PAM(3rad)                  RAD Module Definitions                  PAM(3rad)

NAME
       pam - API for PAM authentication

SYNOPSIS
       interface Authentication
           string   user;
           string[] roles;
           integer  connectionTimeout;

           Block  login(string locale, string username);
           Block  assume(string locale, string rolename);
           Block  submit(secret[] responses);
           opaque createToken();
           redeemToken(string user, opaque token);
           complete();

DESCRIPTION
       API com.oracle.solaris.rad.pam

       This API exposes PAM authentication to rad(1m) clients.

INTERFACES
       interface Authentication
           The authentication interface implements a PAM exchange to
           authenticate rad(1m) clients. Handles to this type of object can be
           retrieved from the RAD server using an object name built with:

               1. the "com.oracle.solaris.rad.pam" domain name
               2. a key named "type" paired with a value of "Authentication"

           The login() method begins a PAM conversation to authenticate as a
           user, while assume() does the same for a role. Each returns a list
           of Block objects encapsulating the status of the conversation, the
           messages that should be displayed, and the input that should be
           collected. At each step, when the requested input has been
           collected, it is submitted using submit(). This method also returns
           a list of Block objects, allowing the conversation to continue
           indefinitely until authentication is complete. When any of the
           three returns a Block whose type is SUCCESS, authentication has
           succeeded and complete() should be called to close the
           conversation.

           A typical algorithm for walking through this conversation might be:

           Example 1. Authentication interface (Python)

               import rad.connect as radcon
               import rad.auth as rada

               # Create a connection
               rc = radcon.connect_tls("host")

               # Get a native-looking python object that throws RAD exceptions
               auth = rada.RadAuth(rc)

               # login with username and password
               auth.pam_login("garypen", "******")
               print(rc)
               rc.close()
               print(rc)

           This example uses the rad.auth module, which makes the simplifying
           assumption that the PAM interaction is as for a default Solaris
           install. If you wish to do something more flexible, you will need
           to interact directly with the PAM module binding.

       Authentication Properties
           string user (read-only, nullable) -- gets the username of the
           connected user

           string[] roles (read-only) -- gets the list of roles available to
           the connected user

           integer connectionTimeout (read-only) -- the PAM conversation
           timeout, in seconds

       Authentication Methods
           Block login(string locale, string username)
               begins a PAM conversation to authenticate as the specified user

               Arguments:
                   locale
                   username
               Result: Block
               Error: (no type)

           Block assume(string locale, string rolename)
               begins a PAM conversation to authenticate as the specified
               role. Like login().

               Arguments:
                   locale
                   rolename
               Result: Block
               Error: (no type)

           Block submit(secret[] responses)
               continues a PAM conversation with information collected from
               the previous step

               Arguments:
                   responses
               Result: Block
               Error: (no type)

           opaque createToken()
               Creates a single-use token that can be redeemed later to
               authenticate a connection as a clone of the caller's. In
               addition to being single-use, the token has a limited
               lifetime.

               Result: opaque
               Error: (no type)

           redeemToken(string user, opaque token)
               Redeems a token, authenticating the current connection with
               the credentials in place when the token was created.

               Arguments:
                   user
                   token
               Error: (no type)

           complete()
               completes the PAM conversation with the RAD server

ENUMERATED TYPES
       enum MsgType
           PROMPT_ECHO_OFF (0) -- a request for non-sensitive information,
           such as a username

           PROMPT_ECHO_ON (1) -- a request for secure/sensitive information,
           such as a password or passphrase

           ERROR_MSG (2) -- an error message to display to the user
           attempting authentication

           TEXT_INFO (3) -- an informational message to display to the user
           attempting authentication

       enum BlockType
           CONV (0) -- conversation must continue

           SUCCESS (1) -- authentication has succeeded

           ERROR (2) -- authentication has failed

STRUCTURE TYPES
       struct Message
           Fields:
               MsgType style -- this message's type
               string message -- the message text

       struct Block
           Fields:
               BlockType type -- the status of the conversation
               Message[] messages (nullable) -- the messages to display to
               the user

       Version: (1.0)

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +--------------------+-------------------------+
       |   ATTRIBUTE TYPE   |     ATTRIBUTE VALUE     |
       +--------------------+-------------------------+
       |Availability        | system/management/rad/* |
       +--------------------+-------------------------+
       |Interface Stability | Private                 |
       +--------------------+-------------------------+

SEE ALSO
       rad(1M)

SunOS 5.11                        2017-05-31                         PAM(3rad)
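The login()/submit()/complete() walk described under INTERFACES, as an added example that is not part of this page, of rad.auth or of the rad bindings: a driver that answers prompt messages through a caller-supplied responder, hands the other message kinds to a display callback, and stops on SUCCESS or ERROR, exercised against a constructed stand-in for the Authentication object. It assumes each call returns a single Block (as in the SYNOPSIS); MAX_ROUNDS, FakeAuthentication and try_login are assumptions added for the example.

```python
from collections import namedtuple
from enum import IntEnum

class MsgType(IntEnum):             # numbering as under ENUMERATED TYPES
    PROMPT_ECHO_OFF, PROMPT_ECHO_ON, ERROR_MSG, TEXT_INFO = range(4)
class BlockType(IntEnum):
    CONV, SUCCESS, ERROR = range(3)

Message = namedtuple("Message", "style message")   # struct Message
Block = namedtuple("Block", "type messages")       # struct Block (messages nullable)
PROMPTS = (MsgType.PROMPT_ECHO_OFF, MsgType.PROMPT_ECHO_ON)
MAX_ROUNDS = 8   # assumption: the client bounds the otherwise indefinite exchange

def converse(auth, locale, username, responder, display=lambda text: None):
    """Drive login()/submit() until SUCCESS or ERROR; complete() always runs."""
    try:
        block = auth.login(locale, username)
        for _ in range(MAX_ROUNDS):
            if block.type != BlockType.CONV:
                return block.type == BlockType.SUCCESS
            responses = []           # one answer per prompt, in message order
            for msg in block.messages or []:
                if msg.style in PROMPTS:
                    responses.append(responder(msg.style, msg.message))
                else:                # ERROR_MSG / TEXT_INFO are display-only
                    display(f"[{msg.style.name}] {msg.message}")
            block = auth.submit(responses)
        return False                 # round cap reached: treat as failure
    finally:
        auth.complete()              # close the conversation on the server

class FakeAuthentication:
    """Constructed stand-in for the RAD Authentication object, not the real binding."""
    def __init__(self, password):
        self.password, self.completed = password, False
    def login(self, locale, username):
        return Block(BlockType.CONV, [Message(MsgType.TEXT_INFO, f"user={username}"),
                                     Message(MsgType.PROMPT_ECHO_OFF, "Password: ")])
    def submit(self, responses):
        if responses == [self.password]:
            return Block(BlockType.SUCCESS, None)
        return Block(BlockType.ERROR, [Message(MsgType.ERROR_MSG, "Login incorrect")])
    def complete(self):
        self.completed = True

def try_login(password, answer):
    """One full conversation against the fake; returns (authenticated, completed)."""
    auth = FakeAuthentication(password)
    ok = converse(auth, "C", "garypen", lambda style, prompt: answer)
    return ok, auth.completed
```

Calling complete() from the finally block means a failed or abandoned exchange still closes its conversation on the RAD server, and the round cap keeps a misbehaving server from holding the client in the exchange indefinitely.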