pam_sm.3 (2010 09)
pam_sm(3) pam_sm(3)
NAME
pam_sm - PAM Service Module APIs
SYNOPSIS
#include <security/pam_appl.h>
#include <security/pam_modules.h>
cc [ flag ... ] file ... -lpam [ library ... ]
DESCRIPTION
PAM gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The framework also allows new authentication service modules to be plugged in and made available without modifying the applications.

The PAM framework, libpam, consists of an interface library and multiple authentication service modules. The PAM interface library is the layer implementing the Application Programming Interface (API). The authentication service modules are a set of dynamically loadable objects invoked by the PAM API to provide a particular type of user authentication.
This manual page gives an overview of the PAM APIs for the service modules.
Interface Overview
The PAM service module interface consists of functions which can be grouped into four categories. The names for all the authentication library functions start with pam_sm. The only difference between the pam_*() interfaces and their corresponding pam_sm_*() interfaces is that all the pam_sm_*() interfaces require extra parameters to pass service specific options to the shared modules. They are otherwise identical.
The first category contains functions to authenticate an individual user (pam_sm_authenticate(3)) and to set the credentials of the user (pam_sm_setcred(3)). These back-end functions implement the functionality of pam_authenticate(3) and pam_setcred(3), respectively.
The second category contains functions to do account management (pam_sm_acct_mgmt(3)). This
includes checking for password aging and access-hour restrictions. This back-end function implements
the functionality of pam_acct_mgmt(3).
The third category contains functions to perform session management (pam_sm_open_session(3) and pam_sm_close_session(3)) after access to the system has been granted. These back-end functions implement the functionality of pam_open_session(3) and pam_close_session(3), respectively.
The fourth category consists of a function to change authentication tokens (pam_sm_chauthtok(3)). This back-end function implements the functionality of pam_chauthtok(3).
Stateful Interface
A sequence of calls sharing a common set of state information is referred to as an authentication transaction. An authentication transaction begins with a call to pam_start(). pam_start() allocates space, performs various initialization activities, and assigns an authentication handle to be used for subsequent calls to the library. Note that the service modules do not get called or initialized when pam_start() is called. The modules are loaded and the symbols resolved upon first use of that function.
The PAM handle keeps certain information about the transaction that can be accessed through the pam_get_item() API. Though the modules can also use pam_set_item() to change any of the item information, it is recommended that nothing be changed except PAM_AUTHTOK and PAM_OLDAUTHTOK.
If the modules want to store any module specific state information then they can use the pam_set_data(3) function to store that information with the PAM handle. The data should be stored with a name which is unique across all modules and module types. Some modules use this technique to share data across two different module types.
For example, during the call to pam_authenticate(), the UNIX module may store the authentication status (success or reason for failure) in the handle, using a unique name. This information is intended for use by pam_setcred().
During the call to pam_acct_mgmt(), the account modules may store data in the handle to indicate which passwords have aged. This information is intended for use by pam_chauthtok().
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1