HP-UX Reference (11i v2 07/12) - 3 Library Functions N-Z (vol 7)

pam(3) pam(3)
To perform session management, applications call pam_open_session(). For example, the system
may want to store the total time for the session. The function pam_close_session() closes the
current session.
When necessary, applications can call pam_get_item() and pam_set_item() to access and update
specific authentication information. Such information may include the current username.
To terminate an authentication transaction, the application simply calls pam_end(), which frees
previously allocated space used to store authentication information.
Application - Authentication Service Interactive Interface
The authentication service in PAM does not communicate directly with the user; instead it relies on the
application to perform all such interactions. The application passes a pointer to the function, conv(),
along with any associated application data pointers, through a pam_conv structure to the authentication
service when it initiates an authentication transaction (via a call to pam_start()). The service will then
use the function, conv(), to prompt the user for data, output error messages, and display text
information. Refer to pam_start(3) for more information.
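A non-interactive conv() of the kind described above, for an application that already holds the user's password; this is an added example, not code from the HP-UX reference. The names app_conv, app_creds and drop_replies are hypothetical, the stand-in declarations apply only where <security/pam_appl.h> is absent, and the prototype (const-qualified msg treated as an array of pointers) is an assumption to check against pam_start(3) on the target platform.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__has_include)
# if !__has_include(<security/pam_appl.h>)
#  define NO_PAM_HEADER 1
# endif
#endif
#ifndef NO_PAM_HEADER
# include <security/pam_appl.h>
#else /* stand-ins so the example builds without PAM headers; values are placeholders */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR, PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
#endif
/* Hypothetical application data, reached by conv() through pam_conv.appdata_ptr. */
struct app_creds { const char *password; int info_lines; };
/* Zero and free every reply built so far, so no secret outlives a failed conversation. */
static void drop_replies(struct pam_response *r, int n) {
    for (int i = 0; i < n; i++) {
        for (volatile char *p = r[i].resp; p && *p; p++) *p = 0;
        free(r[i].resp);
    }
    free(r);
}
/* conv(): called by the service module; all user interaction happens here.
   Assumption: msg is an array of n pointers (msg[i]->...), not a pointer to an array. */
int app_conv(int n, const struct pam_message **msg,
             struct pam_response **resp, void *appdata) {
    struct app_creds *c = appdata;
    if (n <= 0 || !msg || !resp || !c) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        size_t len = c->password ? strlen(c->password) + 1 : 0;
        switch (msg[i] ? msg[i]->msg_style : -1) {
        case PAM_PROMPT_ECHO_OFF:          /* secret prompt: reply with a heap copy */
            if (!len || !(r[i].resp = malloc(len))) { drop_replies(r, n); return PAM_CONV_ERR; }
            memcpy(r[i].resp, c->password, len);
            break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO:   /* display only, no reply expected */
            fprintf(stderr, "pam: %s\n", msg[i]->msg); c->info_lines++;
            break;
        default:                           /* any prompt we cannot answer: fail closed */
            drop_replies(r, n); return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

The application places app_conv and a pointer to its app_creds in the pam_conv structure it passes to pam_start(); the caller of conv() owns the returned replies and frees them.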
Stacking Multiple Schemes
The PAM architecture enables authentication by multiple authentication services through stacking. System
entry applications, such as login(1), stack multiple service modules to authenticate users with multiple
authentication services. The order in which authentication service modules are stacked is specified in the
configuration file, pam.conf(4). A system administrator determines this ordering, and also determines
whether the same password can be used for all authentication services.
Administrative Interface
Various authentication services are implemented by their own loadable modules whose paths are specified
through the pam.conf(4) file.
User configuration
The system administrator can define policy on a per-user basis. Per-user policies are specified in the
configuration files pam.conf(4) and pam_user.conf(4).
APPLICATION USAGE
All the pam_*() interfaces implemented in the PAM framework, libpam, are thread-safe. A cancellation
point may occur while a thread is executing any of these interfaces. They are not cancel-safe,
async-cancel-safe, nor async-signal-safe. However, system administrators should be aware that the
pam_authenticate(), pam_open_session(), pam_close_session(), pam_chauthtok(), pam_setcred(), and
pam_acct_mgmt() interfaces invoke the corresponding pam_sm_*() interfaces implemented in the
dynamically loadable modules specified in the configuration file, pam.conf(4). Therefore, the
thread-safety of these interfaces depends on the implementation of the service module. Refer to
module specific man pages such as pam_unix(5) for this information.
RETURN VALUE
The PAM functions may return one of the following generic values, or one of the values defined in the
specific man pages:
PAM_SUCCESS        Successful function return.
PAM_OPEN_ERR       Failure in dynamically loading a service module.
PAM_SYMBOL_ERR     Symbol not found.
PAM_SERVICE_ERR    Error in service module.
PAM_SYSTEM_ERR     System error.
PAM_BUF_ERR        Memory buffer error.
PAM_CONV_ERR       Conversation failure.
PAM_PERM_DENIED    Permission denied.
WARNINGS
Please note that all the PAM APIs and the data structures are subject to change without notice.
SEE ALSO
pam_authenticate(3), pam_open_session(3), pam_chauthtok(3), pam_set_item(3), pam_setcred(3),
pam_sm(3), pam_start(3), pam_strerror(3), pam.conf(4), pam_user.conf(4).
118 Hewlett-Packard Company − 2 − HP-UX 11i Version 2: December 2007 Update