +--------------------+-------------------------+
       |Interface Stability | Evolving                |
       +--------------------+-------------------------+
       |MT Level            | MT-Safe with exceptions |
       +--------------------+-------------------------+
SEE ALSO
       pam(3PAM), pam_authenticate(3PAM), pam_sm_authenticate(3PAM),
       pam_sm_chauthtok(3PAM), syslog(3C), libpam(3LIB), pam.conf(5),
       attributes(7), pam_authtok_check(7), pam_authtok_store(7),
       pam_dhkeys(7), pam_passwd_auth(7), pam_unix_account(7),
       pam_unix_auth(7), pam_unix_session(7)
NOTES
       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(7) module is no longer supported. Similar functionality
       is provided by pam_authtok_check(7), pam_authtok_get(7),
       pam_authtok_store(7), pam_dhkeys(7), pam_passwd_auth(7),
       pam_unix_account(7), pam_unix_auth(7), and pam_unix_session(7).
                               August 9, 2023             PAM_AUTHTOK_GET(7)