1pam_authtok_get(5) Standards, Environments, and Macros pam_authtok_get(5)
2
6 pam_authtok_get - authentication and password management module
7
9 pam_authtok_get.so.1
10
13 The pam_authtok_get service module provides password prompting funtion‐
14 ality to the PAM stack. It implements pam_sm_authenticate() and
15 pam_sm_chauthtok(), providing functionality to both the Authentication
16 Stack and the Password Management Stack.
17 Authentication Service
19 The implementation of pam_sm_authenticate(3PAM) prompts the user name
20 if not set and then tries to get the authentication token from the pam
21 handle. If the token is not set, it then prompts the user for a pass‐
22 word and stores it in the PAM item PAM_AUTHTOK. This module is meant to
23 be the first module on an authentication stack where users are to
24 authenticate using a keyboard.
25 Password Management Service
27 Due to the nature of the PAM Password Management stack traversal mecha‐
28 nism, the pam_sm_chauthtok(3PAM) function is called twice. Once with
29 the PAM_PRELIM_CHECK flag, and one with the PAM_UPDATE_AUTHTOK flag.
30 In the first (PRELIM) invocation, the implementation of pam_sm_chauth‐
33 tok(3PAM) moves the contents of the PAM_AUTHTOK (current authentication
34 token) to PAM_OLDAUTHTOK, and subsequentially prompts the user for a
35 new password. This new password is stored in PAM_AUTHTOK.
36 If a previous module has set PAM_OLDAUTHTOK prior to the invocation of
39 pam_authtok_get, this module turns into a NO-OP and immediately returns
40 PAM_SUCCESS.
41 In the second (UPDATE) invocation, the user is prompted to Re-enter his
44 password. The pam_sm_chauthtok implementation verifies this reentered
45 password with the password stored in PAM_AUTHTOK. If the passwords
46 match, the module returns PAM_SUCCESS.
47 The following option can be passed to the module:
50 debug syslog(3C) debugging information at the LOG_DEBUG level
52
55 The authentication service returns the following error codes:
56 PAM_SUCCESS Successfully obtains authentication token
58 PAM_SYSTEM_ERR Fails to retrieve username, username is NULL or empty
61 The password management service returns the following error codes:
65 PAM_SUCCESS Successfully obtains authentication token
67 PAM_AUTHTOK_ERR Authentication token manipulation error
70
73 See attributes(5) for descriptions of the following attributes:
74 ┌─────────────────────────────┬─────────────────────────────┐
79 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
80 ├─────────────────────────────┼─────────────────────────────┤
81 │Interface Stability │Evolving │
82 ├─────────────────────────────┼─────────────────────────────┤
83 │MT Level │MT-Safe with exceptions │
84 └─────────────────────────────┴─────────────────────────────┘
85
87 pam(3PAM), pam_authenticate(3PAM), syslog(3C), libpam(3LIB),
88 pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5),
89 pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
90 pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)
91
93 The interfaces in libpam(3LIB) are MT-Safe only if each thread within
94 the multi-threaded application uses its own PAM handle.
95 The pam_unix(5) module is no longer supported. Similar functionality is
98 provided by pam_authtok_check(5), pam_authtok_get(5), pam_auth‐
99 tok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5),
100 pam_unix_auth(5), and pam_unix_session(5).
101SunOS 5.11 14 Dec 2004 pam_authtok_get(5)