1PAM_GET_AUTHTOK(3) Linux-PAM Manual PAM_GET_AUTHTOK(3)
2
3
4
6 pam_get_authtok, pam_get_authtok_verify, pam_get_authtok_noverify - get
7 authentication token
8
10 #include <security/pam_ext.h>
11
12 int pam_get_authtok(pam_handle_t *pamh, int item, const char **authtok,
13 const char *prompt);
14
15 int pam_get_authtok_noverify(pam_handle_t *pamh, const char **authtok,
16 const char *prompt);
17
18 int pam_get_authtok_verify(pam_handle_t *pamh, const char **authtok,
19 const char *prompt);
20
22 The pam_get_authtok function returns the cached authentication token,
23 or prompts the user if no token is currently cached. It is intended for
24 internal use by Linux-PAM and PAM service modules. Upon successful
25 return, authtok contains a pointer to the value of the authentication
26 token. Note, this is a pointer to the actual data and should not be
27 free()'ed or over-written!
28
29 The prompt argument specifies a prompt to use if no token is cached. If
30 a NULL pointer is given, pam_get_authtok uses pre-defined prompts.
31
32 The following values are supported for item:
33
34 PAM_AUTHTOK
35 Returns the current authentication token. Called from
36 pam_sm_chauthtok(3) pam_get_authtok will ask the user to confirm
37 the new token by retyping it. If a prompt was specified, "Retype"
38 will be used as prefix.
39
40 PAM_OLDAUTHTOK
41 Returns the previous authentication token when changing
42 authentication tokens.
43
44 The pam_get_authtok_noverify function can only be used for changing the
45 password (from pam_sm_chauthtok(3)). It returns the cached
46 authentication token, or prompts the user if no token is currently
47 cached. The difference to pam_get_authtok is, that this function does
48 not ask a second time for the password to verify it. Upon successful
49 return, authtok contains a pointer to the value of the authentication
50 token. Note, this is a pointer to the actual data and should not be
51 free()'ed or over-written!
52
53 The pam_get_authtok_verify function can only be used to verify a
54 password for mistypes gotten by pam_get_authtok_noverify(3). This
55 function asks a second time for the password and verify it with the
56 password provided by authtok argument. In case of an error, the value
57 of authtok is undefined. Else this argument will point to the actual
58 data and should not be free()'ed or over-written!
59
61 pam_get_authtok honours the following module options:
62
63 try_first_pass
64 Before prompting the user for their password, the module first
65 tries the previous stacked module's password in case that satisfies
66 this module as well.
67
68 use_first_pass
69 The argument use_first_pass forces the module to use a previous
70 stacked modules password and will never prompt the user - if no
71 password is available or the password is not appropriate, the user
72 will be denied access.
73
74 use_authtok
75 When password changing enforce the module to set the new token to
76 the one provided by a previously stacked password module. If no
77 token is available token changing will fail.
78
79 authtok_type=XXX
80 The default action is for the module to use the following prompts
81 when requesting passwords: "New UNIX password: " and "Retype UNIX
82 password: ". The example word UNIX can be replaced with this
83 option, by default it is empty.
84
86 PAM_AUTH_ERR
87 Authentication token could not be retrieved.
88
89 PAM_AUTHTOK_ERR
90 New authentication could not be retrieved.
91
92 PAM_SUCCESS
93 Authentication token was successfully retrieved.
94
95 PAM_SYSTEM_ERR
96 No space for an authentication token was provided.
97
98 PAM_TRY_AGAIN
99 New authentication tokens mismatch.
100
102 pam(8)
103
105 The pam_get_authtok function is a Linux-PAM extensions.
106
107
108
109Linux-PAM Manual 11/25/2020 PAM_GET_AUTHTOK(3)