1pam_unix_cred(5) Standards, Environments, and Macros pam_unix_cred(5)
2
6 pam_unix_cred - PAM user credential authentication module for UNIX
7
9 pam_unix_cred.so.1
10
13 The pam_unix_cred module implements pam_sm_setcred(3PAM). It provides
14 functions that establish user credential information. It is a module
15 separate from the pam_unix_auth(5) module to allow replacement of the
16 authentication functionality independently from the credential func‐
17 tionality.
18 The pam_unix_cred module must always be stacked along with whatever
21 authentication module is used to ensure correct credential setting.
22 Authentication service modules must implement both pam_sm_authenti‐
25 cate() and pam_sm_setcred().
26 pam_sm_authenticate() in this module always returns PAM_IGNORE.
29 pam_sm_setcred() initializes the user's project, privilege sets and
32 initializes or updates the user's audit context if it hasn't already
33 been initialized. The following flags may be set in the flags field:
34 PAM_ESTABLISH_CRED
36 PAM_REFRESH_CRED
37 PAM_REINITIALIZE_CRED
38 Initializes the user's project to the project specified in
40 PAM_RESOURCE, or if PAM_RESOURCE is not specified, to the user's
41 default project. Establishes the user's privilege sets.
42 If the audit context is not already initialized and auditing is
44 configured, these flags cause the context to be initialized to that
45 of the user specified in PAM_AUSER (if any) merged with the user
46 specified in PAM_USER and host specified in PAM_RHOST. If PAM_RHOST
47 is not specified, PAM_TTY specifies the local terminal name.
48 Attributing audit to PAM_AUSER and merging PAM_USER is required for
49 correctly attributing auditing when the system entry is performed
50 by another user that can be identified as trustworthy.
51 If the audit context is already initialized, the PAM_REINITIAL‐
53 IZE_CRED flag merges the current audit context with that of the
54 user specified in PAM_USER. PAM_REINITIALIZE_CRED is useful when a
55 user is assuming a new identity, as with su(1M).
56 PAM_DELETE_CRED
59 This flag has no effect and always returns PAM_SUCCESS.
61 The following options are interpreted:
65 debug Provides syslog(3C) debugging information at the LOG_DEBUG
67 level.
68 nowarn Disables any warning messages.
71
74 Upon successful completion of pam_sm_setcred(), PAM_SUCCESS is
75 returned. The following error codes are returned upon error:
76 PAM_CRED_UNAVAIL Underlying authentication service cannot retrieve
78 user credentials
79 PAM_CRED_EXPIRED User credentials have expired
82 PAM_USER_UNKNOWN User is unknown to the authentication service
85 PAM_CRED_ERR Failure in setting user credentials
88 PAM_BUF_ERR Memory buffer error
91 PAM_SYSTEM_ERR System error
94 The following values are returned from pam_sm_authenticate():
98 PAM_IGNORE Ignores this module regardless of the control flag
100
103 See attributes(5) for descriptions of the following attributes:
104 ┌─────────────────────────────┬─────────────────────────────┐
109 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
110 ├─────────────────────────────┼─────────────────────────────┤
111 │Interface Stability │Evolving │
112 ├─────────────────────────────┼─────────────────────────────┤
113 │MT Level │MT-Safe with exceptions │
114 └─────────────────────────────┴─────────────────────────────┘
115
117 ssh(1), su(1M), settaskid(2), libpam(3LIB), getprojent(3PROJECT),
118 pam(3PAM), pam_set_item(3PAM), pam_sm_authenticate(3PAM), syslog(3C),
119 setproject(3PROJECT),pam.conf(4), nsswitch.conf(4), project(4),
120 attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_auth‐
121 tok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_auth(5),
122 pam_unix_account(5), pam_unix_session(5), privileges(5)
123
125 The interfaces in libpam(3LIB) are MT-Safe only if each thread within
126 the multi-threaded application uses its own PAM handle.
127 If this module is replaced, the audit context and credential may not be
130 correctly configured.
131SunOS 5.11 9 Mar 2005 pam_unix_cred(5)