JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
man pages section 5: Standards, Environments, and Macros
search filter icon
search icon

Document Information

Preface

Introduction

Standards, Environments, and Macros

acl(5)

advance(5)

adv_cap_1000fdx(5)

adv_cap_1000hdx(5)

adv_cap_100fdx(5)

adv_cap_100hdx(5)

adv_cap_10fdx(5)

adv_cap_10hdx(5)

adv_cap_asmpause(5)

adv_cap_autoneg(5)

adv_cap_pause(5)

adv_rem_fault(5)

ANSI(5)

architecture(5)

ascii(5)

attributes(5)

audit_binfile(5)

audit_syslog(5)

availability(5)

brands(5)

C++(5)

C(5)

cancellation(5)

cap_1000fdx(5)

cap_1000hdx(5)

cap_100fdx(5)

cap_100hdx(5)

cap_10fdx(5)

cap_10hdx(5)

cap_asmpause(5)

cap_autoneg(5)

cap_pause(5)

cap_rem_fault(5)

charmap(5)

compile(5)

condition(5)

crypt_bsdbf(5)

crypt_bsdmd5(5)

crypt_sha256(5)

crypt_sha512(5)

crypt_sunmd5(5)

crypt_unix(5)

CSI(5)

device_clean(5)

dhcp(5)

dhcp_modules(5)

environ(5)

eqnchar(5)

extendedFILE(5)

extensions(5)

filesystem(5)

fnmatch(5)

formats(5)

fsattr(5)

grub(5)

gss_auth_rules(5)

iconv_1250(5)

iconv_1251(5)

iconv(5)

iconv_646(5)

iconv_852(5)

iconv_8859-1(5)

iconv_8859-2(5)

iconv_8859-5(5)

iconv_dhn(5)

iconv_koi8-r(5)

iconv_mac_cyr(5)

iconv_maz(5)

iconv_pc_cyr(5)

iconv_unicode(5)

ieee802.3(5)

ipfilter(5)

isalist(5)

ISO(5)

kerberos(5)

krb5_auth_rules(5)

krb5envvar(5)

labels(5)

largefile(5)

lf64(5)

lfcompile(5)

lfcompile64(5)

link_asmpause(5)

link_duplex(5)

link_pause(5)

link_up(5)

live_upgrade(5)

locale(5)

lp_cap_1000fdx(5)

lp_cap_1000hdx(5)

lp_cap_100fdx(5)

lp_cap_100hdx(5)

lp_cap_10fdx(5)

lp_cap_10hdx(5)

lp_cap_asmpause(5)

lp_cap_autoneg(5)

lp_cap_pause(5)

lp_rem_fault(5)

lx(5)

man(5)

mansun(5)

me(5)

mech_spnego(5)

mm(5)

ms(5)

MT-Level(5)

mutex(5)

netsnmp(5)

nfssec(5)

openssl(5)

pam_authtok_check(5)

pam_authtok_get(5)

pam_authtok_store(5)

pam_deny(5)

pam_dhkeys(5)

pam_dial_auth(5)

pam_krb5(5)

pam_krb5_migrate(5)

pam_ldap(5)

pam_list(5)

pam_passwd_auth(5)

pam_projects(5)

pam_rhosts_auth(5)

pam_roles(5)

pam_sample(5)

pam_smartcard(5)

pam_tsol_account(5)

pam_unix_account(5)

pam_unix_auth(5)

pam_unix_cred(5)

pam_unix_session(5)

pkcs11_kernel(5)

pkcs11_softtoken(5)

POSIX.1(5)

POSIX.2(5)

POSIX(5)

privileges(5)

prof(5)

pthreads(5)

RBAC(5)

rbac(5)

regex(5)

regexp(5)

resource_controls(5)

sgml(5)

smartcard(5)

sma_snmp(5)

smf(5)

smf_bootstrap(5)

smf_method(5)

smf_restarter(5)

smf_security(5)

solbook(5)

stability(5)

standard(5)

standards(5)

step(5)

sticky(5)

SUS(5)

SUSv2(5)

SUSv3(5)

SVID3(5)

SVID(5)

tecla(5)

teclarc(5)

term(5)

threads(5)

trusted_extensions(5)

vgrindefs(5)

wbem(5)

xcvr_addr(5)

xcvr_id(5)

xcvr_inuse(5)

XNS4(5)

XNS(5)

XNS5(5)

XPG3(5)

XPG4(5)

XPG4v2(5)

XPG(5)

zones(5)

pam_authtok_get

- authentication and password management module

Synopsis

pam_authtok_get.so.1

Description

The pam_authtok_get service module provides password prompting funtionality to the PAM stack. It implements pam_sm_authenticate() and pam_sm_chauthtok(), providing functionality to both the Authentication Stack and the Password Management Stack.

Authentication Service

The implementation of pam_sm_authenticate(3PAM) prompts the user name if not set and then tries to get the authentication token from the pam handle. If the token is not set, it then prompts the user for a password and stores it in the PAM item PAM_AUTHTOK. This module is meant to be the first module on an authentication stack where users are to authenticate using a keyboard.

Password Management Service

Due to the nature of the PAM Password Management stack traversal mechanism, the pam_sm_chauthtok(3PAM) function is called twice. Once with the PAM_PRELIM_CHECK flag, and one with the PAM_UPDATE_AUTHTOK flag.

In the first (PRELIM) invocation, the implementation of pam_sm_chauthtok(3PAM) moves the contents of the PAM_AUTHTOK (current authentication token) to PAM_OLDAUTHTOK, and subsequentially prompts the user for a new password. This new password is stored in PAM_AUTHTOK.

If a previous module has set PAM_OLDAUTHTOK prior to the invocation of pam_authtok_get, this module turns into a NO-OP and immediately returns PAM_SUCCESS.

In the second (UPDATE) invocation, the user is prompted to Re-enter his password. The pam_sm_chauthtok implementation verifies this reentered password with the password stored in PAM_AUTHTOK. If the passwords match, the module returns PAM_SUCCESS.

The following option can be passed to the module:

debug

syslog(3C) debugging information at the LOG_DEBUG level

Errors

The authentication service returns the following error codes:

PAM_SUCCESS

Successfully obtains authentication token

PAM_SYSTEM_ERR

Fails to retrieve username, username is NULL or empty

The password management service returns the following error codes:

PAM_SUCCESS

Successfully obtains authentication token

PAM_AUTHTOK_ERR

Authentication token manipulation error

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Interface Stability
Evolving
MT Level
MT-Safe with exceptions

See Also

pam(3PAM), pam_authenticate(3PAM), syslog(3C), libpam(3LIB), pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

Notes

The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

The pam_unix(5) module is no longer supported. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).