PAM_SM_CHAUTHTOK(3PAM) PAM Library Functions PAM_SM_CHAUTHTOK(3PAM)
NAME
pam_sm_chauthtok - service provider implementation for pam_chauthtok
SYNOPSIS
cc [
flag ...]
file ...
-lpam [
library ... ]
#include <security/pam_appl.h>
#include <security/pam_modules.h>
int pam_sm_chauthtok(
pam_handle_t *pamh,
int flags,
int argc,
const char **argv);
DESCRIPTION
In response to a call to
pam_chauthtok(3PAM) the
PAM framework calls
pam_sm_chauthtok() from the modules listed in the
pam.conf(5) file. The
password management provider supplies the back-end functionality for this
interface function.
The
pam_sm_chauthtok() function changes the authentication token
associated with a particular user referenced by the authentication handle
pamh.
The following flags may be passed to
pam_chauthtok():
PAM_SILENT The password service should not generate
any messages.
PAM_CHANGE_EXPIRED_AUTHTOK The password service should only update
those passwords that have aged. If this
flag is not passed, the password service
should update all passwords.
PAM_PRELIM_CHECK The password service should only perform
preliminary checks. No passwords should be
updated.
PAM_NO_AUTHTOK_CHECK The password service should not perform
conformance checks on the structure of the
password. Conformance checks do not apply
to verification that the same password was
entered during both passes.
PAM_UPDATE_AUTHTOK The password service should update
passwords.
Note that
PAM_PRELIM_CHECK and
PAM_UPDATE_AUTHTOK cannot be set at the
same time.
Upon successful completion of the call, the authentication token of the
user will be ready for change or will be changed, depending upon the
flag, in accordance with the authentication scheme configured within the
system.
The
argc argument represents the number of module options passed in from
the configuration file
pam.conf(5). The
argv argument specifies the
module options, which are interpreted and processed by the password
management service. Please refer to the specific module man pages for the
various available
options.
It is the responsibility of
pam_sm_chauthtok() to determine if the new
password meets certain strength requirements.
pam_sm_chauthtok() may
continue to re-prompt the user (for a limited number of times) for a new
password until the password entered meets the strength requirements.
Before returning,
pam_sm_chauthtok() should call
pam_get_item() and
retrieve both
PAM_AUTHTOK and
PAM_OLDAUTHTOK. If both are
NULL,
pam_sm_chauthtok() should set them to the new and old passwords as
entered by the user.
RETURN VALUES
Upon successful completion,
PAM_SUCCESS must be returned. The following
values may also be returned:
PAM_PERM_DENIED No permission.
PAM_AUTHTOK_ERR Authentication token manipulation error.
PAM_AUTHTOK_RECOVERY_ERR Old authentication token cannot be
recovered.
PAM_AUTHTOK_LOCK_BUSY Authentication token lock busy.
PAM_AUTHTOK_DISABLE_AGING Authentication token aging disabled.
PAM_USER_UNKNOWN User unknown to password service.
PAM_TRY_AGAIN Preliminary check by password service
failed.
ATTRIBUTES
See
attributes(7) for description of the following attributes:
+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Stable |
+--------------------+-------------------------+
|MT-Level | MT-Safe with exceptions |
+--------------------+-------------------------+
SEE ALSO
libpam(3LIB),
pam(3PAM),
pam_chauthtok(3PAM),
pam_get_data(3PAM),
pam_get_item(3PAM),
pam_set_data(3PAM),
pam.conf(5),
attributes(7),
ping(8)NOTES
The
PAM framework invokes the password services twice. The first time the
modules are invoked with the flag,
PAM_PRELIM_CHECK. During this stage,
the password modules should only perform preliminary checks. For example,
they may
ping remote name services to see if they are ready for updates.
If a password module detects a transient error such as a remote name
service temporarily down, it should return
PAM_TRY_AGAIN to the
PAM framework, which will immediately return the error back to the
application. If all password modules pass the preliminary check, the
PAM framework invokes the password services again with the flag,
PAM_UPDATE_AUTHTOK. During this stage, each password module should
proceed to update the appropriate password. Any error will again be
reported back to application.
If a service module receives the flag
PAM_CHANGE_EXPIRED_AUTHTOK, it
should check whether the password has aged or expired. If the password
has aged or expired, then the service module should proceed to update the
password. If the status indicates that the password has not yet aged or
expired, then the password module should return
PAM_IGNORE.
If a user's password has aged or expired, a
PAM account module could save
this information as state in the authentication handle,
pamh, using
pam_set_data(). The related password management module could retrieve
this information using
pam_get_data() to determine whether or not it
should prompt the user to update the password for this particular module.
The interfaces in
libpam(3LIB) are MT-Safe only if each thread within the
multithreaded application uses its own
PAM handle.
If the
PAM_REPOSITORY item_type is set and a service module does not
recognize the type, the service module does not process any information,
and returns
PAM_IGNORE. If the
PAM_REPOSITORY item_type is not set, a
service module performs its default action.
August 19, 2023
PAM_SM_CHAUTHTOK(3PAM)