Developer's Guide to Oracle® Solaris 11 Security


Updated: July 2014

Requirements for PAM Consumers

PAM consumers must be linked with the PAM library libpam. Before an application can use any service that is provided by the modules, the application must initialize its instance of the PAM library by calling pam_start(3PAM). The call to pam_start() initializes a handle that must be passed to all subsequent PAM calls. When an application is finished with the PAM services, pam_end() is called to clean up any data that was used by the PAM library.

Communication between the PAM application and the PAM modules takes place through items. For example, the following items are useful for initialization:

  • PAM_USER – Currently authenticated user

  • PAM_AUTHTOK – Password

  • PAM_USER_PROMPT – User name prompt

  • PAM_TTY – Terminal through which the user communication takes place

  • PAM_RHOST – Remote host through which user enters the system

  • PAM_REPOSITORY – Any restrictions on the user account repository

  • PAM_RESOURCE – Any controls on resources

For a complete list of available items, see pam_set_item(3PAM). Items can be set by the application through pam_set_item(3PAM). Values that have been set by the modules can be retrieved by the application through pam_get_item(3PAM). However, PAM_AUTHTOK and PAM_OLDAUTHTOK cannot be retrieved by the application. The PAM_SERVICE item cannot be set.

Note - PAM consumers must have unique PAM service names which are passed to pam_start(3PAM).
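The sequence above, as an added example in C that is not code from the Oracle guide: a consumer calls pam_start(3PAM) with its own service name, passes the resulting handle to pam_set_item(3PAM), pam_authenticate(3PAM), pam_acct_mgmt(3PAM) and pam_get_item(3PAM), and always finishes with pam_end(3PAM). The service name example-app, the user alice, the password, the tty and the remote host are all constructed values. Built with -DUSE_LIBPAM the program links against the real libpam; without that flag a constructed in-file stand-in for libpam is compiled in so the consumer logic can be run offline. That stand-in is an assumption, not libpam: its item numbers and return codes are invented for this file, it enforces only the two item rules stated in the text (PAM_SERVICE cannot be set, PAM_AUTHTOK and PAM_OLDAUTHTOK cannot be read by the application), and its pam_authenticate() makes no real authentication decision.

```c
/* Added example, not from the Oracle guide: a minimal PAM consumer in C.
 * Real build on Solaris:  cc -DUSE_LIBPAM consumer.c -lpam
 * Without -DUSE_LIBPAM a constructed stand-in for libpam is compiled in so the
 * consumer runs offline. The stand-in is NOT libpam: its item numbers and codes
 * are assumptions, it enforces only the two item rules from the text, and its
 * pam_authenticate() makes no real decision. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef USE_LIBPAM
#include <security/pam_appl.h>
#else
typedef struct pam_handle pam_handle_t;
struct pam_message  { int msg_style; char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, struct pam_message **, struct pam_response **, void *); void *appdata_ptr; };
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_CONV_ERR = 6, PAM_PERM_DENIED = 7 };
enum { PAM_SERVICE = 1, PAM_USER, PAM_TTY, PAM_RHOST, PAM_CONV, PAM_AUTHTOK, PAM_OLDAUTHTOK };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
struct pam_handle { char *item[PAM_OLDAUTHTOK + 1]; const struct pam_conv *conv; };
int pam_start(const char *svc, const char *user, const struct pam_conv *pc, pam_handle_t **ph) {
    pam_handle_t *h = calloc(1, sizeof *h);
    if (!h || !svc || !pc) { free(h); return PAM_SYSTEM_ERR; }
    h->item[PAM_SERVICE] = strdup(svc);                 /* fixed for the handle's lifetime */
    if (user) h->item[PAM_USER] = strdup(user);
    h->conv = pc; *ph = h; return PAM_SUCCESS;
}
int pam_set_item(pam_handle_t *h, int type, const void *v) {   /* PAM_SERVICE is not settable */
    if (type < PAM_USER || type > PAM_OLDAUTHTOK || type == PAM_CONV) return PAM_PERM_DENIED;
    free(h->item[type]); h->item[type] = v ? strdup(v) : NULL; return PAM_SUCCESS;
}
int pam_get_item(const pam_handle_t *h, int type, const void **out) { /* tokens are module-only */
    if (type < PAM_SERVICE || type >= PAM_AUTHTOK) return PAM_PERM_DENIED;
    *out = h->item[type]; return PAM_SUCCESS;
}
int pam_authenticate(pam_handle_t *h, int flags) {  /* prompts through the conversation */
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, "Password: " }, *mp = &m;
    struct pam_response *r = NULL; (void)flags;
    if (h->conv->conv(1, &mp, &r, h->conv->appdata_ptr) != PAM_SUCCESS || !r || !r->resp) {
        free(r); return PAM_CONV_ERR;
    }
    free(h->item[PAM_AUTHTOK]); h->item[PAM_AUTHTOK] = r->resp; free(r); return PAM_SUCCESS;
}
int pam_acct_mgmt(pam_handle_t *h, int flags) { (void)h; (void)flags; return PAM_SUCCESS; }
int pam_end(pam_handle_t *h, int status) {
    (void)status;
    for (int i = 0; i <= PAM_OLDAUTHTOK; i++) free(h->item[i]);
    free(h); return PAM_SUCCESS;
}
#endif
/* Application side. The password comes in through appdata_ptr (constructed for
 * the example); a real consumer reads it from the terminal or its protocol. */
struct creds { const char *password; };
static int app_conv(int n, struct pam_message **msg, struct pam_response **resp, void *appdata) {
    struct creds *c = appdata;
    struct pam_response *r;
    if (n <= 0 || (r = calloc((size_t)n, sizeof *r)) == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF && c && c->password) r[i].resp = strdup(c->password);
        else if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            for (int j = 0; j < i; j++) free(r[j].resp);   /* a prompt we cannot answer */
            free(r); return PAM_CONV_ERR;
        }   /* PAM_ERROR_MSG / PAM_TEXT_INFO would be displayed; resp stays NULL */
    }
    *resp = r; return PAM_SUCCESS;
}
/* One login attempt. The handle from pam_start() is threaded through every call
 * and always released by pam_end(), which receives the last status. */
int pam_login(const char *service, const char *user, const char *password,
              const char *tty, const char *rhost) {
    struct creds c = { password };
    struct pam_conv conv = { app_conv, &c };
    pam_handle_t *pamh = NULL;
    int rc = pam_start(service, user, &conv, &pamh);  /* service: this consumer's unique name */
    if (rc != PAM_SUCCESS) return rc;                  /* no handle, so nothing to pam_end() */
    if (tty) rc = pam_set_item(pamh, PAM_TTY, tty);    /* items the modules consult */
    if (rc == PAM_SUCCESS && rhost) rc = pam_set_item(pamh, PAM_RHOST, rhost);
    if (rc == PAM_SUCCESS) rc = pam_authenticate(pamh, 0);
    if (rc == PAM_SUCCESS) rc = pam_acct_mgmt(pamh, 0); /* expiry, lockout, access hours */
    if (rc == PAM_SUCCESS) {                            /* modules may have mapped the name */
        const void *u = NULL;
        if (pam_get_item(pamh, PAM_USER, &u) == PAM_SUCCESS && u)
            printf("authenticated as %s\n", (const char *)u);
    }
    int end_rc = pam_end(pamh, rc);
    return rc != PAM_SUCCESS ? rc : end_rc;
}
/* The two item rules from the text, checked against the linked libpam: 1 if the
 * application is refused both reading PAM_AUTHTOK and changing PAM_SERVICE. */
int item_rules_enforced(const char *service) {
    struct creds c = { "" };
    struct pam_conv conv = { app_conv, &c };
    pam_handle_t *pamh = NULL;
    const void *tok = NULL;
    if (pam_start(service, "nobody", &conv, &pamh) != PAM_SUCCESS) return 0;
    int ok = pam_get_item(pamh, PAM_AUTHTOK, &tok) != PAM_SUCCESS &&
             pam_set_item(pamh, PAM_SERVICE, "other") != PAM_SUCCESS;
    pam_end(pamh, PAM_SUCCESS);
    return ok;
}
int main(void) {
    int rc = pam_login("example-app", "alice", "s3cret", "/dev/pts/0", "198.51.100.7");
    printf("status %d, item rules enforced: %d\n", rc, item_rules_enforced("example-app"));
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

With the real library, the service name passed to pam_start() must have its own stack configured in pam.conf(4) (or the equivalent per-service file), which is why the note above requires it to be unique: the name selects which modules run for this consumer. pam_login() deliberately never reads PAM_AUTHTOK back; the password exists only inside the conversation callback and the modules, and pam_end() is the only place it is released. item_rules_enforced() is there so that a port of the consumer to another libpam implementation reports whether the same item restrictions apply.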