PAM(3rad) RAD Module Definitions PAM(3rad)
NAME
pam - API for PAM authentication
SYNOPSIS
interface Authentication
string user ;
string[] roles ;
integer connectionTimeout ;
Block login(string locale,
string username);
Block assume(string locale,
string rolename);
Block submit(secret[] responses);
opaque createToken();
redeemToken(string user,
opaque token);
complete();
DESCRIPTION
API com.oracle.solaris.rad.pam
This API exposes PAM authentication to rad(1m) clients.
INTERFACES
interface Authentication
The authentication interface implements a PAM exchange to authenticate
rad(1m) clients. Handles to this type of object can be retrieved from
the RAD server using an object name built with:
1. the "com.oracle.solaris.rad.pam" domain name
2. a key named "type" paired with a value of "Authentication"
The login() method begins a PAM conversation to authenticate as a user,
while assume() does the same for a role. Each returns a list of Block
objects encapsulating the status of the conversation, the messages that
should be displayed, and the input that should be collected.
At each step, when the requested input has been collected, it is
submitted using submit(). This method also returns a list of Block
objects, allowing the conversation to continue indefinitely until
authentication is complete.
When any of the three returns a Block whose type is SUCCESS,
authentication has succeeded and complete() should be called to close
the conversation.
A typical algorithm for walking through this conversation might be:
Example 1. Authentication interface (Python)
import rad.connect as radcon
import rad.auth as rada

# Create a TLS connection to the RAD server on "host"
rc = radcon.connect_tls("host")

# Get a native-looking python object that throws RAD exceptions
auth = rada.RadAuth(rc)

# Log in with a username and password ("******" stands in for the real password)
auth.pam_login("garypen", "******")
print(rc)

# Close the connection
rc.close()
print(rc)
This example uses the rad.auth module, which makes the simplifying
assumption that the PAM interaction is that of a default Solaris
install. If you need something more flexible, you will have to
interact directly with the PAM module binding.
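A direct walk of the conversation of that more flexible kind, as an added example that is not part of this man page or of the rad client library: run_conversation() drives any object exposing login()/submit()/complete() according to the Block rules described above (collect a response for every prompt, submit, repeat until a non-CONV Block, then complete()), and FakeAuth is a constructed stand-in for the RAD Authentication object (a password prompt, then a code prompt, then SUCCESS) so the driver can run offline.

```python
from collections import namedtuple
from enum import IntEnum
# Enumerations and structures from pam(3rad), with the same numeric values
MsgType = IntEnum("MsgType", "PROMPT_ECHO_OFF PROMPT_ECHO_ON ERROR_MSG TEXT_INFO", start=0)
BlockType = IntEnum("BlockType", "CONV SUCCESS ERROR", start=0)
Message = namedtuple("Message", "style message")
Block = namedtuple("Block", "type messages", defaults=[None])   # messages is nullable
PROMPTS = (MsgType.PROMPT_ECHO_OFF, MsgType.PROMPT_ECHO_ON)

def run_conversation(auth, locale, username, answer, max_rounds=8):
    """Drive login()/submit() until a non-CONV Block arrives, then complete().
    `answer(msg)` returns the client's response to one prompt Message.
    Returns (final BlockType, texts of the ERROR_MSG/TEXT_INFO messages seen)."""
    shown, blocks = [], auth.login(locale, username)
    for _ in range(max_rounds):                  # bound a server that never finishes
        responses = []
        for blk in (blocks if isinstance(blocks, list) else [blocks]):
            for m in blk.messages or []:
                if m.style not in PROMPTS:
                    shown.append(m.message)      # display errors and info text
                elif blk.type == BlockType.CONV:
                    responses.append(answer(m))  # one response per prompt, in order
            if blk.type != BlockType.CONV:
                auth.complete()    # required after SUCCESS; assumed harmless after ERROR
                return blk.type, shown
        blocks = auth.submit(responses)
    auth.complete()
    return BlockType.ERROR, shown

class FakeAuth:
    """Constructed stand-in for the RAD Authentication object (not the real rad
    client): a password prompt, then a one-time-code prompt, then SUCCESS."""
    def __init__(self, password, code):
        self._pw, self._code, self._step = password, code, 0
        self.user, self.completed = None, False
    def login(self, locale, username):
        self._step, self._user = 1, username
        return [Block(BlockType.CONV, [Message(MsgType.TEXT_INFO, "Welcome to host"),
                                      Message(MsgType.PROMPT_ECHO_OFF, "Password: ")])]
    def submit(self, responses):
        if self._step == 1 and responses == [self._pw]:
            self._step = 2
            return [Block(BlockType.CONV, [Message(MsgType.PROMPT_ECHO_OFF, "Code: ")])]
        if self._step == 2 and responses == [self._code]:
            self.user = self._user               # authenticated: expose the user
            return [Block(BlockType.SUCCESS)]
        return [Block(BlockType.ERROR, [Message(MsgType.ERROR_MSG, "Login incorrect")])]
    def complete(self):
        self.completed = True
```

Against the real rad client, `auth` would be the Authentication object obtained from the RAD server and `answer` would read from the user, hiding input for PROMPT_ECHO_OFF prompts.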
Authentication Properties
string user (read-only, nullable) -- gets the username of the
connected user
string[] roles (read-only) -- gets the list of roles available to
the connected user
integer connectionTimeout (read-only) -- the PAM conversation
timeout, in seconds
Authentication Methods
Block login(string locale, string username)
begins a PAM conversation to authenticate as the specified user
Arguments:
locale
username
Result:
Block
Error:
(no type)
Block assume(string locale, string rolename)
Like login(), begins a PAM conversation, but one that authenticates
as the specified role.
Arguments:
locale
rolename
Result:
Block
Error:
(no type)
Block submit(secret[] responses)
continues a PAM conversation with information collected from
the previous step
Arguments:
responses
Result:
Block
Error:
(no type)
opaque createToken()
Creates a single-use token that can be redeemed later to
authenticate a connection as a clone of the caller's. In
addition to being single-use, the token has a limited lifetime.
Result:
opaque
Error:
(no type)
redeemToken(string user, opaque token)
Redeems a token, authenticating the current connection with the
credentials in place when the token was created.
Arguments:
user
token
Error:
(no type)
complete()
completes the PAM conversation with the RAD server
ENUMERATED TYPES
enum MsgType
PROMPT_ECHO_OFF (0) -- a request for non-sensitive information,
such as a username
PROMPT_ECHO_ON (1) -- a request for secure/sensitive information,
such as a password or passphrase
ERROR_MSG (2) -- an error message to display to the user attempting
authentication
TEXT_INFO (3) -- an informational message to display to the user
attempting authentication
enum BlockType
CONV (0) -- conversation must continue
SUCCESS (1) -- authentication has succeeded
ERROR (2) -- authentication has failed
STRUCTURE TYPES
struct Message
Fields:
MsgType style -- this message's type
string message -- the message text
struct Block
Fields:
BlockType type -- the status of the conversation
Message[] messages (nullable) -- the messages to display to the
user
Version: (1.0)
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Availability | system/management/rad/* |
+--------------------+-------------------------+
|Interface Stability | Private |
+--------------------+-------------------------+
SEE ALSO
rad(1M)
SunOS 5.11 2017-05-31 PAM(3rad)