PAM_AUTHTOK_GET(5) Standards, Environments, and Macros PAM_AUTHTOK_GET(5)


NAME


pam_authtok_get - authentication and password management module

SYNOPSIS


pam_authtok_get.so.1


DESCRIPTION


The pam_authtok_get service module provides password prompting
functionality to the PAM stack. It implements pam_sm_authenticate() and
pam_sm_chauthtok(), providing functionality to both the Authentication
Stack and the Password Management Stack.

Authentication Service


The implementation of pam_sm_authenticate(3PAM) prompts the user name if
not set and then tries to get the authentication token from the pam
handle. If the token is not set, it then prompts the user for a password
and stores it in the PAM item PAM_AUTHTOK. This module is meant to be the
first module on an authentication stack where users are to authenticate
using a keyboard.

Password Management Service


Due to the nature of the PAM Password Management stack traversal
mechanism, the pam_sm_chauthtok(3PAM) function is called twice. Once with
the PAM_PRELIM_CHECK flag, and one with the PAM_UPDATE_AUTHTOK flag.


In the first (PRELIM) invocation, the implementation of
pam_sm_chauthtok(3PAM) moves the contents of the PAM_AUTHTOK (current
authentication token) to PAM_OLDAUTHTOK, and subsequently prompts the
user for a new password. This new password is stored in PAM_AUTHTOK.


If a previous module has set PAM_OLDAUTHTOK prior to the invocation of
pam_authtok_get, this module turns into a NO-OP and immediately returns
PAM_SUCCESS.


In the second (UPDATE) invocation, the user is prompted to Re-enter his
password. The pam_sm_chauthtok implementation verifies this reentered
password with the password stored in PAM_AUTHTOK. If the passwords match,
the module returns PAM_SUCCESS.


The following option can be passed to the module:

debug
syslog(3C) debugging information at the LOG_DEBUG level


ERRORS


The authentication service returns the following error codes:

PAM_SUCCESS
Successfully obtains authentication token


PAM_SYSTEM_ERR
Fails to retrieve username, username is NULL or empty


The password management service returns the following error codes:

PAM_SUCCESS
Successfully obtains authentication token


PAM_AUTHTOK_ERR
Authentication token manipulation error


ATTRIBUTES


See attributes(5) for descriptions of the following attributes:


+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Evolving |
+--------------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+--------------------+-------------------------+

SEE ALSO


pam(3PAM), pam_authenticate(3PAM), syslog(3C), libpam(3LIB), pam.conf(4),
attributes(5), pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES


The interfaces in libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.


The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


April 9, 2016 PAM_AUTHTOK_GET(5)