PAM_SET_ITEM(3PAM) PAM Library Functions PAM_SET_ITEM(3PAM)
NAME
pam_set_item, pam_get_item - authentication information routines for PAM
SYNOPSIS
cc [ flag ... ] file ... -lpam [ library ... ]
#include <security/pam_appl.h>
int pam_set_item(pam_handle_t *pamh, int item_type, const void *item);
int pam_get_item(const pam_handle_t *pamh, int item_type, void **item);
DESCRIPTION
The pam_get_item() and pam_set_item() functions allow applications and PAM service modules to access and to update PAM information as needed. The information is specified by item_type, and can be one of the following:
PAM_AUSER        The authenticated user name. Applications that are trusted to correctly identify the authenticated user should set this item to the authenticated user name. See NOTES and pam_unix_cred(7).
PAM_AUTHTOK      The user authentication token.
PAM_CONV         The pam_conv structure.
PAM_OLDAUTHTOK   The old user authentication token.
PAM_RESOURCE     A semicolon-separated list of key=value pairs that represent the set of resource controls for application by pam_setcred(3PAM) or pam_open_session(3PAM). See the individual service module definitions, such as pam_unix_cred(7), for interpretations of the keys and values.
PAM_RHOST        The remote host name.
PAM_RUSER        The rlogin/rsh untrusted remote user name.
PAM_SERVICE      The service name.
PAM_TTY          The tty name.
PAM_USER         The user name.
PAM_USER_PROMPT  The default prompt used by pam_get_user().
PAM_REPOSITORY   The repository that contains the authentication token information.
The pam_repository structure is defined as:
struct pam_repository {
    char   *type;       /* Repository type, e.g., files, nis, ldap */
    void   *scope;      /* Optional scope information */
    size_t  scope_len;  /* length of scope information */
};
The item_type PAM_SERVICE can be set only by pam_start() and is read-only to both applications and service modules.
For security reasons, the item_type PAM_AUTHTOK and PAM_OLDAUTHTOK are available only to the module providers. The authentication module, account module, and session management module should treat PAM_AUTHTOK as the current authentication token and ignore PAM_OLDAUTHTOK. The password management module should treat PAM_OLDAUTHTOK as the current authentication token and PAM_AUTHTOK as the new authentication token.
The pam_set_item() function is passed the authentication handle, pamh, returned by pam_start(), a pointer to the object, item, and its type, item_type. If successful, pam_set_item() copies the item to an internal storage area allocated by the authentication module and returns PAM_SUCCESS. An item that had been previously set will be overwritten by the new value.
The pam_get_item() function is passed the authentication handle, pamh, returned by pam_start(), an item_type, and the address of the pointer, item, which is assigned the address of the requested object. The object data is valid until modified by a subsequent call to pam_set_item() for the same item_type, or unless it is modified by any of the underlying service modules. If the item has not been previously set, pam_get_item() returns a null pointer. An item retrieved by pam_get_item() should not be modified or freed. The item will be released by pam_end().
RETURN VALUES
Upon success, pam_get_item() returns PAM_SUCCESS; otherwise it returns an error code. Refer to pam(3PAM) for information on error related return values.
ATTRIBUTES
See attributes(7) for a description of the following attributes:
+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Stable |
+--------------------+-------------------------+
|MT-Level | MT-Safe with exceptions |
+--------------------+-------------------------+
The functions in libpam(3LIB) are MT-Safe only if each thread within the multithreaded application uses its own PAM handle.
SEE ALSO
libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM), pam_authenticate(3PAM), pam_chauthtok(3PAM), pam_get_user(3PAM), pam_open_session(3PAM), pam_setcred(3PAM), pam_start(3PAM), attributes(7), pam_unix_cred(7)
NOTES
If the PAM_REPOSITORY item_type is set and a service module does not recognize the type, the service module does not process any information, and returns PAM_IGNORE. If the PAM_REPOSITORY item_type is not set, a service module performs its default action.
PAM_AUSER is not intended as a replacement for PAM_USER. It is expected to be used to supplement PAM_USER when there is an authenticated user from a source other than pam_authenticate(3PAM). Such sources could be sshd host-based authentication, kerberized rlogin, and su(8).
October 31, 2006