pam_unix_cred - PAM user credential authentication module for UNIX
The pam_unix_cred module implements pam_sm_setcred(3PAM). It provides functions that establish user credential information. It is a module separate from the pam_unix_auth(7) module to allow replacement of the authentication functionality independently from the credential functionality.
The pam_unix_cred module must always be stacked along with whatever authentication module is used to ensure correct credential setting.
Authentication service modules must implement both pam_sm_authenticate() and pam_sm_setcred().
pam_sm_authenticate() in this module always returns PAM_IGNORE.
pam_sm_setcred() initializes the user's project, privilege sets, initializes or updates the user's audit context if it hasn't already been initialized, and sets the process clearance.
The new clearance is set to the lower bound of the current process clearance and the minimum label returned by getuserrange(3TSOL). If these two labels are disjoint, the clearance is set to the greatest lower bound.
The following flags may be set in the flags field:
Initializes the user's project to the project specified in PAM_RESOURCE, or if PAM_RESOURCE is not specified, to the user's default project. Establishes the user's privilege sets.
If the audit context is not already initialized and auditing is configured, these flags cause the context to be initialized to that of the user specified in PAM_AUSER (if any) merged with the user specified in PAM_USER and host specified in PAM_RHOST. If PAM_RHOST is not specified, PAM_TTY specifies the local terminal name. Attributing audit to PAM_AUSER and merging PAM_USER is required for correctly attributing auditing when the system entry is performed by another user that can be identified as trustworthy.
If the audit context is already initialized, the PAM_REINITIALIZE_CRED flag merges the current audit context with that of the user specified in PAM_USER. PAM_REINITIALIZE_CRED is useful when a user is assuming a new identity, as with su(8).
Prompt for an "audit record annotation string" for a PAM_USER, who is configured to request audit record annotation.
This flag has no effect and always returns PAM_SUCCESS.
The following options are interpreted:
Provides syslog(3C) debugging information at the LOG_DEBUG level.
Disables any warning messages.
Do not prompt for audit record annotation. It is an error to include this option and the annotation_prompt= option.
Provides a prompt string to override the default audit record annotation prompt of Session Annotation:. The prompt string must immediately follow the =. If the string following the = contains white space, it must be surrounded by quotation marks, for example annotation_prompt=My Prompt String. It is an error to include this option and the noannotation option.
Upon successful completion of pam_sm_setcred(), PAM_SUCCESS is returned. The following error codes are returned upon error:
Underlying authentication service cannot retrieve user credentials
User credentials have expired
User is unknown to the authentication service
Failure in setting user credentials
Memory buffer error
An illegal option
The following values are returned from pam_sm_authenticate():
Ignores this module regardless of the control flag
See attributes(7) for descriptions of the following attributes:
ssh(1), settaskid(2), syslog(3C), libpam(3LIB), pam(3PAM), pam_set_item(3PAM), pam_sm_authenticate(3PAM), setproject(3PROJECT), getprojent(3PROJECT), nsswitch.conf(5), pam.conf(5), project(5), user_attr(5), attributes(7), labels(7), pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7), pam_passwd_auth(7), pam_unix_account(7), pam_unix_auth(7), pam_unix_session(7), privileges(7), su(8)
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
If this module is replaced, the audit context and credential may not be correctly configured.