unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

pam_authtok_get(5)    Standards, Environments, and Macros   pam_authtok_get(5)



NAME
       pam_authtok_get - authentication and password management module

SYNOPSIS
       pam_authtok_get.so.1

DESCRIPTION
       The pam_authtok_get service module provides password prompting funtion-
       ality  to  the  PAM  stack.  It  implements  pam_sm_authenticate()  and
       pam_sm_chauthtok(),  providing functionality to both the Authentication
       Stack and the Password Management Stack.

   Authentication Service
       The implementation of pam_sm_authenticate(3PAM) prompts the  user  name
       if  not set and then tries to get the authentication token from the pam
       handle. If the token is not set, it then prompts the user for  a  pass-
       word and stores it in the PAM item PAM_AUTHTOK. This module is meant to
       be the first module on an  authentication  stack  where  users  are  to
       authenticate using a keyboard.

   Password Management Service
       Due to the nature of the PAM Password Management stack traversal mecha-
       nism, the pam_sm_chauthtok(3PAM) function is called  twice.  Once  with
       the PAM_PRELIM_CHECK flag, and one with the PAM_UPDATE_AUTHTOK flag.

       In  the first (PRELIM) invocation, the implementation of pam_sm_chauth-
       tok(3PAM) moves the contents of the PAM_AUTHTOK (current authentication
       token)  to  PAM_OLDAUTHTOK,  and subsequentially prompts the user for a
       new password. This new password is stored in PAM_AUTHTOK.

       If a previous module has set PAM_OLDAUTHTOK prior to the invocation  of
       pam_authtok_get, this module turns into a NO-OP and immediately returns
       PAM_SUCCESS.

       In the second (UPDATE) invocation, the user is prompted to Re-enter his
       password.  The  pam_sm_chauthtok implementation verifies this reentered
       password with the password stored  in  PAM_AUTHTOK.  If  the  passwords
       match, the module returns PAM_SUCCESS.

       The following option can be passed to the module:

       debug           syslog(3C) debugging information at the LOG_DEBUG level



ERRORS
       The authentication service returns the following error codes:

       PAM_SUCCESS             Successfully obtains authentication token



       PAM_SYSTEM_ERR          Fails to retrieve username, username is NULL or
                               empty



       The password management service returns the following error codes:

       PAM_SUCCESS             Successfully obtains authentication token



       PAM_AUTHTOK_ERR         Authentication token manipulation error



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).  ATTRIBUTE TYPEATTRIBUTE VALUE Interface StabilityEvolv-
       ing MT LevelMT-Safe with exceptions


SEE ALSO
       pam(3PAM),    pam_authenticate(3PAM),     syslog(3C),     libpam(3LIB),
       pam.conf(4),  attributes(5),  pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5),        pam_dhkeys(5),         pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES
       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided   by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth-
       tok_store(5), pam_dhkeys(5),  pam_passwd_auth(5),  pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).



SunOS 5.10                        14 Dec 2004               pam_authtok_get(5)